Skip to main content

kevin27_b3d29f

2 Intern

 • 

1.5K Posts

July 11th, 2010 02:00

Hi subman123,

Welcome to the Dell Community Malware removal Forum.

Sorry for the Delay in getting to you.

If you still require assistance please post a fresh HJT log and any symptoms you are still experiencing.

Thanks,
K27.

subman123

25 Posts

July 11th, 2010 10:00

Hi there!

Thank you for responding, I am still having issues.  I am still having the "Just-In-Time" debugger popping up and when I google things and click on links I still get redirected.  In addition to those symptoms, I've had some new problems develop.  Upon booting windows a dialog box pops up titled RUNDLL and inside it, it says "Error Loading C:\WINDOWS\mstrac.dll Access is denied"  In addition to that on startup AVG detects the Trojan Horse Hiloti.AW.  Please advise on the steps that can get my computer well again.  Thank you so much for any help. Below is the hijackthis log:

\Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:03:13 AM, on 7/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {9C81E52A-2BC6-4ADB-8661-7FA7F84BCA33} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {D136180C-0E32-4FCA-BECA-721742E1AF20} - C:\WINDOWS\system32\urqOEUom.dll (file missing)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\Act for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [Ohicovidogosixa] rundll32.exe "C:\WINDOWS\ohosiyuwamoxobuz.dll",Startup
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Snojunoja] rundll32.exe "C:\WINDOWS\mstrac.dll",Startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: fdba39af-b1d4-41ab-b45e-ff4bb5755336 - http://conf.subway.com//Downloads/cmW32client.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229112464046
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://subway-6783.mydtt.com/cab/OCXChecker_8198.cab
O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://69.129.200.25:8880/cab/DownloadFile_8100.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://paychex.webex.com/client/T27L/webex/ieatgpc.cab
O16 - DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} (DownloadCenter Control) - http://subway-6783.mydtt.com/cab/DownloadCenter_8200.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: zrqreo.dll ztccqv.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ACT! Scheduler - Sage Software, Inc. - C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: vtigercrm4_2 - Unknown owner - C:\Program Files\vtigerCRM4_2\apache\bin\Apache.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 15726 bytes

kevin27_b3d29f

2 Intern

 • 

1.5K Posts

July 11th, 2010 12:00

Hi subman123,

I'm K27 and i will be reviewing your log for you.

Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.

Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.

Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you too, as this will only make the cleanup process all the more diffecult.

 

I need to see some additional information about what is happening in your machine.
Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
    DDS.jpg
  • Instead of attaching, please copy/past both logs into your next reply.

     

     

  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control here

 

YOU MUST DISABLE ALL REAL TIME PROTECTION BEFORE RUNNING THE NEXT TOOL,

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)

 

Next, please perform a rootkit scan:

  • Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to launch it
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), click the Rootkit/Malware tab,and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply.
  • Now, re-enable the active protection component of any antivirus/antimalware programs you disabled before performing the scan.


.
If the ARK tool crashes your machine or causes a Blue Screen error, please post the log results from the first inital quick scan,this can be saved in the same way as the full scan in the above instructions.

 

Please COPY/PASTE BOTH DDS logs and the ARK log back to this thread,
Thanks
K27

subman123

25 Posts

July 11th, 2010 18:00

Hi there,

Here is my DDS log file and my attached log file.  I then tried to run the antirootkit program and was only able to do the first scan which I've also put in this reply.  The full scan caused me to blue screen with an PFN_LIST_CORRUPT error message.


DDS (Ver_09-09-29.01) - NTFSx86 
Run by Brian at 17:04:16.01 on Sun 07/11/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.230 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV:  *On-access scanning disabled* (Updated)   {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW:  *disabled*   {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Brian\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {9C81E52A-2BC6-4ADB-8661-7FA7F84BCA33} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: {d136180c-0e32-4fca-beca-721742e1af20} - c:\windows\system32\urqOEUom.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Snojunoja] rundll32.exe "c:\windows\mstrac.dll",Startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [ ]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Ohicovidogosixa] rundll32.exe "c:\windows\ohosiyuwamoxobuz.dll",Startup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [ptbujwfi] c:\documents and settings\networkservice\local settings\application data\tyihdoqts\hswkhuwtssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: paychex.com\previewhostingservice
DPF: fdba39af-b1d4-41ab-b45e-ff4bb5755336 - hxxp://conf.subway.com//Downloads/cmW32client.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229112464046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://subway-6783.mydtt.com/cab/OCXChecker_8198.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - hxxp://69.129.200.25:8880/cab/DownloadFile_8100.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://paychex.webex.com/client/T27L/webex/ieatgpc.cab
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://subway-6783.mydtt.com/cab/DownloadCenter_8200.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: zrqreo.dll ztccqv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqOEUom

