Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

please tell me if im doing this right.


  • This topic is locked This topic is locked
3 replies to this topic

#1 ArchieSanchez

ArchieSanchez

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:03 AM

Posted 30 April 2012 - 08:42 PM

Help me guys, i have the same problem with this link http://www.bleepingcomputer.com/forums/topic251725.html
and i think this VIRUS uses up my RAM and it slows my computer down.
I'm Using Avast! antivirus, They can't seem to get rid of this virus.
yah and i read your conversation and i did exactly what you said...

here is DDS lof of my Computer


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_31
Run by grace at 7:56:01 on 2012-05-01
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.330 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\grace\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\grace\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\grace\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\notepad.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://isearch.avg.com/?cid={A2B84AEB-C04B-4915-BDD6-AD65B9E9077D}&mid=dab02740bbff47d0a6a39128c06130a6-548c62247590b5a260c77b0a406309adbf2d5944&lang=en&ds=ft011&pr=sa&d=2012-04-13%2020:48:08&v=10.2.0.3&sap=hp
mStart Page = hxxp://home.sweetim.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Updater For Spam Free Search Bar: {20a0be68-8fd9-4539-8712-ce3d1c1fdfc6} - c:\program files\blekkotb\auxi\blekkoAu.dll
BHO: Spam Free Search Bar: {26c9e18c-3717-4be1-a225-04e4471f5b6e} - c:\program files\blekkotb\blekkoDx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SweetPacks Browser Helper: {eee6c35c-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: Spam Free Search Bar: {26c9e18c-3717-4be1-a225-04e4471f5b6e} - c:\program files\blekkotb\blekkoDx.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
TB: SweetPacks Toolbar for Internet Explorer: {eee6c35b-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Anti-phishing Domain Advisor] "c:\documents and settings\all users\application data\anti-phishing domain advisor\visicom_antiphishing.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [SweetIM] c:\program files\sweetim\messenger\SweetIM.exe
mRun: [Sweetpacks Communicator] c:\program files\sweetim\communicator\SweetPacksUpdateManager.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 124.106.7.2 124.106.5.2
TCP: Interfaces\{C21DED19-7173-4746-9313-D394CE268BCA} : DhcpNameServer = 124.106.7.2 124.106.5.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.2.0\ViProtocol.dll
Notify: DfLogon - LogonDll.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\grace\application data\mozilla\firefox\profiles\gr1bnopp.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com/?st=1
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Ba1a55bc8-9602-4290-9b4c-14f6098d61f1%7D&mid=dab02740bbff47d0a6a39128c06130a6-548c62247590b5a260c77b0a406309adbf2d5944&ds=ft011&v=10.2.0.3&lang=en&pr=sa&d=2012-04-13%2020%3A48%3A08&sap=ku&q=
FF - plugin: c:\documents and settings\grace\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Yontoo: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: SweetPacks Toolbar for Firefox: {EEE6C361-6118-11DC-9C72-001320C79847} - %profile%\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}
FF - Ext: AVG Security Toolbar: avg@toolbar - c:\documents and settings\all users\application data\avg secure search\10.2.0.3
