View Full Version : Defense Center Malware
janicelg
2010-07-14, 19:31
McAfee seems not to have any information about --or the ability to remove-- this malware and, as a long time user of Spybot, I decided to check her for help. Seem to be infected with something called, Defense Center. McAfee keeps posting that it is blocking and removing many trojans, and I get lots of popups asking me to get rid of my MSC software. Desktop now has all kinds of shortcuts to porn and executable spam files. Please help. (BTW, I did do everything you recommended in your "Before You Post" entry.)
Thanks so much, Janice
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 11:17:43.99 on Wed 07/14/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2491 [GMT -5:00]
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\OEM05Mon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\wscsvc32.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
svchost.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Logitech\SetPoint\LULnchr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Logitech\SetPoint\LULnchr.exe
C:\Program Files\Logitech\SetPoint\LULnchr.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Documents and Settings\Janice Gilford\Desktop\dds.scr
C:\WINDOWS\system32\wuauclt.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080609 (http://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080609)
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [tcjcoixx] c:\documents and settings\janice gilford\local settings\application data\haepapuvl\talqogetssd.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ECenter] "c:\dell\e-center\EULALauncher.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [OEM05Mon.exe] "c:\windows\OEM05Mon.exe"
mRun: [Kernel and Hardware Abstraction Layer] "c:\windows\KHALMNPR.EXE"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [REGSHAVE] "c:\program files\regshave\REGSHAVE.EXE" /AUTORUN
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_06\bin\jusched.exe"
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [tcjcoixx] c:\documents and settings\janice gilford\local settings\application data\haepapuvl\talqogetssd.exe
mRun: [bxnxwnyy] c:\documents and settings\janice gilford\local settings\application data\lynaqgkdp\cycitnntssd.exe
dRun: [bxnxwnyy] c:\documents and settings\janice gilford\local settings\application data\lynaqgkdp\cycitnntssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnotes\psnotes.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Search - ?p=ZNxdm824YYUS
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: sun.com\www
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226967206175
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn.mc.vanderbilt.edu/dana-cached/sc/JuniperSetupClient.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\janice~1\applic~1\mozilla\firefox\profiles\266phpu8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-9 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-9 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-9 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-9 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-9 35272]
R3 OEM05Afx;Provides a software interface to control audio effects of OEM005 camera.;c:\windows\system32\drivers\OEM05Afx.sys [2008-6-9 141376]
R3 OEM05Vfx;Creative Camera OEM005 Video VFX Driver;c:\windows\system32\drivers\OEM05Vfx.sys [2008-6-9 7424]
R3 OEM05Vid;Creative Camera OEM005 Driver;c:\windows\system32\drivers\OEM05Vid.sys [2008-6-9 235616]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2008-6-9 31616]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-9 606736]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-9 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-9 40552]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
============== File Associations ===============
.exe=secfile
=============== Created Last 30 ================
2010-07-14 15:37:13 0 d-----w- c:\program files\Defense Center
2010-07-14 15:26:21 289024 ----a-w- c:\windows\exe.exe
2010-07-02 16:34:34 0 d-----w- c:\windows\Performance
2010-07-02 16:34:06 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-06-29 21:25:09 69632 ----a-w- c:\windows\Alcmtr.exe
2010-06-23 15:16:09 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-23 15:16:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
==================== Find3M ====================
2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-29 14:30:23 256 ----a-w- c:\documents and settings\janice gilford\pool.bin
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 11:43:25 634656 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-04-16 11:43:23 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2008-06-22 13:18:32 76 --sh--r- c:\windows\CT4CET.bin
============= FINISH: 11:19:11.15 ===============
Hello and welcome to the the forum.
Please read the following information carefully.
IMPORTANT: Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
To make cleaning this machine easier:
Continue to respond to this thread until I I tell you that the logs are clean!
Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
Please follow all instructions in the order posted.
If you have any questions or do not understand instructions, please ask before continuing.
Please reply to this thread. Do not start a new topic.
Please post the second DDS log in your next reply just as you did with the first log in your previous post.
janicelg
2010-07-16, 19:43
vict0r,
I've read the instructions in your reply to my post. Will follow them precisely. Note that since I posted, I can only get into Windows via Safe Mode with Networking. If I boot up normally, I get as far as my screen background, but no programs / icons load.
