Hi there:

I started a thread, but it was closed before I could send my latest reply. I'm helping my mother in law with her computer. The previous thread was:

http://forums.spybot.info/showthread.php?p=401958#post401958

Attached are fresh DDS Logs...

Thanks. Please be patient, as I cannot get access to this computer every day.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 20:20:02.34 on Fri 04/29/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.407 [GMT -4:00]
.
AV: Internet Antivirus 2011 *Enabled/Updated* {E0D8D2E5-F1BC-4203-9EE8-B63D4BA4B397}
FW: Internet Antivirus 2011 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\ykg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner.YOUR-780C524461\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.everythingy.com/ie/home
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:25514
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: Free Ride Games Toolbar: {f92a9fe4-2850-4198-b9d5-279880e49b16} - c:\program files\free_ride_games\tbFree.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: PriceGongBHO Class: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.1.0\PriceGongIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Free Ride Games Toolbar: {f92a9fe4-2850-4198-b9d5-279880e49b16} - c:\program files\free_ride_games\tbFree.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
TB: {A057A204-BACC-4D26-E3F4-0BBF89EF7186} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0
uRun: [Walgreens PhotoShow Media Manager] c:\progra~1\walgre~1\walgre~1\data\xtras\mssysmgr.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MotiveBBM] -AppKey=ATT-SST -URL=\\Start.htm?vendorID=ATT-SST,ConnectivityRequired=true,flowId=HOMEPAGE -windowcontext=ATT-SST
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
dRun: [Power2GoExpress] NA
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\owner~1.you\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1297102260018
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll, c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 secure-plus-payments.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-4-18 206256]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
S0 olermogj;olermogj;c:\windows\system32\drivers\bbkgx.sys --> c:\windows\system32\drivers\bbkgx.sys [?]
S1 a498cc84;a498cc84;c:\windows\system32\drivers\a498cc84.sys [2009-7-7 0]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-3 136176]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2005-1-9 14336]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2011-4-18 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2011-4-18 1097096]
.
=============== Created Last 30 ================
.
2011-04-19 00:12:51 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-04-19 00:12:27 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-04-19 00:12:27 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-04-19 00:12:05 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-04-19 00:12:05 -------- d-----w- c:\program files\common files\PC Tools
.
==================== Find3M ====================
.
.
============= FINISH: 20:22:16.37 ===============

Hi,

Those DDS logs are really old. Please do a fresh run with DDS and post back the logs.


Please be patient, as I cannot get access to this computer every day.
If delay longer than 3 days is expected please inform us beforehand so we won't archive topic as inactive.

Attached are fresh logs. Thanks.

Hi,

Please post also existing c:\ComboFix.txt file contents.

Here you go...

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:



Driver::
olermogj
a498cc84
File::
c:\windows\system32\drivers\bbkgx.sys
c:\windows\system32\drivers\a498cc84.sys
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:25514
BHO: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one ((Adobe Reader X + 10.0.1 update for it)) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't (unless you want to) install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 25 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u25-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

You should also update (or uninstall if not used) Firefox.


* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked.
Click Scan
Wait for the scan to finish.



Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Attached is the new combofix log, the dds log and attach.txt. I will have to post the ESET log later because I am unable to remain with the computer while it runs.

The ESET scan did not produce a log. There were no threats found. See the previous message for the other logs that were requested.

Thanks...

Hi,

1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select cure and click Continue (tool may prompt for a reboot).
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format)

Hi there:

There were no threats found when scaning with TDSKiller. Attached is the report. Thanks again!

Good. How's the system running now?

My mother-in-law is reporting a few issues related to the mouse, but that may be hardware related. I'll get over there sometime in the next day or two and report back here.

Thanks very much for your help so far.

Ok. Shall wait for your status report then :)

The mouse seems to be ok to me. There are still problems with the sound, but perhaps it is unrelated to the malware. What do you think?

Hi,

What kind of issue there is with the sound?

In general, there is still no sound (ie, at startup, etc.). Also, when she tries to play a game she gets an error message. I plan to check on this again tonight and give you the specific error message.

Ok. Please check also if device manager has any items with an exclamation mark.

Ok, here are some observations:

When the system is booted up, the folder C:\Windows\System32 is always displayed. It is not in the startup folder, so I'm not sure why this is happening.

There are no exclamation points in the device manager under sound. The sound card seems to be a Realtek HD Audio device.

In Control Panel | Sounds & Audio Devices applet, it shows "No audio device"

In Control Panel | Realtek HD Sound applet, this applet will play when the demo button is clicked.

When a game is run, the error is "Direct Sound failed to initialize."

In Windows Media Player (v11), when a music file is played the error is "Windows Media Player cannot play this file because there is a problem with your sound device. There might not be a sound device installed on you computer, it might be in use by another program, or it might not be functioning properly."

With the exception of the system32 folder popping up at startup, I suspect the sound problem is some sort of conflict and not some sort of malware.

Thanks for any further ideas...

Hi,

Let's see if installing Windows service pack 3 and other important updates offered by Windows update helps with those remaining problems. When done, please post fresh dds logs.

Give me another day or two. Thanks.

Ok, thanks for the heads up.

SP 3 has been applied. Attached are the new logs.

Hi,

Are the sound (and some other) issues still there?

Yes..........

Hi,

Installing this (http://support.gateway.com/support/drivers/getFile.asp?id=20551&dscr=Realtek%20HD%205.10.0.5152%20Audio%20Driver&uid=306586037) audio driver may help. Uninstall previous Realtek High Definition Audio Driver from add/remove programs first.

Thanks, will check on this soon.

It didn't work. After I installed, the sound applet in control panel didn't recognize a sound device. I rebooted and the hardware wizard indicated new hardware. I allowed it to search for and install the driver. It reinstalled a realtek sound driver, but that did not do any good either. I'm assuming this is all we can do. Thanks for your help.

Hi,

Do you recall if this issue was present before we started cleaning or did it appear at some point during the process? Please see if Windows Update offers any DirectX related components and install those.

This issue was already present before we started cleaning. It was one of the symptoms that I thought indicated malware.

I've already installed everything from Windows update that I think could help. I didn't recall seeing any updates there for DirectX.

Hi,

Probably best to post at other forum with area for non-malware related issues then. For example Tech Support Guy (http://forums.techguy.org) has areas for such issues too.

Uninstall ComboFix before that:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK