
dwm.exe virus, is my computer clean?


Rennin


So I am helping my parents remove a virus from their computer. I, while computer literate, do not have a lot of experience dealing with viruses. According to the AVG logs the virus was detected on their computer and several files were removed, including:

documents and settings\user(there were multiple files for each/most users of the comp)\local settings\temp\dwm.exe

documents and settings\user\Application Data\Microsoft\svchost.exe

documents and settings\user\Application Data\Microsoft\windows\shell.exe

Their virus scan was set up weekly, and the next week it detected and removed the same files. The virus had set their LAN settings to use a proxy, so when the virus was deleted this time their internet stopped working, and that is when I got a phone call...

Anyway, I ran AVG and it removed several of these files again. I ran mbam and it also detected some additional files (not sure if they were all from the virus; who knows how long since they had checked for spyware, etc.).

I ran these scans again today and they all came back clear. My concern is that, if AVG caught the virus before and it came back, it is not really gone.

So I am posting the most recent mbam logs, GMER and DDS in the hope that someone can tell me whether the infection has been cleared or if I still have some more work to do.

Thanks a bunch in advance.

DDS (Ver_10-11-10.01) - NTFSx86

Run by Joyce at 16:59:02.79 on Fri 11/19/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.403 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\HPZipm12.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Joyce\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=127.0.0.1:50370

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [uIUCU] c:\docume~1\joyce\locals~1\temp\UIUCU.EXE -CLEAN_UP -S

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activate.myfairpoint.net/sdccommon/download/FairPoint/tgctlcm.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-9 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-9 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-9 243024]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-5-9 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-8 24652]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]

=============== Created Last 30 ================

2010-11-18 13:44:04 -------- d-----w- c:\docume~1\joyce\applic~1\Malwarebytes

2010-11-18 13:43:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-18 13:43:47 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes

2010-11-18 13:43:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-18 13:43:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

============= FINISH: 16:59:33.73 ===============

Attach.zip

mbam_log_2010_11_19__12_12_37_.txt


Hi Rennin,

I think the infected files have been removed but some remaining registry entries may be creating your described problems.

Let's see if this helps restore your internet access:

Create the file described below and save it to your Desktop as fix.reg, as follows:

Open Notepad

Click Format and UNCheck Wordwrap (disable)

Copy/Paste the following text into Notepad

Set the "Save as Type" to "All Files", and then "Save" this file to your Desktop as Fix.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-

Double-click Fix.reg and respond Yes to the prompt to add the information into the registry.

Disable the proxy settings in Internet Explorer:

1) Under


Hi Negster22,

Thanks for the quick response. I edited the registry as you instructed and changed the LAN settings and the internet is working fine again.

I suspect that there are still some additional registry entries from the virus, as I noticed when I look at start-up items there is still an entry for dwm.exe (it is currently unchecked, and the file it references was deleted). The location is listed under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. I checked in that folder of the registry but I guess I'm not exactly sure what I'm looking for. Not sure if it is excessively important, but it's at least unpleasant to still have the virus file on my startup programs list.


You're Welcome!!

We can run a couple more troubleshooting programs that will dig deeper:

Download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your AVG antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • After the automatic "quick" scan is finished (a few seconds), copy the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the scan log as ARKQ.txt and post it in your next reply. If the log is very long, attach it please.

Keep your antivirus and antimalware programs OFF (disabled) for the next step.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to iexplore.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and NOT after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • For Firefox:
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it iexplore.exe

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe (iexplore.exe) & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.

Please post back ARKQ.txt and C:\Combofix.txt


I disabled AVG as per your instructions. I ran GMER and have included the log below (it indicates some AVG processes still running, but I triple-checked the instructions to make sure I disabled everything it said to). I could not get Combofix to run, as it stated that it would not run unless AVG had been uninstalled.

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit quick scan 2010-11-21 09:16:34

Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e SAMSUNG_HD160JJ/P rev.ZM100-34

Running: syzsg1md.exe; Driver: C:\DOCUME~1\Joyce\LOCALS~1\Temp\uflcqpob.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


Your Anti-Rootkit log is clean. It just shows a lot of AVG "activity".

Open a Command Prompt (Start -> Run -> Type cmd and hit Enter) :

Copy/paste the following (exactly as it is written) and then hit Enter:

Regedit /E "%userprofile%\desktop\WindowsKey.txt" "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"

It should create a file on your desktop called WindowsKey.txt

Copy/Paste the contents of WindowsKey.txt in your next reply.

Please perform a scan with the ESET online virus scanner:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs
  • Use Internet Explorer to navigate to the scanner website because you must approve the installation of an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Approve the installation of the ActiveX control that's required to enable scanning
  • Make sure the box "Remove found threats" is CHECKED!!
  • Click "Start"
  • Allow the definition database to install
  • Click "Scan"

When the scan is done, please post the scan report in your next reply. It can be found in this location:

C:\Program Files\EsetOnlineScanner\log.txt

Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.
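A check a helper could run over the WindowsKey.txt export requested above, as an added example that is not part of the thread: it parses a Regedit /E export, flags the Load/Run autostart values of that key together with the Winlogon Shell and Internet Settings ProxyServer values that the fix.reg earlier in the thread resets, and writes deletion entries in the same .reg style. The sample export, including the user path in it, is constructed.

```python
import re
# Constructed sample export (Regedit 5.00 format): the HKCU ...\Windows key as posted
# above, plus a leftover dwm.exe "Load" entry and the loopback proxy from the DDS log.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\dwm.exe"
"Device"="HP Officejet 6300 series,winspool,Ne01:"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:50370"
'''
NT = r"\Software\Microsoft\Windows NT\CurrentVersion"
# (key, value name) -> the only acceptable content; None means it must not exist.
# These are the values fix.reg resets plus the Load/Run autostart values of the key.
EXPECTED = {
    ("HKEY_CURRENT_USER" + NT + r"\Windows", "Load"): "",
    ("HKEY_CURRENT_USER" + NT + r"\Windows", "Run"): "",
    ("HKEY_CURRENT_USER" + NT + r"\Winlogon", "Shell"): None,
    ("HKEY_LOCAL_MACHINE" + NT + r"\Winlogon", "Shell"): "Explorer.exe",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "ProxyServer"): None,
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _decode(raw: str) -> str:
    """Turn a .reg value literal into a plain comparable string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw  # dword:/hex: values and the "-" delete marker stay verbatim

def parse_reg(text: str) -> dict:
    """Parse a Regedit /E export (decode its UTF-16 first) into {key: {name: value}}."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key is not None and m:
            reg[key][m.group(1)] = _decode(m.group(2))
    return reg

def find_suspicious(reg: dict) -> list:
    """Return (key, name, value) for each watched value that deviates from EXPECTED."""
    lowered = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in reg.items()}
    hits = []
    for (key, name), expected in EXPECTED.items():
        actual = lowered.get(key.lower(), {}).get(name.lower())  # absent == clean
        if actual is not None and (expected is None or actual.lower() != expected.lower()):
            hits.append((key, name, actual))
    return hits

def fix_reg(hits: list) -> str:
    """Emit a .reg file, like the thread's fix.reg, that deletes every hit."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _ in hits:
        out += [f"[{key}]", f'"{name}"=-', ""]
    return "\n".join(out)
```

Deleting the HKLM Winlogon Shell value restores the built-in default (Explorer.exe), which is why the generated file deletes rather than rewrites it.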


The text of windowskey.txt is:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

"DebugOptions"="2048"

"Documents"=""

"DosPrint"="no"

"NetMessage"="no"

"NullPort"="None"

"Programs"="com exe bat pif cmd"

"Load"=""

"Device"="HP Officejet 6300 series,winspool,Ne01:"

The results of the ESET scan were:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=9b0cc21df51e7b41b6b1275c43721bde

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-11-22 02:27:46

# local_time=2010-11-21 09:27:46 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=1024 16777191 100 0 16010024 16010024 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=134065

# found=9

# cleaned=9

# scan_time=3847

C:\Documents and Settings\Paul_Orig\Local Settings\Temporary Internet Files\Content.IE5\85770EUQ\img[1].htm HTML/TrojanClicker.IFrame.AIW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul_Orig\Local Settings\Temporary Internet Files\Content.IE5\85770EUQ\img[2].htm HTML/TrojanClicker.IFrame.AIW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul_Orig\Local Settings\Temporary Internet Files\Content.IE5\93HVTTC3\img[1].htm HTML/TrojanClicker.IFrame.AIW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul_Orig\Local Settings\Temporary Internet Files\Content.IE5\93HVTTC3\img[2].htm HTML/TrojanClicker.IFrame.AIW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul_Orig\Local Settings\Temporary Internet Files\Content.IE5\93HVTTC3\img[3].htm HTML/TrojanClicker.IFrame.AIW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul_Orig\Local Settings\Temporary Internet Files\Content.IE5\G52Q9BPP\img[1].htm HTML/TrojanClicker.IFrame.AIW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul_Orig\Local Settings\Temporary Internet Files\Content.IE5\RWLCP4BQ\img[1].htm HTML/TrojanClicker.IFrame.AIW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul_Orig\Local Settings\Temporary Internet Files\Content.IE5\RWLCP4BQ\img[2].htm HTML/TrojanClicker.IFrame.AIW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul_Orig\Local Settings\Temporary Internet Files\Content.IE5\RWLCP4BQ\img[3].htm HTML/TrojanClicker.IFrame.AIW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


That Windows Key looks good.

The ESET scan detections are all in temporary internet files (internet cache) so we should clean out your temp files, and then we can finish up since things are looking pretty good from this side!

Download TFC to your desktop

http://oldtimer.geekstogo.com/TFC.exe

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

It's normal after running TFC cleaner that the PC will be slower to boot the first time.