Looking forward to your help with this mess.
Thanks, Janice
Hi
I don't recommend to use the computer in safe mode with networking. Do you have access to another computer and a usb-stick/drive or empty cd's (cd burner required in the alternate computer)?
Attempt to force a desktop in normal mode:
You may want to print these instructions:
Please reboot your computer into normal mode. If you do not get a desktop, try this:
Press (Ctrl + Shift + Esc) or (Ctrl+Alt+Delete) (simultaneously!) to open Task Manager.
Click on File...then select, press New Task (Run...).
In the "Create New Task" entry box...type in explorer.exe and press Enter. Your desktop should now appear. Please continue with the instructions below. Try to start explorer.exe 2-3 times if it does not start:
Note: If you are unable to get a desktop in normal mode and you do not have access of another computer and storage, then follow the instructions below in safe mode with networking.
Download/run Rkill:
Please download Rkill from one of the following links and save it to your Desktop:
One (http://download.bleepingcomputer.com/grinler/rkill.exe), Two (http://download.bleepingcomputer.com/grinler/rkill.com),Three (http://download.bleepingcomputer.com/grinler/rkill.scr) Four (http://download.bleepingcomputer.com/grinler/rkill.pif) Five (http://download.bleepingcomputer.com/grinler/iExplore.exe) Six (http://download.bleepingcomputer.com/grinler/eXplorer.exe)
Double click on Rkill.
A command window will open then disappear upon completion, this is normal.
A notepad window will open, please post the contents in your next reply
This log can also be found at C:\rkill.log
Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue.
Malwarebytes' Anti-Malware:
Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to both:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Check all items and click Remove Selected.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
DDS:
There should still be a copy of DDS in your desktop, if not download DDS by sUBs from one of the links below and save it to your desktop:
http://img.photobucket.com/albums/v666/sUBs/dds_scr.gif
Link1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link2 (http://www.forospyware.com/sUBs/dds) (right click -> Save link as...)
Double-Click on the DDS icon to run the program. A command window will appear. This is normal.
Shortly after two logs will appear:
DDS.txt
Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs into your next reply
Please post (one log per post):
the rkill log
the MBAM log
the DDS logs
Please describe any problems occured when following these instructions.
janicelg
2010-07-18, 18:52
vict0r,
have completed all of your instructions. Thank you so much.
Here's the first log you requested (rkill):
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Janice Gilford on 07/18/2010 at 10:25:10.
Processes terminated by Rkill or while it was running:
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
Rkill completed on 07/18/2010 at 10:25:17.
janicelg
2010-07-18, 18:54
vict0r,
have completed all of your instructions. Thank you so much.
Here's the second log you requested (MBAM):
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4324
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13
7/18/2010 10:38:22 AM
mbam-log-2010-07-18 (10-38-22).txt
Scan type: Quick scan
Objects scanned: 142118
Time elapsed: 4 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 33
Registry Values Infected: 14
Registry Data Items Infected: 3
Folders Infected: 4
Files Infected: 77
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9d74a457-66e0-4999-a9e7-d54242219575} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d74a457-66e0-4999-a9e7-d54242219575} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f678d6c3-7f34-4eb4-9936-8ac133ec2e66} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f678d6c3-7f34-4eb4-9936-8ac133ec2e66} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmasiuteisevx (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defense center (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mchk (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trvplppv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trvplppv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Virus.Ertfor) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uiha98uiohf873yuiadnhgjesgregas (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsehf98u34i9tjioaugy987iuegdsg (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\13 (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcjcoixx (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcjcoixx (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bxnxwnyy (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Defense Center\defcnt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xzpwp.exe (Trojan.Adware) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\tbjimeljn\yfjybqqtssd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mb3dw5.dll (Virus.Ertfor) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tq1x8ht.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win16.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msrss.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kzpwp.dll (Adware.EZlife) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gzpwp.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qg6d21cxp.dll (Virus.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\1F2.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\asd16.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\asd1FE.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\mschrt20ex.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\MSDERUN.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\PRAGMA10f3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\qoykaPJZWk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\TliaOayuQS.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\120220724.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\avp.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\avp32.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\dbiqws.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\h92kaxr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\iexplarer.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\iexplorer.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mdm.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mrxru.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\qgkmdut.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\taskmgr.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tipby85sf.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uxeut.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temporary Internet Files\Content.IE5\SMUEOLXA\263-direct[1].ex (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\exe.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\about.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\activate.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\buy.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\def.db (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\defext.dll (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\defhook.dll (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\help.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\scan.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\settings.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\splash.mp3 (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\Uninstall.exe (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\update.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\virus.mp3 (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\About.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Activate.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Buy.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Defense Center Support.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Defense Center.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Scan.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Settings.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Update.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallMTF1011$\zrpt.xml (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx\pragmabbr.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx\PRAGMAc.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx\pragmaserf.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx\PRAGMAsrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Update\seupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\Defense Center Support.LNK (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\Defense Center.LNK (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\spam001.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\spam003.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\troj000.exe (Malware.Trave) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Application Data\Microsoft\Internet Explorer\Quick Launch\Defense Center.LNK (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Application Data\Windows Server\pywfls.dll (Trojan.Agent) -> Quarantined and deleted successfully.
