Can't even do "Before you Post" - this PC is HOSED!
kylepete
2009-04-24, 02:27
Hello,
and HELP! My parents have (as they often do) enlisted my help to diagnose/repair their home PC. The current problem, however, boggles even my self-proclaimed computer savvy mind!
I've read through the "Before you Post" post, and attempted to do the things called out therein - and am stumped, as I will explain eventually. First, let me provide some background.
1) IE has been hijacked. Google search provides relevant (and according to the URL, legit) search results. Clicking on any result opens a new window with some other search engine providing more search results for the original query. Firefox does not have this problem - Google searches provide legit results and the results can be clicked to arrive at the appropriate listed page.
2) Windows App "Defrag" will not run.
3) Windows frequently "locks up" and requires a hard reboot.
4) AVG is the only spyware/etc. software app installed (other than built-in Windows security), and the last scan reported multiple problems.
5) On last bootup, in the task bar, the Windows Update shield appeared briefly... it seems that Windows Update might have something that wants to run, but is being suppressed?
6) Haven't really tried any other utilities, but the apparent trend here is that nothing of diagnostic value will run?
Now on to the task of recovery...
1) I downloaded the ERUNT registry backup utility, ran it, and backed up the registry. Success.
2) I downloaded HJTInstall and ran it. It appeared to run (even showed up in the Task Manager List), but didn't fully open, i.e. no window appeared to actually begin install/use of the program.
3) I downloaded spybotsd162 & ran it - it completed install, created program group, etc. but won't "run". Same as HJT, it shows up in the task list but doesn't open up a UI window for scanning.
That's it. I'm going to need some expert guidance here!
Thanks,
Kyle
Hello Kyle,
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
kylepete
2009-04-25, 18:56
Thank you, Blade81,
Results of the script as follows. I'm not overly familiar with this PC, so I don't know if there are any Windows-level script blockers running. Per DDS' instructions, I'm zipping & attaching Attach.txt.
DDS (Ver_09-03-16.01) - NTFSx86
Run by Kim at 10:20:34.79 on Sat 04/25/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.95 [GMT -5:00]
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\desktop weather\desktopweather_858861.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Kim\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.powerball.com/powerball/pb_numbers.asp
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://pages.ebay.com/ebay_toolbar/app/congrats.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: BHO: {abd45510-9b22-41cd-9acd-8182a2da7c63} - c:\windows\system32\iehelper.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\kim\startm~1\programs\startup\deskto~1.lnk - c:\program files\desktop weather\desktopweather_858861.exe
StartupFolder: c:\docume~1\kim\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\printmaster 16\pmremind.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: aol.com\free
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\kim\applic~1\mozilla\firefox\profiles\qyzwcj31.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
============= SERVICES / DRIVERS ===============
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-5-3 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-5-28 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-3 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-9 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-9 298264]
=============== Created Last 30 ================
2009-04-23 18:05 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-23 18:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-17 05:32 118 a------- c:\windows\system32\MRT.INI
2009-04-16 03:13 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-16 03:13 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-16 03:13 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 03:13 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-16 03:13 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 03:13 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 03:13 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-16 03:13 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-16 03:13 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-16 03:11 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 03:11 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-16 03:11 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-11 18:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2009-04-11 18:37 <DIR> --d----- c:\program files\Enlight
2009-04-11 18:17 1,123,696 a------- c:\windows\system32\D3DCompiler_33.dll
2009-04-11 18:04 <DIR> --d----- c:\windows\Logs
2009-04-11 18:04 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-04-11 16:50 <DIR> --d----- c:\docume~1\kim\applic~1\eBay
2009-04-11 16:29 <DIR> --d----- c:\program files\Download Manager
2009-04-11 10:57 43 a------- c:\windows\gswin32.ini
2009-04-05 12:08 <DIR> --d----- c:\program files\GPL Ghostscript 8.54 for Win32
==================== Find3M ====================
2009-04-08 08:30 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-25 09:48 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-25 09:48 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 13:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 06:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 05:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll
2009-01-27 07:39 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2007-05-28 10:15 560 a------- c:\documents and settings\kim\DMOrganizer.dat
2006-03-12 21:39 284 a------- c:\docume~1\kim\applic~1\ViewerApp.dat
============= FINISH: 10:22:18.04 ===============
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This second script scan is after ending the process "TeaTimer." I know I should have done this the first time, but since Spybot appeared to be getting suppressed by something, I thought I'd let it run during the first script scan. My apologies if this is nothing more than a waste of space! :)
DDS (Ver_09-03-16.01) - NTFSx86
Run by Kim at 10:50:15.40 on Sat 04/25/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.107 [GMT -5:00]
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\desktop weather\desktopweather_858861.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Kim\Desktop\dds.scr
============= FINISH: 10:51:17.28 ===============
Thanks for your time & help!
