XP Anti-Virus 2011



triplerip
2011-04-08, 22:58
Hi, I would appreciate some help to remove this. I can only boot to safe mode with command line without the spyware kicking in whenever I try to execute any application. Appreciated.

----------------------------------------------------------------------------
.
DDS (Ver_11-03-05.01) - NTFSx86 MINIMAL
Run by Administrator at 20:27:59.46 on 08/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.684 [GMT 1:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
C:\dds.com
.
============== Pseudo HJT Report ===============
.
mSearch Bar = hxxp://internetsearchservice.com/ie6.html
mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
mSearchURL = hxxp://internetsearchservice.com
mSearchAssistant = hxxp://internetsearchservice.com
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - d:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - d:\program files\orbitdownloader\orbitcth.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - d:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {14A6B963-7C6C-414B-B5BD-9CD0929F928F} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - d:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - d:\program files\ebay\ebay toolbar2\eBayTB.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - d:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {58472BC6-BEA3-42d4-8917-7A8BCB0711B5} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - d:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - d:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - d:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - d:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - d:\program files\orbitdownloader\GrabPro.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - d:\program files\windows live\toolbar\wltcore.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - d:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [kdx] d:\program files\kontiki\KHost.exe -all
uRun: [DellSupport] "d:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [NeroHomeFirstStart] "d:\program files\common files\ahead\lib\NMFirstStart.exe"
mRun: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
mRun: [NBKeyScan] "d:\program files\nero\nero 7\nero backitup\NBKeyScan.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [IAAnotif] d:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [dscactivate] "d:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DLPSP] "d:\program files\dell printers\additional color laser software\status monitor\DLPSP.EXE"
mRun: [DellSupportCenter] "d:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [4oD] "d:\program files\kontiki\KHost.exe" -all
mRun: [NeroFilterCheck] d:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Windows UDP Control Center] fxsteller.exe
mRun: [GrooveMonitor] "d:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] d:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [UpdatePDRShortCut] "d:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "d:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mRun: [MSC] "d:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [ISTray] "d:\program files\spyware doctor\pctsGui.exe" /hideGUI
mRun: [PCTools FGuard] d:\program files\spyware doctor\bdt\FGuard.exe
dRun: [DWQueuedReporting] "d:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: d:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - d:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - d:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - d:\program files\orbitdownloader\orbitdm.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - d:\program files\panasonic\photofunstudio -viewer-\PhAutoRun.exe
IE: E&xport to Microsoft Excel - d:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - d:\documents and settings\siubhan\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC} - d:\program files\java\jre6\bin\npjpi160_10.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - d:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - d:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - d:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - d:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: d:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182113919142
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.infuzer.com/IDC/client/player/isetup1.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/en/10/install/gtdownde.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - d:\progra~1\intern~2\SspNG.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - d:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
STS: {d1577581-2ed7-469f-99b1-72c1339e0ee0} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - d:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0kas99cf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: d:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - component: d:\program files\spyware doctor\bdt\firefox\platform\winnt_x86-msvc\components\libheuristic.dll
FF - plugin: d:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: d:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: d:\program files\microsoft\office live\npOLW.dll
FF - plugin: d:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - d:\program files\google\google gears\Firefox
FF - Ext: Java Quick Starter: jqs@sun.com - d:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - d:\program files\spyware doctor\bdt\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore;hotcore;d:\windows\system32\drivers\hotcore.sys [2007-6-18 30820]
R0 hotcore2;hotcore2;d:\windows\system32\drivers\hotcore2.sys [2007-6-18 30808]
R0 hotcore3;hotcore3;d:\windows\system32\drivers\hotcore3.sys [2007-11-10 39472]
R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [2011-4-4 239168]
R0 pctDS;PC Tools Data Store;d:\windows\system32\drivers\pctDS.sys [2011-4-5 338880]
S1 MpFilter;Microsoft Malware Protection Driver;d:\windows\system32\drivers\MpFilter.sys [2009-6-18 165264]
S1 MpKsl1843257a;MpKsl1843257a;\??\d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33fa6659-69b2-491e-93a1-0b1fe7e86598}\mpksl1843257a.sys --> d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33fa6659-69b2-491e-93a1-0b1fe7e86598}\MpKsl1843257a.sys [?]
S1 MpKsl3bcf647a;MpKsl3bcf647a;d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{368b78d7-6efe-4727-8404-a019636dc065}\MpKsl3bcf647a.sys [2011-4-4 28752]
S1 MpKsl9c5f8434;MpKsl9c5f8434;\??\d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33fa6659-69b2-491e-93a1-0b1fe7e86598}\mpksl9c5f8434.sys --> d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33fa6659-69b2-491e-93a1-0b1fe7e86598}\MpKsl9c5f8434.sys [?]
S2 Browser Defender Update Service;Browser Defender Update Service;d:\program files\spyware doctor\bdt\BDTUpdateService.exe [2011-4-4 247760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;d:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DLSDB;Dell Printer Status Database;d:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2007-6-17 135168]
S2 fssfltr;FssFltr;d:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-24 54752]
S2 gupdate1c91bf0ec9959c6;Google Update Service (gupdate1c91bf0ec9959c6);d:\program files\google\update\GoogleUpdate.exe [2008-9-21 133104]
S2 NetProbe;NetProbe Packet Driver;d:\windows\system32\drivers\NetProbe.sys [2008-3-6 5365]
S2 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2011-4-4 366840]
S2 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2011-4-4 1150936]
S2 ssoftnt4;ssoftnt4;d:\windows\system32\drivers\ssoftnt4.sys [2004-5-21 114944]
S2 Symantec Core LC;Symantec Core LC;d:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-8-5 585728]
S3 CX88VID;Conexant 2388x AvStream Video Capture;d:\windows\system32\drivers\cxavsvid.sys [2007-6-18 286720]
S3 cxbu0wdm;CardMan 3x21;d:\windows\system32\drivers\cxbu0wdm.sys [2008-1-15 97792]
S3 fsssvc;Windows Live Family Safety Service;d:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;d:\windows\system32\drivers\SWUSBFLT.SYS [2007-6-17 3968]
S3 USBDFU;USBDFU;d:\windows\system32\drivers\usbdfu.sys --> d:\windows\system32\drivers\usbdfu.sys [?]
S3 V0060VID;Creative WebCam Live! Ultra;d:\windows\system32\drivers\V0060Vid.sys [2007-7-1 196409]
S3 WinRM;Windows Remote Management (WS-Management);d:\windows\system32\svchost.exe -k WINRM [2003-7-16 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;d:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-06 19:14:52 19 ----a-w- d:\docume~1\admini~1\locals~1\applic~1\ong.exe
2011-04-05 18:10:39 656320 ----a-w- d:\windows\system32\drivers\pctEFA.sys
2011-04-05 18:10:39 338880 ----a-w- d:\windows\system32\drivers\pctDS.sys
2011-04-04 18:26:02 28752 ----a-w- d:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{368b78d7-6efe-4727-8404-a019636dc065}\MpKsl3bcf647a.sys
2011-04-04 17:19:08 767952 ----a-w- d:\windows\BDTSupport.dll0443.old
2011-04-04 17:19:08 767952 ----a-w- d:\windows\BDTSupport.dll
2011-04-04 17:19:08 2000848 ----a-w- d:\windows\PCTBDCore.dll
2011-04-04 17:19:08 1652688 ----a-w- d:\windows\PCTBDCore.dll0443.old
2011-04-04 17:19:08 1533904 ----a-w- d:\windows\PCTBDRes.dll
2011-04-04 17:19:08 149456 ----a-w- d:\windows\SGDetectionTool.dll0443.old
2011-04-04 17:19:08 149456 ----a-w- d:\windows\SGDetectionTool.dll
2011-04-04 17:16:23 251560 ----a-w- d:\windows\system32\drivers\pctgntdi.sys
2011-04-04 17:16:17 239168 ----a-w- d:\windows\system32\drivers\PCTCore.sys
2011-04-04 17:16:17 160448 ----a-w- d:\windows\system32\drivers\PCTAppEvent.sys
2011-04-04 17:16:15 70536 ----a-w- d:\windows\system32\drivers\pctplsg.sys
2011-04-04 17:16:07 -------- d-----w- d:\program files\Spyware Doctor
2011-04-04 17:16:07 -------- d-----w- d:\program files\common files\PC Tools
2011-04-04 17:16:07 -------- d-----w- d:\docume~1\alluse~1\applic~1\PC Tools
2011-04-04 17:16:07 -------- d-----w- d:\docume~1\admini~1\applic~1\PC Tools
2011-04-03 01:02:54 6792528 ----a-w- d:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{368b78d7-6efe-4727-8404-a019636dc065}\mpengine.dll
2011-03-17 20:21:57 83249512 ----a-w- d:\program files\common files\windows live\.cache\wlcE8.tmp
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- d:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- d:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- d:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- d:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- d:\windows\system32\shimgvw.dll
2004-10-01 14:00:16 40960 ----a-w- d:\program files\Uninstall_CDS.exe
.
============= FINISH: 20:29:20.45 ===============

redcar92
2011-04-09, 01:29
Hello Triplerip and welcome to Safer Networking.
I'm RedCar92 and my name is Bill, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
Read the entire procedure. It is important to perform ALL actions in sequence.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Stick with me till you're given the all clear. Malware removal can be stressful but we will clean it. Remember, absence of symptoms does not mean the infection is all gone.
Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

Please be advised that, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice; this will be a team effort.
This may cause a delay, but I will do my best to keep it as short as possible.

Please bear with me, I will post back to you as soon as I can.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperative and could require a full reinstall of your OS, losing all your programs and data.

Stay with this topic until I give you the all clean post.

Thanks,
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

triplerip
2011-04-09, 13:10
Thanks for your offer Bill. Happy to sign up on those ground rules. Ready when you are...

redcar92
2011-04-09, 17:50
Hello Triplerip,
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).


Extract the contents of the zipped file to desktop.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.

http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg (GMER instructions image)

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, copy/paste in your reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Logs to post:
GMER.txt

Thanks
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

triplerip
2011-04-10, 11:52
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-10 09:49:28
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxddakog.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF74326E6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF7410F68]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7411230]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF74330A0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF743342A]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7431924]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF743396E]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF7432AA4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF74109D8]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 108 804E2774 5 Bytes [68, 0F, 41, F7, 30] {PUSH 0x30f7410f}
.text ntoskrnl.exe!_abnormal_termination + 10E 804E277A 2 Bytes [41, F7]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs F2BAE400

---- EOF - GMER 1.0.15 ----

redcar92
2011-04-12, 02:04
Hello Triplerip,
Good news, no rootkit!
Next
***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***
Download Combofix from any of the links below. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CFRCNeeded.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CF2.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

Thanks
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

triplerip
2011-04-13, 00:32
Hello Bill

Since I could not boot to safe mode with networking, I chose to run ComboFix from the Safe mode command prompt. It turned out I did not have the recovery console installed, and as I did not have the network drivers loaded I could not download this from the Microsoft site. I continued the scan and this produced the first log file.

I then decided to try running in Safe mode with networking. This time I was able to start up ComboFix without the malware taking control. I was able to install the recovery console and proceeded with the scan. This produced the second log file.

I await your analysis and advice on next steps.

thank you

redcar92
2011-04-13, 18:40
Hello Triplerip,

Next

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:



DDS::
BHO: {14A6B963-7C6C-414B-B5BD-9CD0929F928F} - No File Fake Alert
BHO: {58472BC6-BEA3-42d4-8917-7A8BCB0711B5} - No File Rogue Security
mRun: [Windows UDP Control Center] fxsteller.exe Backdoor Trojan
STS: {d1577581-2ed7-469f-99b1-72c1339e0ee0} - No File


Save this as "CFScript.txt", with Type: All Files (*.*), in the same location as ComboFix.exe


http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CFscript.png

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next
Please go to one of the below sites to scan the following files:
jotti.org (http://virusscan.jotti.org/)
Kaspersky Virus File Scanner (http://www.kaspersky.com/scanforvirus.html)
Virus Total (http://www.virustotal.com)

click on Browse, and upload the following file for analysis:
d:\documents and settings\Administrator\Local Settings\Application Data\ong.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

Logs to post:

Combofix.txt
File scan results
How is your PC behaving now



Thanks
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)
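Added example, not code from the thread or from any of the tools it names: a small Python triage that reads DDS "Pseudo HJT Report" lines and surfaces the two patterns Bill picked out in the CFScript above, a Run value whose target is a bare file name (no directory, so Windows resolves it through the search path at logon) and a BHO/STS CLSID that resolves to "No File". The sample lines are constructed in the shape of the log posted earlier, and the function names are my own.

```python
"""Triage of DDS "Pseudo HJT Report" lines (added example, not a DDS or ComboFix feature).

Two heuristics taken from the thread:
  1. Run/RunOnce values whose target is a bare file name with no directory,
     so the loader resolves it via the search path at logon.
  2. Browser-helper / shell-hook entries (BHO, STS, EB, TB) whose CLSID
     resolves to "No File": a registration with no DLL behind it.
Both are review prompts, not verdicts: legitimate vendor loaders (CTHELPER.EXE
in the thread) also appear as bare names, and an orphaned CLSID is often just
an uninstalled add-on. The analyst still has to check the file on disk.
"""
import re

# Constructed sample in the shape of the thread's DDS output (not the full log).
SAMPLE_DDS = """\
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
BHO: {14A6B963-7C6C-414B-B5BD-9CD0929F928F} - No File
mRun: [MSC] "d:\\program files\\microsoft security client\\msseces.exe" -hide -runkey
mRun: [Windows UDP Control Center] fxsteller.exe
mRun: [CTHelper] CTHELPER.EXE
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
STS: {d1577581-2ed7-469f-99b1-72c1339e0ee0} - No File
"""

# uRun / mRun / dRun (+Once): "<hive>Run: [<value name>] <command line>"
RUN_RE = re.compile(
    r'^(?P<hive>[umd])Run(?P<once>Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# BHO/STS/EB/TB entries whose CLSID has no backing file.
ORPHAN_RE = re.compile(
    r'^(?P<kind>BHO|STS|EB|TB): (?:.*?)(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - No File$')


def run_target(cmd):
    """Return the executable a Run value launches, stripping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def is_bare_name(target):
    """True when the target carries no directory, i.e. it is resolved via the search path."""
    return not any(sep in target for sep in ('\\', '/', ':'))


def triage(text):
    """Scan DDS lines and return a list of findings (dicts) for an analyst to review."""
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        m = RUN_RE.match(line)
        if m:
            target = run_target(m.group('cmd'))
            if is_bare_name(target):
                findings.append({'kind': 'bare_run_target', 'name': m.group('name'),
                                 'target': target, 'line': line})
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append({'kind': 'orphan_clsid', 'name': m.group('kind'),
                             'target': m.group('clsid'), 'line': line})
    return findings


def summarize(findings):
    """Group finding targets by kind, preserving log order."""
    return {k: [f['target'] for f in findings if f['kind'] == k]
            for k in ('bare_run_target', 'orphan_clsid')}


if __name__ == '__main__':
    for f in triage(SAMPLE_DDS):
        print(f"{f['kind']:16} {f['name']:28} -> {f['target']}")
```

On the constructed sample this lists fxsteller.exe and CTHELPER.EXE as bare Run targets and the two "No File" CLSIDs as orphans; only fxsteller.exe turned out to be malicious in the thread, which is the point of treating the output as a review list.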

triplerip
2011-04-13, 22:12
Bill

I have attached the results you requested as a zip file.

I can now boot to safe mode with networking and fire up a browser without an issue. I haven't attempted a full reboot fearing the problem might recur.

What's next?

thank you again

David

redcar92
2011-04-16, 01:57
Hello Triplerip,
Looking better, I think you can safely boot up in normal mode now.

Your logs indicate that you have Peer-to-Peer software installed on your PC. Peer-to-Peer sites like LimeWire are a major source of malware problems. It is in your best interest to avoid the sites. I strongly recommend that you remove this (these) program(s) by:


Click Start
Click Control Panel
Click Add/Remove Programs
Select Limewire 4.16.6 program
Click Remove

Note: Often removal questions are stated so as to dissuade you from removing the program, please be careful.
Should you decide not to remove Peer-to-Peer software, do not use it until we are done. Continued use of this software will eventually infect you again. Continued use may result in no help received from WTT in the future.

Next
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/mbam/mbam-setup.exe).

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Next
Please use Internet Explorer to download and run the following scan: Eset Online Scanner (http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes click on List of found threats.
Click Export to text file
Copy and paste the contents of the C:\Program Files\ESET\log.txt into your next reply.

Logs to Post:

mbam.txt
Eset result
How is your PC behaving now.

Thanks
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

triplerip
2011-04-16, 21:11
Bill

I am attaching the files you requested. I realise now, reviewing your instructions, that I missed the one about not enabling ESET to remove found threats.

I removed LimeWire as suggested.

I booted up to normal mode but could not run any executables, e.g. when accessing Control Panel items I get a message "rundll32.exe - application not found". Also, when trying to fire up Firefox, it asks which application to use to open the file firefox.exe with. Looks like some registry damage.

Appreciate your efforts on this.

thank you

David

redcar92
2011-04-17, 01:05
Hello Triplerip,
Let's do this please.
Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com, and should open at the end of the scan).

By the way, it would make my job much easier if you could copy/paste the logs into your reply.
Thanks
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

triplerip
2011-04-17, 16:25
Bill

Here you go:


exeHelper by Raktor
Build 20100414
Run at 13:14:31 on 04/17/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

I have rebooted a couple of times and can now run applications normally.

thank you!

David

redcar92
2011-04-20, 23:28
Hello Triplerip,
Please do the following:
Double click dds.scr to run the tool.
When done, two DDS.txt's will open.
Save both reports to your desktop.
Please include the contents of the following in your reply using Copy / Paste:
DDS.txt (we do not need the attach.txt).

Thanks
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

redcar92
2011-04-23, 15:23
Hey David,
How are you doing with the DDS log?
Thanks
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

ken545
2011-04-29, 12:57
Due to inactivity, this thread will now be closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.