PDA

View Full Version : Internet access slow and spotty, Virtumonde.prx can't be removed.



secretbison
2010-05-09, 10:52
My laptop is still mostly working, but my programs that access the Internet have been unusually slow or nonfunctional. I have checked my connection, both over wireless networks and when I plug an Ethernet cable into the computer directly, and it doesn't seem to be the source of the problem. Even when I can't access the internet at all, the computer still says that it is connected to the Internet. The problem is the same with Firefox, Thunderbird, and Google Chrome.

Spybot S&D is indicating two instances of Virtumonde.prx when I check for problems. When I try to remove them, I get the message that one of them can't be removed without restarting my computer. However, when I allow Spybot to run on the next system startup, I get the same message.

Each time I use Spybot S&D, the second instance of Virtumonde claims to be fixed when I click "fix selected problems" a second time. However, each time I check for problems, Spybot still finds two instances of Virtumonde.

Here is the DDS log. Please let me know if you need anything else. Thanks for your help!

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 2:19:39.54 on Sun 05/09/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.337 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\svcmsdebug.exe
C:\WINDOWS\system32\svcmsv3.exe
C:\WINDOWS\system32\svcmsv4.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
F:\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {825B7EBC-365B-42F0-9844-5C36051799C6} - No File
BHO: GrandBar IE Helper: {84ba8988-33e1-4c89-a150-bf428e8d3213} - c:\program files\grandpack\GrandPack2.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9EA5E767-C0D0-44FD-932E-6206701A2C0C} - No File
BHO: {ABDB4BBF-5624-43BC-B681-106862C06E17} - No File
BHO: {e3be2159-36fd-4014-993d-5de74b6d0047} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Internet Speed Monitor: {17bfcf1a-b579-48a7-9849-719ddd11d340} - c:\program files\grandpack\GrandPack2.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [7498f5a7] rundll32.exe "c:\windows\system32\thvfuccy.dll",b
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205528448609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJDsrpn
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\u849jt16.default\
FF - prefs.js: browser.startup.homepage - hxxp://webmail.cartoonstudies.org/
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll
FF - plugin: c:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R?2 svcmsdebug;svcmsdebug;c:\windows\system32\svcmsdebug.exe [2010-3-22 49152]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\vmlaunch\BuddyVM.sys [2004-12-3 15872]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-17 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 svcmsv32;svcmsv32;c:\windows\system32\svcmsv3.exe [2010-5-3 73728]
R2 svcmsv4;svcmsv4;c:\windows\system32\svcmsv4.exe [2010-5-6 110592]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-3-17 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-3-17 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-3-17 168776]
S3 cpuz132;cpuz132;\??\c:\docume~1\admini~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\admini~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]

=============== Created Last 30 ================

2010-05-07 00:52:22 110592 ----a-w- c:\windows\system32\svcmsv4.exe
2010-05-06 22:15:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Driver Whiz
2010-05-06 21:48:51 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2010-05-06 21:48:51 43904 ----a-w- c:\windows\system32\drivers\sbp2port.sys
2010-05-03 05:54:24 73728 ----a-w- c:\windows\system32\svcmsv3.exe
2010-05-03 05:54:24 114 ----a-w- c:\windows\system32\dct.sys
2010-05-03 05:54:23 76288 ----a-w- c:\windows\system32\module.exe
2010-04-28 04:51:13 0 d-----w- c:\program files\Will
2010-04-24 06:36:10 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-04-24 06:36:10 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-04-24 06:35:42 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2010-04-24 06:35:42 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2010-04-24 06:35:35 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2010-04-24 06:35:35 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2010-04-24 06:35:34 16384 -c--a-w- c:\windows\system32\dllcache\ipsink.ax
2010-04-24 06:35:34 16384 ----a-w- c:\windows\system32\ipsink.ax
2010-04-24 06:35:24 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-04-24 06:35:24 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2010-04-24 06:35:07 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-04-24 06:35:07 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2010-04-24 06:34:35 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-04-24 06:34:35 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2010-04-24 06:34:22 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-04-24 06:34:22 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2010-04-24 06:33:53 91136 -c--a-w- c:\windows\system32\dllcache\kswdmcap.ax
2010-04-24 06:33:53 91136 ----a-w- c:\windows\system32\kswdmcap.ax
2010-04-24 06:33:51 61952 -c--a-w- c:\windows\system32\dllcache\kstvtune.ax
2010-04-24 06:33:51 61952 ----a-w- c:\windows\system32\kstvtune.ax
2010-04-24 06:33:51 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-04-24 06:33:51 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2010-04-24 06:33:48 43008 -c--a-w- c:\windows\system32\dllcache\ksxbar.ax
2010-04-24 06:33:48 43008 ----a-w- c:\windows\system32\ksxbar.ax
2010-04-24 06:33:01 0 d-----w- c:\docume~1\admini~1\applic~1\ManyCam

