
Thread: Popups, commandservice warnings, desktop weird, dxclib303562752.dll, etc

  1. #11
    Member
    Join Date
    Nov 2006
    Posts
    56

    Default

    Btw, is it safe for me to be on the net like this. I mean, last time I scanned my comp with ewido, I didn't come across Backdoor.Ciadoor.13, and had all highly critical viruses deleted (comp froze when I clicked 'apply all', but still finished the activity at least partly)... a day later, without doing anything but being connected to the net, I scan and suddenly there's a new dangerous virus on my comp? Does something on my comp keep downloading new threats, or can someone send this stuff to me without my knowledge? If so, couldn't it be possible that even as I type, or as I wait for your next instructions, my computer has downloaded new viruses again without my knowledge, and that the logs I posted up above aren't up to date anymore?

    Getting a bit paranoid here sorry.

  2. #12
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi again

    We've got most of the bugs removed so it is looking good
    AVG Anti-Spy probably was able to clean the findings earlier but it just looked like it was frozen...

    I think that this is false positive:
    C:\Program Files\mIRC\mirc.exe -> Backdoor.Ciadoor.13 : Cleaned with backup (quarantined).

    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!
    • Follow the Instruction Here for installation.
    • Accept the License Agreement.
    • Once the ActiveX installs, click Full System Scan
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and copy and paste the entire report in your next reply.

    So you still have strange desktop icons...

    1. Double click combofix.exe & follow the prompts.
    2. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  3. #13
    Member
    Join Date
    Nov 2006
    Posts
    56

    Default

    Thx for helping. I just scanned my comp with that online scanner, it skipped 2 files for some reason and had identified 17 spyware files.
    I then proceeded to disinfect the files, but after one file it kept sticking with 'disinfecting and sending sample... 2 of 17'.... went out for a bit, came back, and still the same. So it looks like I'll have to start over. Gotta sleep now, will do it tomorrow evening, sorry for the delay. Have a nice sunday!

  4. #14
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Ok thanks and same for you too

    Yes, scan again with F-Secure and post its log here when ready

  5. #15
    Member
    Join Date
    Nov 2006
    Posts
    56

    Default

    Well I tried again and I didn't choose to submit samples this time as I was afraid that might've caused it to stop at file 3/17 last time.
    It found 10 spyware files this time (as opposed to the 17 last time), and it just kept 'disinfecting' 5/10... nothing freezes, I can do everything on my comp without slowdown, but I simply had to click cancel again because it just seems to stop... It's strange though, the log says it only disinfected 1 file while it DID reach file 5/10, and the previous log also said it only disinfected 1 file while it reached 3/17.. I'll try again, but is there perhaps another way of doing this? Seems like the scanners don't work right for me.

    In the meantime, I'll just show you my two logfiles of the two cleans that didn't finish:

    Scanning Report
    Saturday, November 04, 2006 21:39:07 - 01:05:44
    Computer name: MAGGIE-PC
    Scanning type: Scan system for viruses, rootkits, spyware
    Target: C:\ D:\


    --------------------------------------------------------------------------------

    Result: 17 malware found
    Tracking Cookie (spyware)
    System (Disinfected)
    System
    System
    System (Submitted)
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System

    --------------------------------------------------------------------------------

    Statistics
    Scanned:
    Files: 24492
    System: 4097
    Not scanned: 2
    Actions:
    Disinfected: 1
    Renamed: 0
    Deleted: 0
    None: 16
    Submitted: 1
    Files not scanned:
    C:\PAGEFILE.SYS
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

    --------------------------------------------------------------------------------

    Options
    Scanning engines:
    F-Secure AVP: 6.0.171, 2006-11-03
    F-Secure Libra: 2.4.1, 2006-11-02
    F-Secure Orion: 1.2.37, 2006-11-03
    F-Secure Blacklight: 1.0.31, 0000-00-00
    F-Secure Pegasus: 1.19.0, 2006-08-29
    F-Secure Draco: 1.0.35, 0259-24-212
    Scanning options:
    Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
    Use Advanced heuristics


    and:

    Scanning Report
    Monday, November 06, 2006 20:44:33 - 21:35:10
    Computer name: MAGGIE-PC
    Scanning type: Scan system for viruses, rootkits, spyware
    Target: C:\ D:\


    --------------------------------------------------------------------------------

    Result: 10 malware found
    Tracking Cookie (spyware)
    System (Disinfected)
    System
    System
    System
    System
    System (Submitted)
    System
    System
    System
    System

    --------------------------------------------------------------------------------

    Statistics
    Scanned:
    Files: 25640
    System: 4117
    Not scanned: 2
    Actions:
    Disinfected: 1
    Renamed: 0
    Deleted: 0
    None: 9
    Submitted: 1
    Files not scanned:
    C:\PAGEFILE.SYS
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

    --------------------------------------------------------------------------------

    Options
    Scanning engines:
    F-Secure AVP: 6.0.171, 2006-11-06
    F-Secure Libra: 2.4.1, 2006-11-04
    F-Secure Orion: 1.2.37, 2006-11-06
    F-Secure Blacklight: 1.0.31, 0000-00-00
    F-Secure Pegasus: 1.19.0, 2006-08-29
    F-Secure Draco: 1.0.35, 2006-10-31
    Scanning options:
    Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
    Use Advanced heuristics


    Also yes, I still have problems with my icons. They're all highlighted. Like when you click on something with your mouse, it's highlighted in blue. Every icon has this problem on my desktop, even when I create new files/icons/whatever on it. This is the combofix log:


    Administrator - 06-11-06 21:41:06.70 Service Pack 2
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-10-06 to 2006-11-06 ))))))))))))))))))))))))))))))))))


    2006-11-04 12:50 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-11-01 18:59 99,328 --a------ C:\WINDOWS\system32\t5rdv.dll
    2006-11-01 18:59 35,840 --a------ C:\WINDOWS\system32\ecesq.dll
    2006-11-01 18:59 33,792 --a------ C:\WINDOWS\system32\cpwiuy.dll
    2006-11-01 18:59 28,672 --a------ C:\WINDOWS\system32\t3odm.dll
    2006-10-28 15:57 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
    2006-10-28 15:57 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2006-10-28 15:57 129,784 --------- C:\WINDOWS\system32\pxafs.dll
    2006-10-28 15:57 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-06 20:39 -------- d-------- C:\Program Files\Symantec AntiVirus
    2006-11-04 12:50 -------- d-------- C:\Program Files\Grisoft
    2006-11-01 23:43 -------- d--h----- C:\Program Files\Online Services
    2006-11-01 23:41 -------- d--h----- C:\Program Files\ComPlus Applications
    2006-11-01 22:39 -------- d-------- C:\Program Files\mIRC
    2006-11-01 22:38 -------- d--h----- C:\Program Files\Windows NT
    2006-11-01 22:25 -------- d-------- C:\Program Files\Lavasoft
    2006-11-01 22:25 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2006-11-01 19:23 -------- d-------- C:\Program Files\Ultra Video Splitter
    2006-11-01 18:59 -------- d--h----- C:\Program Files\Windows Media Player
    2006-10-29 01:27 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
    2006-10-28 15:57 -------- d-------- C:\Program Files\Winamp
    2006-10-27 21:20 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2006-10-27 21:19 -------- d-------- C:\Program Files\Disc2Phone
    2006-10-27 20:55 -------- d--h----- C:\Program Files\Internet Explorer
    2006-10-22 13:08 -------- d-------- C:\Program Files\SopCast
    2006-10-22 13:08 -------- d-------- C:\Documents and Settings\Administrator\Application Data\SopCast
    2006-10-19 12:00 -------- d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
    2006-09-26 20:09 -------- d-------- C:\Program Files\PPLive
    2006-09-23 18:15 -------- d-------- C:\Program Files\MSN Messenger
    2006-09-23 18:11 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
    2006-09-23 18:09 -------- d-------- C:\Documents and Settings\Administrator\Application Data\PPLive
    2006-09-23 18:08 -------- d--h----- C:\Program Files\Common Files
    2006-09-23 18:08 -------- d-------- C:\Program Files\Common Files\Synacast
    2006-09-23 17:42 -------- d-------- C:\Program Files\TVAnts
    2006-09-13 06:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-08-25 16:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
    2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
    "PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
    "DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
    "igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
    "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=dword:40000004
    "OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 06-11-06 21:41:59.20
    C:\ComboFix.txt ... 06-11-06 21:41
    C:\ComboFix2.txt ... 06-11-03 20:19

  6. #16
    Member
    Join Date
    Nov 2006
    Posts
    56

    Default

    Tell you what, I scanned for the third time, and this time I didn't even have to disinfect, it didn't find any malware on my system. Maybe during the last cleanup, it did clean everything after all although it stalled at file 5 of 10? Hmmm. This is the report. For the combofix log see my previous post.

    Scanning Report
    Monday, November 06, 2006 21:52:11 - 22:23:55
    Computer name: MAGGIE-PC
    Scanning type: Scan system for viruses, rootkits, spyware
    Target: C:\ D:\


    --------------------------------------------------------------------------------

    Result: 0 malware found

    --------------------------------------------------------------------------------

    Statistics
    Scanned:
    Files: 23872
    System: 4087
    Not scanned: 2
    Actions:
    Disinfected: 0
    Renamed: 0
    Deleted: 0
    None: 0
    Submitted: 0
    Files not scanned:
    C:\PAGEFILE.SYS
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

  7. #17
    Member
    Join Date
    Nov 2006
    Posts
    56

    Default

    Btw desktop problem seems solved also, switched wallpaper, switched back, and no more highlighted icons. But can you check the logs anyway, just to be sure. I need to completely trust this computer as I need to use it for some important stuff...

  8. #18
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi again, it is looking clean now
    How is the computer running ?

    I think that the icons were probably highlighted because of the colors of your wallpaper. They wouldn't have shown otherwise....


    Does your Norton include a firewall ? If not, do this:
    ______________________

    You don't seem to have a firewall running; you must install a firewall.
    NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection.
    Disable Windows firewall after installing a new firewall.


    These are good (free) firewalls:
    ______________________

    Now you can clean AVG's Quarantine:
    • Open AVG Anti-Spyware
    • Click Infections
    • Click Quarantine tab
    • Click Select all
    • Click Remove finally
    • Close the program

    You can remove ComboFix.

    Now you can make your hidden files hidden again.
    • Go to My Computer
    • Select the Tools menu and click Folder Options
    • Click the View tab.
    • Checkmark the "Display the contents of system folders"
    • Under the Hidden files and folders select "Show hidden files and folders"
    • Check "Hide protected operating system files"
    • Click Apply and then the OK and close My Computer.


    =============

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    • Clear your system restore
      This will clear the system restore folders from possible malware that was left behind during the cleaning process.
    • Use ATF Cleaner
      Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
    • Use Ad-Aware
      Download and install Ad-Aware. Update it and scan your computer regularly with it.
    • Use AVG Anti-Spyware
      Update it and scan your computer regularly with it.
    • Use Spybot S&D
      Download and install Spybot S&D. Update it and scan your computer regularly with it.
    • Install SpywareBlaster
      SpywareBlaster will prevent spyware from being installed.
    • Install MVPS Hosts file
      This prevents your computer from connecting to harmful sites.
    • Use Firefox browser
      Firefox is a faster, safer and better browser than Internet Explorer.
    • Keep your system up-to-date
      Visit Windows Update regularly.
    • Keep your antivirus and firewall up-to-date
      Scan your computer regularly with your antivirus.
    • Read this article by TonyKlein
      So how did I get infected in the first place?
    • Stand Up and Be Counted !
      The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


    Stay clean and be safe

  9. #19
    Member
    Join Date
    Nov 2006
    Posts
    56

    Default

    Originally posted by Mr_JAk3:
    "Hi again, it is looking clean now
    How is the computer running?

    I think that the icons were probably highlighted because of the colors of your wallpaper. They wouldn't have shown otherwise...."

    Hello again! The computer is running fast now, and I don't have to wait ages for the desktop etc to load when rebooting.
    What do you mean with the colors of my wallpaper? I just remember that before it was fine, but when I tried to install some new software I downloaded from a shady bt site... suddenly then popups came, desktop icons got highlighted no matter what color of wallpaper I used... But I think you helped me fix the problem when I followed your instructions, but I had to switch wallpapers for it to be normal again. I switched it back to the same wallpaper right after and all's well.

    I still have a few questions, can you pls answer them:

    -Is it possible for you to check how I got the virus? To pinpoint which file did it for me? I think it's this software I downloaded from a bt site, but I'm not 100% sure. These files that caused it are probably still on my computer... are they cleansed now (since ewido, etc didn't delete them) and can I run them now? Or should I delete.

    -Why did norton not find all those viruses before I ran the file (I always scan everything and auto-protect was on), and why did norton not find the viruses afterwards that ewido and f-secure scanner did? Does this mean I can't trust norton anymore?

    -during your instructions when I wanted to be sure a system.exe wasn't in my windows folder, I messed around a bit with my search option and accidentally set the 'action' that when I double-click drive icons/files, they won't open but instead a 'find' window will pop up... I did this when I clicked on 'show all extensions' in tools, folder options, file types, advanced... the 'find' command is now set in 'actions', and I want to change it to 'open' again...

    Sorry to bother you, but I'm trying to be sure I'm safe to log onto accounts and stuff again... thx a bunch...

  10. #20
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi again

    Do you remember what exactly you did in Folder Options?

    Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the Windows Registry Editor Version 5.00) :

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Drive\shell]
    @="(value not set)"

    [HKEY_CLASSES_ROOT\Directory\shell]
    @="none"

    Make sure there are NO blank lines before Windows Registry Editor Version 5.00
    Make sure there IS one blank line at the end of the file.

    Save the document to your desktop as Fix.reg and filetype: All Files
    Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

    Reboot the computer and try if the drives/folders open normally.

    Please let me know

    So you think you have the infected installers on your computer. I really recommend that you delete those and download the proper versions from the author's original homepage. Otherwise you'll get infected again.

    No antivirus is 100% proof. You get the best results by using multiple scanners, like Norton and AVG Antispyware. But remember to use only 1 active antivirus at the same time.
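
An added example, not part of the original thread: a Python check that reviews the text of a .reg file such as the Fix.reg from post #20 before it is merged. It tests the two format conditions the post gives and lists every key and value the file would change; flagging writes to the autostart keys named in the ComboFix "Reg Loading Points" section goes beyond what the post asks for. The function names and both sample texts are assumptions made for this example.

```python
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
# Autostart keys listed under "Reg Loading Points" in the ComboFix log above.
LOADING_POINTS = (
    "\\currentversion\\run",
    "\\explorer\\sharedtaskscheduler",
    "\\explorer\\shellexecutehooks",
    "\\shellserviceobjectdelayload",
)
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample: the Fix.reg text from post #20 as Notepad would save it.
FIX_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CLASSES_ROOT\\Drive\\shell]\n"
    '@="(value not set)"\n\n'
    "[HKEY_CLASSES_ROOT\\Directory\\shell]\n"
    '@="none"\n'
)
# Constructed sample: a file that adds a made-up autostart entry.
RUN_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run]\n"
    r'"Example"="C:\\example\\example.exe"' + "\n"
)


def review_reg(text):
    """Return (problems, changes); changes are (action, key, name, data)."""
    problems, changes = [], []
    text = text.lstrip("\ufeff").replace("\r\n", "\n")
    lines = text.split("\n")
    if lines[0].strip() not in HEADERS:
        problems.append("first line is not a registry file header")
    # Assumption: "one blank line at the end" means the last line is terminated.
    if not text.endswith("\n"):
        problems.append("file does not end with a line break")
    key, pending = None, ""
    for raw in lines[1:]:
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # hex value continued on next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1):               # "[-key]" deletes the whole key
                changes.append(("delete-key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data == "-":              # "name"=- deletes the value
                changes.append(("delete-value", key, name, None))
            else:
                changes.append(("set-value", key, name, data))
        else:
            problems.append("unparsed line: " + line)
    return problems, changes


def loading_point_writes(changes):
    """Return the changes that touch one of the autostart keys."""
    hits = []
    for change in changes:
        key = change[1].lower() + "\\"
        if any(p + "\\" in key for p in LOADING_POINTS):
            hits.append(change)
    return hits


if __name__ == "__main__":
    for label, sample in (("Fix.reg", FIX_REG), ("autostart sample", RUN_REG)):
        problems, changes = review_reg(sample)
        print(label, problems, changes, loading_point_writes(changes))
```
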
