brucebot
2010-07-29, 14:39
i can't post
I'm so sorry. My computer is deeply infected. It won't let me post the DDS logs; it gives me an internet error. I can't even email them from my Yahoo account. I will try to post them here, but do you please have any suggestions?
It started with Win32/FakeSpypro, then it told me Win32/Patched.DX on a critical file.
Again, very sorry. I see I cannot edit posts, so those first two will have to stay.
My home computer seems deeply infected to the point it won't let me post the DDS files here, nor would it let me email them through Yahoo. I was able to email them through Gmail.
Problem started when I received what I believe to be Win32/FakeSpypro while on a website. Was able to switch accounts on the computer and run AVG in safe mode, which reported Win32/Patched.DX on file C:\windows\system32\drivers\tcpip.sys, which is whitelisted as a critical system file so it did not heal. Additional scans showed Trojan horse Cryptic.AQW and also Exploit Phoenix Exploit Kit (Type1112). Currently all scans (Spybot, Ad-Aware, MWB, AVG) come up clean when running in regular mode, although while running Spybot, Resident Shield showed Trojan Horse Dropper.Generic2 in spybot.exe (or similar); I did clean that one. When running in safe mode AVG still picks up the Win32/Patched.DX. On their advice I tried to replace the tcpip.sys file, but it maintained the original. They are now advising to replace the file in a way that seems way too complicated for me to attempt.
Here is the DDS file and the .txt attachment. I'm not sure why it still mentions Norton; I uninstalled that long ago. I know it leaves things behind, but Revo Uninstaller doesn't show anything. I sure hope my other AV isn't working properly because of that.
I will have to hope I can read replies and am able to run scans or fixes suggested. I know I won't be able to post from the infected computer, but be assured I will do my best. Thank you.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Bruce at 6:12:45.79 on Thu 07/29/2010 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.670 [GMT -5:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
FW: Norton Internet Security *enabled* {825036E0-9F94-4752-8789-8B92454AF49B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bruce\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn7\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - No File
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn7\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn7\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: c:\windows\system32\igfxtray.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: &Google Search
IE: &Yahoo! Search
IE: Backward Links
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel
IE: Google Sidewiki...
IE: Similar Pages
IE: Translate into English
IE: Yahoo! &Dictionary
IE: Yahoo! &Maps
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: chase.com
Trusted Zone: chase.com\*.chaseonline
Trusted Zone: chase.com\chaseonline
Trusted Zone: chase.com\www
Trusted Zone: fidelity.com\guidance
Trusted Zone: fidelity.com\www
Trusted Zone: gailborden.info\innovative
Trusted Zone: gailborden.info\search
Trusted Zone: gailborden.info\www
Trusted Zone: vanguard.com
Trusted Zone: yahoo.com
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://go.microsoft.com/fwlink/?LinkId=82580
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
DPF: {46C66BBD-E667-4DAD-9682-58050E7C9FDC} - hxxp://www.cdpass.com/cdkey/CDPass.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213825210359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38210.8758449074
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - hxxp://www.livemetallica.com/nugster/dlControl.CAB
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/bejeweled2/sis/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: winmm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = :\windows\system32\srrstr.
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 A known bad url was replaced by VIPRE
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\bruce\applic~1\mozilla\firefox\profiles\ncaq0swn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\bruce\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\bruce\my documents\my downloads\netscape6\nppl3260.dll
FF - plugin: c:\documents and settings\bruce\my documents\my downloads\netscape6\nprjplug.dll
FF - plugin: c:\documents and settings\bruce\my documents\my downloads\netscape6\nprpjplug.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XULRunner: {2E29E0D3-7645-46A4-AAF7-F8D2077E0E60} - c:\documents and settings\bruce\local settings\application data\{2E29E0D3-7645-46A4-AAF7-F8D2077E0E60}
FF - HiddenExtension: XULRunner: {555DD3E3-4087-4762-BF85-5733FE9A3DD9} - c:\documents and settings\ellen\local settings\application data\{555DD3E3-4087-4762-BF85-5733FE9A3DD9}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-4 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-26 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-26 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-26 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-26 297752]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-6-12 20968]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2004-8-11 86098]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-23 133104]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]
=============== Created Last 30 ================
2010-07-29 03:28:32 0 d-----w- c:\docume~1\bruce\applic~1\Malwarebytes
2010-07-29 03:28:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-29 03:28:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-29 03:28:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-29 03:28:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-29 00:35:28 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-28 11:24:49 0 ----a-w- c:\documents and settings\bruce\sfcdetails.text
2010-07-28 11:06:07 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-07-28 11:06:07 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-07-28 11:06:05 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-07-28 11:06:05 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-07-28 11:06:04 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-07-28 11:05:54 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-07-28 11:05:54 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2010-07-28 11:05:53 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-07-28 11:05:51 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-07-28 11:05:46 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-07-28 11:05:44 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-07-28 11:05:02 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-07-28 11:03:59 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2010-07-28 11:02:58 12288 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2010-07-28 11:01:58 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-07-28 11:00:59 30495 -c--a-w- c:\windows\system32\dllcache\pc100nds.sys
2010-07-28 10:59:51 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-07-28 10:59:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-07-28 10:59:41 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-07-28 10:59:39 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-07-28 10:59:39 1875968 -c--a-w- c:\windows\system32\dllcache\msir3jp.lex
2010-07-28 10:59:38 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-07-28 10:59:29 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-07-28 10:59:28 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-07-28 10:59:18 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-07-28 10:59:10 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-07-28 10:59:09 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-07-28 10:59:03 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-07-28 10:59:00 34304 -c--a-w- c:\windows\system32\dllcache\migisol.exe
2010-07-28 10:57:59 18688 -c--a-w- c:\windows\system32\dllcache\irsir.sys
2010-07-28 10:56:59 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-07-28 10:55:59 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2010-07-28 10:54:59 8320 -c--a-w- c:\windows\system32\dllcache\dlttape.sys
2010-07-28 10:53:59 27164 -c--a-w- c:\windows\system32\dllcache\ce3n5.sys
2010-07-28 10:52:58 26624 -c--a-w- c:\windows\system32\dllcache\ativxbar.sys
2010-07-28 10:51:57 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-07-28 07:53:52 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-25 23:18:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-01 01:46:41 0 d-----w- c:\program files\Defraggler
2010-07-01 00:49:05 0 d-----w- c:\program files\Speccy
==================== Find3M ====================
2010-06-18 00:32:26 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-07 00:50:51 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 14:31:35 34952 ----a-w- c:\docume~1\bruce\applic~1\GDIPFONTCACHEV1.DAT
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2004-08-24 23:43:34 2609631 ----a-w- c:\program files\aawsepersonal.exe
============= FINISH: 6:14:44.87 ===============
_____________________
Is it possible to get an expert to comment on my DDS log to start my healing process? Thank you
_____________________
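The log above is long, and most of what a helper does first with a DDS "Pseudo HJT Report" is mechanical: pick out load points that point at nothing ("No File"), hidden Firefox XULRunner extensions installed in GUID-named folders under Local Settings\Application Data, any AppInit_DLLs value (which is loaded into every process that links user32.dll), extra Trusted Zone sites, Hosts overrides, and security products the WMI Security Center still lists but reports as outdated. The script below is an added example, not code from the original post, from DDS or from the Spybot forum; the sample lines are copied from the posted log, and the heuristics (the regular expressions and the "GUID-named folder under Local Settings\Application Data" rule) are this example's own assumptions.

```python
"""Triage helper for the 'Pseudo HJT Report' / FIREFOX sections of a DDS log.

Added example (not from the original post, DDS or Spybot). Heuristics are
assumptions of this example; they produce leads, not verdicts.
"""
import re

# Sample input: lines copied from the DDS log in the post (constructed subset).
SAMPLE_LOG = r"""
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
FW: Norton Internet Security *enabled* {825036E0-9F94-4752-8789-8B92454AF49B}
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
AppInit_DLLs: winmm.dll
Trusted Zone: chase.com
Trusted Zone: yahoo.com
Hosts: 127.0.0.1 A known bad url was replaced by VIPRE
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - HiddenExtension: XULRunner: {2E29E0D3-7645-46A4-AAF7-F8D2077E0E60} - c:\documents and settings\bruce\local settings\application data\{2E29E0D3-7645-46A4-AAF7-F8D2077E0E60}
"""

GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"

# Browser load points (BHO / toolbar / explorer bar) whose DLL no longer exists:
# usually leftovers of a removed program, but each is a registry entry to clean.
ORPHAN_RE = re.compile(r"^(BHO|TB|EB):\s+(?:.*?:\s+)?(" + GUID + r")\s+-\s+No File\s*$")
# Firefox extension registered outside the profile and hidden from the add-ons list.
HIDDEN_EXT_RE = re.compile(r"^FF - HiddenExtension: XULRunner:\s+(" + GUID + r")\s+-\s+(.+?)\s*$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.+?)\s*$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s+(\S+)")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(.+?)\s*$")
# Security Center registration of a product that is no longer kept up to date.
OUTDATED_RE = re.compile(r"^(AV|AS|FW):\s+(.+?)\s+\*.*\(Outdated\)")

# Folder pattern seen in the post: a GUID-named directory under the user's
# Local Settings\Application Data, holding an extension of the same GUID.
LOCAL_APPDATA = "\\local settings\\application data\\"


def triage(log_text):
    """Return the noteworthy entries of a DDS log as a dict of lists (in log order)."""
    findings = {
        "orphaned_guids": [],
        "hidden_xulrunner": [],
        "appinit_dlls": [],
        "trusted_zones": [],
        "hosts_overrides": [],
        "outdated_products": [],
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings["orphaned_guids"].append(m.group(2))
            continue
        m = HIDDEN_EXT_RE.match(line)
        if m:
            guid, path = m.group(1), m.group(2).lower()
            if LOCAL_APPDATA in path and path.endswith(guid.lower()):
                findings["hidden_xulrunner"].append(guid)
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings["appinit_dlls"].extend(re.split(r"[,\s]+", m.group(1)))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            findings["trusted_zones"].append(m.group(1))
            continue
        m = HOSTS_RE.match(line)
        if m:
            findings["hosts_overrides"].append(m.group(1) + " " + m.group(2))
            continue
        m = OUTDATED_RE.match(line)
        if m:
            findings["outdated_products"].append(m.group(2))
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, items)
```

Everything this reports is a lead for the helper to check, not a verdict: orphaned "No File" entries are most often uninstall leftovers, while a hidden XULRunner extension living in a GUID-named folder under Local Settings\Application Data is the kind of entry that gets looked at by hand. The Win32/Patched.DX report on tcpip.sys is outside what a log parser can settle, because DDS lists file names and dates but not hashes or signatures.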
Hello brucebot,
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count. For that reason we may merge such posts, but please do not count on it.
The Waiting Room (http://forums.spybot.info/forumdisplay.php?f=37)
If you have waited four days or longer for assistance, ;)
Last edited by tashi; Yesterday at 08:48 AM. Reason: Merged posts :-)
DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: winmm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = :\windows\system32\srrstr.
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 A known bad url was replaced by VIPRE
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\bruce\applic~1\mozilla\firefox\profiles\ncaq0swn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\bruce\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\bruce\my documents\my downloads\netscape6\nppl3260.dll
FF - plugin: c:\documents and settings\bruce\my documents\my downloads\netscape6\nprjplug.dll
FF - plugin: c:\documents and settings\bruce\my documents\my downloads\netscape6\nprpjplug.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XULRunner: {2E29E0D3-7645-46A4-AAF7-F8D2077E0E60} - c:\documents and settings\bruce\local settings\application data\{2E29E0D3-7645-46A4-AAF7-F8D2077E0E60}
FF - HiddenExtension: XULRunner: {555DD3E3-4087-4762-BF85-5733FE9A3DD9} - c:\documents and settings\ellen\local settings\application data\{555DD3E3-4087-4762-BF85-5733FE9A3DD9}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-4 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-26 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-26 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-26 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-26 297752]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-6-12 20968]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2004-8-11 86098]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-23 133104]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]
=============== Created Last 30 ================
2010-07-29 03:28:32 0 d-----w- c:\docume~1\bruce\applic~1\Malwarebytes
2010-07-29 03:28:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-29 03:28:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-29 03:28:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-29 03:28:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-29 00:35:28 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-28 11:24:49 0 ----a-w- c:\documents and settings\bruce\sfcdetails.text
2010-07-28 11:06:07 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-07-28 11:06:07 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-07-28 11:06:05 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-07-28 11:06:05 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-07-28 11:06:04 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-07-28 11:05:54 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-07-28 11:05:54 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2010-07-28 11:05:53 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-07-28 11:05:51 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-07-28 11:05:46 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-07-28 11:05:44 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-07-28 11:05:02 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-07-28 11:03:59 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2010-07-28 11:02:58 12288 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2010-07-28 11:01:58 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-07-28 11:00:59 30495 -c--a-w- c:\windows\system32\dllcache\pc100nds.sys
2010-07-28 10:59:51 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-07-28 10:59:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-07-28 10:59:41 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-07-28 10:59:39 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-07-28 10:59:39 1875968 -c--a-w- c:\windows\system32\dllcache\msir3jp.lex
2010-07-28 10:59:38 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-07-28 10:59:29 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-07-28 10:59:28 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-07-28 10:59:18 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-07-28 10:59:10 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-07-28 10:59:09 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-07-28 10:59:03 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-07-28 10:59:00 34304 -c--a-w- c:\windows\system32\dllcache\migisol.exe
2010-07-28 10:57:59 18688 -c--a-w- c:\windows\system32\dllcache\irsir.sys
2010-07-28 10:56:59 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-07-28 10:55:59 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2010-07-28 10:54:59 8320 -c--a-w- c:\windows\system32\dllcache\dlttape.sys
2010-07-28 10:53:59 27164 -c--a-w- c:\windows\system32\dllcache\ce3n5.sys
2010-07-28 10:52:58 26624 -c--a-w- c:\windows\system32\dllcache\ativxbar.sys
2010-07-28 10:51:57 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-07-28 07:53:52 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-25 23:18:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-01 01:46:41 0 d-----w- c:\program files\Defraggler
2010-07-01 00:49:05 0 d-----w- c:\program files\Speccy
==================== Find3M ====================
2010-06-18 00:32:26 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-07 00:50:51 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 14:31:35 34952 ----a-w- c:\docume~1\bruce\applic~1\GDIPFONTCACHEV1.DAT
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2004-08-24 23:43:34 2609631 ----a-w- c:\program files\aawsepersonal.exe
============= FINISH: 6:14:44.87 ===============
Is it possible to get an expert to comment on my DDS log to start my healing process? Thank you
Hello brucebot,
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count. For that reason we may merge such posts, but please do not count on it.
Last edited by tashi; Yesterday at 08:48 AM. Reason: Merged posts :-)
The Waiting Room (http://forums.spybot.info/forumdisplay.php?f=37)
If you have waited four days or longer for assistance, ;)