Had Malware Doctor problem and then it got better, or so I thought
tigerdood
2010-08-21, 05:41
Here are the details of my problem. Hope someone can help. I began getting weird popups in my Firefox browser saying my computer was infected and to download Malware Doctor (I later found out it was a virus). Then AVG 9.0 told me I had trojans and viruses. I ran the following tools to help clean my laptop:
AVG 9.0
Spybot search and Destroy
CWS Shredder
AdAware
Malware Bytes
After running these programs I had no more notifications of problems, BUT I am still getting a popup from AVG 9.0 telling me (a few minutes after starting my computer) that a Trojan was blocked. Now my computer is running a little slower and I am fearful of logging into my online bank account due to fears of a virus getting my personal banking or email passwords.
To make things worse I can't download the DDS program (the file downloads as a binary file and won't run?). Not sure what is going on but would appreciate the help.
I run Windows XP.
Forgot to mention that I am still getting popup windows in Firefox with links to spam sites.
-----------------------------------
Any chance I can get some help?
-----------------------------------
Waiting for help in the Malware Forum FOUR days or longer? (http://forums.spybot.info/showthread.php?t=1137)
Hello & Welcome to Safer-Networking
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
In the meantime please note the following:
Any recommendations made are for your computer problems only and should NOT be used on any other computer.
Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
If you get stuck or are unsure of something please ask for a further explanation, do not guess.
It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean!, even if symptoms seemingly abate. Please note that the forum is very busy and if I don't hear from you within four days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to backup any personal files and folders before you start.
Thanks
DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)
Double-Click on dds.scr and a command window will appear. This is normal
Shortly after two logs will appear, DDS.txt & Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here (http://www.gmer.net/download.php) & save it to your desktop.
Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
http://i28.photobucket.com/albums/c227/tetonbob/gmer_th.gif (http://i28.photobucket.com/albums/c227/tetonbob/gmer_screen2-1.gif)
Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following:
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Do not run any programs while Gmer is running.
NOTE: If you cannot run GMER as indicated above, save a scan from the initial startup scan.
Before scanning, make sure all other running programs are closed & no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan
Double click the gmer.exe file
The program will begin to run & perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No
After the "initial scan" is complete, click on the Save button, save the log file to your desktop & post it in your reply
To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
tigerdood
2010-08-26, 03:28
Thanks for the help! Well I ran into a problem right at the start. I can't download the DDS or the GMER programs. My laptop is old but I don't think it's THAT old.
Here is a screen shot of the icons when I download them onto my laptop.
http://i36.tinypic.com/ncmqew.jpg
What should I do?
So is the problem actually downloading them or running them?
If it is downloading them, try downloading from a known clean computer then transfer them to the infected machine via some type of removable media - a cd would be the safest way.
If it is running them, then it may be a file association error. Do you get any error messages?
You could try renaming DDS to DDS.com or DDS.pif
Same with Gmer change the Gmer file extension to .com or .pif
tigerdood
2010-08-26, 07:36
Here is the error when I try to download the DDS file #1
http://i38.tinypic.com/bgxowx.jpg
Here is the screen when I try to download the DDS file #2
http://i36.tinypic.com/n1s2lc.jpg
Here is the screen when I try to download the Gmer file
http://i38.tinypic.com/2klmdd.jpg
I tried adding the .com and .pif extensions and it still doesn't work. I can download other items but not these programs. I don't have access to another computer to download these files onto a CD. I have AVG running, could it be that it's blocking these files from downloading? If I turn it off how vulnerable will my computer be?
Thanks
Hi
We'll try one more thing before trying another set of tools. Re-boot your computer & when it restarts quickly tap the f8 key to bring up the Windows Advanced Options Menu. Scroll down to Safe mode with Networking & press Enter. This will bring you into Safe Mode but still give you Internet access.
Delete the copies of DDS & Gmer you already have & try to download & run them again from within Safe Mode
tigerdood
2010-08-27, 07:57
Thanks for the suggestion! I was able to download the links for DDS and Gmer in Safe Mode with Networking like you suggested. But there is bad news: when I ran the Gmer program it took 3 hours to scan and then when it was done, there was no link to save the file (because the screen was cut off in Safe Mode). Any suggestions?
I was however able to get the 2 DDS logs. They are both below:
DDS ATTACH log
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 6/5/2007 6:40:45 PM
System Uptime: 8/26/2010 7:34:32 PM (0 hours ago)
Motherboard: Hewlett-Packard | | 002A
Processor: Mobile Intel(R) Celeron(R) CPU 1.80GHz | WMT478/NWD | 1794/mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 28 GiB total, 5.989 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP435: 5/21/2010 7:36:08 PM - System Checkpoint
RP436: 6/7/2010 8:12:50 PM - System Checkpoint
RP437: 6/8/2010 9:33:44 PM - System Checkpoint
RP438: 6/10/2010 8:50:04 PM - System Checkpoint
RP439: 6/11/2010 11:47:00 PM - System Checkpoint
RP440: 6/14/2010 8:00:41 PM - System Checkpoint
RP441: 6/17/2010 10:31:18 PM - System Checkpoint
RP442: 6/19/2010 10:32:25 PM - System Checkpoint
RP443: 7/8/2010 9:34:35 PM - Avg8 Update
RP444: 7/10/2010 10:32:32 AM - Avg8 Update
RP445: 7/10/2010 10:35:08 AM - Avg8 Update
RP446: 7/15/2010 7:56:02 PM - System Checkpoint
RP447: 7/16/2010 8:45:27 PM - System Checkpoint
RP448: 7/19/2010 7:31:31 PM - System Checkpoint
RP449: 7/19/2010 9:34:13 PM - Removed Logitech Vid.
RP450: 7/19/2010 9:35:44 PM - Removed Logitech Vid.
RP451: 7/19/2010 9:38:20 PM - Removed Logitech Vid.
RP452: 7/19/2010 10:36:38 PM - Removed Logitech Vid.
RP453: 7/19/2010 10:41:18 PM - Removed Bonjour
RP454: 7/21/2010 12:12:54 PM - 7-21-10
RP455: 7/22/2010 10:00:42 PM - Installed AVG 9.0
RP456: 7/26/2010 10:21:52 PM - Avg8 Update
RP457: 7/26/2010 10:31:30 PM - Avg Update
RP458: 8/17/2010 10:21:14 PM - System Checkpoint
RP459: 8/21/2010 7:23:41 PM - System Checkpoint
==== Installed Programs ======================
Ad-Aware
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
Apple Mobile Device Support
Apple Software Update
AVG 9.0
Compatibility Pack for the 2007 Office system
Hotfix for Windows XP (KB909394)
iTunes
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech Video Enumerator
Logitech® Camera Driver
Malwarebytes' Anti-Malware
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.11)
MVision
Skype™ 4.2
Spybot - Search & Destroy
upapp
Update for Windows XP (KB898461)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows XP Service Pack 2
==== Event Viewer Messages From Past Week ========
8/26/2010 7:39:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/26/2010 7:35:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 cdudf_xp Fips intelppm
8/26/2010 7:35:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/22/2010 12:52:37 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
8/22/2010 12:52:37 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Ati HotKey Poller service to connect.
8/22/2010 12:52:37 PM, error: Service Control Manager [7000] - The Ati HotKey Poller service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/22/2010 12:52:34 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
8/22/2010 12:52:34 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
==== End Of File ===========================
Here is the DDS log
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by JR at 19:42:55.72 on Thu 08/26/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.623 [GMT -5:00]
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\TEMP.CPQ73745201364\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
uWindow Title = Microsoft Internet Explorer provided by Compaq
uSearch Bar = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=1c02&lc=0409
mDefault_Page_URL = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
uInternet Connection Wizard,ShellNext = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_03\bin\npjpi150_03.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\temp~1.cpq\applic~1\mozilla\firefox\profiles\h8dy4cw1.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
============= SERVICES / DRIVERS ===============
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-6 52872]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-6 243024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1355416]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2003-3-7 16512]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-6 216400]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-6 29584]
S2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-26 921952]
S2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-26 308136]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [2003-3-7 26112]
S3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [2003-3-7 291328]
S3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2003-3-7 244608]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;c:\windows\system32\drivers\Express.sys [2003-3-7 57344]
=============== Created Last 30 ================
2010-08-05 02:36:16 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-03 04:47:05 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-02 04:54:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-29 04:54:42 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-29 04:52:23 0 d-----w- c:\program files\Lavasoft
==================== Find3M ====================
2010-08-27 00:15:48 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-27 03:29:09 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-27 03:29:03 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-27 03:28:08 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-27 03:28:03 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-07-19 03:13:10 0 ----a-w- c:\windows\system32\drivers\rhckjr.sys
============= FINISH: 19:45:06.85 ===============
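As an added example that is not part of this thread and not code from the DDS tool or the forum: a small Python triage script over DDS-format lines like those in the log above. It splits the log on the "==== Section ====" banners and flags the three things a helper would look at first in this log: a Hosts entry pointing a non-localhost name at 127.0.0.1, BHO/toolbar entries whose file is missing, and a 0-byte .sys under system32\drivers. The section names, finding labels, the constructed sample log and the heuristics themselves are this example's own assumptions, not DDS conventions or a verdict on the machine.

```python
"""Triage helper for DDS-format logs (added example; heuristics are illustrative)."""
import re

# Constructed sample: a few lines in the DDS layout seen in the thread, not a full log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 127.0.0.1 localhost
================= FIREFOX ===================
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava11.dll
==================== Find3M ====================
2010-08-27 00:15:48 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-27 03:29:09 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-19 03:13:10 0 ----a-w- c:\windows\system32\drivers\rhckjr.sys
============= FINISH: 19:45:06.85 ===============
"""

# "==== Name ====" banners delimit sections; "---- FIREFOX POLICIES ----" stays inside FIREFOX.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Find3M rows: date time size attributes path
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def split_sections(text):
    """Return {section_name: [non-empty lines]} keyed by the banner titles."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def hosts_findings(hjt_lines):
    """Hosts entries that map a name other than localhost to a loopback address.
    Malware commonly does this to keep the victim away from security vendors' sites."""
    out = []
    for line in hjt_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "Hosts:":
            continue
        addr, name = parts[1], parts[2].lower()
        if addr.startswith("127.") and name != "localhost":
            out.append(("hosts_block", name))
    return out


def orphaned_findings(hjt_lines):
    """BHO / toolbar / explorer-bar registrations whose DLL is gone ("No File").
    Usually leftovers of an uninstall, but a helper lists them so they can be cleaned."""
    out = []
    for line in hjt_lines:
        kind = line.split(":", 1)[0]
        if kind in ("BHO", "TB", "EB") and line.endswith("- No File"):
            m = CLSID_RE.search(line)
            out.append(("orphaned_entry", m.group(0) if m else line))
    return out


def zero_byte_driver_findings(find3m_lines):
    """A .sys file of 0 bytes under system32\\drivers cannot be a working driver;
    such entries are worth asking about before any cleanup is scripted."""
    out = []
    for line in find3m_lines:
        m = FIND3M_RE.match(line)
        if not m:
            continue
        size, path = int(m.group(3)), m.group(5).lower()
        if size == 0 and "\\drivers\\" in path and path.endswith(".sys"):
            out.append(("zero_byte_driver", path))
    return out


def triage(text):
    """Run all three checks over a DDS log and return (label, detail) tuples."""
    sections = split_sections(text)
    hjt = sections.get("Pseudo HJT Report", [])
    find3m = sections.get("Find3M", [])
    return hosts_findings(hjt) + orphaned_findings(hjt) + zero_byte_driver_findings(find3m)


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG):
        print(f"{label:18s} {detail}")
```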
Hi
WARNING!!!
You are running a version of Windows that is no longer supported. You need to be aware that once an operating system is no longer supported there will be no further Microsoft Updates issued for that operating system. If you are running XP SP2, or running Vista with no Service Packs installed, be forewarned that those unpatched operating systems will soon become prime targets for malware infestations unless you take steps to bring them up to date by installing the required Service Pack for your system.
http://windows.microsoft.com/en-us/windows/help/what-does-end-of-support-mean
Support for Windows Vista without any service packs ended on April 13, 2010. To continue support, make sure you've installed Windows Vista SP2.
Support for Windows XP with Service Pack 2 (SP2) ended on July 13, 2010. To continue support, make sure you've installed Windows XP Service Pack 3 (SP3).
IMPORTANT: The above mentioned Service Packs should only be installed on a malware free computer.
So wait until I have given the All Clean.
NOTE: 64 bit Windows XP SP2 will still receive security updates as there is no SP3 for 64 bit XP.
Support for Windows XP SP1 ended on October 10, 2006.
Leave Gmer for now. We'll come back to it if needed.
Stay in Safe Mode with Networking for this next instruction as you will need to download another tool. If ComboFix needs to reboot the computer, make sure you boot back to Safe Mode to allow it to finish. Once it has produced its log, then re-boot back to Normal Mode:
ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
**IMPORTANT !!! Save ComboFix.exe to your Desktop**
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click on ComboFix.exe & follow the prompts
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
To post in next reply:
ComboFix log
Update on how the computer is running
tigerdood
2010-08-28, 20:47
Thanks so much for all your help! If this works then you guys have saved me from purchasing a new laptop. Is there a place I can make a donation for your help?
I'm still testing out my computer but so far everything seems to be running ok (after Combofix I reactivated my AVG 9 virus detection) and below is the log file.
Is it ok to download the service packs you referenced?
COMBO FIX FILE
ComboFix 10-08-27.03 - JR 2008 08/28/2010 12:08:10.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.605 [GMT -5:00]
Running from: c:\documents and settings\TEMP.CPQ73745201364\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\certstore.dat
c:\windows\system32\dfttuyo.txt
c:\windows\system32\Install.txt
----- BITS: Possible infected sites -----
hxxp://download.yimg.com
Infected copy of c:\windows\system32\drivers\pcmcia.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Service_6to4
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-28 )))))))))))))))))))))))))))))))
.
2010-08-27 00:39 . 2010-08-27 00:39 -------- d-----w- c:\documents and settings\TEMP.CPQ73745201364\Local Settings\Application Data\AVG Security Toolbar
2010-08-27 00:36 . 2010-08-27 00:36 -------- d-----w- c:\documents and settings\TEMP.CPQ73745201364\Local Settings\Application Data\Mozilla
2010-08-05 02:36 . 2010-08-05 02:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-03 04:47 . 2010-08-03 04:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-02 18:25 . 2010-08-02 18:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-02 04:54 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-28 17:23 . 2010-03-28 19:27 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-08-24 04:24 . 2010-03-28 17:34 -------- d-----w- c:\documents and settings\JR 2008\Application Data\Skype
2010-08-03 13:39 . 2007-10-30 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-29 04:55 . 2010-07-29 04:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-29 04:52 . 2010-07-29 04:52 -------- d-----w- c:\program files\Lavasoft
2010-07-29 04:52 . 2009-01-04 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-29 04:46 . 2010-07-23 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-07-27 03:29 . 2009-01-07 02:19 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-27 03:29 . 2010-07-27 03:29 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-27 03:29 . 2009-01-07 02:19 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-07-27 03:28 . 2009-01-07 02:19 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-27 03:28 . 2009-01-07 02:20 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-07-23 03:01 . 2010-07-23 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-07-23 03:01 . 2009-01-07 02:19 -------- d-----w- c:\program files\AVG
2010-07-21 04:18 . 2007-06-05 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-21 04:18 . 2008-07-10 04:25 -------- d-----w- c:\program files\FolderAccess
2010-07-20 04:06 . 2010-07-20 04:06 -------- d-----w- c:\documents and settings\JR 2008\Application Data\Malwarebytes
2010-07-20 04:05 . 2010-07-20 04:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 04:05 . 2010-07-20 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-20 03:36 . 2010-03-28 19:18 -------- d-----w- c:\program files\Logitech
2010-07-20 03:11 . 2010-07-20 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
2010-07-19 03:13 . 2010-07-19 03:06 0 ----a-w- c:\windows\system32\drivers\rhckjr.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 15:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-27 2065760]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-27 03:29 12536 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^JR 2008^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\documents and settings\JR 2008\Start Menu\Programs\Startup\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2007-08-12 23:26 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2002-08-15 01:29 290816 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2002-10-23 21:19 176197 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Display Settings]
2002-08-15 14:26 45056 ----a-w- c:\program files\HPQ\Notebook Utilities\hptasks.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-11-03 19:56 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 18:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-02-08 07:12 488984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-02-08 07:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
2001-12-12 15:05 36864 ----a-w- c:\hp\drivers\printers\photosmart\HPHprld.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QT4HPOT]
2003-01-30 22:53 106496 ----a-w- c:\program files\HPQ\One-Touch\ONETOUCH.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
2001-07-24 21:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-04-13 08:48 36975 ----a-w- c:\program files\Java\jre1.5.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2003-01-03 13:11 577536 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2003-01-03 13:12 126976 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2003-03-07 16:57 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SavRoam"=3 (0x3)
"NICSer_WPC54G"=2 (0x2)
"LiveUpdate"=3 (0x3)
"HPWirelessMgr"=2 (0x2)
"HPConfig"=2 (0x2)
"gusvc"=3 (0x3)
"LckFldService"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/6/2009 9:20 PM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/6/2009 9:19 PM 216400]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/6/2009 9:19 PM 243024]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/26/2010 10:28 PM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/26/2010 10:28 PM 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 3:55 AM 1355416]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [3/7/2003 11:42 AM 291328]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [3/7/2003 11:42 AM 244608]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [3/7/2003 11:38 AM 16512]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [3/7/2003 11:39 AM 26112]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 10:22 PM 15008]
S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;c:\windows\system32\drivers\Express.sys [3/7/2003 11:39 AM 57344]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/19/2007 5:12 PM 715248]
.
Contents of the 'Scheduled Tasks' folder
2010-08-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 03:22]
2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\JR 2008\Application Data\Mozilla\Firefox\Profiles\d5hq0fq3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - HiddenExtension: XULRunner: {3E5880AA-84A0-4D93-93DA-52E8EFD93CE6} - c:\documents and settings\JR 2008\Local Settings\Application Data\{3E5880AA-84A0-4D93-93DA-52E8EFD93CE6}
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
Notify-NavLogon - (no file)
MSConfigStartUp-070700Setup - c:\documents and settings\JR 2008\Application Data\CD0DAF0C9C56A4650FD675EEF6E0A157\070700Setup.exe
MSConfigStartUp-Cheyefoqesodamap - c:\windows\exafiziwesifi.dll
MSConfigStartUp-Fvibotoced - c:\windows\FCowcp.dll
MSConfigStartUp-MChk - c:\windows\system32\feazp.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
MSConfigStartUp-pfqykkcl - c:\documents and settings\JR 2008\Local Settings\Application Data\fmprpitlg\sptylkvtssd.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-sta - seazp.dll
MSConfigStartUp-sxuluj - c:\windows\system32\msmxjchn.dll
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\VPTray.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-28 12:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\wdfmgr.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-08-28 12:40:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-28 17:39
Pre-Run: 6,865,301,504 bytes free
Post-Run: 7,285,133,312 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 40895D3B22D680C06CEB7012BE9D0ADD
Hi
Leave updating to Service Pack 3 for the time being. There are still signs of infection & that could cause you problems while trying to install SP 3.
GooredFix
Download GooredFix from one of the locations below & save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Ensure all Firefox windows are closed
To run the tool, double-click it
When prompted to run the scan, click Yes
GooredFix will check for infections, then a log will appear. Post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt)
CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:
http://forums.spybot.info/showthread.php?t=59089
Collect::
c:\windows\system32\drivers\rhckjr.sys
File::
c:\documents and settings\JR 2008\Start Menu\Programs\Startup\Antimalware Doctor.lnk
c:\windows\pss\Antimalware Doctor.lnkStartup
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^JR 2008^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
To post in next reply:
GooredFix log
ComboFix log
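The ORPHANS REMOVED section of the ComboFix log above is where most of the infection is visible: autostart values with random names pointing at DLLs dropped straight into c:\windows or system32, a bare "seazp.dll" that Windows would resolve through the search order, and an EXE sitting in a hex-named Application Data folder. As an added example (not part of this thread, and not anything ComboFix or the helper ran), the Python script below parses those autostart lines out of the log and scores each target with location and name-randomness heuristics. The sample lines are copied from the log above; the rules, weights and threshold are this example's own choices.

```python
import re
from typing import List, Tuple

# Autostart lines copied from the ComboFix log posted earlier in this thread
# (two msconfig\startupreg entries, the Startup-folder entry and the
# ORPHANS REMOVED section), trimmed to what this example needs.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 18:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKLM\~\startupfolder\C:^Documents and Settings^JR 2008^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\documents and settings\JR 2008\Start Menu\Programs\Startup\Antimalware Doctor.lnk
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-070700Setup - c:\documents and settings\JR 2008\Application Data\CD0DAF0C9C56A4650FD675EEF6E0A157\070700Setup.exe
MSConfigStartUp-Cheyefoqesodamap - c:\windows\exafiziwesifi.dll
MSConfigStartUp-Fvibotoced - c:\windows\FCowcp.dll
MSConfigStartUp-MChk - c:\windows\system32\feazp.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
MSConfigStartUp-pfqykkcl - c:\documents and settings\JR 2008\Local Settings\Application Data\fmprpitlg\sptylkvtssd.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-sta - seazp.dll
MSConfigStartUp-sxuluj - c:\windows\system32\msmxjchn.dll
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\VPTray.exe
"""

HEADER_RE = re.compile(r"\[.*\\(?:startupreg|startupfolder)\\(.+)\]$")
TARGET_RE = re.compile(r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2} +\d+ +\S+ +|path=)(.+)$")
ORPHAN_RE = re.compile(r"^(?:MSConfigStartUp|HKU-Default-Run)-(.+?) - (.+)$")
VOWELS = set("aeiou")

def parse_autostarts(log: str) -> List[Tuple[str, str]]:
    """(entry name, target path) pairs from the ComboFix sections shown above."""
    entries, pending = [], None
    for line in log.splitlines():
        if m := HEADER_RE.match(line):
            name = m.group(1).split("^")[-1]          # startupfolder keys use ^ as separator
            pending = name[:-4] if name.lower().endswith(".lnk") else name
        elif pending and (m := TARGET_RE.match(line)):
            entries.append((pending, m.group(1)))
            pending = None
        elif m := ORPHAN_RE.match(line):
            entries.append((m.group(1), m.group(2)))
    return entries

def consonant_run(text: str) -> int:
    """Longest run of consecutive consonants; digits, spaces and punctuation break a run."""
    run = best = 0
    for ch in text.lower():
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def vowel_ratio(text: str) -> float:
    letters = [c for c in text.lower() if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0

def score_entry(name: str, path: str) -> Tuple[int, List[str]]:
    """Heuristic score for one autostart entry. The rules and weights are this
    example's own choices, not anything ComboFix computes."""
    p = path.lower()
    directory, _, filename = p.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    rules = [
        (3, "bare file name, found via the DLL/EXE search order", not directory),
        (2, "dropped straight into %windir% or system32",
         directory in ("c:\\windows", "c:\\windows\\system32")),
        (2, "runs from the user-writable Application Data tree", "\\application data\\" in p),
        (2, "hex-blob directory name",
         any(re.fullmatch(r"[0-9a-f]{16,}", part) for part in p.split("\\"))),
        (1, "autostart target is a DLL (rundll32-style load)", filename.endswith(".dll")),
        (2, "unpronounceable file name", consonant_run(stem) >= 5),
        (1, "vowel-poor file name", vowel_ratio(stem) < 0.25),
        (1, "random-looking value name", consonant_run(name) >= 4),
    ]
    hits = [(points, why) for points, why, fired in rules if fired]
    return sum(points for points, _ in hits), [why for _, why in hits]

def triage(log: str, threshold: int = 3) -> List[Tuple[str, str, int, List[str]]]:
    """Entries scoring at or above the threshold, highest score first."""
    rows = [(n, p, *score_entry(n, p)) for n, p in parse_autostarts(log)]
    return sorted((r for r in rows if r[2] >= threshold), key=lambda r: -r[2])

def flagged_names(log: str, threshold: int = 3) -> List[str]:
    return [name for name, _, _, _ in triage(log, threshold)]

if __name__ == "__main__":
    for name, path, score, why in triage(SAMPLE_LOG):
        print(f"{score:2d}  {name:<18} {path}\n    " + "; ".join(why))
```

Run as-is it flags the seven random-named entries and leaves iTunes, TeaTimer, Picasa, Yahoo Messenger and QuickTime alone. Two results are worth noticing before trusting a scorer like this: Symantec's vptray scores 2 (a near miss on the consonant-run rule, so calibrate the threshold against known-good entries), and Antimalware Doctor.lnk scores 0 because it lives in the legitimate Startup folder under a plausible product name; the helper caught that one by recognising the rogue's name, which no naming heuristic can do.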
tigerdood
2010-08-29, 07:45
Sorry, after my last post I was so excited because I thought I was in the clear so I activated AVG 9 and ran a virus scan and deleted 2 items that were detected (http://i37.tinypic.com/2n8wl0j.jpg)
The two logs are below
GooredFix log
GooredFix by jpshortstuff (03.07.10.1)
Log created at 23:09 on 28/08/2010 (JR 2008)
Firefox version 3.5.11 (en-US)
========== GooredScan ==========
(none)
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{3E5880AA-84A0-4D93-93DA-52E8EFD93CE6} -> Success!
Deleting C:\Documents and Settings\JR 2008\Local Settings\Application Data\{3E5880AA-84A0-4D93-93DA-52E8EFD93CE6} -> Success!
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:51 05/06/2007]
C:\Documents and Settings\JR 2008\Application Data\Mozilla\Firefox\Profiles\d5hq0fq3.default\extensions\
(none)
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [03:01 23/07/2010]
"avg@igeared"="C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared" [03:01 23/07/2010]
-=E.O.F=-
ComboFix log
ComboFix 10-08-27.03 - JR 2008 08/28/2010 23:19:14.2.1 - x86
Running from: c:\documents and settings\JR 2008\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\JR 2008\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\documents and settings\JR 2008\Start Menu\Programs\Startup\Antimalware Doctor.lnk"
"c:\windows\pss\Antimalware Doctor.lnkStartup"
file zipped: c:\windows\system32\drivers\rhckjr.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\rhckjr.sys
.
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-29 )))))))))))))))))))))))))))))))
.
2010-08-29 04:07 . 2010-08-29 04:13 -------- d-----w- c:\windows\LastGood
2010-08-27 00:39 . 2010-08-27 00:39 -------- d-----w- c:\documents and settings\TEMP.CPQ73745201364\Local Settings\Application Data\AVG Security Toolbar
2010-08-27 00:36 . 2010-08-27 00:36 -------- d-----w- c:\documents and settings\TEMP.CPQ73745201364\Local Settings\Application Data\Mozilla
2010-08-05 02:36 . 2010-08-05 02:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-03 04:47 . 2010-08-03 04:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-02 18:25 . 2010-08-02 18:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-02 04:54 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-29 04:04 . 2010-03-28 19:27 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-08-24 04:24 . 2010-03-28 17:34 -------- d-----w- c:\documents and settings\JR 2008\Application Data\Skype
2010-08-03 13:39 . 2007-10-30 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-29 04:55 . 2010-07-29 04:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-29 04:52 . 2010-07-29 04:52 -------- d-----w- c:\program files\Lavasoft
2010-07-29 04:52 . 2009-01-04 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-29 04:46 . 2010-07-23 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-07-27 03:29 . 2009-01-07 02:19 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-27 03:29 . 2010-07-27 03:29 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-27 03:29 . 2009-01-07 02:19 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-07-27 03:28 . 2009-01-07 02:19 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-27 03:28 . 2009-01-07 02:20 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-07-23 03:01 . 2010-07-23 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-07-23 03:01 . 2009-01-07 02:19 -------- d-----w- c:\program files\AVG
2010-07-21 04:18 . 2007-06-05 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-21 04:18 . 2008-07-10 04:25 -------- d-----w- c:\program files\FolderAccess
2010-07-20 04:06 . 2010-07-20 04:06 -------- d-----w- c:\documents and settings\JR 2008\Application Data\Malwarebytes
2010-07-20 04:05 . 2010-07-20 04:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 04:05 . 2010-07-20 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-20 03:36 . 2010-03-28 19:18 -------- d-----w- c:\program files\Logitech
2010-07-20 03:11 . 2010-07-20 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
2010-07-12 08:56 . 2010-07-29 04:54 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 15:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-27 2065760]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-27 03:29 12536 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2007-08-12 23:26 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2002-08-15 01:29 290816 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2002-10-23 21:19 176197 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Display Settings]
2002-08-15 14:26 45056 ----a-w- c:\program files\HPQ\Notebook Utilities\hptasks.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-11-03 19:56 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 18:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-02-08 07:12 488984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-02-08 07:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
2001-12-12 15:05 36864 ----a-w- c:\hp\drivers\printers\photosmart\HPHprld.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QT4HPOT]
2003-01-30 22:53 106496 ----a-w- c:\program files\HPQ\One-Touch\ONETOUCH.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
2001-07-24 21:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-04-13 08:48 36975 ----a-w- c:\program files\Java\jre1.5.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2003-01-03 13:11 577536 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2003-01-03 13:12 126976 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2003-03-07 16:57 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SavRoam"=3 (0x3)
"NICSer_WPC54G"=2 (0x2)
"LiveUpdate"=3 (0x3)
"HPWirelessMgr"=2 (0x2)
"HPConfig"=2 (0x2)
"gusvc"=3 (0x3)
"LckFldService"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/6/2009 9:20 PM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/6/2009 9:19 PM 216400]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/6/2009 9:19 PM 243024]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/26/2010 10:28 PM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/26/2010 10:28 PM 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 3:55 AM 1355416]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [3/7/2003 11:42 AM 291328]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [3/7/2003 11:42 AM 244608]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [3/7/2003 11:38 AM 16512]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [3/7/2003 11:39 AM 26112]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 10:22 PM 15008]
S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;c:\windows\system32\drivers\Express.sys [3/7/2003 11:39 AM 57344]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/19/2007 5:12 PM 715248]
.
Contents of the 'Scheduled Tasks' folder
2010-08-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 03:22]
2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\JR 2008\Application Data\Mozilla\Firefox\Profiles\d5hq0fq3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-28 23:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-08-28 23:33:12
ComboFix-quarantined-files.txt 2010-08-29 04:33
ComboFix2.txt 2010-08-28 17:40
Pre-Run: 7,955,673,088 bytes free
Post-Run: 7,916,666,880 bytes free
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - E2D589C2FCEE733A200217F45CB7CC2F
Upload was successful
Hi
Sorry, after my last post I was so excited because I thought I was in the clear so I activated AVG 9 and ran a virus scan and deleted 2 items that were detected
Those items were infected System Restore points. They would have caused no harm unless one of the restore points was used.
It's really not a good idea to delete anything from the System Volume Information folder, as it corrupts restore points & they are no longer usable. Having an infected restore point is better than having no restore points to fall back on if things go pear shaped.
When we're done we can clear all old restore points & create a new clean one.
In the meantime, give me a bit to go through these latest logs.... Be back soon
Hi again
Just some information for you:
Why you should not be using MSconfig to control startups!!
1. MSconfig was designed to be used only as a temporary debugging/troubleshooting tool. It was not meant to be used for long term solutions.
2. MSconfig does not show all startups anyway.
3. If you uninstall programs while they are disabled with MSconfig, they will not be uninstalled properly and you will have to resort to manual registry editing to get everything removed. MSconfig will leave orphan entries if/when installed software is uninstalled while under the control of MSconfig. When/if MSconfig is turned back to normal startup, it will give errors on boot due to those orphan entries.
4. MSconfig and Services:
If you uninstall programs while some of their services are being controlled with MSconfig, the programs will not be uninstalled properly and you will have to resort to manual registry editing to get everything properly removed.
When you uncheck a service in msconfig, you completely disable it. If you uncheck the wrong one, you may not be able to restart your computer.
It is safer to control services by using Control Panel, Administrative Tools, Services (this runs services.msc).
5. You can lock malware items into your registry that you may not see anymore until some point in time where you switch back to Normal Startup mode and now you can cause total reinfection of your PC with the malware. You need to remove the malware not mask it.
If you still don't understand why not to use MSconfig, see what Microsoft writes Here (http://support.microsoft.com/kb/310560)
The System Configuration utility helps you find problems with your Windows XP configuration. It does not manage the programs that run when Windows starts.
TFC (Temp File Cleaner)
Download TFC (Temp File Cleaner) by Old Timer Here (http://oldtimer.geekstogo.com/TFC.exe) & save it to your desktop.
Save any unsaved work. TFC Cleaner will close all open application windows
Double-click TFC.exe to run the program, your desktop will temporarily disappear
If prompted, click Yes to reboot
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take any longer than a couple of minutes & may only take a few seconds. Only if needed will you be prompted to reboot.
Kaspersky Online Scan
Please make sure that all programs are closed when installing Java. Click here (http://java.sun.com/javase/downloads/index.jsp) to visit Java's website
Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)"
Click the orange Download JRE button to the right
Select Windows from the drop-down list for Platform
Select Multi-language from the drop-down list for Language
Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue
Click on jre-6u21-windows-i586.exe link to download it and save this to a convenient location
Double click on jre-6u21-windows-i586.exe to install Java
After the Java installation has finished, go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan
Read through the requirements and privacy statement and click on Accept button
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
When the downloads have finished, click on Settings
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan
Once the scan is complete, it will display the results. Click on View Scan Report
You will see a list of infected items there. Click on Save Report As...
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
Post this log in your next reply
This scan will take quite some time to update & scan, so be patient with it.
To post in next reply:
Kaspersky Online Scan log
Update on how the computer is running
tigerdood
2010-08-30, 09:14
Thanks. Here is the Kaspersky log.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, August 30, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 29, 2010 21:34:11
Records in database: 4168498
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Objects scanned: 70699
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 04:16:49
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pcmcia.sys.vir Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP457\A0153960.bat Infected: Trojan.Win32.Agent.bdgn 1
Selected area has been scanned.
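Added example, not part of the thread: a small Python triage of report lines in the layout of the Kaspersky Online Scanner 7.0 log above. It separates detections that sit in already-contained locations (ComboFix's Qoobox quarantine and old System Restore points, both of which the later cleanup steps remove) from hits on live files, which is the reasoning behind calling a log like this one clean. The third report line is a constructed example path, not something found on the poster's machine.

```python
import re

# Report lines as posted in the thread (the two real findings).
THREAD_REPORT = """\
File name / Threat / Threats count
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\Drivers\\pcmcia.sys.vir Infected: Virus.Win32.TDSS.b 1
C:\\System Volume Information\\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\\RP457\\A0153960.bat Infected: Trojan.Win32.Agent.bdgn 1
"""

# Constructed extra line (hypothetical file name) showing what a live hit would look like.
SAMPLE_REPORT = THREAD_REPORT + (
    "C:\\WINDOWS\\system32\\drivers\\example-live.sys Infected: Virus.Win32.TDSS.b 1\n"
    "Selected area has been scanned.\n"
)

# Path prefixes (lower-cased) where a detection is already contained rather than active.
CONTAINED_MARKERS = (
    "\\qoobox\\quarantine\\",                  # ComboFix quarantine; gone after ComboFix /Uninstall
    "\\system volume information\\_restore",  # old System Restore points; cleared with cleanmgr
)

# "<path> Infected: <threat> <count>"; the path may contain spaces, so match it non-greedily.
LINE_RE = re.compile(r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")


def triage(report: str) -> dict[str, list[dict]]:
    """Parse detection lines and bucket them as 'contained' or 'live'."""
    buckets: dict[str, list[dict]] = {"contained": [], "live": []}
    for line in report.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # header, footer and statistics lines are not detections
        entry = match.groupdict()
        entry["count"] = int(entry["count"])
        lower_path = entry["path"].lower()
        contained = any(marker in lower_path for marker in CONTAINED_MARKERS)
        buckets["contained" if contained else "live"].append(entry)
    return buckets


def verdict(report: str) -> str:
    """'clean' when every detection is in a contained location, else 'needs action'."""
    return "clean" if not triage(report)["live"] else "needs action"
```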
Hi
Looks good.
Clean Up
Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove ComboFix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
OTC
Download OTC by Old Timer here (http://oldtimer.geekstogo.com/OTC.exe) & save it to your desktop.
Double click on OTC.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
You can delete the following from your desktop:
TFC.exe
GooredFix.exe
The Gmer.exe file (it will be randomly named .exe file)
Any logs that may have been saved to your desktop
Any problems?
If not, you can now update your computer to Windows XP Service Pack 3. You can download it here:
Windows XP Service Pack 3 (http://www.microsoft.com/downloads/details.aspx?FamilyId=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en)
While you're updating, you should also update both Internet Explorer & Firefox as the older versions you have are subject to exploitation:
Internet Explorer 8 (http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx)
Firefox 3.6.8 (http://www.mozilla.com/en-US/firefox/personal.html)
All Clean
Now that your system is safe we would like you to keep it that way.
Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.
Create a Clean System Restore Point
Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and click OK
Ensure the boxes for Temporary Files & Temporary Internet Files are checked. You can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore click Clean up... and click Yes to the prompt
Click OK and Yes to confirm.
Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates
Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can find a tutorial here (http://thespykiller.co.uk/index.php/topic,5946.0.html). Keep it updated & run it regularly.
SpywareBlaster
Download and install Javacools SpywareBlaster from here (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.
Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.
Install MVPS Hosts File From Here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
You can Find the Tutorial HERE (http://www.mvps.org/winhelp2002/hosts2.htm)
Web of Trust
WOT (http://www.mywot.com/), Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go
Yellow for caution
Red to stop
WOT has an addon available for both Firefox and Internet Explorer.
Install WinPatrol
Download it here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)
Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) on how to prevent Malware.
Hopefully these steps will help keep your computer clean.
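Added example, not part of the thread or of the MVPS project: a Python model of the HOSTS lookup described in the "Download and Install a HOSTS File" section above. It parses a file in the HOSTS format (comments, several hostnames per line, first entry wins) and shows how an entry pointing at 127.0.0.1 or 0.0.0.0 "short circuits" a request before DNS is ever consulted. The file content and hostnames are constructed for illustration, not taken from the real MVPS list.

```python
import ipaddress

# Constructed HOSTS content in the MVPS layout (made-up hostnames under .test).
SAMPLE_HOSTS = """\
# Header lines like these are comments and are ignored by the resolver
127.0.0.1 localhost
0.0.0.0   ads.example-tracker.test   # trailing comment
127.0.0.1 www.bad-example.test   popup.bad-example.test

127.0.0.1
notanip   broken.test
"""

# Addresses that send a name back to the local machine, i.e. a blocked site.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname (lower-cased) to the address its HOSTS line gives it."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname is ignored
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # first field is not an IP address; skip the line
        for name in names:
            table.setdefault(name.lower(), addr)  # first entry for a name wins
    return table


def resolve(hostname: str, table: dict[str, str]) -> tuple[str, bool]:
    """Return (address, blocked). HOSTS is checked before DNS, so a hit is final.

    A miss returns the placeholder "DNS" meaning the name goes to normal lookup.
    localhost legitimately maps to loopback, so it is never reported as blocked.
    """
    name = hostname.lower()
    addr = table.get(name)
    if addr is None:
        return ("DNS", False)
    return (addr, addr in LOCAL_ADDRESSES and name != "localhost")
```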
tigerdood
2010-09-01, 04:53
Thanks for all your help. I'm trying to download the various items you recommended but it's taking forever.
One link I'm having trouble with is the XP service pack 3. I went to the link but it said to not download if you're just updating 1 computer and I can't find a working link to the service pack 3 that I need?
Hi
There is absolutely no problem downloading & install that package on one computer. The only difference between downloading it or going through Windows Update is the downloaded package is slightly larger.
You appear to be not getting notification of it through Windows Update, so downloading & installing through the link provided is the way to go.
Since this issue appears to be resolved ... this Topic has been closed.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or Moderator a private message (pm). A valid, working link to the closed topic is also required.