-Kyle
kylepete
2009-04-26, 08:08
My apologies!
AVG has been running nightly for quite some time, and has documented numerous threats! I've done some reading of the forums, and see that "UAC..." is fairly well documented, and is apparently what I have. I've just initiated a full-computer scan via AVG, and already 12 threats have been found - all "UAC..." related. Here is the last-run AVG scan, which documented the previously found & "fixed" "UAC..." threats:
"Scan ""Scheduled scan"" was finished."
"Infections";"18";"9";"9"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Saturday, April 25, 2009, 12:00:02 AM"
"Scan finished:";"Saturday, April 25, 2009, 1:44:23 AM (1 hour(s) 44 minute(s) 21 second(s))"
"Total object scanned:";"533215"
"User who launched the scan:";"SYSTEM"
"Infections"
"File";"Infection";"Result"
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\Program Files\Internet Explorer\iexplore.exe (2608)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (1156)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (1056)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (1252)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (1360)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (1728)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (2392)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (500)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (984)";"Virus identified Win32/Cryptor";""
"C:\Documents and Settings\Kim\Cookies\kim@enhance[2].txt:\enhance.com.378d31e7";"Found Tracking cookie.Enhance";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@hitbox[2].txt";"Found Tracking cookie.Hitbox";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@hitbox[2].txt:\hitbox.com.2b95f8a3";"Found Tracking cookie.Hitbox";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@hitbox[2].txt:\hitbox.com.bbf2a6e8";"Found Tracking cookie.Hitbox";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@mediaplex[1].txt";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@mediaplex[1].txt:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@questionmarket[2].txt";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@questionmarket[2].txt:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@questionmarket[2].txt:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[1].txt";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[1].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[1].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[1].txt:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[1].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[1].txt:\revsci.net.f1b6b2e";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt:\tacoda.net.27341d57";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt:\tacoda.net.5935e89";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt:\tacoda.net.cd7ce44f";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt:\tacoda.net.ed9c50d1";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@zedo[1].txt";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@zedo[1].txt:\zedo.com.27f1639b";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@zedo[1].txt:\zedo.com.a5b6a132";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@zedo[1].txt:\zedo.com.c1dd09f2";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@zedo[1].txt:\zedo.com.cef1c7af";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@zedo[1].txt:\zedo.com.dd15d628";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@zedo[1].txt:\zedo.com.f1d14556";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
======== END OF REPORT ============================
I'll post the results of the latest scan upon completion. Please accept my apologies for not posting this highly relevant information in my first post!
-Kyle
Hi,
Here come further instructions (have TeaTimer disabled).
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds.txt log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
kylepete
2009-04-26, 22:53
Thanks again, Blade81.
I followed the instructions on the link you provided, but to make a long story short, I got the same results as spybot & HJT - combofix showed up in the task manager processes list, but ended after about a minute. I tried running it twice, with the same results. It seems that whatever is infecting me is doing a damned good job of preventing any type of good diagnostic software from running!