janicelg
2010-07-18, 19:08
vict0r,
The DDS logs are below (one here; one attached as per the DDS pop-up instructions).
Computer never would open Windows.
Task Manager was disabled "by my administrator" (or some words very similar to that)
Ran rkill from USB drive after booting in Safe Mode (no networking).
Ran MBAM from USB drive, but wasn't able to update because I had no internet connection. So, after rebooting in Safe Mode With Networking I updated the Malwarebytes Anti-Malware.
Ran MBAM and it did request that I reboot, which I did. When the computer rebooted, it went immediately to my normal Windows start-up (even though I had pressed F8 to boot up again in Safe Mode).
Computer seems to be behaving normally.
You have been so helpful; I really appreciate your time and effort.
Am I cured??
Thanks, vict0r!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DDS (Ver_10-03-17.01) - NTFSx86
Run by Janice Gilford at 10:42:08.34 on Sun 07/18/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2496 [GMT -5:00]
AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\OEM05Mon.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
svchost.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
J:\dds.scr
C:\WINDOWS\system32\wscript.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080609
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ECenter] "c:\dell\e-center\EULALauncher.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [OEM05Mon.exe] "c:\windows\OEM05Mon.exe"
mRun: [Kernel and Hardware Abstraction Layer] "c:\windows\KHALMNPR.EXE"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [REGSHAVE] "c:\program files\regshave\REGSHAVE.EXE" /AUTORUN
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_06\bin\jusched.exe"
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [sta] rundll32 "kzpwp.dll",,Run
dRun: [bxnxwnyy] c:\documents and settings\janice gilford\local settings\application data\lynaqgkdp\cycitnntssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnotes\psnotes.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Search - ?p=ZNxdm824YYUS
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: sun.com\www
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226967206175
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn.mc.vanderbilt.edu/dana-cached/sc/JuniperSetupClient.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\janice~1\applic~1\mozilla\firefox\profiles\266phpu8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101035100&s=c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-9 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-9 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-9 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-9 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-9 35272]
R3 OEM05Afx;Provides a software interface to control audio effects of OEM005 camera.;c:\windows\system32\drivers\oem05afx.sys [2008-6-9 141376]
R3 OEM05Vfx;Creative Camera OEM005 Video VFX Driver;c:\windows\system32\drivers\oem05vfx.sys [2008-6-9 7424]
R3 OEM05Vid;Creative Camera OEM005 Driver;c:\windows\system32\drivers\oem05vid.sys [2008-6-9 235616]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2008-6-9 31616]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-9 606736]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-9 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-9 40552]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
=============== Created Last 30 ================
2010-07-18 15:27:41 0 d-----w- c:\docume~1\janice~1\applic~1\Malwarebytes
2010-07-18 15:27:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-18 15:27:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-18 15:27:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-18 15:27:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-16 17:12:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-07-16 17:12:20 0 ----a-w- c:\windows\system32\perf73845.dat
2010-07-16 17:12:15 150 ----a-w- C:\zrpt.xml
2010-07-02 16:34:34 0 d-----w- c:\windows\Performance
2010-07-02 16:34:06 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-06-29 21:25:09 69632 ----a-w- c:\windows\Alcmtr.exe
2010-06-23 15:16:09 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-23 15:16:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
==================== Find3M ====================
2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-29 14:30:23 256 ----a-w- c:\documents and settings\janice gilford\pool.bin
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2008-06-22 13:18:32 76 --sh--r- c:\windows\CT4CET.bin
============= FINISH: 10:45:23.39 ===============
janicelg
2010-07-18, 20:09
vict0r,
Two "error" messages when I just rebooted my computer.
