How to remove a stubborn Virus/Malware/Trojan


Hi,

My computer is infected, and no matter what I do (I have been working on it for 2 days already), the problem still occurs.

Problem description:

1. An error message pops up after Windows finishes loading. This is the message: "RUNDLL | Error loading augry.vko. The specified module could not be found"

2. When I open a folder, for example "c:\my folder's\mymusic", the folder/window closes and the desktop disappears and reappears.

This means that I can't use the files in this folder.

I tried to "clean" this infection in many, many ways:

1. Used Hiren's CD and ran different scanners, such as Malwarebytes' Anti-Malware, Spybot - Search & Destroy, Microsoft Security Essentials, AVG scan, NOD32 online scan, etc.

2. I also did the scans above in Safe Mode and in Mini XP (available on Hiren's CD).

These scans did find many infections, and I think they also cleaned all of them (sort of).

3. I also ran ComboFix, but the problem still occurs.

ComboFix showed me these 2 messages:

System file is infected !! Attempting to restore

"X:\i386\system32\lpk.dll"

System file is infected !! Attempting to restore

"X:\i386\system32\imm32.dll"

But in the second scan I did with ComboFix, it didn't show them anymore.

4. I also restored the computer via the Microsoft "restore point" method.

But the problem/virus still occurs!

These are the ComboFix logs:

Log number 1:

ComboFix 10-07-23.01 - Shai.m 07/24/2010 3:21.2.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.958.746 [GMT 3:00]

Running from: c:\documents and settings\Shai.m\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\program files\Shared

.

((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))

.

2010-07-24 01:35 . 2010-07-24 01:38 -------- d-----w- C:\Hiren cd

2010-07-23 23:28 . 2010-07-23 23:28 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-22 18:24 . 2010-07-22 18:24 54016 ----a-w- c:\windows\system32\drivers\vvptwoik.sys

2010-07-22 17:42 . 2010-07-22 17:42 -------- d-----w- c:\program files\Trend Micro

2010-07-22 17:34 . 2010-07-22 17:36 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-07-22 17:32 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-07-22 13:25 . 2010-07-22 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-07-22 13:25 . 2010-07-22 13:31 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-07-21 11:16 . 2010-07-21 11:16 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2010-07-21 11:16 . 2010-07-21 11:16 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll

2010-07-20 22:49 . 2010-07-20 22:49 22662 ----a-w- c:\windows\msyuv.dll

2010-07-15 18:45 . 2010-07-15 18:45 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-07-15 18:45 . 2010-07-15 18:45 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys

2010-07-15 18:45 . 2010-07-15 18:45 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-15 18:43 . 2010-07-15 18:43 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll

2010-07-15 18:43 . 2010-07-15 18:43 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe

2010-07-15 18:43 . 2010-07-15 18:43 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-07-15 18:43 . 2010-07-15 18:43 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2010-07-13 20:32 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-09 19:23 . 2010-07-09 19:23 -------- d-----w- c:\windows\system32\winrm

2010-07-09 19:23 . 2010-07-09 19:24 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-23 23:37 . 2008-12-10 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon

2010-07-23 23:17 . 2008-11-27 22:21 -------- d-----w- c:\program files\palmOne

2010-07-23 23:12 . 2009-01-29 16:53 -------- d-----w- c:\program files\LogMeIn

2010-07-23 17:38 . 2010-01-08 20:41 -------- d-----w- c:\documents and settings\Shai.m\Application Data\Malwarebytes

2010-07-23 17:38 . 2010-01-08 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-22 18:54 . 2008-11-27 22:47 -------- d-----w- c:\documents and settings\Shai.m\Application Data\vlc

2010-07-21 11:12 . 2008-11-28 17:06 -------- d-----w- c:\documents and settings\Shai.m\Application Data\Skype

2010-07-16 20:41 . 2008-11-28 00:34 -------- d-----w- c:\documents and settings\Shai.m\Application Data\dvdcss

2010-07-15 18:45 . 2010-02-05 20:48 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-15 18:44 . 2010-02-05 20:48 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-07-14 13:42 . 2010-02-05 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-07-09 19:28 . 2008-11-27 22:52 -------- d-----w- c:\program files\Microsoft.NET

2010-06-19 04:28 . 2010-06-19 04:13 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-14 14:31 . 2008-11-27 21:13 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

2010-06-09 12:35 . 2008-07-24 16:45 13408 ----a-w- c:\windows\system32\drivers\radpms.sys

2010-06-09 12:35 . 2009-01-29 16:53 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2010-06-09 12:35 . 2009-01-29 16:53 29568 ----a-w- c:\windows\system32\LMIport.dll

2010-06-09 12:35 . 2009-01-29 16:53 87424 ----a-w- c:\windows\system32\LMIinit.dll

2010-06-04 18:53 . 2009-11-06 15:35 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-03 06:02 . 2010-02-05 20:48 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-29 16:52 . 2008-12-09 15:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-29 12:33 . 2008-12-09 15:23 -------- d-----w- c:\program files\Google

2010-05-14 13:26 . 2003-02-21 04:42 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-05-14 13:26 . 2003-03-18 20:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-05-06 20:12 . 2010-05-06 20:12 366 ----a-w- c:\windows\MMD.MSP

2010-05-04 17:20 . 2001-08-18 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2009-07-18 10:28 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2001-08-18 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 08:14 . 2008-11-28 00:57 89240 ----a-w- c:\documents and settings\Shai.m\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-02 05:22 . 2001-08-18 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2006-09-21 53248]

"S3Trayp"="S3trayp.exe" [2006-10-09 176128]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

"NPSStartup"="" [bU]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-15 18:45 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2008-06-18 11:47 24692 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2010-06-09 12:35 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Push Client.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Push Client.LNK

backup=c:\windows\pss\Push Client.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Shai.m^Start Menu^Programs^Startup^ESET NOD32 Antivirus.lnk]

path=c:\documents and settings\Shai.m\Start Menu\Programs\Startup\ESET NOD32 Antivirus.lnk

backup=c:\windows\pss\ESET NOD32 Antivirus.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shai.m^Start Menu^Programs^Startup^HotSync Manager.lnk]

path=c:\documents and settings\Shai.m\Start Menu\Programs\Startup\HotSync Manager.lnk

backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]

2009-05-18 09:10 102400 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

2008-12-10 17:46 2841824 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

2008-04-14 03:42 110592 ------w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMax]

c:\program files\Innovative Solutions\DriverMax\devices.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-12 14:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

c:\program files\Messenger\msmsgs.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

2009-11-11 08:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-10 21:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-10-26 22:16 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

c:\program files\Common Files\Real\Update_OB\realsched.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aswUpdSv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\OpenVPN\\bin\\openvpn.exe"=

"d:\\Program Files\\eMule\\emule.exe"=

"c:\\Program Files\\Nero\\Nero 7\\ODD Toolkit\\ODDUpdate.exe"=

"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=

"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"5900:TCP"= 5900:TCP:vnc 1

"5800:TCP"= 5800:TCP:vnc 2

"5662:TCP"= 5662:TCP:Emule TCP Port

"5672:UDP"= 5672:UDP:Emule UDP Port

"5672:TCP"= 5672:TCP:Emule tcp Port-5672

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [14/09/2009 02:11 28672]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [05/02/2010 23:48 216400]

S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [05/02/2010 23:48 243024]

S1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [18/08/2008 14:27 34312]

S1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [18/06/2008 14:46 2235760]

S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/07/2010 21:45 308136]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]

S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [18/06/2008 14:46 47504]

S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [13/11/2009 17:20 233472]

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856]

S2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [18/06/2008 14:46 121136]

S2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [18/06/2008 14:46 673872]

S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [13/11/2009 17:20 36608]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [09/04/2008 10:28 80256]

S3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [04/04/2008 08:30 70016]

S3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [24/07/2008 19:45 13408]

S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [01/10/2006 15:37 26624]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [18/08/2001 15:00 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/04/2010 13:57 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 10:57]

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 10:57]

2010-07-23 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 18:40]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm

TCP: {6494B30A-7D47-4DD9-9B7F-A8DBBCD331F3} = 192.115.106.35,62.219.186.7

DPF: {3BF72F68-72D8-461D-A884-329D936C5581} - hxxp://www.mekusharim.co.il/ImageUploader5.cab

FF - ProfilePath - c:\documents and settings\Shai.m\Application Data\Mozilla\Firefox\Profiles\Shai_Profile\

FF - prefs.js: browser.startup.homepage - hxxp://search.speedbit.com/

FF - prefs.js: keyword.URL - hxxp://www.google.co.il/search?q=

FF - component: c:\documents and settings\Shai.m\Application Data\Mozilla\Firefox\Profiles\Shai_Profile\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-179605362-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FEBC97D3-1007-547F-1E1D-A6B1BE24AEE6}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(240)

c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(1008)

c:\windows\system32\WININET.dll

.

Completion time: 2010-07-24 03:33:55

ComboFix-quarantined-files.txt 2010-07-24 00:33

Pre-Run: 9,946,996,736 bytes free

Post-Run: 9,912,045,568 bytes free

- - End Of File - - 10AD2FE20DD9CEB2D6EE7572C8E76529

Screenshots of the viruses that were found by several antivirus/anti-malware programs:

1. The error message: [screenshot]

2. Malwarebytes' Anti-Malware, result from one of the tests I ran: [screenshot]

3. Spybot - Search & Destroy, results: [screenshot]

4. Microsoft Security Essentials, results: [screenshot]

I uploaded a RAR archive which contains the log files and screenshots of some of what I have seen over the last 3 days.

http://www.multiupload.com/6LJ6PMTAMK

Attached the HijackThis log file.

Thanks for helping me!

Shai


  • Staff

Hi and welcome to Malwarebytes.

In the future please post logs directly into your reply instead of attaching them; also please do not wrap them in quote tags. :)

Please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\drivers\vvptwoik.sys

Post the results in your reply.

Next, update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.


Hi,

You're right!

c:\windows\system32\drivers\vvptwoik.sys was a virus!

I deleted it, because I didn't find anything about it on Google, so I assumed that it is not a system file.

Besides this, I have 2 more files which were found to be infected on VirusTotal:

1. File 1: msyuv.dll [VirusTotal link and screenshot]

2. File 2: ctfhogy.sys [VirusTotal link and screenshot]

I just searched for ctfhogy.sys but couldn't find it in any folder, so it has probably been removed in one of the scans.

MBAM and ComboFix didn't detect msyuv.dll as infected (scan in Safe Mode, latest definitions).

I uninstalled AVG via the AVG Removal Tool and installed Avast (for the boot scan; I haven't scanned yet).

I haven't run DDS by sUBs yet, but I will do it soon.

The HijackThis log analyzer shows that everything is pretty much good (I think; not sure, actually). See the log below.

I read that msyuv.dll is an important Microsoft file, so I wonder how I can deal with such a stubborn virus.

Can I replace it with a clean file instead? Download msyuv.dll from a safe website (I don't have the CD here) and replace the infected one with it?

I have Hiren's CD, so I can boot into Mini XP and make these changes to system files.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:25:57, on 25/07/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Alwil Software\Avast5\AvastUI.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [s3Trayp] S3trayp.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: ???? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {3BF72F68-72D8-461D-A884-329D936C5581} (Image Uploader Combo Control) - http://www.mekusharim.co.il/ImageUploader5.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227825830893

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1227828791109

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O17 - HKLM\System\CCS\Services\Tcpip\..\{6494B30A-7D47-4DD9-9B7F-A8DBBCD331F3}: NameServer = 192.115.106.35,62.219.186.7

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe

O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe

O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe

O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)

--

End of file - 7123 bytes

Please advise,

Thanks!!!

Shai


  • Staff

Hi Shai,

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    msyuv.dll
    ctfhogy.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Please don't do anything on your own. Run DDS as I requested and we will proceed from there.

-screen317

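The point of the :filefind request above is to see every copy of msyuv.dll and ctfhogy.sys on the disk with its location, size, timestamp and hash, so that copies can be compared (on XP, c:\windows\system32\dllcache holds Windows File Protection's cached copy of protected system files, and a copy elsewhere that hashes differently is the one to question). That is also the check a practitioner wants before acting on the earlier question about swapping the file for a "clean" one. The Python script below is an added example, not SystemLook and not code from the thread: it performs that search over a throw-away directory tree it builds itself with dummy bytes standing in for the DLLs, and reports which names were found with differing hashes. MD5 is used only because the logs in this thread quote MD5; the field layout and function names are the example's own, not SystemLook's output format.

```python
import hashlib
import os
import tempfile
from datetime import datetime


def file_find(root, names):
    """Case-insensitive search for the given file names below root.

    Returns one record per copy found: name, full path, size, last-modified
    time and MD5, sorted by name then path so repeated runs compare cleanly.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() not in wanted:
                continue
            full = os.path.join(dirpath, fn)
            st = os.stat(full)
            with open(full, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            hits.append({
                "name": fn.lower(),
                "path": full,
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
                "md5": digest,
            })
    hits.sort(key=lambda h: (h["name"], h["path"]))
    return hits


def differing_copies(hits):
    """Names that occur more than once with more than one distinct hash."""
    digests_by_name = {}
    for h in hits:
        digests_by_name.setdefault(h["name"], set()).add(h["md5"])
    return sorted(n for n, d in digests_by_name.items() if len(d) > 1)


def build_sample_tree():
    """Constructed stand-in for the XP layout; contents are dummy bytes, not real DLLs."""
    root = tempfile.mkdtemp(prefix="filefind_")
    layout = {
        os.path.join("WINDOWS", "system32", "msyuv.dll"): b"MZ" + b"\x00" * 100,
        os.path.join("WINDOWS", "system32", "dllcache", "msyuv.dll"): b"MZ" + b"\x00" * 100,
        os.path.join("WINDOWS", "msyuv.dll"): b"MZ" + b"\x90" * 50,   # the odd one out
        os.path.join("WINDOWS", "system32", "drivers", "other.sys"): b"MZ",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = file_find(root, ["msyuv.dll", "ctfhogy.sys"])
    for h in hits:
        print("%s  %d bytes  %s  %s" % (h["path"], h["size"], h["modified"], h["md5"]))
    print("names with differing copies:", differing_copies(hits))
```

In the sample tree the system32 and dllcache copies hash identically while the copy sitting directly under WINDOWS does not, so msyuv.dll is reported as having differing copies; ctfhogy.sys, which the poster could not find either, produces no hit at all rather than an error.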

Hi,

After searching for a fix with different programs, I found one program which fixed the malware.

The "holy" software is SpyHunter 4 (it costs money; I paid).

SpyHunter Log:

THREATS

=========================================================================================

msyuv.dll c:\windows\msyuv.dll 22662 660c3c42f7df32c8da6c42d5b6478a10

a HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*::a

b HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll::b

=========================================================================================

Screenshot of the registry: [screenshot]

Screenshot of the file which I assume SpyHunter created in my folder (don't know why; maybe a backup): [screenshot]

VirusTotal screenshot of the infected DLL file: [screenshot]

It is funny, because none of the "strong" anti-malware programs could help me.

All along I knew which file was infected (msyuv.dll), but it was hard to heal/cure it (in Safe Mode the malware keeps running).

I scanned and cleaned with SpyHunter.

Now I am running a full scan again and have left the house. I hope to see more results when I come back.

Thanks for the recommendation about SystemLook.exe.

Question:

Does it make sense that the malware damaged the DLL file even though SpyHunter "cured/fixed" the file?

And maybe I should repair it or something?

I think that I discovered something:

msyuv.dll belongs to video decoding (I read this on Google).

I discovered that when I opened a folder with movies inside (AVI files), the folder closed immediately (the malware symptom).

After I cleaned the malware, I tried to open the movies folder; I did it with no problem, and it didn't shut down/get closed.

BUT the small lamp on the PC case showed that the PC was "working hard" (Task Manager didn't show any process with high usage; it looks OK).

Question 2 Please (If relevant):

How to replace the msyuv.dll (The fixed one) with a "Brand new" file from Microsoft website? OR From the XP CD? How to do it?

Is this a good idea?

Question 2 Please (If relevant):

How come non of the softwares found this Malware? Really sad.. :)

thanks for helping me,

Shai


  • Staff

Shai,

SpyHunter is rogue software; see this:

http://www.mywot.com/en/scorecard/enigmasoftware.com

That is why I wanted you to follow my instructions and not do anything on your own. We were going to fix this and I was going to collect a sample for our database.

So please run SystemLook the way I requested, and post its log, so we can proceed to fix the issue.



Oops. Sorry.

I will do what you told me to do once I am next to the computer.

Or maybe I can do it via LogMeIn?

Does the fact that I installed SpyHunter mean that I am now infected with a new malware?

And it's weird that this is the only software which dealt with the malware I had on my computer..


  • Staff

> Oops. Sorry.
>
> I will do what you told me to do once I am next to the computer.
>
> Or maybe I can do it via LogMeIn?

Sure, you can use LogMeIn if you want.

> Does the fact that I installed SpyHunter mean that I am now infected with a new malware?

Not really 'malware,' but I would try to get your money back.

> And it's weird that this is the only software which dealt with the malware I had on my computer..

Remember this?

THREATS

================================================================================

=========

msyuv.dll c:\windows\msyuv.dll 22662 660c3c42f7df32c8da6c42d5b6478a10

a HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*::a

b HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll::b

It created those last two to make you think it was detecting threats. I'll check out the msyuv.dll issue more as I get more information on it.

-screen317


Hi,

I ran DDS and SystemLook.

These are the results of the SystemLook scan:

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 01:57 on 27/07/2010 by Shai.m (Administrator - Elevation successful)

========== filefind ==========

Searching for "msyuv.dll"

C:\WINDOWS\$hf_mig$\KB975560\SP3QFE\msyuv.dll --a--c 17920 bytes [17:23 27/11/2009] [17:23 27/11/2009] AA4FF1252834649C04C512C4C4789274

C:\WINDOWS\$NtServicePackUninstall$\msyuv.dll -----c 17408 bytes [17:46 28/11/2008] [07:56 04/08/2004] 9D124E6A01DBCBEEEAE60DD19ABAC5F0

C:\WINDOWS\$NtUninstallKB975560$\msyuv.dll -----c 16896 bytes [01:02 11/02/2010] [03:42 14/04/2008] CE638EFF365DA822A9C70654A40861C7

C:\WINDOWS\Driver Cache\i386\msyuv.dll -----c 17920 bytes [17:11 27/11/2009] [17:11 27/11/2009] 0F200BE1ED9DE188CA6407A3759BE7CF

C:\WINDOWS\ServicePackFiles\i386\msyuv.dll -----c 16896 bytes [07:56 04/08/2004] [03:42 14/04/2008] CE638EFF365DA822A9C70654A40861C7

C:\WINDOWS\system32\dllcache\msyuv.dll -----c 17920 bytes [17:11 27/11/2009] [17:11 27/11/2009] 0F200BE1ED9DE188CA6407A3759BE7CF

C:\WINDOWS\system32\msyuv.dll --a--- 17920 bytes [22:36 17/08/2001] [17:11 27/11/2009] 0F200BE1ED9DE188CA6407A3759BE7CF

C:\WINDOWS\system32\ReinstallBackups\0036\DriverFiles\i386\msyuv.dll --a--c 17408 bytes [01:08 28/11/2008] [07:56 04/08/2004] 9D124E6A01DBCBEEEAE60DD19ABAC5F0

Searching for "ctfhogy.sys"

No files found.

-=End Of File=-

These are the results of the DDS.scr scan (I know I need to completely remove AVG.. I installed Avast for the boot scan and I think I'll keep Avast and remove AVG):

DDS (Ver_10-03-17.01) - NTFSx86

Run by Shai.m at 8:53:58.39 on Tue 07/27/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.958.404 [GMT 3:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

svchost.exe

C:\Program Files\FolderSize\FolderSizeSvc.exe

C:\WINDOWS\system32\FsUsbExService.Exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\S3trayp.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Your Uninstaller 2006\uruninstaller.exe

C:\Program Files\Your Uninstaller 2006\uruninstaller.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\Software\Anti virus\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =

uSearch Bar =

uStart Page = hxxp://www.google.co.il/

uInternet Settings,ProxyOverride = *.local

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [VTTimer] VTTimer.exe

mRun: [s3Trayp] S3trayp.exe

mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {3BF72F68-72D8-461D-A884-329D936C5581} - hxxp://www.mekusharim.co.il/ImageUploader5.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227825830893

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227828791109

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: {6494B30A-7D47-4DD9-9B7F-A8DBBCD331F3} = 192.115.106.35,62.219.186.7

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shai.m\applic~1\mozilla\firefox\profiles\shai_profile\

FF - prefs.js: browser.startup.homepage - hxxp://search.speedbit.com/

FF - prefs.js: keyword.URL - hxxp://www.google.co.il/search?q=

FF - component: c:\documents and settings\shai.m\application data\mozilla\firefox\profiles\shai_profile\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-25 165456]

R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2008-6-18 2235760]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-25 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-25 40384]

R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-11-13 233472]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-1-29 47640]

R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2008-6-18 121136]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-25 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-25 40384]

R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-11-13 36608]

R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-9-14 28672]

R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-4-9 80256]

R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2008-4-4 70016]

R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-7-24 13408]

R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2008-11-28 634880]

R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]

S4 gupdate;????? Google Update (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-07-25 22:50:08 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP

2010-07-25 22:27:43 0 d-----w- c:\program files\Enigma Software Group

2010-07-25 22:26:54 0 d-----w- c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP

2010-07-25 19:34:37 38848 ----a-w- c:\windows\avastSS.scr

2010-07-25 19:33:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-07-25 18:56:18 3743885 ----a-r- C:\ComboFix.exe

2010-07-25 18:35:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-25 18:35:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-24 01:35:53 0 d-----w- C:\Hiren cd

2010-07-24 00:53:51 0 d-----w- c:\windows\system32\wbem\Repository

2010-07-23 23:59:19 0 d-sha-r- C:\cmdcons

2010-07-23 23:55:23 98816 ----a-w- c:\windows\sed.exe

2010-07-23 23:55:23 77312 ----a-w- c:\windows\MBR.exe

2010-07-23 23:55:23 256512 ----a-w- c:\windows\PEV.exe

2010-07-23 23:55:23 161792 ----a-w- c:\windows\SWREG.exe

2010-07-22 17:42:45 0 d-----w- c:\program files\Trend Micro

2010-07-22 17:32:03 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-07-22 13:25:19 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-07-22 13:25:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-07-14 00:06:07 127 ----a-w- c:\windows\system32\MRT.INI

2010-07-13 20:32:07 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-09 19:23:45 0 d-----w- c:\windows\system32\winrm

2010-07-09 19:23:19 0 dc-h--w- c:\windows\$968930Uinstall_KB968930$

==================== Find3M ====================

2010-06-09 12:35:26 13408 ----a-w- c:\windows\system32\drivers\radpms.sys

2010-06-09 12:35:08 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2010-06-09 12:35:05 87424 ----a-w- c:\windows\system32\LMIinit.dll

2010-06-09 12:35:05 29568 ----a-w- c:\windows\system32\LMIport.dll

2010-05-14 13:26:18 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-05-14 13:26:17 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 8:54:11.12 ===============

Thanks,

Shai

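A check a responder would run over the SystemLook output above, added here as an example and not part of the thread or of SystemLook itself: it parses the filefind result lines, confirms that the live system32 copy of msyuv.dll carries the same MD5 as the protected dllcache copy, and flags any copy sitting outside the folders Windows uses for its own files. The sample log is constructed (three lines from the thread plus one line for the c:\windows\msyuv.dll copy SpyHunter reported, which SystemLook's own run did not list; size and hash are SpyHunter's, the timestamps are placeholders), and the list of Windows-owned folders is my assumption, not something the page states.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "path size md5")
# One SystemLook filefind result line:
#   <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>
LINE_RE = re.compile(r"^(?P<path>.+?) [-a-z]{6} (?P<size>\d+) bytes "
                     r"\[[^\]]+\] \[[^\]]+\] (?P<md5>[0-9A-Fa-f]{32})$")
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

# Assumed list of folders (drive letter stripped, lower-case, forward slashes)
# where Windows XP itself keeps copies of a system file: live copy and dllcache
# under system32, service-pack files, hotfix backups and uninstall folders.
WINDOWS_OWNED = ("/windows/system32/", "/windows/servicepackfiles/i386/",
                 "/windows/driver cache/i386/", "/windows/$hf_mig$/",
                 "/windows/$ntservicepackuninstall$/", "/windows/$ntuninstall")

def _norm(path):
    """Lower-case, forward-slash form of a path, drive letter removed."""
    p = path.lower().replace("\\", "/")
    return p[2:] if len(p) > 1 and p[1] == ":" else p

def parse_filefind(text):
    """Group filefind result lines by the (lower-cased) name searched for."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results[current] = []
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            results[current].append(
                Entry(m.group("path"), int(m.group("size")), m.group("md5").lower()))
    return results

def analyse_filefind(text):
    """Per searched name: does the live system32 copy match the dllcache copy
    (None if either is absent), and which copies sit outside Windows folders."""
    report = {}
    for name, entries in parse_filefind(text).items():
        live = cache = None
        unexpected = []
        for e in entries:
            n = _norm(e.path)
            if n == "/windows/system32/" + name:
                live = e
            elif n == "/windows/system32/dllcache/" + name:
                cache = e
            if not n.startswith(WINDOWS_OWNED):
                unexpected.append(e.path)
        same = None if live is None or cache is None else live.md5 == cache.md5
        report[name] = {"live_matches_cache": same, "unexpected": unexpected}
    return report

# Constructed sample: three msyuv.dll lines copied from the SystemLook log in
# the thread, plus one constructed line for the c:\windows\msyuv.dll copy that
# SpyHunter reported (size and MD5 from that report, placeholder timestamps).
SAMPLE_LOG = r"""
Searching for "msyuv.dll"
C:\WINDOWS\$NtUninstallKB975560$\msyuv.dll -----c 16896 bytes [01:02 11/02/2010] [03:42 14/04/2008] CE638EFF365DA822A9C70654A40861C7
C:\WINDOWS\system32\dllcache\msyuv.dll -----c 17920 bytes [17:11 27/11/2009] [17:11 27/11/2009] 0F200BE1ED9DE188CA6407A3759BE7CF
C:\WINDOWS\system32\msyuv.dll --a--- 17920 bytes [22:36 17/08/2001] [17:11 27/11/2009] 0F200BE1ED9DE188CA6407A3759BE7CF
C:\WINDOWS\msyuv.dll --a--- 22662 bytes [00:00 01/01/2010] [00:00 01/01/2010] 660c3c42f7df32c8da6c42d5b6478a10
Searching for "ctfhogy.sys"
No files found.
"""
```

Running `analyse_filefind(SAMPLE_LOG)` reports the system32 copy as matching dllcache and lists only the c:\windows copy as unexpected, which is the file to hash and submit rather than the ones Windows owns.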


Hi,

Can you please explain what you mean by saying that "It created those last two to make you think it was detecting threats"?

I didn't really understand :)

Thanks,

Shai


  • Staff

Hi,

My apologies for the delay.

> a HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*::a
>
> b HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll::b

You said these were created by SpyHunter. It then detected them as "threats." It looks like it created those entries to make you think it was working.

> I found 2 files in folder: C:\WINDOWS\system32\drivers
>
> Which are 0 kb.
>
> These are the files:
>
> 1. Msft_User_PCCSWpdDriver_01_07_00.Wdf
>
> 2. MsftWdf_user_01_07_00.Wdf

If they're 0KB, they aren't dangerous.

Delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Run it and post its log.


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