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-10 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-11 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-11 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-11 108552]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-11 297752]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2008-7-31 81920]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S2 vtigercrm4_2;vtigercrm4_2;"c:\program files\vtigercrm4_2\apache\bin\apache.exe" -k runservice --> c:\program files\vtigercrm4_2\apache\bin\Apache.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]

=============== Created Last 30 ================

2010-07-11 16:53 1,409 a------- c:\windows\QTFont.for
2010-07-11 16:53 54,156 a---h--- c:\windows\QTFont.qfn
2010-07-06 13:14 

 --d----- c:\program files\Trend Micro
2010-07-05 18:22 0 a------- c:\windows\Kyomijuqumofu.bin
2010-07-05 18:22 0 a------- c:\windows\Hsetoxa.dat
2010-06-22 08:29 34 a------- c:\windows\system32\BD7840W.DAT
2010-06-22 08:26 77,824 a------- c:\windows\system32\BRLMW03A.DLL
2010-06-22 08:26 45,056 a------- c:\windows\system32\BRTCPCON.DLL
2010-06-22 08:26 114 a------- c:\windows\system32\BRLMW03A.INI
2010-06-21 22:10 3,246 a------- c:\windows\system32\wbem\Outlook_01cb11b86b7eb7f4.mof

==================== Find3M  ====================

2010-07-11 17:01 952 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-06-21 20:10 35,568 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-05-21 14:14 221,568 -------- c:\windows\system32\MpSigStub.exe
2010-05-04 07:39 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 07:39 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 00:22 1,851,264 a------- c:\windows\system32\win32k.sys
2010-05-02 00:22 1,851,264 -------- c:\windows\system32\dllcache\win32k.sys
2010-04-20 00:30 285,696 a------- c:\windows\system32\atmfd.dll
2010-04-20 00:30 285,696 -------- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 06:43 634,656 -------- c:\windows\system32\dllcache\iexplore.exe
2010-04-16 06:43 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-03-11 09:06 88 ---shr-- c:\docume~1\alluse~1\applic~1\53DBABB5A2.sys
2009-02-11 18:27 99,072 a------- c:\program files\MC
2009-03-25 15:03 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032520090326\index.dat

============= FINISH: 17:06:30.70 ===============

 


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/4/2006 7:58:29 PM
System Uptime: 7/11/2010 4:56:59 PM (1 hours ago)

Motherboard: Dell Inc. |  | 0KD882
Processor: Genuine Intel(R) CPU           T2050  @ 1.60GHz | Microprocessor | 1596/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 107 GiB total, 57.065 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 7/6/2010 7:35:00 AM - System Checkpoint
RP2: 7/6/2010 12:58:25 PM - when things were broken
RP3: 7/6/2010 1:14:39 PM - Installed HiJackThis
RP4: 7/8/2010 8:06:02 AM - System Checkpoint
RP5: 7/9/2010 5:12:50 PM - Windows Defender Checkpoint

==== Installed Programs ======================

ACT! by Sage Premium 2009 (11.0)
Ad-Aware
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.1.0 Professional
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge 1.0
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Common File Installer
Adobe Creative Suite 2
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Help Center 1.0
Adobe Illustrator CS4
Adobe InDesign CS2
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop 7.0
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Stock Photos 1.0
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AOLIcon
AVG 8.5
Azureus Vuze
Bonjour
Broadcom Management Programs
Brother HL-2040
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Connect
Critical Update for Windows Media Player 11 (KB959772)
Dell Media Experience
Dell System Restore
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
Draft Master
DTT OnSite MultiCam Remote 1024x768
DTT OnSite Remote ViewLog
EducateU
Games, Music, & Photos Launcher
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
GeoVision ADPCM
GeoVision H264
GeoVision JPEG
GeoVision MPEG2
GeoVision MPEG4
GeoVision MPEG4 ASP
GeoVision MPEG4 AVC
Get High Speed Internet!
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 4.0.0.320
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
Internet Service Offers Launcher
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 14
kuler
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
mCore
MCU
mDrWiFi
MediaDirect
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office Basic Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (ACT7)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
mIWA
mLogView
mMHouse
Modem Helper
Move Networks Media Player for Internet Explorer
mPfMgr
mPfWiz
mProSafe
MSN
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
Musicmatch for Windows Media Player
mWlsSafe
mWMI
mXML
mZConfig
NetWaiting
NetZeroInstallers
Octoshape add-in for Adobe Flash Player
OutlookAddinSetup
PDF Settings CS4
Photoshop Camera Raw
PL-2303 USB-to-Serial
PowerDVD 5.7
PS-Utility
QuickBooks Pro 2006
QuickSet
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Suite Shared Configuration CS4
Suite Specific
Synaptics Pointing Device Driver
TightVNC 1.3.10
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URL Assistant
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebCyberCoach 3.2 Dell
WebEx
WebFldrs XP
Windows Defender
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

