

Hijacked by an antivirus called AV Guard Online


  • This topic is locked
37 replies to this topic

#1 spiggy

spiggy

  • Members
  • 59 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 05 October 2011 - 07:27 PM

It's my personal business computer. Running on XP. AV Guard just popped up and shut down all other antiviruses, access to task manager, regedit, etc. Can't even run Firefox or IE until and unless I cave and buy from these jerks.
I've tried RKill, TDSSKiller, and Dr.Web CureIt all in safe mode. But no go? Need help, as this is my only source of potential income.

I can get online in safe mode.

Thanks much.



#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,853 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:07 PM

Posted 05 October 2011 - 10:30 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 spiggy

spiggy
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 06 October 2011 - 02:03 AM

I have read the guide. However, I am communicating from another computer because the infected computer can no longer connect to the internet. I connected fine in safe mode after the virus was first established. But after getting one Kaspersky tool to execute (tdsskiller), something went wrong with the internet. It just keeps trying to access my IP address now, without success. Nothing at all wrong with the adaptor (wireless) or the cards...they all seem to work fine. So I need help getting the internet back up before I can execute the guide you sent please. Thanks much.

I should also say that the Tdsskiller tool did not eliminate the virus. What I am able to do however, is to immediately go to task manager after rebooting and then "end task" on the culprit, AV Guard Online. That seems to let me function OK until I reboot or some other trigger brings it back...and it always eventually comes back. But still cannot get online.

Merged posts. ~ OB

Edited by Orange Blossom, 07 October 2011 - 02:07 PM.


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,853 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:07 PM

Posted 06 October 2011 - 12:21 PM

You can download the requested programs to a flash drive or other removable media using another computer, then transfer them to the sick computer. Logs can also be transferred this way, in reverse of course.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 spiggy

spiggy
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 06 October 2011 - 12:48 PM

OK. Thank you, I will try that. But I still need to get the internet back up on the virus infected computer also.

The DDS file that was requested is below.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by David at 23:42:00 on 2011-10-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1376 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
C:\Program Files\ooVoo\oovoo.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Personal\bin\Personal.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\Program Files\Common Files\microsoft shared\virtualization handler\cvh.exe
C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = my.daemon-search.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - No File
uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [HLBackupScheduler] c:\program files\verizon v cast media manager\V CAST Backup Scheduler.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe /startup
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [VMM Mode Selection] c:\program files\htc\modeselection\VMMModeSelection.exe
mRun: [konnF4mmH6WJ7E8234A] c:\windows\system32\accAA1ivD3.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA"&"inst=NwA3AC0ANAA0ADQANAAxADQAMwA2ADIALQBGAFAAOQArADYALQBCAEEAUgA5AEcAKwAxAC0AVABCADkAKwAyAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQAtAEYAOQBNADEAMABCACsAMgAtAFgATwA5ACsAMQAtAEYAOQBNADIAKwAxAC0ARABEAFQAKwAyADMANwA4ADcALQBEAEQAOQAwAEYAKwAxAC0AUwBUADkAMABGAEEAUABQACsAMQAtAEYAOQAwAE0AMQAyAEEATgArADIALQBGADkAMABNADEAMgBBACsAMQAtAEYAOQAwAE0AMQAyAEEAQgArADEALQBVADkANQArADEALQBGADkAMABNADEAMgBBAFQAQgBOACsAMQA"&"prod=90"&"ver=9.0.894
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\david\startm~1\programs\startup\mlbtvn~1.lnk - c:\documents and settings\david\local settings\application data\autobahn\mlb-nexdef-autobahn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bankid~1.lnk - c:\program files\personal\bin\Personal.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdanyw~1.lnk - c:\windows\installer\{649c4b1a-6a76-499a-9aec-0c9530fa7d2c}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5B94E8F7-CCA8-431D-95EC-56DFCCA32179} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: ACNotify - ACNotify.dll
Notify: cryptnet32 - cryptnet32.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
LSA: Notification Packages = scecli ACGina psqlpwd
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\david\application data\mozilla\firefox\profiles\70gocier.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.oovoostart.com/s/?src=FF-Address&site=Bing&cfg=2-201-0-0&engine_id=1&provider_id=1&product_id=201&country=US&q=
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\personal\bin\np_prsnl.dll
.
============= SERVICES / DRIVERS ===============
.
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-5-23 218688]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-2-28 821664]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2010-4-24 483688]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-14 11152]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-2-8 569344]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [2009-12-2 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [2009-12-2 211432]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2009-12-2 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [2009-12-2 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2010-4-24 209768]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-22 135664]
S2 hatqheav;hatqheav;"c:\docume~1\david\locals~1\temp\datb53.tmp.exe" --service --> c:\docume~1\david\locals~1\temp\DATB53.tmp.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-22 135664]
S3 uti1ntq4;AVZ Kernel Driver;c:\windows\system32\drivers\uti1ntq4.sys [2011-10-5 7168]
.
=============== Created Last 30 ================
.
2011-10-06 21:18:33 -------- d-----w- c:\documents and settings\david\application data\iNtxA0ucSiFpGaJ
2011-10-06 21:18:32 -------- d-----w- c:\documents and settings\david\application data\W8gTZqhYCkVl
2011-10-06 20:57:07 -------- d-----w- c:\documents and settings\david\application data\DonG4amH6W7E9Tq
2011-10-06 20:57:06 -------- d-----w- c:\documents and settings\david\application data\BS2ibF3pm5Q6E8R
2011-10-06 20:46:30 81920 ------w- c:\windows\system32\ieencode.dll
2011-10-06 20:45:56 19569 ----a-w- c:\windows\000001_.tmp
2011-10-06 18:43:34 -------- d-s---w- c:\documents and settings\all users\application data\WD
2011-10-06 18:43:31 -------- d-----w- c:\program files\common files\eSellerate
2011-10-06 18:43:29 -------- d-----w- c:\program files\WD
2011-10-06 18:43:25 -------- d-----w- c:\documents and settings\david\application data\WD
2011-10-06 16:00:33 -------- d-----w- c:\documents and settings\david\application data\UG4aQH6sW7R9TqU
2011-10-06 16:00:33 -------- d-----w- c:\documents and settings\david\application data\f0ycS1ibDo
2011-10-06 15:19:54 -------- d-----w- c:\documents and settings\david\application data\X1uvD2obFpHsJdL
2011-10-06 15:19:54 -------- d-----w- c:\documents and settings\david\application data\hqjUCekIBzNx
2011-10-06 15:03:22 -------- d-----w- c:\documents and settings\david\application data\HibF3pmG5Q6E8R9
2011-10-06 15:03:22 -------- d-----w- c:\documents and settings\david\application data\fYXwjUVelBz0c1v
2011-10-06 06:45:01 -------- d-----w- c:\documents and settings\david\application data\sfEL9gTZqYeIrOy
2011-10-06 06:45:01 -------- d-----w- c:\documents and settings\david\application data\d3onF4amH
2011-10-06 06:31:07 -------- d-----w- c:\documents and settings\david\application data\PJ7dEK8gRqYwUrO
2011-10-06 06:31:07 -------- d-----w- c:\documents and settings\david\application data\nxA1uvS2oFpG
2011-10-06 05:22:34 -------- d-----w- c:\documents and settings\david\application data\wG5aQJ6dW8R9TwU
2011-10-06 05:22:34 -------- d-----w- c:\documents and settings\david\application data\belIBtzP0c1v3n
2011-10-06 04:09:15 -------- d-----w- c:\documents and settings\david\application data\mJ7dEL8gRqYwUrO
2011-10-06 04:09:15 -------- d-----w- c:\documents and settings\david\application data\CtxP0ucS2b3n5Q
2011-10-06 03:58:00 -------- d-----w- c:\documents and settings\david\application data\t8gTZqhYCkVlNx0
2011-10-06 03:58:00 -------- d-----w- c:\documents and settings\david\application data\lcA1uvD2o
2011-10-06 03:35:55 -------- d-----w- c:\documents and settings\david\application data\LZqjYCekIrOyAuS
2011-10-06 03:35:55 -------- d-----w- c:\documents and settings\david\application data\J1ivD3onFaHsJfL
2011-10-06 03:28:36 -------- d-----w- c:\documents and settings\david\application data\X8gRZ9hYXkVlB
2011-10-06 03:28:36 -------- d-----w- c:\documents and settings\david\application data\nA0uvS2ob3m5Q6E
2011-10-06 03:23:03 -------- d-----w- c:\documents and settings\david\application data\m7dEK8gRZhXkVlB
2011-10-06 03:23:03 -------- d-----w- c:\documents and settings\david\application data\CxP0ucS1iDpGaHd
2011-10-06 03:17:56 -------- d-----w- c:\documents and settings\david\application data\DvD3onG4aHsKfLg
2011-10-06 03:17:56 -------- d-----w- c:\documents and settings\david\application data\aXqjYCekIrOyAuS
2011-10-06 02:19:43 -------- d-----w- c:\documents and settings\david\application data\yXXwwkUVelOBx0y
2011-10-06 02:19:42 -------- d-----w- c:\documents and settings\david\application data\zVrrzOONyx
2011-10-05 23:16:35 -------- d-----w- c:\documents and settings\david\local settings\application data\Downloaded Installations
2011-10-05 22:55:27 -------- d-----w- c:\documents and settings\david\application data\z5sWJ7dELgZhCkV
2011-10-05 22:55:27 -------- d-----w- c:\documents and settings\david\application data\uONtxA0uc2b3n5Q
2011-10-05 22:48:06 -------- d-----w- c:\documents and settings\david\application data\fH5sQJ7dE8RqYwU
2011-10-05 22:48:05 -------- d-----w- c:\documents and settings\david\application data\TjUCekIBrPyAuDo
2011-10-05 22:33:15 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-05 22:20:19 -------- d-----w- c:\documents and settings\david\DoctorWeb
2011-10-05 21:28:16 7168 ----a-w- c:\windows\system32\drivers\uti1ntq4.sys
2011-10-05 19:43:00 -------- d-----w- c:\documents and settings\david\application data\SUPERAntiSpyware.com
2011-10-05 19:42:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-05 19:37:45 -------- d-----w- c:\documents and settings\david\application data\RIBtzP0yc1v3n4m
2011-10-05 19:37:44 -------- d-----w- c:\documents and settings\david\application data\iaQJ6dWK8R9TwUe
2011-10-05 19:34:09 -------- d-----w- c:\documents and settings\david\application data\HVVrrzONyxA0vSo
2011-10-05 19:34:09 -------- d-----w- c:\documents and settings\david\application data\cF33pmmG5sQ6dK8
2011-10-05 19:34:00 2411520 ----a-w- c:\windows\system32\accAA1ivD3.exe
2011-10-05 19:34:00 -------- d-----w- c:\documents and settings\david\application data\hhTTXwwjUVeIBz0
2011-10-05 02:50:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
.
============= FINISH: 23:42:44.82 ===============

Here is the Zipped Attach.txt file that was requested. It is attached.

The Ark.txt file from GMER is now attached. It ran overnight. I think it's right, but the file did not look like the picture in the preparations section of your site, as mine had many more entries than the few seen in your last example. I zipped it.

Merged posts. ~ OB



Edited by Orange Blossom, 07 October 2011 - 02:08 PM.
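
The DDS report posted above is the raw material a malware-removal helper reads by eye: autorun names that look machine-generated (the `mRun` entry pointing at `accAA1ivD3.exe`), a service launched from a temp directory (`hatqheav`), and a Winlogon Notify DLL listed with no path (`cryptnet32.dll`). As an added example, not a BleepingComputer tool and not part of this thread, the Python script below applies those three heuristics to lines copied from the report, plus two benign lines for contrast. The thresholds, the character-class "randomness" score and the reason strings are my own assumptions; the output is a list of entries to review, not a verdict.

```python
"""Triage helper for the 'Pseudo HJT Report' and services sections of a DDS log.

Added example (assumed heuristics), not part of DDS or BleepingComputer.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: lines copied from the DDS report above, with SynTPEnh, tphotkey
# and ISUSPM included as benign entries that the heuristics should leave alone.
SAMPLE_LINES = [
    r"mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe",
    r"mRun: [konnF4mmH6WJ7E8234A] c:\windows\system32\accAA1ivD3.exe",
    r'S2 hatqheav;hatqheav;"c:\docume~1\david\locals~1\temp\datb53.tmp.exe" --service --> c:\docume~1\david\locals~1\temp\DATB53.tmp.exe [?]',
    r"Notify: cryptnet32 - cryptnet32.dll",
    r"Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll",
    r"mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup",
]

AUTORUN_RE = re.compile(r"^(?P<kind>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>.*)$")
BINARY_RE = re.compile(r'([^"\s,]+\.(?:exe|dll))', re.I)
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")


@dataclass
class Finding:
    line: str
    reason: str


def randomness(name: str) -> float:
    """Fraction of adjacent alphanumeric pairs that switch character class
    (lower/upper/digit). Human-chosen names score low; generated ones high."""
    classes = ["l" if c.islower() else "u" if c.isupper() else "d"
               for c in name if c.isalnum()]
    if len(classes) < 2:
        return 0.0
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return switches / len(classes)


def looks_generated(name: str) -> bool:
    # Require a digit so CamelCase vendor names such as EzEjMnAp are not flagged.
    return any(c.isdigit() for c in name) and randomness(name) >= 0.4


def in_temp(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def binary_stem(cmd: str) -> str:
    """File name without extension of the first .exe/.dll token in a command."""
    m = BINARY_RE.search(cmd)
    if not m:
        return ""
    return m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = AUTORUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if looks_generated(name):
                findings.append(Finding(line, "autorun name looks machine-generated"))
            if looks_generated(binary_stem(cmd)):
                findings.append(Finding(line, "executable name looks machine-generated"))
            if in_temp(cmd):
                findings.append(Finding(line, "autorun runs from a temp directory"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if in_temp(m.group("rest")):
                findings.append(Finding(line, "service binary runs from a temp directory"))
            if looks_generated(m.group("name")):
                findings.append(Finding(line, "service name looks machine-generated"))
            continue
        m = NOTIFY_RE.match(line)
        if m and "\\" not in m.group("dll"):
            findings.append(Finding(line, "winlogon notify DLL listed without a path; resolve it and verify the file"))
    return findings


def summarize(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged line to its sorted list of reasons."""
    summary: Dict[str, List[str]] = {}
    for f in triage(lines):
        summary.setdefault(f.line, []).append(f.reason)
    return {line: sorted(reasons) for line, reasons in summary.items()}


if __name__ == "__main__":
    for line, reasons in summarize(SAMPLE_LINES).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run it as-is to see the three flagged entries; to triage a real report, read the DDS text file into `lines` and call `summarize` on it. The randomness score is deliberately conservative (a digit is required and the switch ratio must reach 0.4), so tilde-shortened paths and vendor abbreviations like `TPFNF7SP` pass while `konnF4mmH6WJ7E8234A` and `accAA1ivD3` do not.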


#6 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,600 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:07 PM

Posted 10 October 2011 - 07:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/422078 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#7 spiggy

spiggy
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 10 October 2011 - 08:42 PM

In response to the HelpBot question, I was attacked by AV Guard Online, a supposed antivirus. It hijacked my laptop, trying to force me to buy it. In the process, it tried to disable everything, and succeeded with most. I was able, in the beginning, to get access to the internet in safe mode. Tried running Malwarebytes, SUPERAntiSpyware, Dr.Web CureIt, etc. all without success...could not run them. I unfortunately turned off my system restore during this process, so I have no backups there any longer.

I did backup the entire hard drive however.

I found a tool in Kaspersky called TDSSKiller, and was able to run that somehow. But after that ran I was not able to get onto the internet any longer. My internet is now stuck in a constant loop of trying to find the IP addresses. It says, Error 1068, and I have traced the dependencies to AFD. It's there it seems, but the computer cannot find it, so DHCP is not started, nor is network location awareness, nor is TCP/IP Netbios helper.

Also, after running TDSSKiller, I noticed that I could get into Task Manager if I kept trying fast enough to get around the Virus' attempt to stop me. I could then "end task" on AV Guard Online for that session. Once I discovered this, I ran Malwarebytes (older version, as I cannot update), and SuperAntiSpyware (also an older version). I think AV Guard or residual effects are still there, but they seem dormant at the moment.

I then tried to reconnect the internet, and ran:
netsh int ip reset resetlog.txt
netsh winsock reset catalog

I also updated Windows service pack 3, as I run on XP on a Lenovo laptop with ThinkVantage.

I pinged the adaptor...it's good.

Then I ran Windows Fixit for the AFD problem. That did not work either, but it did cause another problem. It disabled and seemingly eliminated my ability to access my laptop through secure fingerprint scanning....but I consider that one a minor problem.

Lastly, ThinkVantage has a "rejuvenate" function that I think works like a system restore. It still shows backup dates. I've never used it, but tried it. It has been running for an entire day now, and I think it's doing nothing as it shows no signs of progressing. Task Manager says it's running, but I'm sure it's not and will stop it to do your DDS and GMER requests now.

I need this system desperately. An entire business depends on a special key that is only on this system (not so smart on my part, but I have to get it back before I can remedy that problem). I have critical bills to pay, and cannot do it without that key. It's there, but I cannot use it with the virus or without the internet.

I'm sending DDS and GMER next.

Thanks much, it's truly appreciated.

#8 spiggy

spiggy
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 11 October 2011 - 01:09 AM

Requested DDS File Below; Ark and Attach files are also zipped and attached: October 10, 2011

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by David at 18:44:21 on 2011-10-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1409 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\microsoft shared\virtualization handler\cvh.exe
C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = my.daemon-search.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - No File
uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [HLBackupScheduler] c:\program files\verizon v cast media manager\V CAST Backup Scheduler.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe /startup
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [VMM Mode Selection] c:\program files\htc\modeselection\VMMModeSelection.exe
mRun: [konnF4mmH6WJ7E8234A] c:\windows\system32\accAA1ivD3.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA"&"inst=NwA3AC0ANAA0ADQANAAxADQAMwA2ADIALQBGAFAAOQArADYALQBCAEEAUgA5AEcAKwAxAC0AVABCADkAKwAyAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQAtAEYAOQBNADEAMABCACsAMgAtAFgATwA5ACsAMQAtAEYAOQBNADIAKwAxAC0ARABEAFQAKwAyADMANwA4ADcALQBEAEQAOQAwAEYAKwAxAC0AUwBUADkAMABGAEEAUABQACsAMQAtAEYAOQAwAE0AMQAyAEEATgArADIALQBGADkAMABNADEAMgBBACsAMQAtAEYAOQAwAE0AMQAyAEEAQgArADEALQBVADkANQArADEALQBGADkAMABNADEAMgBBAFQAQgBOACsAMQA"&"prod=90"&"ver=9.0.894
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\david\startm~1\programs\startup\mlbtvn~1.lnk - c:\documents and settings\david\local settings\application data\autobahn\mlb-nexdef-autobahn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bankid~1.lnk - c:\program files\personal\bin\Personal.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdanyw~1.lnk - c:\windows\installer\{649c4b1a-6a76-499a-9aec-0c9530fa7d2c}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5B94E8F7-CCA8-431D-95EC-56DFCCA32179} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ACGina psqlpwd
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\david\application data\mozilla\firefox\profiles\70gocier.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.oovoostart.com/s/?src=FF-Address&site=Bing&cfg=2-201-0-0&engine_id=1&provider_id=1&product_id=201&country=US&q=
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\personal\bin\np_prsnl.dll
.
============= SERVICES / DRIVERS ===============
.
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-5-23 218688]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-2-28 821664]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2010-4-24 483688]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-14 11152]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-2-8 569344]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [2009-12-2 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [2009-12-2 211432]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2009-12-2 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [2009-12-2 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2010-4-24 209768]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-22 135664]
S2 hatqheav;hatqheav;"c:\docume~1\david\locals~1\temp\datb53.tmp.exe" --service --> c:\docume~1\david\locals~1\temp\DATB53.tmp.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-22 135664]
.
=============== Created Last 30 ================
.
2011-10-09 02:59:27 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-10-09 02:59:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-08 18:29:41 -------- d-----w- c:\documents and settings\david\application data\xdWK8fRZ9TwUeIt
2011-10-08 18:29:40 -------- d-----w- c:\documents and settings\david\application data\BNtxA0ucSiFpGaJ
2011-10-06 21:18:33 -------- d-----w- c:\documents and settings\david\application data\iNtxA0ucSiFpGaJ
2011-10-06 21:18:32 -------- d-----w- c:\documents and settings\david\application data\W8gTZqhYCkVl
2011-10-06 20:57:07 -------- d-----w- c:\documents and settings\david\application data\DonG4amH6W7E9Tq
2011-10-06 20:57:06 -------- d-----w- c:\documents and settings\david\application data\BS2ibF3pm5Q6E8R
2011-10-06 20:46:30 81920 ------w- c:\windows\system32\ieencode.dll
2011-10-06 20:45:56 19569 ------w- c:\windows\000001_.tmp
2011-10-06 18:43:34 -------- d-s---w- c:\documents and settings\all users\application data\WD
2011-10-06 18:43:31 -------- d-----w- c:\program files\common files\eSellerate
2011-10-06 18:43:29 -------- d-----w- c:\program files\WD
2011-10-06 18:43:25 -------- d-----w- c:\documents and settings\david\application data\WD
2011-10-06 16:00:33 -------- d-----w- c:\documents and settings\david\application data\UG4aQH6sW7R9TqU
2011-10-06 16:00:33 -------- d-----w- c:\documents and settings\david\application data\f0ycS1ibDo
2011-10-06 15:19:54 -------- d-----w- c:\documents and settings\david\application data\X1uvD2obFpHsJdL
2011-10-06 15:19:54 -------- d-----w- c:\documents and settings\david\application data\hqjUCekIBzNx
2011-10-06 15:03:22 -------- d-----w- c:\documents and settings\david\application data\HibF3pmG5Q6E8R9
2011-10-06 15:03:22 -------- d-----w- c:\documents and settings\david\application data\fYXwjUVelBz0c1v
2011-10-06 06:45:01 -------- d-----w- c:\documents and settings\david\application data\sfEL9gTZqYeIrOy
2011-10-06 06:45:01 -------- d-----w- c:\documents and settings\david\application data\d3onF4amH
2011-10-06 06:31:07 -------- d-----w- c:\documents and settings\david\application data\PJ7dEK8gRqYwUrO
2011-10-06 06:31:07 -------- d-----w- c:\documents and settings\david\application data\nxA1uvS2oFpG
2011-10-06 05:22:34 -------- d-----w- c:\documents and settings\david\application data\wG5aQJ6dW8R9TwU
2011-10-06 05:22:34 -------- d-----w- c:\documents and settings\david\application data\belIBtzP0c1v3n
2011-10-06 04:09:15 -------- d-----w- c:\documents and settings\david\application data\mJ7dEL8gRqYwUrO
2011-10-06 04:09:15 -------- d-----w- c:\documents and settings\david\application data\CtxP0ucS2b3n5Q
2011-10-06 03:58:00 -------- d-----w- c:\documents and settings\david\application data\t8gTZqhYCkVlNx0
2011-10-06 03:58:00 -------- d-----w- c:\documents and settings\david\application data\lcA1uvD2o
2011-10-06 03:35:55 -------- d-----w- c:\documents and settings\david\application data\LZqjYCekIrOyAuS
2011-10-06 03:35:55 -------- d-----w- c:\documents and settings\david\application data\J1ivD3onFaHsJfL
2011-10-06 03:28:36 -------- d-----w- c:\documents and settings\david\application data\X8gRZ9hYXkVlB
2011-10-06 03:28:36 -------- d-----w- c:\documents and settings\david\application data\nA0uvS2ob3m5Q6E
2011-10-06 03:23:03 -------- d-----w- c:\documents and settings\david\application data\m7dEK8gRZhXkVlB
2011-10-06 03:23:03 -------- d-----w- c:\documents and settings\david\application data\CxP0ucS1iDpGaHd
2011-10-06 03:17:56 -------- d-----w- c:\documents and settings\david\application data\DvD3onG4aHsKfLg
2011-10-06 03:17:56 -------- d-----w- c:\documents and settings\david\application data\aXqjYCekIrOyAuS
2011-10-06 02:19:43 -------- d-----w- c:\documents and settings\david\application data\yXXwwkUVelOBx0y
2011-10-06 02:19:42 -------- d-----w- c:\documents and settings\david\application data\zVrrzOONyx
2011-10-05 23:16:35 -------- d-----w- c:\documents and settings\david\local settings\application data\Downloaded Installations
2011-10-05 22:55:27 -------- d-----w- c:\documents and settings\david\application data\z5sWJ7dELgZhCkV
2011-10-05 22:55:27 -------- d-----w- c:\documents and settings\david\application data\uONtxA0uc2b3n5Q
2011-10-05 22:48:06 -------- d-----w- c:\documents and settings\david\application data\fH5sQJ7dE8RqYwU
2011-10-05 22:48:05 -------- d-----w- c:\documents and settings\david\application data\TjUCekIBrPyAuDo
2011-10-05 22:33:15 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-05 22:20:19 -------- d-----w- c:\documents and settings\david\DoctorWeb
2011-10-05 19:43:00 -------- d-----w- c:\documents and settings\david\application data\SUPERAntiSpyware.com
2011-10-05 19:37:45 -------- d-----w- c:\documents and settings\david\application data\RIBtzP0yc1v3n4m
2011-10-05 19:37:44 -------- d-----w- c:\documents and settings\david\application data\iaQJ6dWK8R9TwUe
2011-10-05 19:34:09 -------- d-----w- c:\documents and settings\david\application data\HVVrrzONyxA0vSo
2011-10-05 19:34:09 -------- d-----w- c:\documents and settings\david\application data\cF33pmmG5sQ6dK8
2011-10-05 19:34:00 -------- d-----w- c:\documents and settings\david\application data\hhTTXwwjUVeIBz0
2011-10-05 02:50:55 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
.
============= FINISH: 18:44:33.45 ===============
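As an added triage example (not part of this thread, and not DDS's own code), the script below scans DDS-style lines for the patterns a reviewer would pick out of the log above: run keys and executables with randomly generated names, services whose binary lives in a temp directory, and newly created application-data folders with random names. The sample lines are copied from the log; the regular expressions and the "class-change ratio" heuristic are my own assumptions about the DDS line format, not a documented specification.

```python
import re

# Constructed sample: lines copied from the DDS log posted above, mixing
# ordinary entries with the ones a log reviewer would want surfaced.
SAMPLE_DDS = """\
mRun: [SoundMAX] c:\\program files\\analog devices\\soundmax\\Smax4.exe /tray
mRun: [konnF4mmH6WJ7E8234A] c:\\windows\\system32\\accAA1ivD3.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/
S2 gupdate;Google Update Service (gupdate);c:\\program files\\google\\update\\GoogleUpdate.exe [2010-10-22 135664]
S2 hatqheav;hatqheav;"c:\\docume~1\\david\\locals~1\\temp\\datb53.tmp.exe" --service --> c:\\docume~1\\david\\locals~1\\temp\\DATB53.tmp.exe [?]
2011-10-09 02:59:19 -------- d-----w- c:\\program files\\SUPERAntiSpyware
2011-10-08 18:29:41 -------- d-----w- c:\\documents and settings\\david\\application data\\xdWK8fRZ9TwUeIt
2011-10-06 20:46:30 81920 ------w- c:\\windows\\system32\\ieencode.dll
"""

# Assumed shapes of the DDS line types handled here (derived from the log, not a spec).
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.+)$")
# A drive-letter path up to its .exe/.dll, tolerating spaces inside "Program Files".
PATH_RE = re.compile(r'[a-zA-Z]:\\[^"]*?\.(?:exe|dll)', re.I)
APPDATA_DIR_RE = re.compile(r"\\application data\\([^\\]+)$", re.I)


def class_change_ratio(name: str) -> float:
    """Fraction of adjacent character pairs that switch class (lower/upper/digit/other).

    Names people choose ("SoundMAX", "GoogleUpdate") switch class rarely; names
    generated by a dropper ("konnF4mmH6WJ7E8234A") switch almost every character.
    """
    def cls(ch: str) -> str:
        if ch.islower():
            return "l"
        if ch.isupper():
            return "u"
        if ch.isdigit():
            return "d"
        return "o"
    if len(name) < 2:
        return 0.0
    classes = [cls(c) for c in name]
    changes = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return changes / (len(name) - 1)


def looks_random(name: str, min_len: int = 10, threshold: float = 0.4) -> bool:
    """Heuristic: long enough to be deliberate, and too 'busy' to be human-chosen."""
    return len(name) >= min_len and class_change_ratio(name) > threshold


def exe_basename(path: str) -> str:
    """'c:\\windows\\system32\\accAA1ivD3.exe' -> 'accAA1ivD3'."""
    return path.rsplit("\\", 1)[-1].split(".", 1)[0]


def triage(dds_text: str) -> list:
    """Return (category, indicator, line) tuples for lines worth a second look."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            # Check both the run-key name and the basename of any executable it launches.
            candidates = [m.group("name")] + [exe_basename(p) for p in PATH_RE.findall(m.group("cmd"))]
            odd = [c for c in candidates if looks_random(c)]
            if odd:
                findings.append(("random-named autorun", odd[0], line))
            continue
        m = SVC_RE.match(line)
        if m:
            # Legitimate services are not installed out of a user's temp directory.
            if "\\temp\\" in m.group("path").lower():
                findings.append(("service binary in temp dir", m.group("name"), line))
            continue
        m = CREATED_RE.match(line)
        if m:
            d = APPDATA_DIR_RE.search(m.group("path"))
            if d and looks_random(d.group(1)):
                findings.append(("random-named appdata folder", d.group(1), line))
    return findings


if __name__ == "__main__":
    for category, indicator, line in triage(SAMPLE_DDS):
        print(f"[{category}] {indicator}\n    {line}")
```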


#9 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:10:07 PM

Posted 11 October 2011 - 11:20 AM

Hi,

My name is Casey and I will be helping you with your malware problems.

Whilst I research the problems in your logs, it is very important that you do not make any changes to this PC. Specifically, do not run any further malware removal tools or try to remove anything yourself.

You may wish to "Watch Topic" so that you are immediately informed of any replies I make. I also ask that you reply to my posts within 5 days else your topic will be closed as stale.

Throughout the removal process, if you have any questions then you should ask them. If you are unsure of my instructions or something does not go as planned - then please tell me. Conversely, it is also important that you answer any questions I have and that you keep me updated on the state of the PC.

Regards,

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#10 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:10:07 PM

Posted 11 October 2011 - 11:25 AM

:step1: Since you have no internet access you will need to download the tools I instruct you to download from a clean PC with internet access and then transfer them over to your infected PC. Once logs have been created, transfer these back to the clean PC and post them here for my review.

To prevent infection of the clean PC you will need to run Flash Disinfector.

On your clean PC

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

:step2: Do you happen to have that TDSSKiller log? Specifically the one from when you lost internet access afterwards? If so, please post it.

:step3: Next, I would like to run ComboFix...

Download and run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are prompted to install the Recovery Console, then please do so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you have trouble running ComboFix, then please rename ComboFix.exe to Caseyboy.exe and re-run.

Casey

Edited by Casey_boy, 11 October 2011 - 11:26 AM.
Re-ordered



#11 spiggy

spiggy
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 11 October 2011 - 01:03 PM

Hi Casey. I am here, and reading your posts to me now. Will respond momentarily. I am Spiggy. And thank you in advance.

#12 spiggy

spiggy
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 11 October 2011 - 02:39 PM

Hi Casey:

1) The good computer keeps telling me that Flash_Disinfector did not install correctly. I have run it a few times, but get no indication that it's doing anything to the flash drives or otherwise... not sure what I'm doing wrong. Seems simple enough.

2) I tried to find the log from TDSSkiller. I downloaded it to the flash drive, and ran it on the bad computer from there. I can't seem to find a log anywhere. Perhaps you know where I might look. The application that is on my flash drive simply runs the utility.

3) I am downloading and executing Combofix now.

Spiggy

#13 spiggy

spiggy
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 11 October 2011 - 03:03 PM

An update:

1) I downloaded Combofix onto a flash drive and moved it to the bad computer
2) I ran it
3) It could not find the Recovery Console, and that computer does not connect to the internet at this time
4) Combofix continued, and said a couple of times that it found a Root something...the last time it said this it said it needed to reboot
5) it rebooted, and my computer went into Thinkvantage rescue and recovery mode (It's a Lenovo with Thinkvantage)
-- what I'm nervous about is that this Thinkvantage rescue and recovery mode immediately started running on its own...I did nothing
-- I don't dare stop it as it's doing stuff to my system
-- I'm praying that it's not reformatting...really praying!!!!

When it finishes, I will manually download the Recovery Console and try combofix again. I have no idea why it took this detour to Thinkvantage when it rebooted.

Spiggy

#14 spiggy

spiggy
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 11 October 2011 - 04:53 PM

Another update:

1) As mentioned previously, Combofix kicked my system into a reboot, and that reboot caused Thinkvantage on my Lenovo XP system to "Rejuvenate" the system.
2) I suspect that somehow, because I had tried this rejuvenate process before and failed, that it may have been just sitting there waiting to execute and somehow Combofix triggered it. I have no idea why.
3) What I do know is that the system is back up, and I have access to the Internet again miraculously.
4) I also do not see any signs of the virus, AV Guard Online...but that does not mean it's not there in hiding somewhere.
5) As an FYI, I had tried to rejuvenate my system back to a date in August 2011...so I'm guessing that is what it might have done, but I don't know.

I will now attempt again to run Combofix, as I believe we should go ahead and make certain this virus is removed and all others. I will post the log when it finishes. It should be able to establish the Recovery Console now that I have internet access.

Spiggy

#15 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:10:07 PM

Posted 11 October 2011 - 04:56 PM

Hi Spiggy,

It's getting late here in the UK (and I'm off to bed), but I'll check up on your progress in the morning. It'd be good if you could, when this is done, give a summary of any remaining symptoms and a new log - we'll then try and work out what happened and see if you still need some cleaning up.

Casey





