DDS data is at end of post and attached. First is a description of what happened.
Yesterday while I was looking for pictures of an actress I like, I was infected with the XP firewall virus (It seems those sites with pictures of stars are very dangerous) It took over my system and I could not run anything I booted into safe mode admin account (Other accounts could not be accessed as the virus ran in those) I ran spybot and it claimed to remove it along with 2 other things that were probably related. I then ran avira which also found a few things. I cannot find a report in spybot that details what was found and removed. I did find a report inAvira as to what was found and removed. Here is a copy of the pertinent section of that report.
Begin scan in 'C:\'
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
--> Object
[DETECTION] Is the TR/Dropper.Gen Trojan
--> [PluginsDir]/ic1.exe
[DETECTION] Is the TR/Dldr.MSIL.Agent.TJ.1 Trojan
Beginning disinfection:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to the quarantine directory under the name '564133c8.qua'.
I am concerned that it found two objects that it did not seem to do anything about.
After running Spybot and Avira I ran malwarebytes which found a registry key involving the windows security and something about disableNotify. Unfortunately Malwarebytes made no log of the session.
All of the above was done in safe mode. When I went back to my regular account the XP firewall virus was still there and prevented use of the system. I then booted back to safe mode and restored the system to a restore point 1 day prior to when the problem started. The restoration worked and I am now able to use the system but am afraid this thing may not be gone. It evaded three different and well recommended anti malware/virus tools. So I think I really need to make sure this thing is gone and do something to prevent it from happening again.
Also, I know we are not supposed to run anti virus fixes before coming here. However, I had to do all the above just to get my system back to be able to come here:(
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 20:20:12.17 on Mon 03/21/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1352 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Replay Media Catcher\FLVSrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\User\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: NXIECatcher Class: {83b80a9c-d91a-4f22-8dcf-ea7204039f79} - c:\program files\xi\netxfer\NXIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
TB: NetXfer: {c16cbaac-a75c-4db5-a0dd-cdf5cafcdd3a} - c:\program files\xi\netxfer\NXToolBar.dll
uRun: [TrueCrypt] "c:\program files\truecrypt\TrueCrypt.exe" /q preferences /a logon
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Ask and Record FLV Service] "c:\program files\replay media catcher\FLVSrvc.exe" /run
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Clearwire Connection Manager] "c:\program files\clearwire\connection manager\ClearwireCM.exe" -a
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
IE: Download all by NetXfer - c:\program files\xi\netxfer\NXAddList.html
IE: Download by NetXfer - c:\program files\xi\netxfer\NXAddLink.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\rv51vow5.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 52323
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-30 64288]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-26 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-26 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-26 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-26 61960]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-7-15 35088]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files\clearwire\connection manager\DeviceLaunchSvc.exe [2009-11-9 107856]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-11 135664]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2009-10-1 282112]
S3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2009-10-1 51712]
S3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files\clearwire\connection manager\RcAppSvc.exe [2009-11-9 120144]
S3 GSService;GSService;c:\windows\system32\GSService.exe [2011-3-15 122880]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
.
=============== File Associations ===============
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-03-22 00:35:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-22 00:35:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-21 11:29:50 0 ----a-w- c:\documents and settings\user\ntuser.tmp
2011-03-19 11:01:37 -------- d-----w- c:\docume~1\user\applic~1\Xi
2011-03-19 11:00:58 -------- d-----w- c:\program files\Xi
2011-03-19 05:47:36 49664 ----a-w- c:\windows\system32\CamCodec.dll
2011-03-19 05:47:36 -------- d-----w- c:\program files\CamStudio 2.6b
2011-03-15 06:24:05 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Jaksta_Technologies_Pty_L
2011-03-15 06:22:52 -------- d-----w- c:\docume~1\user\applic~1\Replay Media Catcher 4
2011-03-15 06:22:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Applian
2011-03-15 06:22:44 -------- d-----w- c:\program files\Applian Technologies
2011-03-15 05:51:33 -------- d-----w- c:\windows\SxsCaPendDel
2011-03-15 05:50:35 -------- d-----w- c:\program files\AnyMedia Player
2011-03-15 05:49:09 -------- d-----w- c:\program files\FLVCodec
2011-03-15 05:49:07 7680 ----a-w- c:\windows\system32\ff_vfw.dll
2011-03-15 05:49:06 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2011-03-15 05:49:05 -------- d-----w- c:\program files\ffdshow
2011-03-15 05:48:58 -------- d-----w- c:\program files\WinPcap
2011-03-15 05:48:52 122880 ----a-w- c:\windows\system32\GSService.exe
2011-03-15 05:48:51 -------- d-----w- c:\program files\RipTiger
2011-03-15 05:38:02 -------- d-----w- c:\docume~1\user\applic~1\Foxreal
2011-03-09 11:27:54 -------- d-----w- c:\program files\Fox
.
==================== Find3M ====================
.
2011-03-15 06:19:19 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2011-03-15 06:19:18 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2006-05-03 17:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 18:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 20:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
.
============= FINISH: 20:21:20.54 ===============