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - db414a6c-a68e-4380-860e-82307c17d315
FF - user.js: extentions.y2layers.defaultEnableAppsList - bestvideodownloader,ezLooker,pagerage,buzzdock,toprelatedtopics
FF - user.js: extensions.autoDisableScopes - 14
.
============= SERVICES / DRIVERS ===============
.
R0 DeepFrz;DeepFrz;c:\windows\system32\drivers\DeepFrz.sys [2007-3-7 130584]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-4-10 312912]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-4-10 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-4-10 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2012-4-10 40384]
R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\10.2.0\ToolbarUpdater.exe [2012-4-13 918880]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2012-4-10 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2012-4-10 40384]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-4-10 1691480]
.
=============== Created Last 30 ================
.
2012-05-01 14:31:44 -------- d-sha-r- C:\cmdcons
2012-05-01 14:29:38 98816 ----a-w- c:\windows\sed.exe
2012-05-01 14:29:38 518144 ----a-w- c:\windows\SWREG.exe
2012-05-01 14:29:38 256000 ----a-w- c:\windows\PEV.exe
2012-05-01 14:29:38 208896 ----a-w- c:\windows\MBR.exe
2012-05-01 11:26:45 171795 ----a-w- c:\windows\system32\asr_lfcrgr.exe
2012-05-01 11:02:53 -------- d-----w- c:\windows\system32\SoftwareDistribution
2012-04-30 23:53:43 -------- d-----w- c:\windows\system32\appmgmt
2012-04-30 23:40:10 -------- d-----w- c:\program files\common files\Sandlot Shared
2012-04-30 23:40:09 -------- d-----w- c:\documents and settings\all users\application data\Sandlot Games
2012-04-30 22:22:43 -------- d-sh--w- c:\windows\ftpcache
2012-04-30 20:50:54 420240 ----a-w- c:\windows\system32\mpg4c32.dll
2012-04-30 20:50:54 309616 ----a-w- c:\windows\system32\wmv8dmod.dll
2012-04-30 20:50:54 245760 ----a-w- c:\windows\system32\mp4sds32.ax
2012-04-30 20:47:25 217088 ----a-w- c:\windows\system32\srkey.exe
2012-04-30 20:26:01 -------- d-----w- c:\documents and settings\grace\application data\Ford Street Racing
2012-04-30 20:24:35 -------- d-----w- c:\program files\Xplosiv
2012-04-30 20:24:13 77824 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2012-04-30 20:24:13 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2012-04-30 20:24:13 225280 ------w- c:\program files\common files\installshield\iscript\IScript.dll
2012-04-30 20:24:13 176128 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2012-04-30 20:24:12 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2012-04-30 20:17:24 -------- d-----w- c:\windows\SSMaui Wowee
2012-04-30 20:17:19 49664 ----a-w- c:\windows\SSMaui Wowee.scr
2012-04-30 20:14:19 802816 ----a-w- c:\windows\FeedingFrenzy.scr
2012-04-30 20:12:32 57344 ----a-w- c:\windows\system32\Big Kahuna Reef.scr
2012-04-30 20:11:27 389120 ----a-w- c:\windows\Adventure Inlay.scr
2012-04-22 03:45:58 -------- d-----w- c:\windows\pss
2012-04-20 12:35:41 -------- d-----w- c:\documents and settings\grace\application data\EurekaLog
2012-04-20 11:42:30 -------- d-----w- c:\program files\SweetIM
2012-04-20 11:42:30 -------- d-----w- c:\documents and settings\all users\application data\SweetIM
2012-04-20 11:40:44 -------- d-----w- c:\documents and settings\grace\application data\Softplicity
2012-04-20 11:40:18 -------- d-----w- c:\program files\TotalMovieConverter