Message #1, center of deskop screen view:
RUNDLL
Error loading kzpwp.dll
The specified module could not be found.
OK (clickable button)
Message #2, right bottom of screen in tray:
Malicious software was removed
from your computer. Click here to complete the removal
process.
(Points to a clickable icon in tray)
Both messages have a white "X" in a red circle that strongly resemble icons used by the Defense Center malware.
I clicked "OK" for message #1 and it went away.
I closed message #2 without taking any action at all.
Thanks so much for you help and recommendations.
Janice
janicelg
2010-07-18, 20:10
Actually, vict0r, I attempted to close the "malicious software" message, but it won't close, just immediately opens back up.
Thanks,
Janice
janicelg
2010-07-18, 22:06
Google redirects to other search "engines" instead of going to the link that is clicked.
Thanks, Janice
Actually, vict0r, I attempted to close the "malicious software" message, but it won't close, just immediately opens back up.It seems to me that this may be a message from a fake Anti Virus.
Am I cured??Unfortunately not . Since the MBAM log shows many serious infections, it is still not even clear whether cleaning can be successfully completed.
Backdoor Warning
Your computer has multiple infections, including a Backdoor.
A backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. It compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user. Typically it's installed without user interaction through security exploits, and can severely compromise system security.
These type of infections may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware.
These backdoor infections may also collect and transmit personally identifiable information, without your consent and severely degrade the performance and stability of your computer.
A backdoor infection can give intruders complete control of your computer, logs your keystrokes, obtain passwords, steal personal information, etc.
You are strongly advised to do the following:
Disconnect the computer from the Internet and from any networked computers until it is cleaned.
Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, any online activity you perform, requiring a username and password).
Do NOT change your passwords from this computer as the attacker may be able to get all the new passwords and transaction records.
Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
Due to the backdoor's functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of infection, the best course of action would be to do a reformat and re-installation of the operating system (OS). This decision will have to be made by you...
We can attempt to clean this machine but we will not guarantee that it won't still be compromised, afterwards.
To help you understand more, please take some time to read the following articles:
When should I re-format and reinstall my OS (http://www.dslreports.com/faq/10063)
What are Remote Access Trojans and why are they dangerous (http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx)
How do I respond to a possible identity theft and how do I prevent it (http://www.dslreports.com/faq/10451)
How and Where to backup your files (http://www.microsoft.com/athome/security/update/wherebackup.mspx)
Restoring your backups (http://support.microsoft.com/kb/309340)
Please let me know how you would like to proceed.
Thanks
janicelg
2010-07-20, 02:01
vict0r,
I guess I will have to go with the option to wipe the HD and reinstall.... :sad: This is such a nightmare. I guess I was "due" since I've had home computers since 1987, but I never click things and just can't understand how that darned stuff got in there.
I have already begun making the changes you suggested r/t banks, online accounts, etc.
I am wondering about changing info r/t to my modem, also...like the WEP key, etc. Comcast customer. That would mean, of course, reconnecting the RJ45 cable.
When I connect it up, can I safely upload all my pics to Picasa Web? And other data and music files to some alternate temp backup location or to a USB drive?
So..., please advise...again.
I am so appreciative of your help!
Janice
I'm sorry about the delay. I will post a followup as soon as possible.
janicelg
2010-07-21, 21:56
Please don't worrry about the delay, vict0r. I am just grateful for your help.
I have run into another problem: i was going to move my music, pictures, and data files to CDs or DVDs and my computer no longer can access my CD drive (D:). I rebooted several times, but each time I try to access that drive, I get an error message that says it's inaccessible. Now, I am not sure where to move those files.