==================== Find3M ====================

2010-05-08 20:31:08 36696 ----a-w- c:\docume~1\admini~1\applic~1\wklnhst.dat
2010-05-08 19:09:31 13879 ----a-w- c:\windows\system32\tablet.dat
2010-05-02 16:43:32 49152 ----a-w- c:\windows\system32\svcmsdebug.exe
2010-03-19 04:04:08 163840 ----a-w- c:\windows\system32\6liejzuauj.tmp
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 07:04:17 4620 ----a-w- c:\windows\XChange.dat
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-05-13 01:45:20 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-05-13 01:45:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-09-13 17:24:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091320080914\index.dat
2009-05-13 01:45:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
2009-11-27 21:28:22 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-11-27 21:28:22 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-11-27 21:28:22 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 2:21:20.50 ===============

JonTom
2010-05-09, 21:15
Hello secretbison and :welcome:

My name is JonTom.

Malware Logs can sometimes take a lot of time to research and interpret.

Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.

Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.

Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

PLEASE NOTE: If you do not reply after 5 days your thread will be closed.


Please be aware that I am still in training, and all of my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
This may cause a delay in response time, but I will do my best to keep it as short as possible.
I will reply back shortly with instructions.

secretbison
2010-05-09, 21:18
Thank you. It's good to be here. I'll continue to check this thread as well as my private messages.

JonTom
2010-05-11, 00:09
Hello secretbison

Thank you for the log.

Did you run DDS from a flash drive (USB storage device)?

If the answer is yes:


Please download Flash Disinfector


Click here (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fdownload.bleepingcomputer.com%2FsUBs%2FFlash_Disinfector.exe) to download Flash Disinfector and save the file (called Flash_Disinfector.exe) to your desktop.
Double click on the Flash_Disinfector.exe icon to run the program and follow any prompts that may appear.
The program may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so if prompted.
Wait until Flash disinfector has finished scanning and then exit the program.
Reboot your computer.



DeFogger


Please download DeFogger (http://www.jpshortstuff.247fixes.com/Defogger.exe) to your desktop.
Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will appear Click OK DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


Please scan your system with GMER


http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and attach it in your reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Please post the GMER log in your next reply. If you have any trouble running GMER, come back and let me know.

secretbison
2010-05-11, 08:26
I've run Flash Disinfector on my laptop while the thumb drive I'm using was plugged into it. Then I used Defogger and GMER. I've attached the log from the latter. I attached it as a .zip because the original .txt exceeded the file size limit for attachments on this forum.

Let me know if you have any further instructions.

JonTom
2010-05-12, 11:44
Hello secretbison

Thank you for the log.

Please work your way through the following steps:


Combofix


Download ComboFix from one of the following locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216).
Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

secretbison
2010-05-12, 23:59
It appears that Windows Recovery Console installed and ComboFix ran successfully. I've attached the log from ComboFix. (Once again, it's compressed into a .zip because the .txt was too large.)

JonTom
2010-05-13, 02:29
Hello secretbison

Thank you for the log.


Please work through the following steps


Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").

NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.

Copy and Paste the text in the codebox below (including the link) into the open Notepad window:


http://forums.spybot.info/showpost.php?p=370900&postcount=7

Collect::
c:\windows\system32\svcmsv4.exe
c:\windows\system32\svcmsdebug.exe
c:\windows\system32\6liejzuauj.tmp
c:\documents and settings\Administrator\Local Settings\Application Data\yhfeamxtl\memfjnxtssd.exe
c:\windows\system32\thvfuccy.dll

Folder::
c:\documents and settings\Administrator\Local Settings\Application Data\yhfeamxtl

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"jhnfjetb"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"jhnfjetb"=-
"7498f5a7"=-

Driver::
svcmsv4



Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.

Close any open browsers.

Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Refering to the picture below, drag CFScript.txt into ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif



When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Once the log is produced, re-engage your resident anti virus.
Note: When ComboFix finishes running, the ComboFix log will open along with a message box - do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.

secretbison
2010-05-13, 05:08
I've followed your instructions again. Here is the log that was produced the second time I ran ComboFix. Let me know if you have more instructions.

JonTom
2010-05-13, 20:06
Hello secretbison

Thank you for the log.