7/9/2010 5:12:51 PM, error: WinDefend [1008]  - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Alureon.CT&threatid=144991  Scan ID: {4298B169-49A3-44EE-BF3C-E4EB006AF7B0}    Scan Type: AntiMalware  User: SUBWAY\Brian  Name: Trojan:Win32/Alureon.CT  ID: 144991  Severity: Severe  Category: Trojan  Path:   Action: Remove  Error Code: 0x80508025  Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
7/6/2010 5:46:31 PM, error: Dhcp [1002]  - The IP address lease 192.168.1.101 for the Network Card with network address 0018DE3E0F53 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/6/2010 5:41:26 PM, error: Ftdisk [45]  - The system could not sucessfully load the crash dump driver.
7/6/2010 3:28:31 PM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the avg8wd service.
7/6/2010 2:41:12 PM, error: Service Control Manager [7000]  - The vtigercrm4_2 service failed to start due to the following error:  The system cannot find the path specified.
7/6/2010 2:40:54 PM, error: Ftdisk [49]  - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
7/6/2010 11:49:41 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
7/6/2010 11:49:41 AM, error: Service Control Manager [7000]  - The iPod Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
7/6/2010 11:49:40 AM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
7/5/2010 9:43:57 PM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
7/5/2010 7:42:05 AM, error: Dhcp [1002]  - The IP address lease 192.168.0.106 for the Network Card with network address 0018DE3E0F53 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/5/2010 6:22:06 PM, error: WinDefend [3006]  - Windows Defender Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:WinNT/Alureon.H&threatid=145930  Scan ID: {2EBCB016-6D4C-4B9B-BE4F-55D7F7A46AC0}  User: SUBWAY\Brian  Name: Trojan:WinNT/Alureon.H  ID: 145930  Severity: Severe  Category: Trojan  Path:   Alert Type: Spyware or other potentially unwanted software  Action: Remove  Error Code: 0x80508025  Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
7/5/2010 2:43:29 AM, error: Dhcp [1002]  - The IP address lease 192.168.1.101 for the Network Card with network address 0018DE3E0F53 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
7/11/2010 5:00:36 PM, error: Service Control Manager [7000]  - The Application Layer Gateway Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
7/11/2010 4:59:58 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
7/11/2010 4:59:15 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
7/11/2010 4:59:15 PM, error: Service Control Manager [7000]  - The Windows Search service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
7/11/2010 1:06:21 PM, error: NetBT [4321]  - The name "SUBWAY         :0" could not be registered on the Interface with IP address 192.168.1.104. The machine with the IP address 192.168.1.101 did not allow the name to be claimed by this machine.

==== End Of File ===========================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-11 18:53:23
Windows 5.1.2600 Service Pack 3
Running: rtpjdonu.exe; Driver: C:\DOCUME~1\Brian\LOCALS~1\Temp\uxtdypob.sys


---- System - GMER 1.0.15 ----

SSDT            splb.sys                                 ZwEnumerateKey [0xF745BCA2]
SSDT            splb.sys                                 ZwEnumerateValueKey [0xF745C030]

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                   86D671F8

AttachedDevice  \Driver\Tcpip \Device\Ip                 avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp                avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp              avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device           -> \Driver\atapi \Device\Harddisk0\DR0  86B24EC5

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\system32\drivers\atapi.sys    suspicious modification

---- EOF - GMER 1.0.15 ----

 

kevin27_b3d29f

2 Intern

 • 

1.5K Posts

July 11th, 2010 23:00

Hi,

You have a pretty nasty rootkit called TDL3. This can be cleaned but we have a bit of work to do.

Firstly;

Before we continue can I ask you to please read all the information in the link below as it contain information for Peer2Peer programs,
Not only is it illegal to download from P2P and torrent sites it is also a breeding ground for malware and more than likely the reason you were infected.
It would be futile to try and remove any infection on your system all the time P2P programs are installed.

Perils of P2P File Sharing

Then i need you to go to:

  • Start (windows icon bottom left corner of screen)
  • Control panel
  • Add/Remove programs
  • look for
    • Vuze
  • Uninstall
  • Reboot PC

Then please uninstalll anything else running on the machine that may relate to P2P files sharing or cracked Software.