Would be be ok to run Picasa on that computer to upload my pics to Picasa Web?
Would it be ok to run iTunes and sync my iPod one last time to retrieve all of my music?
Thanks so much, again and again, Janice
Hi.
You don't need to click stuff to get your computer infected. Unfortunately it's enough to visit a website with malicious code taking advantage of a newly discovered security exploit.
Do you need any help with the reinstall?
I am wondering about changing info r/t to my modem, also...like the WEP key, etc. Comcast customer. That would mean, of course, reconnecting the RJ45 cable.This is a good idea. WPA2-PSK offers the best level of security, but you might need to use WPA-AES for compatibility reasons. Make sure you use a secure password/passphrase. The old WEP encryption system is not secure.
When I connect it up, can I safely upload all my pics to Picasa Web? And other data and music files to some alternate temp backup location or to a USB drive?In this case backups of pictures, data and music can be done as you describe. You can run rkill as previously described to stop the fake anti virus installed on your computer. This might make it easier to perform the backups. If you still can't access the cd-burner, I'll be happy to suggest some troubleshooting of the problem.
I'd be grateful if you could reply to this post so that I know you have read it and, if you have no further questions, the thread can then be closed.
There are a couple of things you should do immediately after installing Windows and before surfing the net:
Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. You need to visit the Microsoft Update site (http://update.microsoft.com/microsoftupdate) repeatedly and perform the update until no further important updates are offered. This will make sure all the updates released since your computer was delivered is installed.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
Make sure automatic updates for Windows XP is enabled to keep your system updated (get the latest patches from Microsoft to fix bugs and security holes):
Go to Start > Control Panel > Automatic Updates and select one of these options:
Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
Select Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.
Install and update an Anti Virus
New viruses come out every minute, so it is essential that you have the latest signatures for your anti virus program to provide you with the best possible protection from malicious software.
NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Here are a few FREE alternatives if you have not paid for a product:
Avira AntiVir Personal (http://www.free-av.de/en/download/1/avira_antivir_personal__free_antivirus.html)- Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.
avast! Free Antivirus (http://www.avast.com/free-antivirus-download) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
Microsoft Security Essentials (http://www.microsoft.com/security_essentials/) - Microsoft's free Anti Virus program
Secure your computer further:
Consider using the following programs to secure your computer further:
Hosts File
Please use the following for the added protection: MVPS Hosts (http://www.mvps.org/winhelp2002/hosts.htm), you will find more information regarding hosts files there. A simple explanation of what a Hosts file does is here (http://forum.malwareremoval.com/viewtopic.php?t=22187) (includes a description on how to use HostsXpert to easily download and manage your hosts file).
Malwarebytes Anti-Malware
Download from here (http://www.malwarebytes.org/). Update and perform a quick scan 1-2 times a week.
WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE (http://www.winpatrol.com/).
It is ABSOLUTELY ESSENTIAL to keep Windows and all of your security programs up to date.
Read these articles to learn more about how to protect yourself while on the internet:
So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279) by Tony Klein.
Miekies' prevention suggestions (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
janicelg
2010-07-23, 20:49
vict0r,
Here is my plan:
1. Run rkill again
2. Reconnect computer to modem
3. Offload pics to Picasa Web
4. Disconnect from modem
5. Offload music and data files to cds/dvds if I can access my cd drive.
Do you have suggestions for how I can gain access to the cd drive, if rkill doesn't take care of that? Remember, I can't use Task Manager because I have been locked out of it by the very mean viruses.
Your post lists MVPS, Malwarebytes, and WinPatrol. Do you recommend running all three of these programs? I am running Spybot and Malwarebytes now, on both of my computers.)
Once those steps are completed, I'll wipe and reload the OS. I think I can do that without problems.
Again, my thanks, vict0r. I couldn't have managed all of this without your help.
Janice
Hi, that seems to be a good plan. :)
You might want to change the password for Picasa from a clean computer after the upload.
If the drive does not work after you have run rkill, then first check devicemanager (Start -> Run > devmgmt.msc) if it reports any problems with the device driver for the drive (there should not be a yellow exclamation mark by the device). You might want to reinstall the driver and possibly run Fixpolicies (see below) to access the devicemanager.
