I am infected with xp Anti-Spyware 2011 and also Window Security Center apparently. Avira anti-virus and Malwarebytes are both on the PC.

I saw the post by fcrider, so I downloaded and ran the DDS scan.

See the DDS.txt report below. Should I post the file "attach" that DDS also produced?

I tried to update my Malwarebytes to the latest version, but it fails to run.

I downloaded and ran TDSSkiller many times. It found "No threats", even though the virus screen popped up while it was scanning. I have the log file. I could post that if it would be helpful.

I saw a reference to eset-online-scanner. But my Internet Explorer won't run so I can't run that.

I've been booting into Safe Mode to run the above efforts at removal.

Help. How can I clean these? How should I proceed?

**************************

.

DDS (Ver_11-05-19.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702

Run by Peter at 21:07:06 on 2011-05-21

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.803 [GMT -7:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Norton Internet Worm Protection *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

F:\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uWindow Title = Windows Internet Explorer provided by MSN & Bing

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

mWindow Title = Windows Internet Explorer provided by Comcast

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Mozilla Quick Launch] "c:\program files\netscape\netscape\Netscp.exe" -turbo

uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [oVlLshwOTG] c:\documents and settings\all users\application data\oVlLshwOTG.exe

uRun: [Ezixerebevamiku] rundll32.exe "c:\windows\msfxclau.dll",Startup

mRun: [smapp] c:\program files\analog devices\soundmax\Smtray.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe

mRun: [iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe

mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"

mRun: [<NO NAME>]

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\maxtor\schedule2\schedhlp.exe"

mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2

mRun: [Norton Ghost 14.0] "c:\program files\norton ghost\agent\VProTray.exe"

mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe

mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe

mRun: [seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [udizu] rundll32.exe "c:\windows\uyehafil.dll",Startup

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\docume~1\peter\startm~1\programs\startup\snsicon.lnk - c:\program files\slideshw\Snsicon.exe

uPolicies-explorer: NoDesktop = 1 (0x1)

uPolicies-system: DisableTaskMgr = 1 (0x1)

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Enqueue in Star Downloader - c:\program files\star downloader\sdieenq.htm

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: turbotax.com

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174945250796

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174945525562

DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://olympus.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37645.6895138889

DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://www.imgag.com/cp/install/Crusher.cab

DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://resultsevents.webex.com/client/T27L/webex/ieatgpc.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\eudora_on_c\EuShlExt.dll

LSA: Authentication Packages = msv1_0 relog_ap

.

============= SERVICES / DRIVERS ===============

.

S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-5 11608]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-5 136360]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-5 269480]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-5 61960]

S2 dmsmbios;dmsmbios;c:\windows\system32\dmsmbios.sys [2000-5-2 16480]

S2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]

S2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]

S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-8-23 1251720]

S2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2002-8-29 5120]

S3 PCIDATA;PCIDATA;\??\d:\pcidata.sys --> d:\PCIDATA.sys [?]

S3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1558000]

.

=============== Created Last 30 ================

.

2011-05-21 23:56:30 344576 ----a-w- c:\documents and settings\all users\application data\17227556.exe

2011-05-21 16:50:11 0 ----a-w- c:\windows\Tkugupa.bin

2011-05-21 16:50:10 -------- d--h--w- c:\documents and settings\peter\local settings\application data\{0CBD3B7E-D61E-4A2F-B798-EC4FAE360865}

2011-05-21 16:48:14 424448 ----a-w- c:\documents and settings\all users\application data\oVlLshwOTG.exe

2011-05-21 16:48:00 331776 --sha-w- c:\documents and settings\peter\local settings\application data\avg.exe

.

==================== Find3M ====================

.

2011-03-29 08:00:49 59 ------w- c:\windows\wpd99.drv

.

============= FINISH: 21:08:01.76 ======

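As an added triage example (not code from this thread, and not part of DDS itself), here is a small Python checker run over autostart lines constructed from the DDS report above. The heuristics for what counts as suspicious are my own: Run entries launching from All Users\Application Data or Local Settings\Application Data, rundll32 loading a DLL that sits directly under c:\windows, explorer/system policies that hide the desktop or disable Task Manager, and browser add-on entries listed as "No File".

```python
r"""Triage of DDS 'Pseudo HJT Report' autostart lines.

Heuristics (mine, not DDS's): a Run entry launching from All Users\Application
Data or a user's Local Settings\Application Data, rundll32 loading a DLL that
sits directly under c:\windows, explorer/system policies that hide the desktop
or disable Task Manager, and browser add-on entries whose file is missing.
"""
import re

# Constructed sample: benign and suspicious lines modelled on the posted log.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [oVlLshwOTG] c:\documents and settings\all users\application data\oVlLshwOTG.exe
uRun: [Ezixerebevamiku] rundll32.exe "c:\windows\msfxclau.dll",Startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [udizu] rundll32.exe "c:\windows\uyehafil.dll",Startup
uPolicies-explorer: NoDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
"""

RUN_RE = re.compile(r'^(?P<hive>[um]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
POLICY_RE = re.compile(r'^uPolicies-(?P<area>\w+): (?P<key>\w+) = (?P<val>\d+)')
NOFILE_RE = re.compile(r'^(TB|BHO|EB): .*- No File$')
# A DLL directly under <drive>:\windows (one path component, so system32 is excluded).
WINROOT_DLL_RE = re.compile(r'([a-z]:\\windows\\[^\\"]+\.dll)', re.I)

# Per-machine or per-user data directories that legitimate logon items rarely use.
DATA_DIRS = ('\\all users\\application data\\', '\\local settings\\application data\\')

# Lockdown policies rogue "antivirus" products set to stop the user fighting back.
LOCKDOWN_POLICIES = {('explorer', 'NoDesktop'), ('system', 'DisableTaskMgr')}


def _first_path(cmd):
    """Return the program path at the start of a command line, lowercased.

    Handles a quoted path, an unquoted path containing spaces (DDS prints
    those unquoted), and a bare program name like rundll32.exe.
    """
    cmd = cmd.strip()
    m = re.match(r'"([^"]+)"', cmd) or re.match(r'(.*?\.(?:exe|dll|scr|com))(?:\s|$)', cmd, re.I)
    return (m.group(1) if m else cmd.split(' ', 1)[0]).lower()


def triage_line(line):
    """Return a finding string for one DDS line, or None if nothing stands out."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        cmd, name = m.group('cmd'), m.group('name')
        exe = _first_path(cmd)
        if exe.endswith('rundll32.exe'):
            dll = WINROOT_DLL_RE.search(cmd)
            if dll:
                return f"rundll32 loader: [{name}] -> {dll.group(1)}"
        if any(d in exe for d in DATA_DIRS):
            return f"autorun from data dir: [{name}] -> {exe}"
        return None
    m = POLICY_RE.match(line)
    if m and (m.group('area'), m.group('key')) in LOCKDOWN_POLICIES and m.group('val') != '0':
        return f"lockdown policy: {m.group('area')}\\{m.group('key')} = {m.group('val')}"
    if NOFILE_RE.match(line):
        return f"dangling browser add-on: {line}"
    return None


def triage(log_text):
    """Apply triage_line to every line; return the findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the full DDS.txt the same function flags exactly the entries ComboFix later removed as orphans (oVlLshwOTG, Ezixerebevamiku, Udizu) plus the two lockdown policies.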

Hello and :welcome:

Indeed some malware showing there, so let's start removing it. :)

COMBOFIX

---------------

Please download ComboFix from one of these locations:

  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


After many tries I was able to download ComboFix, copy it to the infected computer and get it to run. On the early tries the virus loaded, ran, and seemed to interfere with or cancel ComboFix, but with the latest version it ran smoothly and now I'm working without any sign of the virus program. See

I was able to get my desktop icons back after looking up solutions on the web. They were all hidden.

Do you know how to restore the list in Programs under the Start button? It's empty. I can get to the app executables by going into Explorer --> Program Files --> hunt-for-the-folder-and-find-the executable, but that's a real nuisance. There's lots of programs and I can't remember them all. Really need to get them back into the Start button Programs menu.

Thank you for your prompt reply today. It worked, except for the Programs menu.

Peter Stoel, Corvallis OR

----------

ComboFix 11-05-21.03 - Peter 05/22/2011 21:27:46.1.1 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.804 [GMT -7:00]

Running from: c:\computer\ComboFix.exe

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\17227556.exe

c:\documents and settings\All Users\Application Data\oVlLshwOTG.exe

c:\documents and settings\Peter\Application Data\Adobe\plugs

c:\documents and settings\Peter\Application Data\Adobe\plugs\mmc1370984.txt

c:\documents and settings\Peter\Application Data\Adobe\plugs\mmc1408859.txt

c:\documents and settings\Peter\Application Data\Adobe\plugs\mmc223.exe

c:\documents and settings\Peter\Application Data\Adobe\plugs\mmc252.exe

c:\documents and settings\Peter\Application Data\Adobe\shed

c:\documents and settings\Peter\Application Data\Adobe\shed\thr1.chm

c:\documents and settings\Peter\Local Settings\Application Data\{0CBD3B7E-D61E-4A2F-B798-EC4FAE360865}

c:\documents and settings\Peter\Local Settings\Application Data\{0CBD3B7E-D61E-4A2F-B798-EC4FAE360865}\chrome.manifest

c:\documents and settings\Peter\Local Settings\Application Data\{0CBD3B7E-D61E-4A2F-B798-EC4FAE360865}\chrome\content\_cfg.js

c:\documents and settings\Peter\Local Settings\Application Data\{0CBD3B7E-D61E-4A2F-B798-EC4FAE360865}\chrome\content\overlay.xul

c:\documents and settings\Peter\Local Settings\Application Data\{0CBD3B7E-D61E-4A2F-B798-EC4FAE360865}\install.rdf

c:\documents and settings\Peter\Local Settings\Application Data\avg.exe

c:\documents and settings\Peter\My Documents\DPE.DUS

c:\documents and settings\Peter\WINDOWS

c:\windows\msfxclau.dll

c:\windows\uyehafil.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))

.

.

2011-05-22 00:03 . 2011-05-22 00:04 -------- d-----w- c:\documents and settings\Administrator

2011-05-21 16:50 . 2011-05-21 16:50 0 ----a-w- c:\windows\Tkugupa.bin

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-22 05:13 . 2002-08-29 12:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys

2011-03-16 22:59 . 2010-08-06 00:02 137656 ------w- c:\windows\system32\drivers\avipbb.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Mozilla Quick Launch"="c:\program files\Netscape\Netscape\Netscp.exe" [2004-08-04 526224]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-27 90112]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2002-09-27 4214784]

"nwiz"="nwiz.exe" [2002-09-27 446464]

"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2003-01-25 155648]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]

"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-25 147456]

"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]

"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-29 26112]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe" [2007-06-15 149024]

"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]

"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-08-14 2245984]

"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-25 1325848]

"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 904768]

"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-25 136472]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-05 281768]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

.

c:\documents and settings\Peter\Start Menu\Programs\Startup\

Snsicon.lnk - c:\program files\SLIDESHW\Snsicon.exe [2005-3-6 73728]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-6-28 25214]

America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-12-6 36953]

HotSync Manager.lnk - c:\program files\PalmDesktop\Hotsync.exe [2008-1-3 1392640]

hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]

Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2006-2-23 110592]

officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Eudora_on_C\EuShlExt.dll" [2005-08-09 86016]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=

"c:\\Documents and Settings\\Peter\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/5/2010 5:02 PM 136360]

R2 dmsmbios;dmsmbios;c:\windows\system32\dmsmbios.sys [5/2/2000 6:42 AM 16480]

R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 8:56 PM 431384]

R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 1:02 PM 1213728]

R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/29/2002 5:00 AM 5120]

R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 6:13 PM 1558000]

S3 PCIDATA;PCIDATA;\??\d:\pcidata.sys --> d:\PCIDATA.sys [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

mWindow Title = Windows Internet Explorer provided by Comcast

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Enqueue in Star Downloader - c:\program files\Star Downloader\sdieenq.htm

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: turbotax.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-oVlLshwOTG - c:\documents and settings\All Users\Application Data\oVlLshwOTG.exe

HKCU-Run-Ezixerebevamiku - c:\windows\msfxclau.dll

HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe

HKLM-Run-Udizu - c:\windows\uyehafil.dll

SafeBoot-klmdb.sys

AddRemove-ComcastHSI - c:\program files\support.com\uninstall\chsi_uninstaller.exe

AddRemove-TurboTax Basic 2006 - f:\taxes\Tax2006\TurboTax Basic 2006\TaxUnst.EXE

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-22 21:37

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3808)

c:\windows\system32\WININET.dll

c:\program files\Iomega\DriveIcons\IMGHOOK.DLL

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Maxtor\Schedule2\schedul2.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

c:\progra~1\COMMON~1\AOL\ACS\acsd.exe

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\progra~1\Iomega\System32\AppServices.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Norton Ghost\Agent\VProSvc.exe

c:\windows\System32\nvsvc32.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\wanmpsvc.exe

c:\program files\Iomega\AutoDisk\ADService.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\System32\msdtc.exe

.

**************************************************************************

.

Completion time: 2011-05-22 21:41:49 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-23 04:41

.

Pre-Run: 47,420,755,968 bytes free

Post-Run: 47,347,503,104 bytes free

.

- - End Of File - - 1B0EA6FE318BDDDE9423A1A90DDF0985

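Added example, not code from this thread or from ComboFix: a Python parser for the Reg Loading Points fragment in the log above that reports the Security Center override and firewall-policy values which keep Windows XP from warning that protection is off. An administrator or a third-party suite can also set some of these, so treat each hit as something to verify against what the owner expects, not as a verdict.

```python
"""Spot silenced security monitoring in a ComboFix 'Reg Loading Points' fragment.

Walks REGEDIT4-style [key] headers and value lines in both notations ComboFix
prints (dword:00000001 and '= 0 (0x0)') and reports the Security Center
override and firewall-policy values that suppress Windows XP's own warnings.
"""
import re

# Constructed fragment modelled on the posted ComboFix log.
SAMPLE_FRAGMENT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*'
    r'(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)(?:\s*\(0x[0-9a-fA-F]+\))?)$'
)

# (regex on the lowercased key, lowercased value name, value that means "silenced").
SILENCED = [
    (r'\\security center$', 'antivirusoverride', 1),
    (r'\\security center$', 'firewalloverride', 1),
    (r'\\security center\\monitoring\\', 'disablemonitoring', 1),
    (r'\\firewallpolicy\\standardprofile$', 'enablefirewall', 0),
    (r'\\firewallpolicy\\standardprofile$', 'disablenotifications', 1),
]


def parse_fragment(text):
    """Yield (key, name, int_value) for every value line under its [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            value = int(m.group('hex'), 16) if m.group('hex') is not None else int(m.group('dec'))
            yield key, m.group('name'), value


def find_silenced(text):
    """Return [(key, name, value)] for every value that matches a SILENCED rule."""
    findings = []
    for key, name, value in parse_fragment(text):
        for key_re, bad_name, bad_value in SILENCED:
            if name.lower() == bad_name and value == bad_value and re.search(key_re, key.lower()):
                findings.append((key, name, value))
    return findings


if __name__ == '__main__':
    for key, name, value in find_silenced(SAMPLE_FRAGMENT):
        print(f'{key}\n    {name} = {value}')
```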

Do you know how to restore the list in Programs under the Start button? It's empty. I can get to the app executables by going into Explorer --> Program Files --> hunt-for-the-folder-and-find-the executable, but that's a real nuisance. There's lots of programs and I can't remember them all. Really need to get them back into the Start button Programs menu.
The start menu shortcuts were moved to a temp folder. Since we ran ComboFix, the temp folder is emptied, which means that the shortcuts are gone. Had you mentioned this particular problem in your first post, I'd have asked you to run unhide.exe before running ComboFix, but unfortunately at this point the only thing you can do is manually copy the shortcuts back (right-click the executable and select Create Shortcut, then copy the shortcut to the Start Menu folder for the program and rename it as desired).

How are things running at this point?

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


File::
c:\windows\Tkugupa.bin

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Hi Elise,

I was able to restore the Programs menu! It was just a matter of unhiding (removing the check from the check box) on the properties of a folder, I think it was Start Menu. But it wasn't easy to figure that out. Seems like a miracle.

So the Start button is back to normal.

I followed your instructions.

ComboFix log is attached.

Peter

ComboFix_log.txt


Attach.txt is here. Peter

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-05-19.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 1/24/2003 3:33:54 PM

System Uptime: 5/23/2011 8:52:51 AM (2 hours ago)

.

Motherboard: Intel Corporation | | D845PESV

Processor: Intel® Pentium® 4 CPU 2.40GHz | J2E1 | 2400/133mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 75 GiB total, 44.179 GiB free.

D: is CDROM ()

F: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1789: 2/22/2011 6:35:20 PM - System Checkpoint

RP1790: 2/23/2011 7:00:01 PM - System Checkpoint

RP1791: 2/27/2011 7:20:56 PM - System Checkpoint

RP1792: 2/28/2011 7:30:58 PM - System Checkpoint

RP1793: 3/1/2011 8:23:02 PM - System Checkpoint

RP1794: 3/2/2011 8:38:35 PM - System Checkpoint

RP1795: 3/3/2011 9:14:16 PM - System Checkpoint

RP1796: 3/4/2011 9:21:46 PM - System Checkpoint

RP1797: 3/5/2011 10:57:52 PM - System Checkpoint

RP1798: 3/7/2011 11:53:45 AM - System Checkpoint

RP1799: 3/8/2011 3:10:19 PM - System Checkpoint

RP1800: 3/9/2011 6:01:28 PM - Software Distribution Service 3.0

RP1801: 3/10/2011 6:36:39 PM - System Checkpoint

RP1802: 3/11/2011 10:06:32 PM - System Checkpoint

RP1803: 3/12/2011 11:43:34 PM - System Checkpoint

RP1804: 3/14/2011 2:07:20 AM - System Checkpoint

RP1805: 3/15/2011 9:56:43 AM - System Checkpoint

RP1806: 3/16/2011 4:12:12 PM - System Checkpoint

RP1807: 3/17/2011 4:46:10 PM - System Checkpoint

RP1808: 3/18/2011 5:37:50 PM - System Checkpoint

RP1809: 3/19/2011 6:03:32 PM - System Checkpoint

RP1810: 3/20/2011 6:36:00 PM - System Checkpoint

RP1811: 3/21/2011 7:44:13 PM - System Checkpoint

RP1812: 3/24/2011 8:39:33 PM - System Checkpoint

RP1813: 3/25/2011 8:56:16 PM - System Checkpoint

RP1814: 3/26/2011 3:59:26 PM - Removed Palm Desktop by ACCESS

RP1815: 3/26/2011 4:06:42 PM - Installed Palm Desktop by ACCESS

RP1816: 3/27/2011 4:34:38 PM - System Checkpoint

RP1817: 3/28/2011 5:16:24 PM - System Checkpoint

RP1818: 3/29/2011 6:07:53 PM - System Checkpoint

RP1819: 3/30/2011 6:26:28 PM - System Checkpoint

RP1820: 3/31/2011 6:27:26 PM - System Checkpoint

RP1821: 4/1/2011 12:50:59 AM - Removed Adobe Reader 9.4.2.

RP1822: 4/1/2011 12:51:19 AM - Installed Adobe Reader X (10.0.1).

RP1823: 4/2/2011 9:12:57 AM - System Checkpoint

RP1824: 4/3/2011 10:34:48 AM - System Checkpoint

RP1825: 4/6/2011 10:25:15 AM - System Checkpoint

RP1826: 4/7/2011 10:57:06 AM - System Checkpoint

RP1827: 4/9/2011 9:22:26 AM - System Checkpoint

RP1828: 4/10/2011 3:06:52 PM - System Checkpoint

RP1829: 4/11/2011 3:17:38 PM - System Checkpoint

RP1830: 4/12/2011 4:28:11 PM - System Checkpoint

RP1831: 4/15/2011 3:20:01 PM - System Checkpoint

RP1832: 4/15/2011 11:45:37 PM - Software Distribution Service 3.0

RP1833: 4/16/2011 10:16:06 AM - Software Distribution Service 3.0

RP1834: 4/18/2011 2:55:40 PM - System Checkpoint

RP1835: 4/19/2011 4:03:19 PM - System Checkpoint

RP1836: 4/20/2011 6:28:19 PM - System Checkpoint

RP1837: 4/21/2011 9:46:48 PM - System Checkpoint

RP1838: 4/22/2011 9:50:59 PM - System Checkpoint

RP1839: 4/23/2011 10:31:01 PM - System Checkpoint

RP1840: 4/24/2011 11:01:53 PM - System Checkpoint

RP1841: 4/25/2011 11:02:21 PM - System Checkpoint

RP1842: 4/26/2011 11:30:43 PM - System Checkpoint

RP1843: 4/27/2011 11:48:14 PM - Software Distribution Service 3.0

RP1844: 4/29/2011 11:56:33 AM - System Checkpoint

RP1845: 4/30/2011 12:33:51 PM - System Checkpoint

RP1846: 5/1/2011 1:04:47 PM - System Checkpoint

RP1847: 5/2/2011 1:09:19 PM - System Checkpoint

RP1848: 5/3/2011 1:22:58 PM - System Checkpoint

RP1849: 5/4/2011 4:44:47 PM - System Checkpoint

RP1850: 5/5/2011 5:07:48 PM - System Checkpoint

RP1851: 5/6/2011 5:29:31 PM - System Checkpoint

RP1852: 5/7/2011 8:01:35 PM - System Checkpoint

RP1853: 5/8/2011 8:48:31 PM - System Checkpoint

RP1854: 5/9/2011 10:30:24 PM - System Checkpoint

RP1855: 5/10/2011 10:30:44 PM - System Checkpoint

RP1856: 5/11/2011 11:27:29 PM - System Checkpoint

RP1857: 5/12/2011 2:37:39 AM - Software Distribution Service 3.0

RP1858: 5/13/2011 11:57:42 AM - System Checkpoint

RP1859: 5/14/2011 12:57:39 PM - System Checkpoint

RP1860: 5/15/2011 5:53:00 PM - System Checkpoint

RP1861: 5/16/2011 6:28:58 PM - System Checkpoint

RP1862: 5/17/2011 7:28:58 PM - System Checkpoint

RP1863: 5/18/2011 7:53:30 PM - System Checkpoint

RP1864: 5/19/2011 7:59:52 PM - System Checkpoint

RP1865: 5/20/2011 8:37:44 PM - System Checkpoint

RP1866: 5/23/2011 12:01:03 AM - Configured Microsoft Office Home and Student 2007

.

==== Installed Programs ======================

.

Acrobat.com

Acronis


Hi Peter,

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 6.
  • Look for "JDK 6 Update 25 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-6u25-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

Please launch MBAM, update it and run a full scan. Post me the resulting log.
