Jakemaxcat

Everything posted by Jakemaxcat

  1. AVG Free updated, full scan run, nothing found. I assume that means it is virus-free. Thanks for all your help.
  2. Combofix run with CFScript, log attached. Malwarebytes updated and run, found 1 infection (Spyware.OnlineGames) and selected to fix it. Log attached.
     Attachments: Combofixlog24Jun2010.txt, mbam_log_2010_06_24__13_47_13_.txt
  3. Combofix run with CFScript, log attached. Malwarebytes updated and run, found 1 infection (Spyware.OnlineGames) and selected to fix it. Log attached.
  4. Combofix run OK, log attached.
     Attachment: Combofixlog.txt
  5. The Themed32.dll not found error has gone away. There is another new error I get, but I don't think it is related to this problem. (I think it is self-inflicted... sorry.) "Error loading C:\WINDOWS\uxarbiyixevoyoh.dll. The specified module could not be found."
     mbam log:
     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 4222
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702
     21/06/2010 23:55:10
     mbam-log-2010-06-21 (23-55-10).txt
     Scan type: Full scan (C:\|D:\|)
     Objects scanned: 224929
     Time elapsed: 1 hour(s), 10 minute(s), 6 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 4
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1
     Memory Processes Infected:
     (No malicious items detected)
     Memory Modules Infected:
     (No malicious items detected)
     Registry Keys Infected:
     (No malicious items detected)
     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yrumegemida (Trojan.Agent) -> No action taken.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.Agent) -> No action taken.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> No action taken.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> No action taken.
     Registry Data Items Infected:
     (No malicious items detected)
     Folders Infected:
     (No malicious items detected)
     Files Infected:
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0001025.exe (Worm.Prolaco) -> No action taken.
     ==================================================
     I have attached the DDS.txt and Attach.txt files as requested.
     Attachments: Attach22Jun.txt, DDS22Jun.txt
  6. Is there a problem with pound signs on the forum? btw, Dell wanted 60GBP for a copy of the XP Home CD, which I think is criminal. They should have supplied it when the laptop was new, but it wasn't on the packing list.
  7. Not sure what happened to the rest of that... btw, Dell wanted
  8. I ran SFC.exe, which finished without finding any missing files. I borrowed an XP Home CD, which I put in the drive and attempted to run recovery, but was stopped as I didn't know the Admin password (it wasn't blank). After rebooting, the GUI was back, so I plugged an Ethernet cable in to get the latest Malwarebytes database and ran a scan which found 5 objects: 3 occurrences of Trojan.Agent in the registry, Backdoor.Bot also in the registry, and Worm.Prolaco in a system restore file. I haven't attempted to remove them as I will wait for your suggestion as to the next action to take since the GUI is back. btw, Dell wanted
  9. I didn't expect to fix the problem by editing the startup list, but I was hoping to use it to prevent AVG starting so that I could run Combofix. Avira Antivir didn't work. BitDefender ran ok, but didn't find anything. Are there any of the others that are more likely to be successful for a problem like this?
  10. Well, that didn't go well... what could go wrong did go wrong. There is no GUI to mention and no system tray. In normal mode, every time I tried to end the AVG processes, they just restarted. Went back into safe mode; this time the AVG processes ended with Task Manager. I then started Combofix from the command prompt, but it said that AVG was still active and warned me that unpredictable results may occur if I continued, so I went for plan B.
     Plan B: use the Avira AntiVir Rescue System CD. Downloaded the exec and burnt the CD OK. Changed the Dell laptop boot order to boot from CD; Linux came up OK. I selected Option 1: Boot AntiVir Rescue System (default). As it is a Dell, the screen resolution was wrong (i.e. I can't see the British flag or the start scanner button). I used "CTRL + ALT + BACKSPACE" to exit the graphical interface and then entered the command manually:
     antivir -allfiles -z -ren /mnt/
     Scan time 00:00:01
     Rebooted, still the same as before. Is there a safe place I can download msconfig for XP? Then I could update the startup list, prevent AVG from coming up and be able to run Combofix. Thanks.
  11. Just to clarify the situation. The Dell Inspiron laptop won't connect to the internet; in fact it doesn't appear to have a usable desktop. It is started in safe mode with a command prompt. The access to this forum is via a clean PC. I am using a memory stick to transfer the downloaded diagnosis program files (e.g. dds.scr, Combofix etc.) to the C: drive of the infected laptop and sending the results/logs back via the stick. XP Home was pre-installed on the laptop when bought new and Dell didn't supply the installation CD. I have contacted Dell requesting it be sent.
     Situation so far and questions:
     1) Done, Combofix copied to a folder on the C: drive. (I have no desktop.)
     2) There is no system tray, and the instructions to temporarily disable security tools seem to be applicable only if you have one. I was able to go into Windows Task Manager and kill processes such as AVG*.exe. When I attempted to kill AAWService.exe it just restarts. There is a process running called lsass.exe, which I believe is bad. Should I attempt to kill it or leave it? The other running processes are: taskmgr.exe, cmd.exe, wmiprvse.exe, ZCfgSvc.exe, UNSECAPP.EXE, svchost.exe (x3), services.exe, winlogon.exe, csrss.exe, smss.exe, System, System Idle Process, SYSTEM.
     3) I haven't run Combofix yet; I will wait till you confirm what action I should take for step 2. Thanks.
  12. I am attempting to fix a Dell Inspiron 510m with XP Home, AVG Free and Windows Firewall. The symptoms were that it was slow and had problems connecting to the internet. I ran Malwarebytes, which detected:
     Spyware.onlinegames
     worm.prolaco
     Trojan.Agent
     Trojan.swisyn
     Malware.Trace
     Rootkit.Agent (which, after reading the forum, appears to be a nasty one)
     The removal using Malwarebytes all seemed to be going well until the reboot. Got the error message, "The application has failed to start as themed32.dll was not found. Reinstalling the application may fix this problem". I tried to restore, but either the system checkpoint files have been deleted or I am unable to access them. I am able to start Windows in safe mode with a command prompt. It was then that I found the Malwarebytes forum. Defogger finished with no errors. Defogger didn't ask me to restart (as per the instructions), but I did it anyway. Ran the dds.scr file. Got the failure message due to themed32.dll missing about 100 times, to which I clicked OK each time.
     DDS.txt ==>
     DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
     Run by Bob at 17:36:45.35 on 16/06/2010
     Internet Explorer: 8.0.6001.18702
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.354 [GMT 1:00]
     AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
     ============== Running Processes ===============
     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
     C:\Program Files\AVG\AVG9\avgchsvx.exe
     C:\WINDOWS\system32\svchost.exe -k netsvcs
     C:\WINDOWS\system32\ZCfgSvc.exe
     C:\Dellfix2\dds.scr
     ============== Pseudo HJT Report ===============
     uSearch Page = hxxp://www.google.com
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     mSearchAssistant = hxxp://www.google.com/ie
     BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
     BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
     BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
     BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
     BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
     BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
     BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
     BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
     BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
     BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
     BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
     BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
     BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
     TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
     TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
     TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
     TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
     TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
     TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
     TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
     EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
     uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
     uRun: [kdx] c:\program files\kontiki\KHost.exe -all
     mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
     mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
     mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
     mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
     mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
     mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
     mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
     dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
     dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
     dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe
     IE: &MSN Search - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll/search.htm
     IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
     IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
     IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
     DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
     DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
     DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
     DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://sell-vehicle.ebay.co.uk/images/eps/eBay_Enhanced_Picture_Control_v1-0-3-50.cab
     DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,84/mcinsctl.cab
     DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
     DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
     DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
     DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
     DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,23/mcgdmgr.cab
     DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
     DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
     DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
     DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
     Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
     Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
     Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
     Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
     Notify: avgrsstarter - avgrsstx.dll
     Notify: igfxcui - igfxdev.dll
     Notify: req - c:\windows\system32\req.dll
     Notify: Sebring - c:\windows\system32\LgNotify.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
     SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
     ============= SERVICES / DRIVERS ===============
     R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-4 64160]
     R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
     S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-17 216200]
     S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-22 29584]
     S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-17 242896]
     S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-27 390528]
     S1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-6-7 59240]
     S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-6-7 166632]
     S2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-1 916760]
     S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-1 308064]
     S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-27 54752]
     S2 gupdate1c989ff22fd18c0;Google Update Service (gupdate1c989ff22fd18c0);c:\program files\google\update\GoogleUpdate.exe [2009-2-8 133104]
     S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-6-7 840936]
     S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-18 24652]
     S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
     S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
     =============== Created Last 30 ================
     2010-06-16 16:19:25 0 ----a-w- c:\documents and settings\bob\defogger_reenable
     2010-06-14 12:29:31 0 d-----w- C:\Dellfix2
     2010-06-14 12:27:59 1677 ----a-w- C:\Dellfix
     2010-06-14 08:18:18 50477 ----a-w- C:\Defogger.exe
     2010-06-14 08:18:18 3707422 ----a-w- C:\ComboFix.exe
     2010-06-14 08:18:18 293376 ----a-w- C:\qzb3qivg.exe
     2010-06-13 16:30:37 0 d-----w- c:\windows\LastGood.Tmp
     2010-06-13 09:25:15 0 d-----w- C:\78b3d2db2c8339f5c3
     2010-06-12 20:15:33 0 d-----w- C:\6a81e9c1698b693065ba9f
     2010-06-10 07:31:58 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
     2010-06-01 09:53:21 0 d--h--w- C:\$AVG
     2010-06-01 09:51:58 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
     2010-06-01 09:50:57 0 d-----w- c:\windows\SxsCaPendDel
     ==================== Find3M ====================
     2010-06-13 13:11:07 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
     2010-06-01 09:52:51 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
     2010-06-01 09:52:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll
     2010-05-12 10:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
     2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
     2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
     2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
     2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
     2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
     2010-04-06 03:52:46 2462720 ------w- c:\windows\system32\dllcache\WMVCore.dll
     2008-10-22 21:59:35 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102220081023\index.dat
     ============= FINISH: 17:40:34.15 ===============
     attach.txt should be attached to this post. I didn't see an ark.txt file and am not sure where the Malwarebytes logs are. How can I fix this? Thanks.
     Attachment: Attach.txt
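The Malwarebytes' Anti-Malware logs quoted in posts 5, 8 and 12 above all use the same plain-text layout: a block of "<section>: <count>" summary lines, then one detail section per category listing each item as "<target> (<threat>) -> <action>." The Python below is an added example; it is not part of the original thread and is not Malwarebytes' own tooling. It parses that layout into structured findings, cross-checks the summary counts against the items actually listed (a quick way to tell whether a pasted log has been truncated or edited), and pulls out the Run-key autostart values the scan flagged, which is where the persistence in post 5 lives. The sample log is a constructed copy of the one in post 5; the `Finding` class and the function names are this example's own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings.

Added example, not from the original thread. The sample below is a
constructed copy of the log pasted in post 5.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, modelled on the mbam-log pasted in post 5 above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4222

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

21/06/2010 23:55:10
mbam-log-2010-06-21 (23-55-10).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 224929
Time elapsed: 1 hour(s), 10 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yrumegemida (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0001025.exe (Worm.Prolaco) -> No action taken.
"""

# "Registry Values Infected: 4"       -> summary count line
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)$")
# "Registry Values Infected:"         -> start of a detail section
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<target> (<threat>) -> <action>."  -> one detected item
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Finding:
    section: str  # e.g. "Registry Values Infected"
    target: str   # registry value path, file path, process name, ...
    threat: str   # detection name, e.g. "Trojan.Agent"
    action: str   # e.g. "No action taken"


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Finding]]:
    """Return (summary counts per section, list of detected items)."""
    counts: Dict[str, int] = {}
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            findings.append(Finding(section, m["target"], m["threat"], m["action"]))
    return counts, findings


def count_mismatches(counts: Dict[str, int], findings: List[Finding]) -> Dict[str, Tuple[int, int]]:
    """Sections whose summary count differs from the items actually listed.

    A non-empty result means the pasted log is truncated or was edited.
    """
    seen: Dict[str, int] = {}
    for f in findings:
        seen[f.section] = seen.get(f.section, 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in counts.items() if n != seen.get(s, 0)}


def run_key_entries(findings: List[Finding]) -> List[str]:
    """Value names under a CurrentVersion Run key that the scan flagged (autostart persistence)."""
    return sorted(f.target.rsplit("\\", 1)[-1] for f in findings
                  if "\\CurrentVersion\\Run\\" in f.target)


def unactioned(findings: List[Finding]) -> List[Finding]:
    """Items the scan reported but did not remove."""
    return [f for f in findings if f.action == "No action taken"]


if __name__ == "__main__":
    counts, findings = parse_mbam_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f.section:28} {f.threat:14} {f.target}")
    print("Run-key persistence:", run_key_entries(findings))
    print("Still present:", len(unactioned(findings)), "item(s)")
    print("Count mismatches:", count_mismatches(counts, findings))
```

Run against the post 5 log this yields five findings, all "No action taken", four of them Run-key values; the count check is clean. Drop one item line from the "Registry Values Infected" section and `count_mismatches` reports the section as 4 declared versus 3 listed, which is the signal to ask the poster for the complete log before acting on it.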