If there is no problem with the driver, then you can try this excellent and free software which is good at detecting devices: http://infrarecorder.org/. Please verify that your backups are good before you wipe the drive.
Try this to temporarily fix taskmanager:
Please Download FixPolicies.exe, a self-extracting ZIP archive from Here (http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe) and Save it to your Desktop.
Double-click FixPolicies.exe.
Click the "Install" button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.exe.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
A black box should briefly appear and then close. This should enable the taskmanager, at least until the malware infection resets the registry policy keys again. You can run this as many times as you like. A permanent fix requires removing the infection.
If you could not get the drive to work previously, then please try again after running Fixpolicies.
It is possible we need to remove the interfering infection to get the drive to work or you might have to use a usb storage to backup your files (flash drive or external hard drive).
Your post lists MVPS, Malwarebytes, and WinPatrol. Do you recommend running all three of these programs? I am running Spybot and Malwarebytes now, on both of my computers.)You can run all three, however do not run Winpatrol if you use Teatimer (part of Spybot Search&Destroy). Winpatrol, the paid version of MBAM and likely any other realtime anti malware solutions will conflict with Teatimer.
janicelg
2010-07-27, 15:48
vict0r, I'll try all of that. If any problems, I'll repost. Would I start a new thread or continue with this one?
I'll see if I can get to that today, but after today, I'm going to be away from my computer for a week. I need to get this mess out of my mind for a bit.
Thanks, Janice
Hi
Thanks for letting me know.
Threads are normally closed after 4 days of inactivity and you might have to start a new thread if you do not post within the limit.
janicelg
2010-08-01, 00:13
I think I am set, vict0r.
Thanks to infrarecorder.org, I was able of offload everything. What a great tool! Without it, I couldn't access my cd/dvd drive, even with your other suggestions.
I am ready to begin the wipe and (clean) OS installation of the original Win XP, but will upgrade immediately to Win 7 to match my laptop. (Nuisance to do it that way, but it's cheaper to do it that way than to purchase the full Win 7 installation pkg.) Once I have done that, I'll deal with Comcast and resetting or changing my SSID / WEP information.
Then, of course, add all the antivirus and malware protection.
Then, install the programs I use and need.
Does that order sound about right?
Once again, dear vict0r, THANKS!!!
Janice:thanks:
Hi.
I'm sorry about the delay.
I believe you have to activate Windows XP before you upgrade to Windows 7. To play it safe, keep the computer disconnected from any network until you have installed an anti-virus. You can activate by phone, then upgrade to "7" and then immediately install the anti-virus, preferably pre-downloaded to a cd. When you connect to the internet for the first time with the fresh install, please update the anti virus and Windows immediately.
I will try to reply more quickly if you have any further questions related to this problem. Please post back anyway to let me know so this thread can be closed.
janicelg
2010-08-06, 18:50
Greetings, vict0r,
I have wiped and reinstalled / authenicated Win XP. Not in any hurry to do the install of the upgrade to Win 7. I have not yet reinstalled all my programs. Using Norton Security Suite provided by Comcast and the Malwarebytes program. Will be installing Spybot and WinP later today. I thought perhaps it might be wise to send you a new DDS report.
Please let me know if there is anything else I need to do; otherwise, I consider this thread completed.
Thank you again and again!
