Thread: "Antivir" virus problem

    Hello all,

    I am having some issues with a virus on a friend's computer. When running normally (i.e. not in safe mode), the virus continually pops up warnings of infection, instructing me to purchase their software to remove them. It also blocks me from running any programs/executables (unless I'm in safe mode). I am currently scanning the computer with spybot S&D, and wanted to post the DDS here as well to see if there's anything else that would be beneficial to do.


    DDS (Ver_10-03-17.01) - FAT32x86 NETWORK
    Run by Administrator at 13:51:46.45 on Tue 08/10/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.373 [GMT -4:00]

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2OKMNO4B\HijackThis[1].exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    BHO: 1 (0x1) - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [NeroHomeFirstStart] "c:\program files\common files\nero\lib\NMFirstStart.exe"
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [VTTimer] ;;;VTTimer.exe
    mRun: [Chrome3] c:\program files\s3graphics\chrome3\Chrome3.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [BisonMnt] c:\windows\bisonc07\BisonM07.exe
    mRun: [IdeaNotesUser] c:\program files\ddni\lenovo idea notes\DDNIMSGUser.exe
    mRun: [VeriFaceManager] c:\program files\lenovo\verifaceiii\PManage.exe
    mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe
    mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe
    mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
    mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [LXBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBXtime.dll,_RunDLLEntry@16
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ojljnoql] c:\documents and settings\lois anne davis\local settings\application data\gxutgtxuw\rtsvixvtssd.exe
    dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ps-link.lnk - c:\program files\airlink101\airlink101 ps software\PsLink.exe
    IE: {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} -
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://
    Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-10-29 9472]
    R3 BusRMUSB;Remote USB Bus;c:\windows\system32\drivers\BusRMUSB.sys [2010-2-11 43008]
    R3 vcrdrx32;VIA MSP Cardreader Host Controller;c:\windows\system32\drivers\vcrdrx32.sys [2009-10-29 93440]
    S2 DDNIMSGService;DDNIMSGService;c:\program files\ddni\lenovo idea notes\DDNIMSGService.exe [2009-1-17 172720]
    S2 DDNIService;DDNIService;c:\program files\ddni\dibs\DDNIService.exe [2009-10-29 160432]
    S2 DvmMDES;DeviceVM Meta Data Export Service;c:\qstart.sys\config\DVMExportService.exe [2009-3-26 315392]
    S2 FHPService;FHPService;c:\program files\lenovo\onekey app\onekey recovery\FHPService.exe [2008-7-23 169256]
    S2 S3LoadSv;S3LoadSv;c:\program files\s3graphics\chrome3\s3loadsv.exe [2009-10-29 69632]
    S2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\lenovo\onekey app\system repair\UpdateMonitor.exe [2009-10-29 430080]
    S2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2009-10-29 48144]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-10-29 1684736]
    S3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2009-10-29 560640]
    S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2009-10-29 82928]

    =============== Created Last 30 ================

    2010-08-10 17:15:35 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-10 17:15:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-08-10 17:10:38 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
    2010-08-10 17:09:46 0 d-sh--w- c:\documents and settings\administrator\IETldCache
    2010-08-10 16:59:52 0 d-----w- c:\docume~1\admini~1\applic~1\ID Vault
    2010-07-18 02:09:49 0 d-----w- c:\program files\iPod
    2010-07-18 02:09:31 0 d-----w- c:\program files\iTunes
    2010-07-18 02:09:31 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-07-18 01:59:08 0 d-----w- c:\program files\Bonjour
    2010-07-14 02:05:58 0 d-sh--w- C:\FOUND.006

    ==================== Find3M ====================

    2010-07-27 06:30:36 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
    2010-06-14 14:31:20 744448 ----a-w- c:\windows\system32\dllcache\helpsvc.exe
    2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2009-10-29 18:54:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
    2009-12-26 05:13:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122620091227\index.dat

    ============= FINISH: 13:53:11.50 ===============

    Thanks for your help,
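The part of the log above that a helper reads first is the "Pseudo HJT Report": the autorun entries (uRun/mRun/dRun, BHO, TB, StartupFolder). The shape to look for is a binary under the user's own writable profile directories, with a machine-generated file name and directory name, registered under a machine-generated value name, or an entry whose file is already gone ("No File"). The script below is an added example for this thread, not code from the original post or from the DDS tool: it parses that section and scores each entry with those heuristics. The sample lines are copied from the log in the post; the weights, the "investigate at score 3 or more" threshold and the vowel-ratio test for random-looking names are assumptions chosen for the example. A high score means "look at this first", not "this is malware": confirm the file (hash, signer, creation time) before deleting anything.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread (not part of the post or of DDS): scores each
autorun-style entry with heuristics that match the usual shape of a rogue-AV
dropper install. Weights, thresholds and the vowel-ratio test are assumptions.
"""
import re

# Lines copied from the DDS log in the first post: one rogue-looking entry,
# one orphaned BHO, and a few ordinary entries for comparison.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: 1 (0x1) - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [LXBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBXtime.dll,_RunDLLEntry@16
mRun: [ojljnoql] c:\documents and settings\lois anne davis\local settings\application data\gxutgtxuw\rtsvixvtssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z]+): (?P<body>.+)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\] ")          # uRun/mRun/dRun value name
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll|scr|com|bat|lnk)', re.I)
# Per-user writable locations (long and 8.3 forms) where a dropper running as
# the logged-on user can write without admin rights.
USER_DATA_DIR = re.compile(
    r"\\(?:documents and settings|docume~1)\\[^\\]+\\"
    r"(?:local settings\\|locals~1\\)?(?:application data|applic~1|temp|tempor~1)\\",
    re.I)


def looks_random(token):
    """All-lowercase letters, 8+ long, vowel-poor: the shape of names such as
    'gxutgtxuw'. Case-sensitive on purpose: mixed-case product names like
    'SynTPEnh' or 'LXBXtime' are not what droppers generate (assumption)."""
    if not re.fullmatch(r"[a-z]{8,}", token):
        return False
    vowels = sum(ch in "aeiouy" for ch in token)
    return vowels / len(token) < 0.3


def extract_path(body):
    """Last drive-letter path with an executable-ish extension in the entry;
    for StartupFolder lines that is the .lnk target, not the .lnk itself."""
    paths = PATH_RE.findall(body)
    return paths[-1] if paths else None


def score_entry(line):
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    rm = RUN_RE.match(body)
    name = rm.group("name") if rm else None
    path = extract_path(body)
    reasons, score = [], 0
    if body.endswith("- No File"):
        reasons.append("orphaned entry (No File): leftover of a removed component"); score += 1
    if name and looks_random(name):
        reasons.append(f"random-looking value name '{name}'"); score += 1
    if path:
        parts = path.split("\\")
        stem = parts[-1].rsplit(".", 1)[0]
        parent = parts[-2] if len(parts) > 1 else ""
        if looks_random(stem):
            reasons.append(f"random-looking file name '{parts[-1]}'"); score += 1
        if USER_DATA_DIR.search(path):
            reasons.append("runs from a per-user writable profile directory"); score += 2
            # A random directory name only counts where the user (or a dropper
            # running as the user) could have created it.
            if looks_random(parent):
                reasons.append(f"random-looking directory '{parent}'"); score += 1
    return {"kind": kind, "name": name, "path": path, "score": score, "reasons": reasons}


def verdict(score):
    return "INVESTIGATE" if score >= 3 else "review" if score else "ok"


def triage(log_text, min_score=1):
    """All entries with score >= min_score, highest first."""
    findings = [e for e in (score_entry(l.strip()) for l in log_text.splitlines())
                if e and e["score"] >= min_score]
    findings.sort(key=lambda e: e["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{verdict(f['score']):11} {f['kind']:13} {f['path'] or f['name']}")
        for r in f["reasons"]:
            print(f"{'':11} - {r}")
```

Run against the sample it ranks the `[ojljnoql]` mRun entry first (random value name, random file and directory names, and a path under `Local Settings\Application Data` of a user profile) and lists the `BHO: 1 (0x1) - No File` line as an orphan worth cleaning up; every vendor entry in the sample scores zero. The heuristics are deliberately narrow (lowercase-only, long, vowel-poor tokens), so a legitimate all-lowercase name can still be flagged and a dropper using a dictionary word will not be; treat the output as a reading order for the log, not a verdict.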



    Spybot scan completed and deleted several files. The malware doesn't appear to be affecting the computer any longer (no more pop ups, warnings, etc. and executables/other programs run fine). However, it appears as though the internet no longer works. I have a strong connection and have tried all the usual tricks but to no avail, just get the 'Internet Explorer cannot find this page' page.




    Still no luck getting the internet to run. Is it possible some bit of the malware is still affecting the system? Should I post another log?

    After some searching I found some others on this forum with the same malware, and found the step-by-step on Bleeping Computer. Would it be advisable to go through these steps even though Antivir doesn't appear to be active (visually, at least)?

    Thanks again,

    Please post fresh dds.txt & attach.txt contents.
    Due to inactivity, this thread will now be closed.

    Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.