2012-04-20 11:02:04 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2012-04-20 11:02:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-16 21:34:55 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2012-04-15 23:29:26 -------- d-----w- c:\documents and settings\grace\local settings\application data\Temp
2012-04-15 23:29:21 -------- d-----w- c:\documents and settings\grace\local settings\application data\Facebook
2012-04-15 16:04:15 -------- d-----w- c:\program files\Yontoo
2012-04-15 16:04:13 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2012-04-15 16:02:50 -------- d-----w- c:\program files\uTorrent
2012-04-15 16:02:19 -------- d-----w- c:\documents and settings\grace\application data\uTorrent
2012-04-15 16:01:25 -------- d-----w- c:\documents and settings\grace\application data\BitTorrent
2012-04-14 03:53:22 -------- d-----w- c:\program files\Cheat Engine 6.1
2012-04-14 03:53:22 -------- d-----w- c:\documents and settings\grace\application data\OpenCandy
2012-04-14 03:48:09 -------- d-----w- c:\documents and settings\grace\application data\AVG Secure Search
2012-04-14 03:48:09 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search
2012-04-14 03:48:05 -------- d-----w- c:\program files\common files\AVG Secure Search
2012-04-14 03:48:02 -------- d-----w- c:\program files\AVG Secure Search
2012-04-14 03:47:28 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-04-12 08:41:57 -------- d-----w- c:\documents and settings\grace\local settings\application data\blekkotb
2012-04-12 08:41:55 -------- d-----w- c:\documents and settings\all users\application data\Anti-phishing Domain Advisor
2012-04-12 08:41:43 -------- d-----w- c:\documents and settings\grace\application data\blekkotb
2012-04-12 08:41:40 -------- d-----w- c:\program files\blekkotb
2012-04-11 04:17:29 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2012-04-11 04:17:29 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-04-11 04:17:19 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2012-04-11 04:17:19 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2012-04-11 03:04:45 473656 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-04-11 02:39:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2012-04-11 02:29:09 65536 ----a-w- c:\windows\system32\LogonDll.dll
2012-04-11 02:29:09 12104143 ------w- C:\$Persi0.sys
2012-04-11 02:29:07 -------- d-----w- c:\program files\Faronics
2012-04-11 02:28:29 -------- d-----w- C:\DeepFreeze Std v6.20.20.1692
2012-04-11 02:26:46 312912 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-04-11 02:26:22 38848 ----a-w- c:\windows\avastSS.scr
2012-04-11 02:25:59 -------- d-----w- c:\documents and settings\all users\application data\Alwil Software
2012-04-11 02:18:38 -------- d-----w- c:\program files\VideoLAN
2012-04-11 02:17:41 -------- d-----w- c:\program files\GRETECH
2012-04-11 02:16:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-11 01:51:04 -------- d-----w- c:\program files\common files\Macrovision Shared
2012-04-11 01:21:58 -------- d-----w- c:\windows\ptemp
2012-04-11 01:19:19 -------- d-----w- c:\documents and settings\grace\local settings\application data\Adobe
2012-04-11 01:10:10 -------- d-----w- c:\documents and settings\grace\local settings\application data\Google
2012-04-11 01:03:44 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2012-04-11 01:03:44 32592 ----a-w- c:\windows\system32\msonpmon.dll
.
==================== Find3M ====================
.
.
============= FINISH: 7:57:14.70 ===============