Janice :bigthumb:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Janice at 10:42:45.85 on Fri 08/06/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2701 [GMT -5:00]
AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\OEM05Mon.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Janice\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.2.0.12\IPSBHO.DLL
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [OEM05Mon.exe] c:\windows\OEM05Mon.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280882962062
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280882953171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-8-3 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2010-8-3 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100719.001\BHDrvx86.sys [2010-7-19 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2010-8-3 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-8-3 116784]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-3 304464]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.2.0.12\ccsvchst.exe [2010-8-3 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-3 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100805.004\IDSXpx86.sys [2010-8-6 331640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-3 20952]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100805.048\NAVENG.SYS [2010-8-6 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100805.048\NAVEX15.SYS [2010-8-6 1362608]
R3 OEM05Afx;Provides a software interface to control audio effects of OEM005 camera.;c:\windows\system32\drivers\OEM05Afx.sys [2010-8-3 141376]
R3 OEM05Vfx;Creative Camera OEM005 Video VFX Driver;c:\windows\system32\drivers\OEM05Vfx.sys [2010-8-3 7424]
R3 OEM05Vid;Creative Camera OEM005 Driver;c:\windows\system32\drivers\OEM05Vid.sys [2010-8-3 235616]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2010-8-3 31616]
=============== Created Last 30 ================
2010-08-06 14:42:59 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-08-06 14:42:59 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-08-04 03:25:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-04 03:25:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-04 03:18:01 0 d-----w- c:\windows\system32\Adobe
2010-08-04 02:53:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Uninstall
2010-08-04 02:53:47 0 d-----w- c:\program files\common files\SureThing Shared
2010-08-04 02:53:14 0 d-----w- c:\program files\common files\Sonic Shared
2010-08-04 02:52:44 0 d-----w- c:\program files\Roxio
2010-08-04 02:50:52 0 d-----w- C:\MDT
2010-08-04 02:49:50 89088 ----a-w- c:\windows\system32\atl71.dll
2010-08-04 02:49:50 1047552 ----a-w- c:\windows\system32\MFC71u.dll
2010-08-04 02:37:41 0 d-----w- c:\program files\Siber Systems
2010-08-04 02:29:05 0 d-----w- c:\docume~1\janice\applic~1\Malwarebytes
2010-08-04 02:28:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-04 02:28:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-04 02:28:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-04 02:28:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-04 02:17:57 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-08-04 02:17:57 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-08-04 02:17:47 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-08-04 02:17:47 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-08-04 02:16:24 0 d-----w- c:\program files\common files\CANON
2010-08-04 02:13:56 230912 ----a-w- c:\windows\system32\CNMLM9F.DLL
2010-08-04 02:13:44 98304 ----a-w- c:\windows\system32\CNC480I.DLL
2010-08-04 02:13:44 270336 ----a-w- c:\windows\system32\CNC480L.DLL
2010-08-04 02:13:44 188416 ----a-w- c:\windows\system32\CNC480O.DLL
2010-08-04 02:13:44 1339392 ----a-w- c:\windows\system32\CNC480C.DLL
2010-08-04 02:12:49 0 d-----w- c:\program files\Canon
2010-08-04 01:52:40 0 d-----w- c:\windows\system32\scripting
2010-08-04 01:52:39 0 d-----w- c:\windows\system32\en
2010-08-04 01:52:39 0 d-----w- c:\windows\system32\bits
2010-08-04 01:52:39 0 d-----w- c:\windows\l2schemas
2010-08-04 01:48:41 0 d-----w- c:\windows\network diagnostic
2010-08-04 00:59:19 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-08-04 00:59:19 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-08-04 00:59:17 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-08-04 00:59:12 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-08-04 00:59:12 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-08-04 00:59:06 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-08-04 00:57:41 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-08-04 00:53:06 0 d-----w- c:\windows\system32\PreInstall