Please work your way through the following steps:


P2P Programs:


P2P programs are a major source of Malware infections.
From your log I see you have uTorrent. We do not pass judgment on file-sharing, however we must inform you that engaging in this activity and having this kind of software installed on your system will always make you more susceptible to Malware infections.
The use of P2P programs may be contributing to your current situation, and you would certainly be doing yourself a favour by removing them.
If you wish to keep the program(s), please do not use them until your computer is cleaned.


Information regarding the risk of using these programs can be found from here (http://malwareremoval.com/p2pindex.php) and here. (http://www.internetworldstats.com/articles/art053.htm)


It is strongly recommend that you uninstall any P2P programs you have on your system.


To do this, Click on "Start" then on "Control Panel" and then on "Add or remove programs".
A list of currently installed programs will be displayed.
Find the "uTorrent" program, click on it once and then click on the "Remove" button.
If you are prompted to re-boot your computer to complete the uninstall please do so.


PLEASE NOTE:
Even if you are using a P2P program that is deemed safe, it is only the program that is safe. Any files that you receive using a "safe" P2P program may be infected with Malware. The malware writers use P2P file-sharing as a major conduit to spread infected files.



Please perform the following scan:


Please download MalwareBytes AntiMalware by clicking here (http://www.besttechie.net/tools/mbam-setup.exe) and save the file (called mbam-setup.exe) to your desktop.

Double click on the mbam-setup.exe icon to install the program.
Follow the prompts during installation and have the Installation Wizzard create a desktop icon.
Once installed, double click on the MalwareBytes AntiMalware icon to launch the program.
Click on the "Update" tab and then on "Check for Updates".
The program will now install the latest Malware definition files.
Once complete, click on the "Scanner" tab, select "Perform full scan"and then click on "Scan".
Once the program has scanned your computer, a log file will be created in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.


If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
Come back here to this thread and Paste the log in your next reply.



Please update your Java



Click on "Start", then on "Control Panel".
Go to "Add or Remove Programs" and uninstall any previous versions of Java that you find.
Reboot your computer.
Next, download the latest version of Java by clicking here (http://java.sun.com/javase/downloads/index.jsp)
Scroll down the page until you reach "Java Platform Standard Edition".
Beneath this and to the right, you will see a red button marked "Download JRE".
Click the "Download JRE" button.
Select the platform (Windows, in your case), multi language.
Accept the license agreement and click on "Continue".
You do not have to register if you do not want to (the registration step is optional).
Scroll down and click on the file called jre-6u20-windows-i586.exe located under "Windows Offline Installation".
Save the file to your desktop.
Do not select Run.
Double click on the saved file (jre-6u20-windows-i586.exe) to install the update.
Delete the downloaded installation file after completing the above procedure and reboot your system if not prompted to do so.



Please perform the following scan:


This is a very deep scan that can take many hours. In some instances you may need to let it run overnight. Please be patient.


It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
DO NOT surf the net while your resident protection is disabled!
Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.


Please perform a Kaspersky Online Scan of your computer by clicking here (http://www.kaspersky.com/kos/eng/partner/default/pages/default/check.html?n=1240137288999) or here (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html).


Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run (at times it may appear to stall).
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
If you need help performing the above steps, an animated tutorial can be found here. (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)


Please provide the MBAM log and the Kaspersky Online Scan log in your next reply.

How is your machine behaving now? Are you still experiencing problems?

secretbison
2010-05-13, 22:42
My laptop is working better now: I'm able to browse and send emails, but the results when I check for problems with Spybot appear the same.

I've run into a problem, though. The MalwareBytes AntiMalware link you provided isn't working for me. Are there any other places where I can download the program?

JonTom
2010-05-14, 00:14
Hello secretbison


The MalwareBytes AntiMalware link you provided isn't working for me

Ive checked the link and the download site appears to be temporarily offline....:sad:

No problem though, you can download MBAM from one of the links below:


Link 1 (http://www.malwarebytes.org/mbam-download.php)

Link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


If you have any more problems come back and let me know.

secretbison
2010-05-15, 04:55
I have run scans with MBAM and the Kaspersky Scan website. The attached .zip contains the logs from both of them.

JonTom
2010-05-15, 16:18
Hello secretbison

Thank you for the logs. We have a little more work to do.

The Kaspersky Online Scan has identified some infected files, an infected Java cache and some infected e mails on your system. Please work your way through the following steps:

Please run the following Command


Click on "Start" and then on "Run".
Copy and Paste the following command into the Run box:



cmd /c del /f/a/q "C:\Documents and Settings\Administrator\Desktop\site(broken)\public_html\wp-content\plugins\google-analyticator\external-tracking.js" "C:\Documents and Settings\Administrator\Desktop\site(broken)\public_html\wp-content\plugins\wp-cumulus\swfobject.js"


Click on "OK".