I also did some searching around the nets and found an interesting article which gave me some ideas:
http://episteme.arstechnica.com/eve/forums/a/tpc/f/99609816/m/131008727931
The author discusses his encounter with a rootkit, and the steps he took to remove it. The main tool he used was a "disk editor," which allowed him to view the file tree from a low level, unhindered by the malicious software. In this way, he was able to disable the malicious files one by one until they could be detected & removed by his antivirus software (which also happened to be AVG 8, what I'm running).
I downloaded & tried 3 different disk editor programs, with the following results:
1) Acronis DiskDirectorSuite 10.0. Install failed with "E000101F4 : Acronis OS Selector has not found any hard disk drives." I was therefore unable to use this software.
2) DiskEdit by Microsoft, hosted by viennacomputerproducts.com. This standalone exe with associated DLLs attached worked, however I apparently don't have the savvy to use it. It comes with no instructions for how to view a directory tree.
3) HxD Hex Editor. The install package actually worked, and the program ran. Slightly better interface than DiskEdit, however again I lack the savvy to get a directory tree displayed. After opening my root volume, all sectors when viewed in hex showed up as '00 00 00...'. This obviously is not right, which supports my theory that I don't know how to run a disk editor to view directory trees. double :(
The second scan with AVG completed early this morning, I'll post the results below. Other than that, unfortunately, I have no meaningful diagnostics to submit. I'd like some coaching on getting a low-level file tree so that I can post it here, or any other ideas you may have!
On second thought, I'm going to post the results of last night's AVG scan in another posting. Earlier when I tried to export the scan results to file, the computer froze & I had to reboot. Upon bootup, the computer gave me a BSOD. Finally the second bootup held. I've already typed this post twice, so to avoid having to repost a third time, please stand by!
Cheers,
Kyle
kylepete
2009-04-26, 22:56
Didn't hang, imagine that! Here's the scan results from last night:
"Scan ""Scan whole computer"" was finished."
"Infections";"12";"6";"6"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Saturday, April 25, 2009, 11:29:12 PM"
"Scan finished:";"Sunday, April 26, 2009, 12:41:35 AM (1 hour(s) 12 minute(s) 23 second(s))"
"Total object scanned:";"379212"
"User who launched the scan:";"Kim"
"Infections"
"File";"Infection";"Result"
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\Program Files\Internet Explorer\iexplore.exe (3620)";"Virus identified Win32/Cryptor";""
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\WINDOWS\system32\svchost.exe (1156)";"Virus identified Win32/Cryptor";""
"\\?\globalroot\systemroot\system32\UACpirqyppeyvjgdsi.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\Program Files\Internet Explorer\iexplore.exe (444)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (2384)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (868)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (984)";"Virus identified Win32/Cryptor";""
"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Kim\Application Data\Mozilla\Firefox\Profiles\qyzwcj31.default\cookies.sqlite";"Found Tracking cookie.7search";"Healed"
"C:\Documents and Settings\Kim\Application Data\Mozilla\Firefox\Profiles\qyzwcj31.default\cookies.sqlite:\7search.com.5bc4302d";"Found Tracking cookie.7search";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Application Data\Mozilla\Firefox\Profiles\qyzwcj31.default\cookies.sqlite:\7search.com.f2cc2494";"Found Tracking cookie.7search";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@2o7[1].txt";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@2o7[1].txt:\2o7.net.8db3d11e";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@2o7[1].txt:\2o7.net.ca30b7c8";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@2o7[1].txt:\2o7.net.d94baaca";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@ad.yieldmanager[1].txt";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@ad.yieldmanager[1].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@ad.yieldmanager[1].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@ad.yieldmanager[1].txt:\ad.yieldmanager.com.830b6f08";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@ad.yieldmanager[1].txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@adrevolver[2].txt";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@adrevolver[2].txt:\adrevolver.com.9b9d670a";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@adrevolver[2].txt:\adrevolver.com.f6cfcad4";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@advertising[2].txt";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@advertising[2].txt:\advertising.com.203aa218";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@advertising[2].txt:\advertising.com.1820df7a";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@advertising[2].txt:\advertising.com.1dfa2206";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@advertising[2].txt:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@advertising[2].txt:\advertising.com.b624fa46";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@advertising[2].txt:\advertising.com.f62113d5";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@atdmt[1].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@atdmt[1].