and after that i downloaded the combofix thing and this what came out. is this a good thing or a bad thing?





ComboFix 12-04-31.02 - grace 05/01/2012 7:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.401 [GMT -7:00]
Running from: c:\documents and settings\grace\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\NEW15.tmp
c:\windows\system32\NEW16.tmp
c:\windows\system32\NEWF.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-04-01 to 2012-05-01 )))))))))))))))))))))))))))))))
.
.
2012-04-11 02:29 . 2012-04-11 02:29 12104143 ------w- C:\$Persi0.sys
2012-04-11 02:28 . 2012-04-11 02:28 -------- d-----w- C:\DeepFreeze Std v6.20.20.1692
2012-04-11 01:47 . 2012-04-11 01:47 246 ----a-w- C:\history.js
2012-04-11 01:47 . 2012-04-11 01:47 783 ----a-w- C:\rb_config.js
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20a0be68-8fd9-4539-8712-ce3d1c1fdfc6}]
2012-01-17 19:28 262312 ----a-w- c:\program files\blekkotb\auxi\blekkoAu.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26c9e18c-3717-4be1-a225-04e4471f5b6e}]
2012-01-17 19:28 86696 ----a-w- c:\program files\blekkotb\blekkoDx.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-04-14 03:48 1869152 ----a-w- c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2012-02-19 21:46 1337648 ----a-r- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{26c9e18c-3717-4be1-a225-04e4471f5b6e}"= "c:\program files\blekkotb\blekkoDx.dll" [2012-01-17 86696]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-04-14 1869152]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2012-02-19 1337648]
.
[HKEY_CLASSES_ROOT\clsid\{26c9e18c-3717-4be1-a225-04e4471f5b6e}]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-06-28 20:59 153184 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-03-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-16 13670504]
"RTHDCPL"="RTHDCPL.EXE" [2010-06-08 19552872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"Anti-phishing Domain Advisor"="c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-01-17 232616]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-04-14 982880]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2012-02-16 114992]
"Sweetpacks Communicator"="c:\program files\SweetIM\Communicator\SweetPacksUpdateManager.exe" [2012-02-26 295728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
2007-03-07 10:13 65536 ----a-w- c:\windows\system32\LogonDll.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C /k:D *
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\CherryDeGames\\Dragon Nest\\DragonNest.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\SweetIM\\Communicator\\SweetPacksUpdateManager.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R0 DeepFrz;DeepFrz;c:\windows\system32\drivers\DeepFrz.sys [3/7/2007 3:17 AM 130584]
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/10/2012 7:26 PM 312912]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/10/2012 7:26 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2012 7:26 PM 17744]
R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [4/13/2012 8:48 PM 918880]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 3:56 PM 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/10/2012 5:46 PM 1691480]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1677128483-725345543-1003Core.job
- c:\documents and settings\grace\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-16 03:31]
.
2012-05-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1677128483-725345543-1003UA.job
- c:\documents and settings\grace\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-16 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://isearch.avg.com/?cid={A2B84AEB-C04B-4915-BDD6-AD65B9E9077D}&mid=dab02740bbff47d0a6a39128c06130a6-548c62247590b5a260c77b0a406309adbf2d5944&lang=en&ds=ft011&pr=sa&d=2012-04-13%2020:48&v=10.2.0.3&sap=hp
mStart Page = hxxp://home.sweetim.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 124.106.7.2 124.106.5.2
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\grace\Application Data\Mozilla\Firefox\Profiles\gr1bnopp.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com/?st=1
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Ba1a55bc8-9602-4290-9b4c-14f6098d61f1%7D&mid=dab02740bbff47d0a6a39128c06130a6-548c62247590b5a260c77b0a406309adbf2d5944&ds=ft011&v=10.2.0.3&lang=en&pr=sa&d=2012-04-13%2020%3A48%3A08&sap=ku&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Yontoo: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: SweetPacks Toolbar for Firefox: {EEE6C361-6118-11DC-9C72-001320C79847} - %profile%\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}
FF - Ext: AVG Security Toolbar: avg@toolbar - c:\documents and settings\All Users\Application Data\AVG Secure Search\10.2.0.3
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: extentions.y2layers.installId - db414a6c-a68e-4380-860e-82307c17d315
FF - user.js: extentions.y2layers.defaultEnableAppsList - bestvideodownloader,ezLooker,pagerage,buzzdock,toprelatedtopics
FF - user.js: extensions.autoDisableScopes - 14
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKLM-Run-nwiz - nwiz.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-01 07:36
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\LogonDll.dll
.
Completion time: 2012-05-01 07:38:11
ComboFix-quarantined-files.txt 2012-05-01 14:38
.
Pre-Run: 18,716,168,192 bytes free
Post-Run: 19,138,801,664 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3A943F1968F349870C89B21BE5B1AD50

please help me on this. hoping for your reply soon

Edited by ArchieSanchez, 30 April 2012 - 08:45 PM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:03 AM

Posted 02 May 2012 - 02:58 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

and i think this VIRUS uses up my RAM and it slows my computer down.


From the discription you have given us it sounds like this may or may not be a malware problem, I will check very hard to make sure it is not malware and if none is found you may ned to go to another part of the forum to find the answers to the problems you are having.



I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

The next thing I would like you to do is run this for me - http://download.bleepingcomputer.com/grinler/unhide.exe after it is complete restart the computer and continue with these steps

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.




Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in

    %TEMP%\smtmp\*.* /s

  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


information and logs:

  • In your next post I need the following

  • .logs from OTL
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:03 AM

Posted 05 May 2012 - 12:29 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:03 AM

Posted 08 May 2012 - 09:44 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users