
Win32.KillAV-KQ keeps coming back



CrazyMums
2009-04-18, 17:55
My computer has been infected with KillAV-KQ. When I run SpyBot, it finds 6 entries but says it is unable to delete them because they are in use and to restart the computer and run SpyBot again, which I have done several times. When I rerun SpyBot, it doesn't find the files.

I followed the Manual Removal Instructions in this forum but the six registry keys that it says to delete are not in my registry.

As soon as I open Explorer again, I am almost immediately infected again. There were originally no obvious signs that my computer was infected until I went to shut down and it said I had a browser open, but there were no visible browsers open. Since then, I've noticed under processes in task manager that there will be 1 more iexplore process than windows that I have open.

I am not a "technical" person so any help with simple instructions would be greatly appreciated. Thank you.

peku006
2009-04-19, 11:48
Hi CrazyMums

READ this (http://forums.spybot.info/showthread.php?t=288) BEFORE Requesting Assistance

CrazyMums
2009-04-21, 01:48
Sorry for the delay - I really didn't understand how to do this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:51 PM, on 4/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Desktop Alert\desktopalert_1149199.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205704926\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1149199.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.8.3.35/mahjong/mahjong-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.8.3.35/sweettooth/sweettooth-en_US.cab
O16 - DPF: Word Craft by pogo - http://game1.pogo.com/applet-6.8.3.35/babble/babble-en_US.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Filter hijack: text/html - {c9daa9f7-1676-4db4-bc39-7f279d885604} - C:\WINDOWS\system32\dsound3dd.dll
O20 - Winlogon Notify: byxwuur - byxwuur.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://clocks.cruisecritic.com/countdown.pl?name=CrazyMums&date=3-30-2008&image=Beach-8&text=&ship=Carnival Miracle

--
End of file - 8086 bytes
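
Added here as an example (not code from the thread, from HijackThis, or from the helper): a small Python triage pass over a HijackThis v2 log. It parses the "Rn/On - ..." entry lines, flags the entry classes a reviewer looks at first in the log above (the O18 text/html filter, the O20 Winlogon Notify DLL, and any entry marked "(file missing)" or "(no file)"), and counts the duplicated iexplore.exe processes the poster noticed. The embedded sample is a constructed excerpt of lines copied from the log posted above.

```python
"""Triage helper for Trend Micro HijackThis v2 logs (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt: these lines are copied from the HijackThis log above,
# trimmed to a few entries so the example stays short.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O18 - Filter hijack: text/html - {c9daa9f7-1676-4db4-bc39-7f279d885604} - C:\WINDOWS\system32\dsound3dd.dll
O20 - Winlogon Notify: byxwuur - byxwuur.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# An entry line: a section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", details.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. "O18"
    reason: str  # why a reviewer should look at this line
    line: str    # the original log line


def parse_entries(log: str) -> list[tuple[str, str, str]]:
    """Return (code, body, raw_line) for every entry line in the log."""
    out = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m["code"], m["body"], raw.strip()))
    return out


def running_processes(log: str) -> Counter:
    """Count image names listed under 'Running processes:'."""
    counts: Counter = Counter()
    in_block = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not line:  # the block ends at the first blank line
                break
            counts[line.rsplit("\\", 1)[-1].lower()] += 1
    return counts


def triage(log: str) -> list[Finding]:
    """Flag entry classes worth a closer look; at most one finding per line."""
    findings = []
    for code, body, line in parse_entries(log):
        if code == "O18" and body.lower().startswith("filter hijack: text/html"):
            findings.append(Finding(code, "MIME filter on text/html: every HTML page "
                                          "IE renders passes through this DLL", line))
        elif code == "O20" and "Winlogon Notify" in body:
            findings.append(Finding(code, "Winlogon Notify DLL is loaded into "
                                          "winlogon.exe at every logon", line))
        elif any(marker in body for marker in MISSING_MARKERS):
            findings.append(Finding(code, "entry points at a file that no longer exists; "
                                          "stale registration left by a removed component", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
    print("iexplore.exe instances:", running_processes(SAMPLE_LOG)["iexplore.exe"])
```

Flagged entries are starting points for review, not verdicts; the O20 and O3 hits here are stale references to files that are already gone.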

peku006
2009-04-21, 09:04
Hi CrazyMums and welcome to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:


If you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

1 - Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html#)

Double click on ComboFix.exe and follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.

3 - Status Check
Please reply with


1. the ComboFix log (C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006

CrazyMums
2009-04-22, 04:17
peku006,

Before I received your message I had installed and run Avira anti-virus, since the AVG had not allowed me to update and I had no protection, so I ran another HiJackThis log BEFORE the ComboFix just in case you needed it. The first HiJack log is before the ComboFix, then the ComboFix log, and then a new HiJack log. I got several error messages when ComboFix was installing and running, but they disappeared from the screen too quickly to see what they were. My anti-virus software automatically restarted when my computer was rebooted, but ComboFix kept going fortunately. Is it okay to reactivate the anti-virus software now? I would also like to uninstall AVG since I can't update it. Is that okay or should I wait? Thank you so very much and I'm sorry I have so many questions.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:11 PM, on 4/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\AOL\1205704926\ee\AOLSoftware.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Desktop Alert\desktopalert_1149199.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205704926\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1149199.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.8.3.35/mahjong/mahjong-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.8.3.35/sweettooth/sweettooth-en_US.cab
O16 - DPF: Word Craft by pogo - http://game1.pogo.com/applet-6.8.3.35/babble/babble-en_US.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Filter hijack: text/html - {c9daa9f7-1676-4db4-bc39-7f279d885604} - C:\WINDOWS\system32\dsound3dd.dll
O20 - Winlogon Notify: byxwuur - byxwuur.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://clocks.cruisecritic.com/countdown.pl?name=CrazyMums&date=3-30-2008&image=Beach-8&text=&ship=Carnival Miracle

--
End of file - 8440 bytes


ComboFix 09-04-22.02 - Owner 04/21/2009 21:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.197 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ql
c:\program files\screensavers.com
c:\program files\screensavers.com\Installer\bin\iebyterange.xml
c:\program files\screensavers.com\Installer\bin\iebyterange.xml.backup
c:\program files\screensavers.com\Installer\bin\siuninst.exe
c:\program files\screensavers.com\Installer\temp\dm256.tmp
c:\program files\screensavers.com\Wallpaper\swpstart.exe
c:\windows\BMffe08c59.txt
c:\windows\BMffe08c59.xml
c:\windows\cookies.ini
c:\windows\patch.exe
c:\windows\system32\besaoqtp.ini
c:\windows\system32\gjjlm.ini
c:\windows\system32\iDlo01
c:\windows\system32\ilkkj.ini
c:\windows\system32\lhclgmyx.ini
c:\windows\system32\poaklpyy.ini
c:\windows\system32\qatjlwce.ini
c:\windows\system32\vqmskyhq.ini
c:\windows\system32\xnexwvid.ini

.
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-22 01:44 . 2009-04-22 01:49 -------- d-----w C:\32788R22FWJFW
2009-04-22 01:35 . 2009-04-22 01:36 -------- d-----w c:\program files\ERUNT
2009-04-21 00:32 . 2009-02-13 15:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-21 00:32 . 2009-04-21 00:32 -------- d-----w c:\program files\Avira
2009-04-21 00:32 . 2009-04-21 00:32 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-16 21:28 . 2009-01-09 19:19 1089593 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-04-16 11:41 . 2009-04-16 11:42 -------- d-----w C:\236588e0be7648a37fb21e40
2009-04-16 11:41 . 2009-04-16 21:25 -------- d-----w c:\windows\SxsCaPendDel
2009-04-16 11:32 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 11:32 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 11:32 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 11:32 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 11:32 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 11:32 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 11:32 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 11:32 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 11:32 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 11:31 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 11:31 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 11:31 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 02:00 . 2008-03-17 17:10 -------- d-----w c:\documents and settings\Owner\Application Data\AVG7
2009-04-22 01:44 . 2009-04-22 01:44 1095 ----a-w C:\Bug.txt
2009-04-21 23:07 . 2006-12-07 01:08 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-21 21:42 . 2007-02-08 22:44 3912224 ----a-w C:\VETlog.txt
2009-04-21 21:42 . 2007-02-08 22:44 94987 ----a-w C:\VETlog.dmp
2009-04-11 18:04 . 2008-04-09 22:16 -------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-04-01 11:37 . 2006-12-07 01:13 -------- d-----w c:\program files\Java
2009-03-12 10:12 . 2008-03-15 18:50 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-09 09:19 . 2008-12-02 23:31 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2002-08-04 01:45 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2002-07-24 07:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-03-15 05:20 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2002-07-24 07:05 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-03-15 04:26 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2002-08-04 01:43 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2002-07-24 07:05 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2002-08-04 01:46 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2001-08-17 20:48 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2002-08-04 01:46 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2002-08-04 01:45 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2002-08-04 01:46 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2002-08-04 01:46 56832 ----a-w c:\windows\system32\secur32.dll
2008-03-28 20:57 . 2008-03-28 20:57 128 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2008-03-17 15:57 . 2007-04-04 21:16 37032 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-02-07 04:2008-03-15 05:58 05:20 . c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-08-02 14:05 . 2008-08-02 14:06 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080220080803\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 155648]
"DDCM"="c:\program files\WildTangent\DDC\DDCManager\DDCMan.exe" [2002-06-08 122880]
"DDCActiveMenu"="c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" [2002-06-08 86016]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"HostManager"="c:\program files\Common Files\AOL\1205704926\ee\AOLSoftware.exe" [2006-09-26 50736]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-25 590848]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2002-05-04 364544]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-04-09 219136]

c:\documents and settings\LogMeInRemoteUser\Start Menu\Programs\Startup\
AutoTBar.exe [2002-5-30 40960]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Desktop Alert.lnk - c:\program files\Desktop Alert\desktopalert_1149199.exe [2003-8-26 327680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
hp center.lnk - c:\program files\hp center\137903\Program\BackWeb-137903.exe [2002-7-24 16384]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BMffe08c59"=Rundll32.exe "c:\windows\system32\uduvvini.dll",s
"fcd3bfc5"=rundll32.exe "c:\windows\system32\xymglchl.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"c:\\kav\\kis\\setup.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]

.
Contents of the 'Scheduled Tasks' folder

2009-04-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-23 20:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-byxwuur - byxwuur.dll


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Mah Jong Garden by pogo - hxxp://game1.pogo.com/applet-6.8.3.35/mahjong/mahjong-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Sweet Tooth TM by pogo - hxxp://game1.pogo.com/applet-6.8.3.35/sweettooth/sweettooth-en_US.cab
DPF: Word Craft by pogo - hxxp://game1.pogo.com/applet-6.8.3.35/babble/babble-en_US.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pggeg19i.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 22:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2781504589-665485730-1614765859-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-2781504589-665485730-1614765859-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\America Online - crazymums@aol.com]
"MessageCount"=dword:00000167
"TimeStamp"=hex:e8,6c,e2,f8,e6,c2,c9,01
"Application"="\"c:\\Program Files\\America Online 9.0\\waol.exe\" -ncrazymums -u\"aol://1722:mailbox\""

[HKEY_USERS\S-1-5-21-2781504589-665485730-1614765859-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\AOL - crazymums@aol.com]
"MessageCount"=dword:0000016a
"TimeStamp"=hex:88,c6,14,37,4a,88,c8,01
"Application"="\"c:\\Program Files\\AOL 9.0\\waol.exe\" -ncrazymums -u\"aol://1722:mailbox\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2584)
c:\docume~1\Owner\LOCALS~1\Temp\IadHide3.dll
c:\program files\Desktop Alert\BugEx.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\wanmpsvc.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-22 22:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 02:06

Pre-Run: 46,045,609,984 bytes free
Post-Run: 46,132,858,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

216 --- E O F --- 2009-04-17 02:33


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:21 PM, on 4/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\AOL\1205704926\ee\AOLSoftware.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Desktop Alert\desktopalert_1149199.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205704926\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1149199.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.8.3.35/mahjong/mahjong-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.8.3.35/sweettooth/sweettooth-en_US.cab
O16 - DPF: Word Craft by pogo - http://game1.pogo.com/applet-6.8.3.35/babble/babble-en_US.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://clocks.cruisecritic.com/countdown.pl?name=CrazyMums&date=3-30-2008&image=Beach-8&text=&ship=Carnival Miracle

--
End of file - 8330 bytes

peku006
2009-04-22, 09:24
Hi

Is it okay to reactivate the anti-virus software now? I would also like to uninstall AVG since I can't update it
Yes, you can reactivate anti-virus software and uninstall AVG now...........

1 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to a convenient location.
Double click on mbam-setup.exe to install it.
Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
Select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as it is and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items except items in the System Volume Information folder and click on Remove Selected.

http://i35.photobucket.com/albums/d165/ndmmxiaomayi/mayi/mbam1.png

After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

2 - Status Check
Please reply with

1. the Malwarebytes' Anti-Malware Log

Thanks peku006

CrazyMums
2009-04-23, 04:51
Malwarebytes' Anti-Malware 1.36
Database version: 2029
Windows 5.1.2600 Service Pack 3

4/22/2009 10:50:03 PM
mbam-log-2009-04-22 (22-50-03).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 212517
Time elapsed: 42 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9daa9f7-1676-4db4-bc39-7f279d885604} (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dsound3dd.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

peku006
2009-04-23, 08:41
Hi CrazyMums

Looking good :)
Let's make sure we got everything

1 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Click Exit on the Main menu to close the program


2 - Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the Kaspersky online scanner report
2. a fresh HijackThis log
How's the computer running now? Any problems?

Thanks peku006

CrazyMums
2009-04-24, 06:42
How's the computer running now? Any problems?


Hi Peku,

I am no longer showing extra iexplore processes in Task Manager and no longer get the browser open message on shutdown/restart. :) I am however getting a DDCMan error message on shutdown/restart but that has always been there. Yesterday, Avira anti-virus popped up several threat detections for several WildTangent files infected with Trojans. Today the popup threats were for Sam's Club files. I don't use either of these and will attempt to uninstall them when we are finished. Something must have changed in Firefox during one of the reports too. I can no longer open up the SpyBot webpage through Firefox and I always have. Here are the two reports. Thank you so much.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, April 24, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, April 24, 2009 02:49:35
Records in database: 2073708
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 125845
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:53:37


File name / Threat name / Threats count
C:\POGO GAME INSTALLS\Tri_Peaks_Solitaire_2-setup.exe Infected: Trojan.Win32.Inject.hrj 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:26 AM, on 4/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\AOL\1205704926\ee\AOLSoftware.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Desktop Alert\desktopalert_1149199.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1205704926\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1149199.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.8.3.35/mahjong/mahjong-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.8.3.35/sweettooth/sweettooth-en_US.cab
O16 - DPF: Word Craft by pogo - http://game1.pogo.com/applet-6.8.3.35/babble/babble-en_US.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://clocks.cruisecritic.com/countdown.pl?name=CrazyMums&date=3-30-2008&image=Beach-8&text=&ship=Carnival Miracle

--
End of file - 8380 bytes

peku006
2009-04-24, 09:42
Hi CrazyMums
Looks good, but there are still one or two things to do.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file
C:\POGO GAME INSTALLS\Tri_Peaks_Solitaire_2-setup.exe

It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:

Avira AntiVir
AVG7

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove one of them.



I am however getting a DDCMan error message on shutdown/restart but that has always been there
What kind of "DDCMan error message" is it (what does it say)?

Yesterday, Avira anti-virus popped up several threat detections for several WildTangent files infected with Trojans. Today the popup threats were for Sam's Club files. I don't use either of these and will attempt to uninstall them when we are finished
You can uninstall them both now.

I can no longer open up the SpyBot webpage through Firefox and I always have
Is it the only page which does not open?

Thanks peku006

CrazyMums
2009-04-25, 02:27
Hi Peku,

The file C:\POGO GAME INSTALLS\Tri_Peaks_Solitaire_2-setup.exe has been deleted.

AVG7 has been successfully uninstalled. The only reason I installed Avira was because installation failed trying to update to AVG 8.5. I have read that many were unable to uninstall the AVG7 and I hadn't tried it yet, but it did work. In a week or so, I may try to install the AVG 8.5 again and remove the Avira but right now, this computer is giving me white hairs.

The DDCMan error message doesn't stay on the screen long enough to get the complete message, but on the message bar it says:

DDCMAN.exe - Application Error

and in the message box:

instruction at 0x774fdf1b at 0x00000008 memory failed (then I lose it)

The DDCMAN file is in the Windows\Prefetch folder and I did notice that it shows it was modified about the same time that I uninstalled the WildTangent games so it may have taken care of itself.

When trying to uninstall the Sam's Club software and another called Five Roses Casino, it tells me it can't find the file to uninstall. Is it safe to just find the folders through Explore in the Start Menu and delete them?

Firefox will not let me open the main spybot page, and this only since the actions we took yesterday. It does seem to open everything else but now isn't loading the pages properly and is telling me to download tremendous amounts of plug-ins. Is this safe? Firefox does, however, open every other website I have tried, including various anti-virus sites. I am able to get to the spybot page with Firefox by using the direct link to the forums. Strange.

I did have a very unusual problem tonight though, one that I have never had before. Every time I tried to open up the program tab on the start menu, to view the programs that I had on the computer, my computer froze up. The only way to get out of the freeze was to shutdown through task manager. This happened at least 5 times. Each time it said "Application failed to initialize" and then the message disappeared. It seems to be fine now so I am clueless as to what the problem was.

I feel like I'm forgetting something but can't think of anything else right now. Thank you again.

peku006
2009-04-25, 14:55
Hi CrazyMums
we can start with DDCMan......

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:regfind
DDCMAN.exe

:filefind
DDCMAN
HKLM\software\microsoft\windows nt\currentversion\drivers32


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt


When trying to uninstall the Sam's Club software and another called Five Roses Casino, it tells me it can't find the file to uninstall. Is it safe to just find the folders through Explore in the Start Menu and delete them?
I'm not sure, I need to see the uninstall list first.
Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Firefox will not let me open the main spybot page, and this only since the actions we took yesterday. It does seem to open everything else but now isn't loading the pages properly and is telling me to download tremendous amounts of plug-ins. Is this safe? Firefox does, however, open every other website I have tried, including various anti-virus sites. I am able to get to the spybot page with Firefox by using the direct link to the forums. Strange.
Some plug-ins are required. What version of Firefox are you using?

Please reply with

the uninstall list
the SystemLook.txt

Thanks peku006

CrazyMums
2009-04-25, 18:50
SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 12:28 on 25/04/2009 by Owner (Administrator - Elevation successful)

========== regfind ==========

Searching for "DDCMAN.exe"
No data found.

========== filefind ==========

Searching for "DDCMAN"
No files found.

Searching for "HKLM\software\microsoft\windows nt\currentversion\drivers32"
No files found.

-=End Of File=-

Uninstall List

ABBYY FineReader 5.0 Sprint
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
AOL Toolbar 5.0
AOL Uninstaller (Choose which Products to Remove)
ArcSoft Software Suite
Avira AntiVir Personal - Free Antivirus
CCleaner (remove only)
Critical Update for Windows Media Player 11 (KB959772)
Detto IntelliMover Demo
DLA
easy Internet sign-up
ERUNT 1.1j
FaxTools
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
hp center
HP Instant Support
HP Memories Disc
HP Photo and Imaging 1.1 - Photosmart Cameras
hp toolkit
Inactive HP Printer Drivers (Remove only)
Intel(R) 845G Chipset Graphics Driver Software
InterVideo WinDVD
Java(TM) 6 Update 13
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Kaspersky Online Scanner
Lernout & Hauspie TruVoice American English TTS Engine
Lexmark X1100 Series
LiveReg (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Lottso! Deluxe
Mahjong Garden Deluxe
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.9)
MSXML 6.0 Parser (KB933579)
MUSICMATCH Jukebox
NVIDIA Windows 2000/XP Display Drivers
Operation Mania
PC-Doctor for Windows
PICTUREKA! MUSEUM MAYHEM
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken Financial Center
RecordNow
RecordNow Update Manager
S3Display
S3Gamma2
S3Info2
S3Overlay
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Spybot - Search & Destroy
The Poppit! Show
Tri Peaks 2 Quest For The Ruby Ring
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
Word Riot Deluxe
WordPerfect Productivity Pack
WordPerfect Productivity Pack

Firefox is Version 3.0.9.

Earlier this morning, Avira ran its scheduled scan. It found 31 viruses! Why do they keep showing up? Or should I not be concerned? Most seem to be in programs that either haven't been used for years or were never used. What concerns me most, though, is that some were in the System Volume files. Here is the report log of that scan:



Avira AntiVir Personal
Report file date: Saturday, April 25, 2009 08:38

Scanning for 1361795 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MINE

Version information:
BUILD.DAT : 9.0.0.387 17962 Bytes 3/24/2009 11:04:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 16:13:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 14:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 15:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 16:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 00:33:26
ANTIVIR2.VDF : 7.1.3.63 1588224 Bytes 4/16/2009 00:33:31
ANTIVIR3.VDF : 7.1.3.92 103424 Bytes 4/22/2009 00:33:18
Engineversion : 8.2.0.148
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 21:36:42
AESCRIPT.DLL : 8.1.1.75 373113 Bytes 4/22/2009 00:33:38
AESCN.DLL : 8.1.1.10 127348 Bytes 4/22/2009 00:33:37
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 22:24:41
AEPACK.DLL : 8.1.3.14 397685 Bytes 4/22/2009 00:33:37
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 00:01:56
AEHEUR.DLL : 8.1.0.119 1724791 Bytes 4/22/2009 00:33:36
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 00:01:56
AEGEN.DLL : 8.1.1.36 340341 Bytes 4/22/2009 00:33:34
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 18:32:40
AECORE.DLL : 8.1.6.9 176500 Bytes 4/22/2009 00:33:32
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 18:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 12:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 14:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 18:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 14:32:09
AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 11:52:24
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 14:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 19:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 12:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 14:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 15:45:45
RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 19:55:12

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Saturday, April 25, 2009 08:38

Starting search for hidden objects.
'76033' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'aolwbspd.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'shellmon.exe' - '1' Module(s) have been scanned
Scan process 'waol.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wanmpsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'desktopalert_1149199.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'lxbkbmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'lxbkbmgr.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
35 processes with 35 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '60' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Program Files\HPSelect\Cluefinders Math\cfm.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\Cluefinders Search & Solve Adventures\cfsearch.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\Cluefinders Search & Solve Adventures\CFSHELP.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\frontend\uninstall.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\frontend\Installers\installer.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\frontend\thirdparty\thirdparty.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\Kid Pix Deluxe 3\KdpxManual.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\LilBear\help.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\Mavis12\manual.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\Mavis12\Typing1h.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\ps12\thirdparty\thirdparty.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\Reader Rabbit I Can Read! With Phonics\help.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\Reader Rabbit I Can Read! With Phonics\irj.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\Reader Rabbit I Can Read! With Phonics\rrr.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\HPSelect\Scooby\Sdreadme.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP286\A0033464.dll
[DETECTION] Is the TR/ExeDot.EN Trojan
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP294\A0034472.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.21845.K Trojan
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP294\A0034473.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.21845.K Trojan
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP294\A0034474.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.HMI Trojan
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP294\A0034475.exe
[DETECTION] Is the TR/Agent.1503232.B Trojan
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP294\A0034477.exe
[DETECTION] Contains recognition pattern of the DR/Keenval.1.B dropper
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP295\A0034512.dll
[DETECTION] Is the TR/ExeDot.FH Trojan
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP295\A0034513.dll
[DETECTION] Is the TR/ExeDot.FH Trojan
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP295\A0034514.dll
[DETECTION] Is the TR/ExeDot.EN Trojan
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP295\A0034515.dll
[DETECTION] Is the TR/ExeDot.EN Trojan
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP299\A0034900.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP299\A0034901.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP299\A0034902.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
Begin scan in 'D:\' <HP_RECOVERY>
D:\I386\APPS\APP04664\App04664.exe
[0] Archive type: ZIP SFX (self extracting)
--> hp/tmp/src/Setup/bfix.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
D:\I386\APPS\APP14771\App14771.exe
[0] Archive type: ZIP SFX (self extracting)
--> hp/tmp/Desktop.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
--> hp/tmp/hp learning adventure.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan

Beginning disinfection:
C:\Program Files\HPSelect\Cluefinders Math\cfm.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a6036f1.qua'!
C:\Program Files\HPSelect\Cluefinders Search & Solve Adventures\cfsearch.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a6636f2.qua'!
C:\Program Files\HPSelect\Cluefinders Search & Solve Adventures\CFSHELP.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a4636d2.qua'!
C:\Program Files\HPSelect\frontend\uninstall.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a5c36fa.qua'!
C:\Program Files\HPSelect\frontend\Installers\installer.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a6636fa.qua'!
C:\Program Files\HPSelect\frontend\thirdparty\thirdparty.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a5c36f4.qua'!
C:\Program Files\HPSelect\Kid Pix Deluxe 3\KdpxManual.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a6336f0.qua'!
C:\Program Files\HPSelect\LilBear\help.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a5f36f1.qua'!
C:\Program Files\HPSelect\Mavis12\manual.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a6136ed.qua'!
C:\Program Files\HPSelect\Mavis12\Typing1h.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a633705.qua'!
C:\Program Files\HPSelect\ps12\thirdparty\thirdparty.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4957157d.qua'!
C:\Program Files\HPSelect\Reader Rabbit I Can Read! With Phonics\help.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '49552d32.qua'!
C:\Program Files\HPSelect\Reader Rabbit I Can Read! With Phonics\irj.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a5d36fe.qua'!
C:\Program Files\HPSelect\Reader Rabbit I Can Read! With Phonics\rrr.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a6536fe.qua'!
C:\Program Files\HPSelect\Scooby\Sdreadme.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a6536f0.qua'!
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP286\A0033464.dll
[DETECTION] Is the TR/ExeDot.EN Trojan
[NOTE] The file was moved to '4a2336bc.qua'!
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP294\A0034472.exe
[NOTE] The file was moved to '492c7415.qua'!
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP294\A0034473.exe
[NOTE] The file was moved to '49596475.qua'!
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP294\A0034474.exe
[NOTE] The file was moved to '4a2336bd.qua'!
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP294\A0034475.exe
[DETECTION] Is the TR/Agent.1503232.B Trojan
[NOTE] The file was moved to '49326486.qua'!
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP294\A0034477.exe
[DETECTION] Contains recognition pattern of the DR/Keenval.1.B dropper
[NOTE] The file was moved to '49337cce.qua'!
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP295\A0034512.dll
[DETECTION] Is the TR/ExeDot.FH Trojan
[NOTE] The file was moved to '493647e6.qua'!
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP295\A0034513.dll
[DETECTION] Is the TR/ExeDot.FH Trojan
[NOTE] The file was moved to '49354f9e.qua'!
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP295\A0034514.dll
[DETECTION] Is the TR/ExeDot.EN Trojan
[NOTE] The file was moved to '4a2336be.qua'!
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP295\A0034515.dll
[DETECTION] Is the TR/ExeDot.EN Trojan
[NOTE] The file was moved to '493bbe0f.qua'!
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP299\A0034900.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '493aa6c7.qua'!
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP299\A0034901.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a2336bf.qua'!
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP299\A0034902.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a2336c1.qua'!
D:\I386\APPS\APP04664\App04664.exe
[NOTE] The file was moved to '4be13786.qua'!
D:\I386\APPS\APP14771\App14771.exe
[NOTE] The file was moved to '4a633729.qua'!


End of the scan: Saturday, April 25, 2009 12:13
Used time: 1:11:15 Hour(s)

The scan has been done completely.

8664 Scanned directories
487364 Files were scanned
31 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
30 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
487331 Files not concerned
19925 Archives were scanned
2 Warnings
32 Notes
76033 Objects were scanned with rootkit scan
0 Hidden objects were found

At this point, you're probably wishing you never responded to my thread, but I really do appreciate your help :) If I am overstepping the line and asking you too many questions, please just let me know. It seems that you have miraculously fixed my initial problems.

Unfortunately, I will be leaving town very early tomorrow morning and not returning until May 2. Will this thread be archived in my absence due to lack of activity? Thank you :)

peku006
2009-04-26, 08:46
Hi CrazyMums

Those viruses which Avira found have been moved, except those which are in System Restore and inactive.
I will give you instructions later on how to empty it.


When trying to uninstall the Sam's Club software and another called Five Roses Casino, it tells me it can't find the file to uninstall. Is it safe to just find the folders through Explorer in the Start Menu and delete them?
Yes, you can delete the folders because they do not appear on the uninstall list. Likewise, you can also delete DDCMAN.exe if you had removed (de-installed) the WildTangent software.

Disable and Enable System Restore - WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
1. On the Desktop, right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check Turn off System Restore.
5. Click Apply, and then click OK.
6. Reboot.

Turn ON System Restore
1. On the Desktop, right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. UN-Check *Turn off System Restore*.
5. Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

any problems left? :D:

Thanks peku006
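The distinction peku006 draws above (hits inside System Restore points are dormant copies that only the restore-point flush removes, while hits elsewhere are live files) is easy to check mechanically against a report of the kind CrazyMums posted. The following is an added example written for this thread, not a tool from Spybot, Avira or the forum: it parses an Avira-style report (a file path line, optional `[0] Archive type` and `-->` member lines, then `[DETECTION]` lines) and groups the detections by where the flagged file lives. The report excerpt, the `TR/Example.*` detection names and the `{GUID-PLACEHOLDER}` restore-folder name are constructed for the example.

```python
"""Group antivirus report detections by where the flagged file lives.

Added illustration for this thread (not a Spybot, Avira or forum tool).
An Avira-style report lists a file path followed by one or more
[DETECTION] lines, with archive members introduced by '-->'. Hits under
'System Volume Information\\_restore' are copies held in System Restore
points: they cannot run unless a restore is performed, which is why the
remedy is to flush the restore points. Hits elsewhere are live files.
"""
import re
from collections import Counter

# Constructed sample modelled on the report layout in the thread.
SAMPLE_REPORT = """\
Begin scan in 'C:\\' <HP_PAVILION>
C:\\Program Files\\Example\\help.exe
  [DETECTION] Is the TR/Example.Gen Trojan
C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP294\\A0000001.exe
  [0] Archive type: NSIS
  --> [PluginsDir]/utility.dll
      [DETECTION] Is the TR/Example.Pkg Trojan
C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP295\\A0000002.dll
  [DETECTION] Is the TR/Example.Dll Trojan
Begin scan in 'D:\\' <HP_RECOVERY>
D:\\I386\\APPS\\APP00001\\App00001.exe
  [0] Archive type: ZIP SFX (self extracting)
  --> hp/tmp/Desktop.exe
      [DETECTION] Is the TR/Example.Gen Trojan
  --> hp/tmp/other.exe
      [DETECTION] Is the TR/Example.Gen Trojan
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a line that names a scanned file
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore", re.IGNORECASE)


def classify(path):
    """Where a flagged file lives decides how urgent it is."""
    if RESTORE_RE.search(path):
        return "restore-point"       # dormant copy; cleared by resetting System Restore
    if path.upper().startswith("D:\\I386\\"):
        return "recovery-partition"  # vendor recovery image, not executed in normal use
    return "live"                    # present in the running system


def parse_report(text):
    """Return (path, archive_member_or_None, detection_text, location) tuples."""
    hits, path, member = [], None, None
    for raw in text.splitlines():
        line = raw.strip()           # the report indents sub-lines; indentation is not significant
        if PATH_RE.match(line):
            path, member = line, None
        elif line.startswith("-->"):
            member = line[3:].strip()
        elif line.startswith("[DETECTION]") and path is not None:
            name = line[len("[DETECTION]"):].strip()
            hits.append((path, member, name, classify(path)))
    return hits


def summarize(text):
    """Count detections per location class."""
    return Counter(hit[3] for hit in parse_report(text))


if __name__ == "__main__":
    for path, member, name, where in parse_report(SAMPLE_REPORT):
        target = path if member is None else f"{path} -> {member}"
        print(f"{where:18} {name:32} {target}")
    print(dict(summarize(SAMPLE_REPORT)))
```

Run against a real report, the `live` bucket is the one that needs attention; the `restore-point` bucket is what the System Restore off/on procedure above clears.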

CrazyMums
2009-04-26, 11:22
Good Morning Peku,

Sam's Club and Five Roses successfully deleted!

DDCMan.exe file deleted with no problems.

System Restore turned off, rebooted, and turned back on.


any problems left?

System Restart with no errors! And there don't seem to be any problems or more questions if you can believe it.

I will be leaving town in about 30 minutes (returning May 2) and my computer will be getting a much deserved rest.

I can't even begin to thank you for all the time you so unselfishly gave to get me through this, and also for all your patience with my lack of knowledge of all this technical stuff and walking me through this. Your knowledge amazes me and the time you spend sharing that knowledge is also a true blessing. We are fortunate to have you and others like you so willing to help.

Thank you so very, very much :flowers:

CrazyMums

peku006
2009-04-26, 12:02
Hi CrazyMums

Congratulations, your log looks clean! :Yahoo:

To remove all of the tools we used and the files and folders they created do the following:
Delete SystemLook from your desktop

Uninstall ComboFix:

Click START, then RUN.
Now type Combofix /u in the Run box and click OK.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

Install SpyWare Blaster 4.0
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.


Happy safe surfing! :bigthumb:
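To make the HOSTS-file recommendation concrete, here is an added example (my code, not the MVPS project's or the forum's) that parses HOSTS-file text in the layout such a file uses (comment lines, blank lines, an address followed by one or more hostnames, inline comments) and reports which names the file sinkholes. The sample content and the `.invalid` hostnames are constructed for the example. It treats 0.0.0.0 as a sinkhole alongside the 127.0.0.1 the post describes; that is my generalization, not something the post states.

```python
"""Check which hostnames a HOSTS file redirects to the local machine.

Added illustration for this thread (not the MVPS project's own code).
Windows consults the HOSTS file before asking DNS, so a line mapping a
hostname to 127.0.0.1 sends that host's traffic to the local computer
instead of the real server, which is how the MVPS file blocks ad sites.
"""

# Constructed sample in the layout the MVPS file uses; hostnames are placeholders.
SAMPLE_HOSTS = """\
# Copyright line and instructions appear here as comments
127.0.0.1 localhost

#start of blocked entries
127.0.0.1  ads.example-tracker.invalid  #[Example tracker]
127.0.0.1  banners.example-adnet.invalid www.example-adnet.invalid
0.0.0.0    stats.example-beacon.invalid
"""

# Addresses that never leave the local machine (0.0.0.0 and ::1 are my
# generalization beyond the 127.0.0.1 the post mentions).
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Map each hostname (lower-cased) to the address the HOSTS file assigns it."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including inline ones
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                         # malformed: an address with no hostname
        address, names = parts[0], parts[1:]
        for name in names:
            table[name.lower()] = address    # a later line overrides an earlier one
    return table


def is_blocked(table, hostname):
    """True when the HOSTS file would redirect hostname to a sinkhole address."""
    return table.get(hostname.lower().rstrip(".")) in SINKHOLES


def blocked_hosts(table):
    """Every hostname the file sinkholes, excluding the loopback name itself."""
    return sorted(h for h, a in table.items() if a in SINKHOLES and h != "localhost")


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.invalid", "WWW.Example-AdNet.invalid",
                 "www.safer-networking.org"):
        state = "blocked" if is_blocked(hosts, name) else "not in HOSTS"
        print(f"{name}: {state}")
    print(blocked_hosts(hosts))
```

Pointing `parse_hosts` at the contents of `C:\WINDOWS\system32\drivers\etc\hosts` after installing the MVPS file shows exactly which names will be sent to 127.0.0.1; a hostname that is not in the table is resolved by DNS as usual.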

peku006
2009-05-03, 17:12
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.