Next we need to disable Spybot's Teatimer function as it is renowned for interfering with the tools we use.

Please disable Teatime:
Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
•    On the left hand side, click on Tools, then click on the Resident Icon in the list.
•    Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
•    Click on the "System Startup" icon in the List
•    Uncheck the "TeaTimer" box and "OK" any prompts.
•    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
•    Exit Spybot S&D when done.
•    (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]

 
I dont think that the full TDL3 infection has shown it's self yet and would like to run a second anti rootkit scan.

  • Please download Rootkit Unhooker and save it to your desktop.
  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • This log may be very large so please attach it in your next reply.

 

Note** you may get the following warning. It is ok, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Please post the RKUnhooker log back to me along with confirmation that you have disabled Teatimer and remover all P2P programs.

Thanks,
K27

 

subman123

25 Posts

July 12th, 2010 08:00

Okay I removed VUZE and turned spybot to advanced mode, unchecked the resident "Tea Timer", but under the "system startup" icon I couldn't find a "tea timer" box to uncheck.  This is a list of all process started when I  boot my computer right?  I've run the rootkit unhooked and have attached the log here.  Thank you again for your help!

http://en.community.dell.com/cfs-file.ashx/__key/CommunityServer.Discussions.Components.Files/3521/0083.Report.txt

kevin27_b3d29f

2 Intern

 • 

1.5K Posts

July 12th, 2010 12:00

Hi subman123

RKUnhooker showed us what we needed to see, please proceed as follow's

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)

 

Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:

Combo-fix MUST be save to your desktop before running the tool

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

When prompted to install the recovery console please make sure to do so as the is a VERY IMPORTANT backup of Combo-fix XP only

You will need to be conected to the net to install the recovery console, if you can not install it DO NOT run Combo-Fix,
Post back and we will install it manually.

DO NOT mouse click when Combo-Fix is running as this will cause Combo-Fix to Stall and it will not work as it should

Please include the C:\ComboFix.txt in your next reply for further review.

Thanks,
K27.

 

subman123

25 Posts

July 13th, 2010 08:00

Well, I tried to follow the directions on bleepingcomputer.com and during the recovery console installation it failed.  Unfortunately, I was reading the directions there  which told me that if it failed to please allow ComboFix to continue with the scan.  So I did this, but in your directions I see now that I shouldn't have done that?  I hope I didn't mess anything up too much.  Attached is my combofix log.http://en.community.dell.com/cfs-file.ashx/__key/CommunityServer.Discussions.Components.Files/3521/1882.combofix.txt

kevin27_b3d29f

2 Intern

 • 

1.5K Posts

July 13th, 2010 14:00

Hi Subman123,

ComboFix done a very good job for us but we still have a few more run's at this before you will be clean. But we need to get the Recovery Console installed before we continue. It's a very important part of ComboFix and needs to be installed.

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.

---------------------------------------------------------------------

Save the file to your Desktop.

--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

RC1-4.gif

 

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

     

    RC2-1.png

     

  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

Thanks,
K27.

 

subman123

25 Posts

July 13th, 2010 15:00

So I have yet to complete your last instructions because I've noticed that after combofix ran the first time it looks as if it erased all my files.  Should I do a system restore to try to bring them back or are my files just somewhere that i'm not looking?  I have some backed up to a flash drive but not all.

kevin27_b3d29f

2 Intern

 • 

1.5K Posts

July 13th, 2010 16:00

Hi subman123,

Please DO NOT do a system restore. Please reboot the system and then see if you can access the files. The files are there but they may be hidden.

Also what files exactly are missing or is it all of them?

kevin27_b3d29f

2 Intern

 • 

1.5K Posts

July 13th, 2010 16:00

Hi,

I need to see a txt file that combofix has created with a list of everything it has quarantined,

please press the Windows Key on the keyboard (located bottom left of the keyboard with the Windows icon on it) and then please press the "R" key.

In the text box that open's please copy/paste the bolded writing notepad C:\Qoobox\ComboFix-quarantined-files.txt and hit enter.

A notepad file will open, please copy/paste the contents back to me for analysts.