Please Clear Your Sun Java Cache


Click on "Start", then on "Control Panel" and then on the Java icon (looks like a coffee cup). If you do not see the icon, look to your left and click "Switch to Classic View".
On the "General" tab, under "Temporary Internet Files", click the "Settings" button.
Next, click on the "Delete Files" button.
There are two options in the window to clear the cache - ("Applications and Applets" and "Trace and Log Files").
Leave BOTH Checked
Click "OK" on Delete Temporary Files Window.
Note: This deletes ALL the Downloaded Applications and Applets from the Cache.
Click "OK" to leave the Temporary Files Window.
Click "OK" to leave the Java Control Panel.



Infected e mails


You have three infected e mails.
Two are present in your inbox, and one is present in your trash.
Unfortunately, the Kaspersky Online Scan does not tell us which e mails are infected, only that they are there.
You are therefore advised to delete all of your old and unwanted e mails, and all of those that have attachments, as the attachments may contain the infecting malware.



Please make all files and folders VISIBLE:


Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:
Choose to "Show hidden files and folders."
Uncheck the "Hide protected operating system files" and the "Hide extensions for know file types" boxes.
Close the window with "OK".



Please scan the following files


Please visit Virus Total by clicking here. (http://www.virustotal.com/)
Click the Browse button and search for the following file: C:\dell\drivers\R169011\Win64\Data1.cab
Click Open.
Then click Send File.
Please be patient while the file is scanned.
If Virus Total tells you that the file has already been scanned, click "reanalyse now".

Once the scan results appear, copy and paste them into Notepad.

Please provide the results from the scan in your next reply.

secretbison
2010-05-16, 04:35
I've followed the most recent set of instructions. I've attached the log from the Virustotal scan of the file you requested.

JonTom
2010-05-16, 18:29
Hello secretbison

Your system is looking good! Please work your way through the following steps:

Re-enable your drivers


To re-enable your Emulation drivers, double click on DeFogger to run the tool.

The application window will appear.
Click the Re-enable button to re-enable your CD Emulation drivers.
Click Yes to continue A 'Finished!' message will appear.
Click OK
DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.
Your Emulation drivers are now re-enabled.


Please Uninstall Combofix



Click on "Start" and then on "Run".
Now type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall", it needs to be there.



Removal of tools


You no longer need DeFogger, GMER or DDS. Please delete them from your system.



Your Internet Explorer is out of date


A newer version of Internet Explorer is available from here. (http://www.microsoft.com/windows/internet-explorer/?ocid=ie8_s_94735d11-65d1-4bb8-bf6f-72d7b059a928)
Alternatively, you can use Firefox (I will provide the link later).



Your Adobe is out of date


You can obtain the latest version of Adobe Reader from here (http://get.adobe.com/uk/reader/), and the latest version of Flash Player from here. (http://www.adobe.com/products/flashplayer/)
For more information and links to Adobe updates and downloads click here. (http://www.adobe.com/downloads/)



Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.


Finally, please take the time to read through the information provided below:

Enhance your System Security

For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here. (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)

IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
Once complete, remember to re-engage your resident security before going online.

Web Browsers and Browser Security

Firefox

Firefox is generally considered to have greater browsing security in comparison to other popular programs. You can download Firefox 3.0 from here. (http://www.mozilla.com/en-US/firefox/)


No-Script

If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
You can download No-Script by clicking here. (https://addons.mozilla.org/en-US/firefox/addon/722)


Internet Explorer

The newest version of Internet Explorer is available from here. (http://www.microsoft.com/windows/internet-explorer/?ocid=ie8_s_94735d11-65d1-4bb8-bf6f-72d7b059a928)


SpywareBlaster

If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
You can download SpywareBlaster by clicking here. (http://www.javacoolsoftware.com/sbdownload.html)

Web of Trust

When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
You can download Web of Trust by clicking here. (http://www.mywot.com/)


Keep your Software Updated

Outdated software can sometimes have vulnerabilities that are exploitable by malware.
Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here. (http://secunia.com/vulnerability_scanning/online/)


Passwords

Learn how to create strong passwords by clicking here (http://www.microsoft.com/protect/yourself/password/create.mspx) and test the strength of the passwords you already use by clicking here. (http://www.microsoft.com/protect/yourself/password/checker.mspx)


General Reading

How did I get infected in the first place? (http://www.spywareinfoforum.com/index.php?showtopic=60955)

PC Safety and Security - What do I need? (http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html)

How to prevent Malware (by Miekiemoes) (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)


Learn How To Combat Malware

Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here. (http://forums.whatthetech.com/What_Tech_Classroom_t80368.html)