2010-08-04 00:49:38 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-08-04 00:49:38 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-08-04 00:49:38 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-08-04 00:49:38 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-08-04 00:49:38 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-08-04 00:40:20 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-08-04 00:40:20 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-08-04 00:40:16 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-04 00:40:16 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-04 00:40:16 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-04 00:40:16 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-04 00:40:16 0 d-----w- c:\program files\Symantec
2010-08-04 00:40:16 0 d-----w- c:\program files\common files\Symantec Shared
2010-08-04 00:40:02 0 d-----w- c:\windows\system32\drivers\N360
2010-08-04 00:40:01 0 d-----w- c:\program files\Norton Security Suite
2010-08-04 00:39:54 0 d-----w- c:\program files\NortonInstaller
2010-08-04 00:39:54 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-08-04 00:32:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-08-04 00:14:49 0 d-sh--w- c:\documents and settings\janice\UserData
2010-08-03 23:57:07 990 ----a-w- C:\net_save.dna
2010-08-03 23:56:28 0 d-----w- c:\program files\support.com
2010-08-03 23:05:27 876544 ----a-w- c:\windows\system32\TEACico2.dll
2010-08-03 23:03:12 0 d-----w- c:\program files\common files\Logitech
2010-08-03 23:01:34 76 --sh--r- c:\windows\CT4CET.bin
2010-08-03 23:01:11 0 d-----w- c:\program files\common files\Reallusion
2010-08-03 23:00:56 0 d-----w- c:\program files\common files\Creative
2010-08-03 23:00:15 0 d-----w- c:\program files\Creative Live! Cam
2010-08-03 22:59:57 0 d-----w- c:\program files\Creative
2010-08-03 22:57:14 0 ----a-w- c:\windows\ativpsrm.bin
2010-08-03 22:55:31 0 d-----w- c:\program files\ATI Technologies
2010-08-03 22:22:21 0 d-----w- c:\program files\NetWaiting
2010-08-03 22:21:47 0 d-----w- c:\program files\Digital Line Detect
2010-08-03 22:19:49 940794 ----a-w- c:\windows\system32\LoopyMusic.wav
2010-08-03 22:19:49 146650 ----a-w- c:\windows\system32\BuzzingBee.wav
2010-08-03 22:19:48 0 d-----w- c:\windows\system32\Lang
2010-08-03 22:18:01 0 d-----w- c:\program files\Realtek
2010-08-03 22:17:56 520192 ----a-w- c:\windows\RtlExUpd.dll
2010-08-03 22:17:56 315392 ----a-w- c:\windows\HideWin.exe
2010-08-03 22:17:14 1904 ------w- c:\windows\system32\SetupBD.din
2010-08-03 22:16:29 66424 ----a-w- c:\windows\system32\NicEtCoE.dll
2010-08-03 22:16:29 62840 ----a-w- c:\windows\system32\NicInstE.dll
2010-08-03 22:16:29 2889 ----a-w- c:\windows\system32\e1e5132.din
2010-08-03 22:16:29 28536 ----a-w- c:\windows\system32\NicCo.dll
2010-08-03 22:16:29 254872 ----a-w- c:\windows\system32\drivers\e1e5132.sys
2010-08-03 22:16:29 179048 ----a-w- c:\windows\system32\e1000msg.dll
2010-08-03 22:16:29 154496 ----a-w- c:\windows\system32\Prounstl.exe
2010-08-03 22:14:07 356352 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-08-03 22:03:30 0 d-----w- c:\windows\system32\ReinstallBackups
2010-08-03 22:03:21 0 d-----w- C:\Intel
2010-08-03 21:57:47 0 d-----w- c:\program files\Dell Support Center
2010-08-03 21:57:47 0 d-----w- c:\program files\common files\supportsoft
2010-08-03 21:55:01 0 d-----w- c:\program files\Dell
2010-08-03 21:48:12 0 d-sh--w- c:\documents and settings\all users\DRM
2010-08-03 21:48:00 0 d--h--w- c:\program files\WindowsUpdate
2010-08-03 21:47:23 0 d-----w- c:\program files\common files\MSSoap
2010-08-03 21:46:24 0 d-----w- c:\program files\Online Services
2010-08-03 21:46:20 0 d-----w- c:\program files\Messenger
2010-08-03 21:46:18 0 d-----w- c:\program files\MSN Gaming Zone
2010-08-03 21:45:52 0 d-----w- c:\program files\Windows NT
2010-08-03 16:37:53 0 d-----w- c:\program files\common files\ODBC
2010-08-03 16:37:51 0 d-----w- c:\program files\common files\SpeechEngines
2010-08-03 16:37:35 0 d-----r- c:\documents and settings\all users\Documents
==================== Find3M ====================
2010-08-03 23:03:50 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-08-03 23:03:49 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-08-03 21:58:36 5 ----a-w- c:\windows\system32\drivers\DELL_INS_530.MRK
2010-08-03 21:58:36 5 ----a-w- c:\windows\system32\drivers\1028_DELL_INS_530.MRK
2010-08-03 21:46:41 21640 ----a-w- c:\windows\system32\emptyregdb.dat
============= FINISH: 10:43:05.25 ===============
Please note the following:
When using Teatimer (part of Spybot S&D), then do not use Winpatrol. They do not work well together.
If you definitely want to upgrade to Windows 7, then I believe it's better to do it as soon as possible to ensure software compatibility.
Good luck and stay safe online. :)
Dakeyras
2010-08-11, 08:33
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.