Thanks,
K27.

subman123

25 Posts

July 13th, 2010 18:00

2010-07-13 14:03:03 . 2010-07-13 14:03:03              912 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-WebCyberCoach_wtrb.reg.dat
2010-07-13 14:02:38 . 2010-07-13 14:02:38              160 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Ohicovidogosixa.reg.dat
2010-07-13 14:02:35 . 2010-07-13 14:02:35              374 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\BHO-{D136180C-0E32-4FCA-BECA-721742E1AF20}.reg.dat
2010-07-13 14:02:34 . 2010-07-13 14:02:35              157 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\BHO-{9C81E52A-2BC6-4ADB-8661-7FA7F84BCA33}.reg.dat
2010-07-13 13:28:55 . 2010-07-13 13:28:55            8,827 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-13 12:51:38 . 2010-07-13 13:05:48              102 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2010-07-12 14:22:30 . 2010-07-12 14:22:30          566,784 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0028\~de7b92.tmp.vir
2010-07-12 14:22:30 . 2010-07-12 14:22:30          697,884 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0028\~df394b.tmp.vir
2010-07-12 14:22:21 . 2010-07-12 14:22:21          573,952 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0027\~de7b92.tmp.vir
2010-07-12 14:22:21 . 2010-07-12 14:22:21          697,884 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0027\~df394b.tmp.vir
2010-07-12 12:27:20 . 2010-07-12 12:27:20            4,608 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\i4jdel0.exe.vir
2010-07-11 18:18:54 . 2010-07-11 18:18:37          293,632 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\tyihdoqts\hswkhuwtssd.exe.vir
2010-07-09 21:44:02 . 2010-07-09 21:44:02          566,784 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0026\~de7b92.tmp.vir
2010-07-09 21:44:02 . 2010-07-09 21:44:02          697,884 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0026\~df394b.tmp.vir
2010-07-09 21:43:51 . 2010-07-09 21:43:51          573,952 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0025\~de7b92.tmp.vir
2010-07-09 21:43:50 . 2010-07-09 21:43:50          697,884 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0025\~df394b.tmp.vir
2010-07-05 23:19:48 . 2010-07-05 23:19:50           62,976 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\wzKFNbTJGR.exe.vir
2010-07-05 23:18:40 . 2010-07-05 23:18:40              100 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Application Data\Windows Server\flags.ini.vir
2010-07-05 23:18:40 . 2010-07-05 23:18:40               50 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Application Data\Windows Server\uses32.dat.vir
2010-07-05 23:18:28 . 2010-07-05 23:18:28           25,088 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\exe.exe.vir
2010-03-18 09:56:58 . 2010-03-18 09:56:58        2,743,448 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\TeamViewer\Version5\TeamViewer_.exe.vir
2009-09-06 19:39:40 . 2009-09-06 19:39:40           71,680 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\GLB1C.tmp.vir
2009-09-06 19:37:23 . 2008-12-04 19:51:04          126,976 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\9445535\ywiseext.dll.vir
2009-09-06 19:37:20 . 2009-09-06 19:37:20           71,680 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\GLBF.tmp.vir
2009-03-27 04:03:59 . 2009-03-27 04:03:59           77,824 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\swt-gdip-win32-3448.dll.vir
2009-03-27 04:03:53 . 2009-03-27 04:03:53          335,872 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\swt-win32-3448.dll.vir
2009-03-25 17:06:23 . 2010-07-12 14:22:21           59,964 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\Adobelm_Cleanup.0001.vir
2007-08-24 19:50:26 . 2007-08-24 19:50:26          577,536 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\pft1A.tmp\GeoCodecReg\GeoCodec_ReadOnly.dll.vir
2007-05-22 22:21:35 . 2005-04-07 02:39:06          121,064 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Temp\setFF.tmp.vir
2006-11-29 04:57:23 . 2006-11-29 04:57:38            1,113 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\xpsp1hfm.log.vir
2006-11-29 04:29:04 . 2008-04-13 18:36:38            8,832 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\wmiacpi.sys.vir
2004-08-10 18:51:27 . 2008-04-14 00:12:08          182,272 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\ohosiyuwamoxobuz.dll.vir
2000-10-27 23:23:18 . 2000-10-27 23:23:18           50,688 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\BSZIP.DLL.vir

subman123

25 Posts

July 13th, 2010 18:00

Hi there,

All the files are missing accept for my quickbooks files.  My ACT database is missing, my iTunes music, and a folder that I had with work related PDFs and word docs.  I have that folder backed up but the database I do not.  I've rebooted and no such luck, I still have all my programs, but its like I'm starting fresh on everything.  Ideas?

kevin27_b3d29f

2 Intern

 • 

1.5K Posts

July 13th, 2010 23:00

Hi subman123,

I need you you be as specific as you can on this. Please give me exact file names along with full file path's. for example c:\Users\username\Documents\Some folder\Some File.

I don't need for you to list every file that is missing but just a few.

Thanks,
K27.

Was this post helpful?

View All

No Events found!

Top