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@atdmt[1].txt:\atdmt.com.ce59db3e";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@bluestreak[1].txt";"Found Tracking cookie.Bluestreak";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@bluestreak[1].txt:\bluestreak.com.bf396750";"Found Tracking cookie.Bluestreak";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@bs.serving-sys[2].txt";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@bs.serving-sys[2].txt:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@burstnet[1].txt";"Found Tracking cookie.Burstnet";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@burstnet[1].txt:\burstnet.com.c4fe2ebb";"Found Tracking cookie.Burstnet";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@casalemedia[2].txt";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@casalemedia[2].txt:\casalemedia.com.156cbc67";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@casalemedia[2].txt:\casalemedia.com.1773afc";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@casalemedia[2].txt:\casalemedia.com.2d37ad26";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@casalemedia[2].txt:\casalemedia.com.350339d4";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@casalemedia[2].txt:\casalemedia.com.3a28db8d";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@casalemedia[2].txt:\casalemedia.com.80ad4799";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@casalemedia[2].txt:\casalemedia.com.8c65eddd";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@casalemedia[2].txt:\casalemedia.com.987e6b46";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@doubleclick[2].txt";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@doubleclick[2].txt:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@doubleclick[2].txt:\doubleclick.net.ce59db3e";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@enhance[1].txt";"Found Tracking cookie.Enhance";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@enhance[1].txt:\enhance.com.2ff9c31e";"Found Tracking cookie.Enhance";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@enhance[1].txt:\enhance.com.378d31e7";"Found Tracking cookie.Enhance";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@fastclick[1].txt";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@fastclick[1].txt:\fastclick.net.57e8da10";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@fastclick[1].txt:\fastclick.net.6fd479aa";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@fastclick[1].txt:\fastclick.net.8a6435e9";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@fastclick[1].txt:\fastclick.net.fac3d6f0";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@media.adrevolver[1].txt";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@media.adrevolver[1].txt:\media.adrevolver.com.7fd89687";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@questionmarket[2].txt";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@questionmarket[2].txt:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@questionmarket[2].txt:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[2].txt";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[2].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[2].txt:\revsci.net.cb09cf21";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[2].txt:\revsci.net.d7f89994";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[2].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[2].txt:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[2].txt:\revsci.net.63cb6cf0";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[2].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@revsci[2].txt:\revsci.net.f1b6b2e";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@serving-sys[1].txt";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@serving-sys[1].txt:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@serving-sys[1].txt:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@serving-sys[1].txt:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@serving-sys[1].txt:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@serving-sys[1].txt:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@serving-sys[1].txt:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@statse.webtrendslive[1].txt";"Found Tracking cookie.Webtrendslive";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@statse.webtrendslive[1].txt:\statse.webtrendslive.com.b4ca7df0";"Found Tracking cookie.Webtrendslive";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt:\tacoda.net.5935e89";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt:\tacoda.net.27341d57";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt:\tacoda.net.cd7ce44f";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tacoda[2].txt:\tacoda.net.ed9c50d1";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tribalfusion[2].txt";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@tribalfusion[2].txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@zedo[2].txt";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@zedo[2].txt:\zedo.com.27f1639b";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@zedo[2].txt:\zedo.com.a5b6a132";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\Kim\Cookies\kim@zedo[2].txt:\zedo.com.c1dd09f2";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
Hi again,
Please don't try anything outside of instructions I give you.
Rename ComboFix.exe file -> CombFxx.exe and try running renamed file again.
Due to inactivity, this thread will now be closed.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.
If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.