help

Status
Not open for further replies.

venus_n

Guest
MY DDS log




DDS (Ver_10-03-17.01) - NTFSx86
Run by Antivirus at 0:50:54.62 on Mon 09/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222.41 [GMT 5.5:30]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Antivirus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
TCP: {7CC2FDD7-4E5F-41FE-93F0-688524BE22B2} = 202.56.215.54,202.56.215.55
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\antivi~1\applic~1\mozilla\firefox\profiles\b335fjj7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-7 163280]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-9 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-9 267432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-7 19024]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-9 60936]
S2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]

=============== Created Last 30 ================

2010-09-09 12:34:27 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-09-09 11:27:14 0 d-----w- c:\windows\system32\NtmsData
2010-09-09 11:01:34 0 d-----w- c:\docume~1\antivi~1\applic~1\Avira
2010-09-09 07:42:16 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-09-09 07:42:11 0 d-----w- c:\program files\Avira
2010-09-08 08:22:57 0 d-sh--w- c:\documents and settings\antivirus\IECompatCache
2010-09-08 08:12:16 0 d-sh--w- c:\documents and settings\antivirus\PrivacIE
2010-09-08 08:11:17 0 d-sh--w- c:\documents and settings\antivirus\IETldCache
2010-09-08 08:09:06 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-09-08 08:08:16 0 dc-h--w- c:\windows\ie8
2010-09-08 05:50:58 0 d-sh--w- c:\documents and settings\antivirus\UserData
2010-09-07 15:50:46 0 d-----w- c:\program files\common files\ODBC
2010-09-07 15:50:43 0 d-----w- c:\program files\common files\SpeechEngines
2010-09-07 15:50:17 0 d-----r- c:\documents and settings\all users\Documents
2010-09-07 13:26:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-09-07 13:16:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-09-07 11:33:38 0 d-----w- c:\program files\Microsoft ActiveSync
2010-09-07 10:59:18 0 d-----w- c:\program files\VideoLAN
2010-09-07 10:57:28 0 d-----w- c:\program files\Kundli
2010-09-07 10:30:09 0 d-sh--w- c:\documents and settings\all users\DRM
2010-09-07 10:29:48 0 d--h--w- c:\program files\WindowsUpdate
2010-09-07 10:28:53 0 d-----w- c:\program files\common files\MSSoap
2010-09-07 10:27:20 0 d-----w- c:\program files\Online Services
2010-09-07 10:27:12 0 d-----w- c:\program files\Messenger
2010-09-07 10:27:09 0 d-----w- c:\program files\MSN Gaming Zone
2010-09-07 10:26:35 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2010-09-07 10:27:45 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 0:51:22.28 ===============


http://forums.spybot.info/showthread.php?t=59400
 
hi venus_n,

If you still need help, we will start with a download. Link and directions:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
 
Ok, this time I clicked I saw a link to download.



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4618

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

9/15/2010 1:48:53 PM
mbam-log-2010-09-15 (13-48-53).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 149554
Time elapsed: 13 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
hi,

ok, that log looks like a good start anyway. Do you have two antivirus installed, Avira and Avast? So you are getting E-mails that you think are not really from Yahoo support, but somebody else?
 
Yes, I am getting them in my Yahoo mailbox.

I had installed Avast but my local computer man here said to me that it's no good so he had removed it. Now the icon is not visible of Avast. Then after that I got Avira installed.

Did I install the true Malwarebytes? You said the setup icon will be named mbam-setup.exe. Mine was mbam-setup-1.46.exe
 
> You said the setup icon will be named mbam-setup.exe

My directions are a little old. You installed the correct file.

> I had installed Avast but my local computer man here said to me that it's no good

Nothing wrong with Avast AV. Do you see Avast listed in the add/remove programs panel?

> so he had removed it. Now the icon is not visible of Avast

If Avast was uninstalled then you should not see the icon by the clock.

The reason for all this is that two AVs are one too many on a computer. More is not better in this case. One AV per computer.

You can keep Malwarebytes; note that the free version must be updated manually and a scan started manually. It's good practice to check for updates every few days or so even if you don't scan with it at that time. If it's not kept updated it will soon be worthless. Updates help to cover the new malware threats.

How do you know the e-mails aren't from Yahoo support? Do they answer your question or provide help at all? Could help central be like a community page where other users can answer questions?
 
Avast is neither near the clock nor in the add-remove programs nor on any icon on the desktop nor listed in the start-up menu, the one which opens on clicking start.

Such mails that seem to be from Yahoo have been circulating around for a while and other Yahoo members are receiving similar. I read somewhere on the Yahoo site that to check if such mails are from Yahoo you have to look for the purple Y sign. This purple Y sign is the same which you see on several places on the Yahoo site. If you see the mail listed in the inbox, the Y sign is to be in front of the mail in the same line as the mail. But the ones I get don't have the Y sign.

These mails that claim to be from Yahoo try to answer my questions but haven't answered any question completely. Helpcentral is not a community. It's a place with pre-written questions & answers, search for questions, FAQs, different sections for different Yahoo products, contact us forms. It is through those contact us forms that I asked my question.

What I write below happened according to India time.

I formatted Windows on 7th of this month in the afternoon and installed Avast from a friend's CD (safe, he uses it). He was here that time with the CD. I mean he was here during the format. He gave the CD generously to me because he didn't want me to have virus on my computer and assured me that as long as I keep the Avast in my computer, nothing's gonna happen. It had many features.

On the same day (7th), around 7pm, I don't remember exact time, I think it was around 7 pm, I called up the computer man to install internet drivers which are required for internet to function. When this idiot looking man came, he on his own completely uninstalled Avast without asking. When I asked him why, he made excuses including he said it's useless. I asked him to install it back, he was jittery and randomly searched through his CDs and loaded an Avast, an Avira, internet drivers, and went.

Well then I took a break. I was offline. In fact I hadn't gone online till now after the format, not even to check the drivers he had loaded. I hadn't gone online till next day morning (8th this month).

Ok after my break on 7th, I came back to my computer to see how the new Windows looks and I noticed this about the Avast and Avira the idiot had loaded. Avast was only a memory testing version and Avira had a licence expiry date 2008 and couldn't be updated so it hadn't been updated since 2008. I called back and screamed.

After 2 days that is 9th this month, I sent the computer to a new technician to install fresh antivirus. It was with them from about 12:00 in the afternoon to 7:00 in the evening. They brought back the computer with fresh Avira in it.

After 9th, I have not installed or downloaded myself anything from internet, CD, or whatever. Neither has the computer been sent to any more technicians or more technicians been called over since 9th.

Yes I did download DDS, ERUNT, and MBAM according to the directions I have received from your forum after I joined the forum.
 
> Ok after my break on 7th, I came back to my computer to see how the new Windows looks and I noticed this about the Avast and Avira the idiot had loaded. Avast was only a memory testing version and Avira had a licence expiry date 2008 and couldn't be updated so it hadn't been updated since 2008. I called back and screamed.

That was on 7th itself, after the break. I hadn't gone online till then, and was offline while checking, in fact I was offline till 8th morning.
 
hi,

> Avast is neither near the clock nor in the add-remove programs nor on any icon on the desktop nor listed in the start-up menu

Must be uninstalled then.

Do the E-mails have this in the return field?

So Avira is up to date and you have recently scanned with it as a check for any possible malware on your computer?
 
You had said that only one AV should be on one computer, so to uninstall either Avira or Avast. But I didn't because I don't know where to uninstall Avast from, since I don't see the icon on the desktop or add/remove programs or startup menu or near the clock.

Is Avast still on my computer?

I don't remember if this key symbol was there in front of from address.

Avira is up to date, or can say up to yesterday date. I updated it yesterday. I haven't scanned with it recently because what I understood from forum rules is that I can't do anything like that without being instructed to by my helper, as it may kill evidence of infection.
 
> I don't know where to uninstall Avast from

If you don't see it in the add/remove programs panel then most likely it was uninstalled from your computer.
You could run this utility to be sure if you want to. Note that it runs in safe mode. To reach safe mode you would tap the F8 key during a computer restart. Log in to your usual account. Choose the first option from the list: safe mode. Once at the safe mode desktop run the utility. Reboot normally afterwards.

> I haven't scanned with it recently because what I understood...is that I can't do anything like that without being instructed to

This is the policy at many malware forums, but I do not agree with it.
Go ahead and check for updates and scan with Avira.
 
If the Avast was removed from my computer then how did you know that I had Avast?

Before running the utility you gave to uninstall Avast, I want to check which folder it is in? Do you know?

May I scan with Avira before uninstalling Avast with the utility you gave? It will not be harmful?
 
I knew because of the entries in your DDS log. These may just be left over registry entries after the software was removed. You might find a folder in C:/Programs Files/Alwil/Avast, which would be the default location during the install process. This is where the Avast uninstall utility will look.

> uninstalling Avast with the utility you gave

If Avast was already removed via the add/remove programs panel and since you don't see it listed in there then most likely it was uninstalled. The utility is just to make sure. It won't do any harm to run it.
You can safely scan with Avira first if you want then run the utility.
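
Added example, not part of any post in this thread: a short Python parse of the SERVICES / DRIVERS section of the DDS log above, showing which entries belong to which antivirus product and which are stopped entries whose file details DDS printed as `[?]`. The substrings in `VENDOR_HINTS` and the reading of `[?]` as "no file details found" are assumptions of this example.

```python
import re
from collections import defaultdict

# SERVICES / DRIVERS lines copied from the DDS log posted in this thread.
DDS_SERVICES = r'''
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-7 163280]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-9 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-9 267432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-7 19024]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-9 60936]
S2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
'''

# Line layout: <R|S><start type> name;display name;image path [date size]  (or [?])
ENTRY_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]+);'
    r'(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]$'
)

# Assumption of this example: substrings used to attribute an entry to a product.
VENDOR_HINTS = {
    "avast": ("alwil software", "avast", "aswsp", "aswfsblk"),
    "avira": ("avira", "avgio", "avgntflt"),
}


def parse_services(text):
    """Return one dict per well-formed SERVICES / DRIVERS line."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def vendor_of(entry):
    """Attribute an entry to a product by its service name and image path."""
    haystack = (entry["name"] + " " + entry["image"]).lower()
    for vendor, hints in VENDOR_HINTS.items():
        if any(hint in haystack for hint in hints):
            return vendor
    return "other"


def summarize(entries):
    """Per vendor: running components, and stopped entries marked [?]."""
    report = defaultdict(lambda: {"running": [], "leftover": []})
    for entry in entries:
        bucket = report[vendor_of(entry)]
        if entry["state"] == "R":
            bucket["running"].append(entry["name"])
        elif entry["meta"].strip() == "?":  # assumption: no file details found
            bucket["leftover"].append(entry["name"])
    return dict(report)


if __name__ == "__main__":
    for vendor, result in summarize(parse_services(DDS_SERVICES)).items():
        print(vendor, "running:", result["running"], "leftover:", result["leftover"])
```

On this log the three `avast!` service entries come out as stopped with `[?]`, while the two `asw*` drivers are still marked running next to the Avira components.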
 
> I want to check which folder it is in? Do you know?

In the above quote I meant I want to check which folder is Avast in.

Ok according to your directions, I do have a folder Alwil in C:/Programs Files/ , but there are 2 avasts in it. One is avast4 and one is avast5. I mean these are two folders under Alwil, avast4 and avast5. This may be because of the story I told you. That.. first I installed my friend's good Avast on 7th afternoon. Then the computer man installed only memory testing version on 7th evening.

How to check which is which among avast4 and avast5?

I updated Avira just now and ran scan with Avira just now and it hasn't detected any virus. Also no warnings etc. All 0's. I had run the complete scan.
 
> scan with Avira just now and it hasn't detected any virus

Ok good. Malwarebytes and Avira are coming up clean.



How to uninstall our software using aswClear:

1. Download aswClear5.exe on your desktop
2. Start Windows in Safe Mode
3. Open (execute) the uninstall utility
4. If you installed avast! in a different folder than the default, browse for it. (Note: Be careful! The content of any folder you choose will be deleted!)
5. Click REMOVE
6. Restart your computer

> How to check which is which among avast4 and avast5?

If you're concerned about #4 above, don't be; it was installed to the default location. You can just boot into safe mode and run the uninstaller.
 
> because I want to know which one is my friend's Avast.. I wanna keep that one

If you don't see Avast listed in the add/remove programs panel then it was most likely uninstalled from your machine. The Avast software has been removed; the uninstaller can leave a folder behind in C:/program files. It's just a leftover, there's really nothing to keep, Avast is non-functioning at this point.
 