
Another XP Home Security 2012 problem - MBAM and other antiviruses won't run



Hi,

I'm another person who got hit by XP Home Security. I've spent a few hours researching and tried a bunch of stuff. I found a list of manual registry entries to remove regarding browser redirection and removal of the offending .EXE. I even got MBAM to run once in Safe Mode, but it still didn't solve the problem, and now I can't get it to run again, even after uninstalling and reinstalling.

Currently, I can't get MBAM or any other anti-malware or antivirus to install/run. I've tried to install both Avira and AVG free versions. Avira will install but then will not scan. AVG will not install - an error about some problem with the installation process (sorry about not having the exact words, but I haven't been printing screens). I've also tried to get SUPERAntiSpyware Portable to run, but same symptom.

MBAM will start a scan, but then it will stop after a few seconds. Then, if you try to run it again, a message is displayed, something like "You may not have the proper permissions to run this program." I've tried a registry import which is supposed to fix that, and I can't add it, but no luck.

Per instructions from other threads about this problem, here is the aswMBR log. After it ran, the "Fix" button became enabled, but I did not click it (based on other threads about this same problem, you did not specify to click "Fix").

I then tried to run OTL, but it ran for 2 seconds, then disappeared.

aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software

Run date: 2011-07-25 08:35:56

-----------------------------

08:35:56.890 OS Version: Windows 5.1.2600 Service Pack 3

08:35:56.890 Number of processors: 2 586 0xE08

08:35:56.890 ComputerName: RSARITZKYLAPTOP UserName: Administrator

08:35:58.062 Initialize success

08:36:15.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

08:36:15.796 Disk 0 Vendor: ST980825AS 8.02 Size: 76319MB BusType: 3

08:36:15.812 Device \Driver\atapi -> DriverStartIo 8a78431b

08:36:17.828 Disk 0 MBR read successfully

08:36:17.843 Disk 0 MBR scan

08:36:17.859 Disk 0 TDL4@MBR code has been found

08:36:17.875 Disk 0 Windows XP default MBR code found via API

08:36:17.890 Disk 0 MBR hidden

08:36:17.906 Disk 0 MBR [TDL4] **ROOTKIT**

08:36:17.921 Disk 0 trace - called modules:

08:36:17.937 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xf76eef00]<<

08:36:17.953 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7c2870]

08:36:17.968 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8a591cf8]

08:36:17.984 \Driver\00000400[0x8a591e20] -> IRP_MJ_CREATE -> 0xf76eef00

08:36:19.265 Scan finished successfully

08:36:32.281 Disk 0 MBR has been saved successfully to "F:\MBR.dat"

08:36:32.312 The log file has been saved successfully to "F:\aswMBR.txt"

Thanks. I'd appreciate advice as to next steps.

Ron

Hi,

Trying to provide as much info as possible: since the aswMBR log showed "ROOTKIT", I did run the GMER rootkit scanner. Here is the log. It, too, will not run a full scan - just the initial scan.

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit quick scan 2011-07-25 09:00:22

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST980825AS rev.8.02

Running: GMER rootkit scanner bwnf9msx.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\agxoiuog.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A78431B

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A78431B

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A78431B

---- Threads - GMER 1.0.15 ----

Thread System [4:680] F750BD20

Thread System [4:684] F750BD20

Thread System [4:688] F76EF985

Thread System [4:692] F76EF985

---- EOF - GMER 1.0.15 ----

One more piece of information: I was running in Safe Mode when the above items were run. Also, a process called WINLOGON is consuming about 50% of the CPU. I saw a reference to this file name on some other threads.

Thanks

Ron


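The aswMBR and GMER verdicts in the two logs above hinge on one comparison: the scanner reads sector 0 through the ordinary API path (where it finds "Windows XP default MBR code") and again by going beneath the disk driver's filters (where it finds "TDL4@MBR code"), and a mismatch is reported as "MBR hidden". The following Python is an added example written for this page; it is not code from aswMBR, GMER or the thread. It parses a 512-byte MBR and compares a raw read against an API read the way those tools do. Both sample sectors are constructed: the boot-code bytes are filler, not real XP or TDL4 code, and the function names are this example's own.

```python
"""Compare two reads of the MBR the way aswMBR/GMER do when they report
"MBR hidden" (added example; not code from either tool or from the thread).
The sample sectors below are constructed: the boot code is filler, not real
XP or TDL4 code; the partition entry describes one bootable NTFS volume."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: bootstrap code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition list and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "valid_signature": sector[510:512] == MBR_SIGNATURE,
    }


def compare_mbr_views(raw_view: bytes, api_view: bytes) -> dict:
    """raw_view: sector 0 read beneath the disk driver's filters.
    api_view: the same sector as returned through the ordinary API path.
    A bootkit that filters sector reads hands back the clean copy on the API
    path, so the two views disagree; that disagreement is the "hidden" verdict."""
    raw, api = parse_mbr(raw_view), parse_mbr(api_view)
    findings = []
    if raw_view == api_view:
        verdict = "consistent"
    else:
        verdict = "hidden"
        if raw["boot_code_md5"] != api["boot_code_md5"]:
            findings.append("boot code differs between raw and API read")
        if raw["partitions"] != api["partitions"]:
            findings.append("partition table differs between raw and API read")
    if not raw["valid_signature"]:
        findings.append("raw MBR lacks the 55AA signature")
    return {"verdict": verdict, "findings": findings,
            "raw_boot_code_md5": raw["boot_code_md5"],
            "api_boot_code_md5": api["boot_code_md5"]}


def build_sample_mbr(boot_code_filler: bytes) -> bytes:
    """Constructed MBR: filler boot code, one bootable NTFS (0x07) partition at LBA 63."""
    reps = BOOT_CODE_SIZE // len(boot_code_filler) + 1
    boot_code = (boot_code_filler * reps)[:BOOT_CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 156296322)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + MBR_SIGNATURE


CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")     # stand-in for stock boot code
INFECTED_MBR = build_sample_mbr(b"\xeb\x20\x90\x42\x4b\x49\x54")  # stand-in for a bootkit loader

if __name__ == "__main__":
    # The filter answers the API read with the clean copy it saved; the raw read sees the loader.
    print(compare_mbr_views(raw_view=INFECTED_MBR, api_view=CLEAN_MBR))
    print(compare_mbr_views(raw_view=CLEAN_MBR, api_view=CLEAN_MBR))
```

The partition table is left identical in both sample sectors on purpose: a bootkit that only replaces the boot code and stashes the original elsewhere leaves the partition entries alone, so the only finding on the infected pair is the boot-code hash mismatch, which matches the logs above reporting a clean-looking MBR "via API" next to the TDL4 code found on disk.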

  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

For example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.

-screen317

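As an added example, not part of the original thread or of either tool, the following Python shows how the two logs requested above can be triaged once they are posted: it picks the newest TDSSKiller log by the date and time embedded in its filename (the UtilityName.Version_Date_Time_log.txt pattern described above), pulls the detections, cure results and user-selected actions out of that log, joining each verdict to the driver path and MD5 on the line before it, and flags the Pseudo HJT indicators a helper looks for first in DDS.txt: a proxy pointed at 127.0.0.1, a Winlogon Shell value with anything appended after explorer.exe, a process running from a globalroot\Device path, and a disabled AV. The sample inputs are short excerpts modelled on the logs posted in this thread; the function and indicator names are this example's own.

```python
"""Triage helpers for a TDSSKiller log and a DDS report (added example; not part
of either tool or of the original thread). Sample inputs are short excerpts
modelled on the logs posted in this thread."""
import re
from datetime import datetime

# TDSSKiller names its log TDSSKiller.<version>_<DD.MM.YYYY>_<HH.MM.SS>_log.txt
LOG_NAME_RE = re.compile(
    r"^TDSSKiller\.(?P<ver>[\d.]+)_(?P<d>\d{2})\.(?P<m>\d{2})\.(?P<y>\d{4})"
    r"_(?P<H>\d{2})\.(?P<M>\d{2})\.(?P<S>\d{2})_log\.txt$")
# Each log line is "YYYY/MM/DD HH:MM:SS.ffff <thread id> <message>"
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
BOOTSEC_RE = re.compile(r"^(?P<kind>MBR|Boot) \(0x[0-9A-Fa-f]+\) \((?P<md5>[0-9a-f]{32})\) (?P<dev>.+)$")
DETECT_RE = re.compile(r"^(?P<svc>\S+) - detected (?P<name>\S+)")
RESULT_RE = re.compile(r"^(?P<path>.+?) - (?P<result>Cure failed|Cured|processing error)")
ACTION_RE = re.compile(r"^(?P<name>[^\s(]+)\((?P<svc>[^)]+)\) - User select action: (?P<action>.+)$")


def newest_tdsskiller_log(filenames):
    """Pick the TDSSKiller log with the latest date/time in its name (None if absent)."""
    best = None
    for name in filenames:
        m = LOG_NAME_RE.match(name)
        if not m:
            continue
        stamp = datetime(int(m["y"]), int(m["m"]), int(m["d"]),
                         int(m["H"]), int(m["M"]), int(m["S"]))
        if best is None or stamp > best[0]:
            best = (stamp, name)
    return best[1] if best else None


def parse_tdsskiller_log(text):
    """Pull detections, cure results and user actions out of a TDSSKiller log."""
    drivers, boot_sectors, detections, results, actions = {}, [], [], [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if (d := DRIVER_RE.match(msg)):
            drivers[d["svc"]] = {"md5": d["md5"], "path": d["path"]}
        elif (b := BOOTSEC_RE.match(msg)):
            boot_sectors.append({"kind": b["kind"], "md5": b["md5"], "device": b["dev"]})
        elif (det := DETECT_RE.match(msg)):
            info = drivers.get(det["svc"], {})  # the verdict follows the driver's own line
            detections.append({"service": det["svc"], "name": det["name"],
                               "path": info.get("path"), "md5": info.get("md5")})
        elif (r := RESULT_RE.match(msg)):
            results.append({"path": r["path"], "result": r["result"]})
        elif (a := ACTION_RE.match(msg)):
            actions.append({"name": a["name"], "service": a["svc"], "action": a["action"]})
    return {"detections": detections, "results": results, "actions": actions,
            "boot_sectors": boot_sectors, "driver_count": len(drivers)}


# DDS "Pseudo HJT Report" indicators worth a second look (names are this example's own)
DDS_INDICATORS = {
    "av_disabled": re.compile(r"^AV: .*\*Disabled"),
    "globalroot_process": re.compile(r"globalroot\\Device\\", re.I),
    "proxy_to_localhost": re.compile(r"ProxyServer = .*127\.0\.0\.1:\d+"),
}
WINLOGON_SHELL_RE = re.compile(r"Winlogon: Shell=(?P<shell>.+)$")


def scan_dds_report(text):
    """Map each triggered indicator to the first DDS line that triggered it."""
    hits = {}
    for line in (ln.strip() for ln in text.splitlines()):
        for key, rx in DDS_INDICATORS.items():
            if rx.search(line):
                hits.setdefault(key, line)
        m = WINLOGON_SHELL_RE.search(line)
        if m and m["shell"].strip().lower() != "explorer.exe":  # anything appended is suspect
            hits.setdefault("winlogon_shell_modified", line)
    return hits


SAMPLE_TDSSKILLER_LOG = r"""
2011/07/29 22:06:40.0078 2596 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/29 22:06:47.0828 2596 RCFOX (a2cd4b61064123d687d95ab9b6c92fb6) C:\WINDOWS\system32\Drivers\RCFOX.sys
2011/07/29 22:06:47.0843 2596 RCFOX - detected Rootkit.Win32.ZAccess.c (0)
2011/07/29 22:06:50.0921 2596 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/07/29 22:07:06.0421 2320 C:\WINDOWS\system32\Drivers\RCFOX.sys - Cure failed (FFFFFFFF)
2011/07/29 22:07:06.0421 2320 C:\WINDOWS\system32\Drivers\RCFOX.sys - processing error
2011/07/29 22:07:06.0421 2320 Rootkit.Win32.ZAccess.c(RCFOX) - User select action: Cure
"""
SAMPLE_DDS_REPORT = r"""
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
"\\.\globalroot\Device\svchost.exe\svchost.exe"
uInternet Settings,ProxyServer = http=127.0.0.1:57152
uWinlogon: Shell=explorer.exe,c:\documents and settings\ron.corp\application data\dwm.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
"""

if __name__ == "__main__":
    print(newest_tdsskiller_log(["TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt",
                                 "TDSSKiller.2.5.13.0_29.07.2011_22.06.32_log.txt"]))
    print(parse_tdsskiller_log(SAMPLE_TDSSKILLER_LOG)["detections"])
    print(scan_dds_report(SAMPLE_DDS_REPORT))
```

A "Cure failed" result next to a detection is the thing to look for first: it means the tool named the driver but could not replace it, so the rootkit is still in place after the reboot and the next round of logs should show whether the same service and MD5 come back.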

Thanks - will do. While I was waiting for a response, I was able to run Kaspersky's rescue disk from CD and it found several viruses. However, although I thought I was "clean", once I booted back into XP and tried to install Kaspersky/Avira/AVG/Malwarebytes, the same problem occurred - the EXEs will not run.

Will follow your suggestions and post the results later. Thanks for the reply.

Ron


OK. Here are the log files you requested. Just as an information update, my (hopefully remaining) problems are (a) any antivirus .EXE is prevented from running, and (b) Google search results are redirected to other search pages when you click on the link. I have not had the XP Home Security 2010 messages pop up.

Here is the log from TDSSKiller - it tried to repair RCFOX.exe (which I don't recognize, but I haven't researched it yet).

2011/07/29 22:06:32.0312 2332 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11

2011/07/29 22:06:32.0859 2332 ================================================================================

2011/07/29 22:06:32.0859 2332 SystemInfo:

2011/07/29 22:06:32.0859 2332

2011/07/29 22:06:32.0859 2332 OS Version: 5.1.2600 ServicePack: 3.0

2011/07/29 22:06:32.0859 2332 Product type: Workstation

2011/07/29 22:06:32.0859 2332 ComputerName: RSARITZKYLAPTOP

2011/07/29 22:06:32.0859 2332 UserName: ron

2011/07/29 22:06:32.0859 2332 Windows directory: C:\WINDOWS

2011/07/29 22:06:32.0859 2332 System windows directory: C:\WINDOWS

2011/07/29 22:06:32.0859 2332 Processor architecture: Intel x86

2011/07/29 22:06:32.0859 2332 Number of processors: 2

2011/07/29 22:06:32.0859 2332 Page size: 0x1000

2011/07/29 22:06:32.0859 2332 Boot type: Normal boot

2011/07/29 22:06:32.0859 2332 ================================================================================

2011/07/29 22:06:33.0593 2332 Initialize success

2011/07/29 22:06:38.0984 2596 ================================================================================

2011/07/29 22:06:38.0984 2596 Scan started

2011/07/29 22:06:38.0984 2596 Mode: Manual;

2011/07/29 22:06:38.0984 2596 ================================================================================

2011/07/29 22:06:39.0531 2596 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/07/29 22:06:39.0593 2596 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/07/29 22:06:39.0640 2596 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/07/29 22:06:39.0734 2596 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys

2011/07/29 22:06:39.0937 2596 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

2011/07/29 22:06:40.0046 2596 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/07/29 22:06:40.0078 2596 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/07/29 22:06:40.0140 2596 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/07/29 22:06:40.0187 2596 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/07/29 22:06:40.0343 2596 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys

2011/07/29 22:06:40.0437 2596 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys

2011/07/29 22:06:40.0468 2596 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys

2011/07/29 22:06:40.0515 2596 b57w2k (1ca87e228e9aed459d6439b9ace5089c) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2011/07/29 22:06:40.0593 2596 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2011/07/29 22:06:40.0656 2596 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/07/29 22:06:40.0734 2596 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/07/29 22:06:40.0781 2596 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/07/29 22:06:40.0828 2596 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/07/29 22:06:40.0859 2596 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/07/29 22:06:40.0875 2596 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/07/29 22:06:40.0921 2596 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys

2011/07/29 22:06:41.0000 2596 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/07/29 22:06:41.0046 2596 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/07/29 22:06:41.0125 2596 CVirtA (72f820e457bc8a1c61aeb86df89dd41a) C:\WINDOWS\system32\DRIVERS\CVirtA.sys

2011/07/29 22:06:41.0203 2596 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/07/29 22:06:41.0281 2596 DisplayLinkGA (f0e77744f12cc3348e31c0b9afbe867e) C:\WINDOWS\system32\DRIVERS\DisplayLinkGAport.sys

2011/07/29 22:06:41.0343 2596 DisplayLinkmirror (b1d85ea325c796374bdb4cf59f07bbfd) C:\WINDOWS\system32\DRIVERS\DisplayLinkmirrorport.sys

2011/07/29 22:06:41.0406 2596 DisplayLinkUsbPort (941278fb27fac782d26a10bbf2d28d96) C:\WINDOWS\system32\DRIVERS\DisplayLinkUsbPort.sys

2011/07/29 22:06:41.0484 2596 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS

2011/07/29 22:06:41.0515 2596 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS

2011/07/29 22:06:41.0546 2596 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS

2011/07/29 22:06:41.0578 2596 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS

2011/07/29 22:06:41.0593 2596 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS

2011/07/29 22:06:41.0625 2596 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS

2011/07/29 22:06:41.0671 2596 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS

2011/07/29 22:06:41.0703 2596 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS

2011/07/29 22:06:41.0718 2596 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS

2011/07/29 22:06:41.0796 2596 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/07/29 22:06:41.0890 2596 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/07/29 22:06:41.0937 2596 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/07/29 22:06:41.0968 2596 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/07/29 22:06:42.0031 2596 DNE (812f9714b6d2d93078bf4d126167c5ba) C:\WINDOWS\system32\DRIVERS\dne2000.sys

2011/07/29 22:06:42.0093 2596 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/07/29 22:06:42.0140 2596 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS

2011/07/29 22:06:42.0156 2596 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS

2011/07/29 22:06:42.0218 2596 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/07/29 22:06:42.0250 2596 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/07/29 22:06:42.0281 2596 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/07/29 22:06:42.0312 2596 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/07/29 22:06:42.0343 2596 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/07/29 22:06:42.0375 2596 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/07/29 22:06:42.0406 2596 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/07/29 22:06:42.0437 2596 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/07/29 22:06:42.0484 2596 guardian2 (7dadeb7f2215b1f883267cad67f091c1) C:\WINDOWS\system32\Drivers\oz776.sys

2011/07/29 22:06:42.0531 2596 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/07/29 22:06:42.0578 2596 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/07/29 22:06:42.0687 2596 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys

2011/07/29 22:06:42.0765 2596 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys

2011/07/29 22:06:42.0812 2596 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/07/29 22:06:42.0921 2596 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/07/29 22:06:43.0031 2596 ialm (cc449157474d5e43daea7e20f52c635a) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2011/07/29 22:06:43.0203 2596 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/07/29 22:06:43.0296 2596 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/07/29 22:06:43.0343 2596 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/07/29 22:06:43.0390 2596 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/07/29 22:06:43.0453 2596 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/07/29 22:06:43.0484 2596 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/07/29 22:06:43.0515 2596 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/07/29 22:06:43.0546 2596 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/07/29 22:06:43.0593 2596 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/07/29 22:06:43.0609 2596 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/07/29 22:06:43.0640 2596 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/07/29 22:06:43.0671 2596 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/07/29 22:06:43.0750 2596 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/07/29 22:06:43.0906 2596 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys

2011/07/29 22:06:43.0937 2596 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys

2011/07/29 22:06:44.0000 2596 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys

2011/07/29 22:06:44.0140 2596 Lvckap (bd0d8c9e3aef163dafa0a3c27106d049) C:\WINDOWS\system32\drivers\Lvckap.sys

2011/07/29 22:06:44.0359 2596 lvmvdrv (c2ad4603075b1c58d92b6bb00e08e958) C:\WINDOWS\system32\drivers\lvmvdrv.sys

2011/07/29 22:06:44.0531 2596 LVPrcMon (4fd5a6335fb4fc1f758088b2f90613fe) C:\WINDOWS\system32\drivers\LVPrcMon.sys

2011/07/29 22:06:44.0562 2596 LVUSBSta (c0883f7914afa7feaa41ada0d513ac16) C:\WINDOWS\system32\drivers\lvusbsta.sys

2011/07/29 22:06:44.0625 2596 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/07/29 22:06:44.0765 2596 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/07/29 22:06:44.0828 2596 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/07/29 22:06:44.0875 2596 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/07/29 22:06:44.0953 2596 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/07/29 22:06:44.0984 2596 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/07/29 22:06:45.0109 2596 MRxDAV (e3f17e1ea5256709d4e97ef0da04b3c9) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/07/29 22:06:45.0187 2596 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/07/29 22:06:45.0281 2596 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/07/29 22:06:45.0343 2596 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/07/29 22:06:45.0390 2596 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/07/29 22:06:45.0421 2596 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/07/29 22:06:45.0484 2596 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/07/29 22:06:45.0546 2596 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/07/29 22:06:45.0578 2596 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/07/29 22:06:45.0625 2596 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/07/29 22:06:45.0656 2596 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/07/29 22:06:45.0687 2596 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/07/29 22:06:45.0734 2596 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/07/29 22:06:45.0765 2596 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/07/29 22:06:45.0781 2596 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/07/29 22:06:45.0843 2596 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/07/29 22:06:45.0890 2596 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/07/29 22:06:45.0921 2596 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/07/29 22:06:46.0062 2596 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/07/29 22:06:46.0109 2596 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/07/29 22:06:46.0171 2596 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/07/29 22:06:46.0359 2596 nv (5796a04ccc99542fdfb43f2accd803df) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/07/29 22:06:46.0593 2596 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/07/29 22:06:46.0609 2596 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/07/29 22:06:46.0687 2596 palmmdm (836e48de7630d419f6ad2728d79a2615) C:\WINDOWS\system32\DRIVERS\palmmdm.sys

2011/07/29 22:06:46.0734 2596 PalmUSBD (dc450992eba6f914080c1f7fbeeed72c) C:\WINDOWS\system32\drivers\PalmUSBD.sys

2011/07/29 22:06:46.0796 2596 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

2011/07/29 22:06:46.0812 2596 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/07/29 22:06:46.0859 2596 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/07/29 22:06:46.0890 2596 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/07/29 22:06:46.0968 2596 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/07/29 22:06:47.0031 2596 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/07/29 22:06:47.0250 2596 PID_0928 (238e89ca013cdd3ac5be63b144423f5c) C:\WINDOWS\system32\DRIVERS\LV561AV.SYS

2011/07/29 22:06:47.0312 2596 pnetmdm (750318586b5ea1e7f48e2dbe54074c7e) C:\WINDOWS\system32\DRIVERS\pnetmdm.sys

2011/07/29 22:06:47.0359 2596 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/07/29 22:06:47.0390 2596 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/07/29 22:06:47.0421 2596 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/07/29 22:06:47.0484 2596 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/07/29 22:06:47.0640 2596 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/07/29 22:06:47.0703 2596 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/07/29 22:06:47.0750 2596 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/07/29 22:06:47.0765 2596 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/07/29 22:06:47.0828 2596 RCFOX (a2cd4b61064123d687d95ab9b6c92fb6) C:\WINDOWS\system32\Drivers\RCFOX.sys

2011/07/29 22:06:47.0843 2596 RCFOX - detected Rootkit.Win32.ZAccess.c (0)

2011/07/29 22:06:47.0859 2596 rcvpn (bca39c96b11318cbc2797c4b842e22e4) C:\WINDOWS\system32\DRIVERS\rcvpn.sys

2011/07/29 22:06:47.0921 2596 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/07/29 22:06:47.0953 2596 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/07/29 22:06:47.0984 2596 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/07/29 22:06:48.0031 2596 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/07/29 22:06:48.0062 2596 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/07/29 22:06:48.0125 2596 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys

2011/07/29 22:06:48.0281 2596 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/07/29 22:06:48.0343 2596 ser2plms (227df2e68510d25462ee80136722374e) C:\WINDOWS\system32\DRIVERS\ser2plms.sys

2011/07/29 22:06:48.0390 2596 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/07/29 22:06:48.0421 2596 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/07/29 22:06:48.0484 2596 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/07/29 22:06:48.0562 2596 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/07/29 22:06:48.0687 2596 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/07/29 22:06:48.0734 2596 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/07/29 22:06:48.0796 2596 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/07/29 22:06:48.0859 2596 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

2011/07/29 22:06:48.0953 2596 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys

2011/07/29 22:06:49.0078 2596 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/07/29 22:06:49.0125 2596 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/07/29 22:06:49.0156 2596 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/07/29 22:06:49.0281 2596 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/07/29 22:06:49.0343 2596 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/07/29 22:06:49.0390 2596 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/07/29 22:06:49.0421 2596 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/07/29 22:06:49.0453 2596 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/07/29 22:06:49.0531 2596 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/07/29 22:06:49.0625 2596 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/07/29 22:06:49.0671 2596 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2011/07/29 22:06:49.0718 2596 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/07/29 22:06:49.0765 2596 USBCCID (ca16635aac61993a27ebeeb3f683fa8e) C:\WINDOWS\system32\DRIVERS\usbccid.sys

2011/07/29 22:06:49.0796 2596 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/07/29 22:06:49.0828 2596 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/07/29 22:06:49.0859 2596 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/07/29 22:06:49.0890 2596 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/07/29 22:06:49.0921 2596 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/07/29 22:06:49.0953 2596 USB_RNDIS (bee793d4a059caea55d6ac20e19b3a8f) C:\WINDOWS\system32\DRIVERS\usb8023.sys

2011/07/29 22:06:50.0031 2596 vcdrom (bfa4ae30b3ac10e9223830bf103f5a3f) C:\Masters\virtualcd\VCdRom.sys

2011/07/29 22:06:50.0062 2596 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/07/29 22:06:50.0093 2596 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/07/29 22:06:50.0156 2596 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/07/29 22:06:50.0234 2596 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys

2011/07/29 22:06:50.0296 2596 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/07/29 22:06:50.0390 2596 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys

2011/07/29 22:06:50.0500 2596 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys

2011/07/29 22:06:50.0562 2596 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2011/07/29 22:06:50.0687 2596 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2011/07/29 22:06:50.0734 2596 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/07/29 22:06:50.0796 2596 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/07/29 22:06:50.0843 2596 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/07/29 22:06:50.0921 2596 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/07/29 22:06:51.0078 2596 MBR (0x1B8) (99bf1ef585e2fe54d718ee5398a4f857) \Device\Harddisk1\DR2

2011/07/29 22:06:51.0953 2596 Boot (0x1200) (26588e65c88f9cd823e6d196ff6f519e) \Device\Harddisk0\DR0\Partition0

2011/07/29 22:06:51.0968 2596 Boot (0x1200) (c5e033ad258a9bd11d1a03ad23c818f4) \Device\Harddisk1\DR2\Partition0

2011/07/29 22:06:51.0968 2596 ================================================================================

2011/07/29 22:06:51.0968 2596 Scan finished

2011/07/29 22:06:51.0968 2596 ================================================================================

2011/07/29 22:06:52.0000 2320 Detected object count: 1

2011/07/29 22:06:52.0000 2320 Actual detected object count: 1

2011/07/29 22:07:04.0703 2320 RCFOX (a2cd4b61064123d687d95ab9b6c92fb6) C:\WINDOWS\system32\Drivers\RCFOX.sys

2011/07/29 22:07:04.0703 2320 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\RCFOX.SYS) error 1813

2011/07/29 22:07:06.0281 2320 Backup copy not found, trying to cure infected file..

2011/07/29 22:07:06.0421 2320 C:\WINDOWS\system32\Drivers\RCFOX.sys - Cure failed (FFFFFFFF)

2011/07/29 22:07:06.0421 2320 C:\WINDOWS\system32\Drivers\RCFOX.sys - processing error

2011/07/29 22:07:06.0421 2320 Rootkit.Win32.ZAccess.c(RCFOX) - User select action: Cure

And here is DDS.TXT. I haven't reviewed it in detail, but I noticed the registry entry directing .EXE files to cvo.exe, which was the original XP Home Security virus file, which I believe I have been able to delete, but this registry entry may be reappearing. I am going to remove/correct it. I am happy to remove any other drivers/installations that you believe may be contributing to the problem.

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by ron at 22:12:25 on 2011-07-29

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1590 [GMT -7:00]

.

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

"\\.\globalroot\Device\svchost.exe\svchost.exe"

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\CameraAssistant.exe

C:\WINDOWS\system32\ElkCtrl.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mSearch Bar = hxxp://www.google.com

uInternet Settings,ProxyServer = http=127.0.0.1:57152

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: H - No File

uWinlogon: Shell=explorer.exe,c:\documents and settings\ron.corp\application data\dwm.exe

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {87BC7B22-B7F7-4D78-970F-970C5C6604B8} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"

uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [\\tracyxp\EPSON Artisan 50 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiffa.exe /fu "c:\docume~1\ron~1.cor\locals~1\temp\E_S5F.tmp" /EF "HKCU"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [pdfFactory Dispatcher v2] c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe

mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect

mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

dRun: [3271138868] c:\documents and settings\networkservice\local settings\application data\cvo.exe

dRun: [updchecker] c:\documents and settings\networkservice\application data\updchecker.exe

dRun: [7Dsg2rFtekKD9FLBb8bQ] c:\documents and settings\networkservice\application data\microsoft\oulwsvm.exe

StartupFolder: c:\docume~1\ron~1.cor\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

uPolicies-system: DisableChangePassword = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

LSP: mswsock.dll

Trusted Zone: cbhinc.biz

Trusted Zone: cbhinc.com

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {06D59DC6-5304-432D-A1CE-67E531410F9F} - hxxp://sp.cbhinc.com/BusinessPortal/UI/ResultViewer/Scripts/MBFWebBehaviors.cab

DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} - hxxps://vpn.directed.com/XTSAC.cab

DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} - hxxps://connectpbg.mcgplc.com/postauthI/epi.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155861334269

DPF: {9437EF71-9276-432D-AA74-CF8DA12EF11B} - hxxps://na1.salesforce.com/dwnld/mailmerge/AXMailMerge.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: Interfaces\{7AC112B9-8D6F-4D43-B876-38A6329F4236} : NameServer = 12.238.189.39,12.238.189.40

TCP: Interfaces\{7AC112B9-8D6F-4D43-B876-38A6329F4236} : DhcpNameServer = 172.16.8.20 172.16.8.19

TCP: Interfaces\{97C9367A-CCB2-4CCB-B432-B0FF4D3E9A6A} : DhcpNameServer = 192.168.0.120 192.168.110.60

TCP: Interfaces\{CCC5843D-73A1-48C8-BBA1-9005700DA330} : DhcpNameServer = 172.16.8.20 172.16.8.19

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-7-28 11608]

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2010-4-5 101528]

R1 vcdrom;Virtual CD-ROM Device Driver;c:\masters\virtualcd\VCdRom.sys [2007-12-14 8576]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-7-28 136360]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-7-28 66616]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-2-1 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-6-28 47640]

R3 DisplayLinkGA;DisplayLinkGA;c:\windows\system32\drivers\DisplayLinkGAport.sys [2007-3-9 25704]

R3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\drivers\DisplayLinkmirrorport.sys [2007-3-9 23400]

R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2010-4-5 24876]

S0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys --> c:\windows\system32\drivers\sonyhcb.sys [?]

S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]

S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-7-29 269480]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 DisplayLinkService;DisplayLink Service;c:\program files\displaylink core software\DisplayLinkService.exe [2007-12-20 439656]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]

S2 slapd-rsaritzkyData;Sun ONE Directory Server 5.2 (rsaritzkyData);C:/Program Files/Sun/MPS/bin/slapd/server/ns-slapd.exe --> C:/Program Files/Sun/MPS/bin/slapd/server/ns-slapd.exe [?]

S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort.sys [2009-2-14 20992]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]

S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys --> c:\windows\system32\drivers\ngfilter.sys [?]

S3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys --> c:\windows\system32\drivers\nglog.sys [?]

S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys --> c:\windows\system32\drivers\ngvpn.sys [?]

S3 palmmdm;Palm Modem;c:\windows\system32\drivers\palmmdm.sys [2006-1-30 9728]

S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2006-1-1 8576]

S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys --> c:\windows\system32\drivers\sonyhcs.sys [?]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== File Associations ===============

.

exefile="c:\documents and settings\networkservice\local settings\application data\cvo.exe" -a "%1" %*

.

=============== Created Last 30 ================

.

2011-07-28 18:33:36 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-07-28 18:33:36 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-07-28 18:26:00 -------- d-----w- c:\windows\system32\NtmsData

2011-07-28 18:25:31 -------- d-----w- c:\documents and settings\ron.corp\application data\Avira

2011-07-28 14:05:58 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-07-28 14:05:57 -------- d-----w- c:\program files\Avira

2011-07-28 14:05:57 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-07-27 20:38:54 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2011-07-27 05:04:10 -------- d-----w- C:\hj

2011-07-27 04:58:19 -------- d-----w- C:\mal

2011-07-27 04:26:03 92672 ----a-w- c:\windows\system32\KillBox.exe

2011-07-27 04:06:21 -------- d-----w- C:\!KillBox

2011-07-27 02:43:56 -------- d-----w- c:\program files\Sunbelt Software

2011-07-25 15:01:15 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-07-25 06:45:34 -------- d--h--w- c:\documents and settings\all users\application data\Common Files

2011-07-25 06:39:47 -------- d-----w- c:\documents and settings\all users\application data\MFAData

2011-07-25 00:46:31 -------- d--h--w- c:\windows\PIF

2011-07-24 17:32:23 9466208 ----a-w- C:\mbam.exe

2011-07-24 17:31:58 8068864 ----a-w- C:\microsoft_security_essentials_mseinstall.exe

2011-07-24 15:50:29 -------- d-----w- c:\program files\MPAccess

2011-07-24 05:25:57 0 ----a-w- c:\windows\Bdedetekol.bin

2011-07-24 05:25:55 -------- d-----w- c:\documents and settings\ron.corp\local settings\application data\{C9D1812A-506D-4DD2-82C0-AB48F5E5B46F}

2011-07-24 05:22:03 -------- d-----w- C:\QUARANTINE

2011-07-13 05:47:29 -------- d-----w- c:\documents and settings\ron.corp\local settings\application data\PCHealth

2011-07-12 05:05:34 -------- d-----w- c:\windows\system32\winrm

2011-07-12 05:05:27 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$

2011-07-11 17:31:27 -------- d-----w- C:\TEMP

.

==================== Find3M ====================

.

2011-07-24 16:07:53 22528 ----a-w- c:\windows\system32\WLTRYSVC.EXE

2011-07-24 16:07:53 1253376 ----a-w- c:\windows\system32\BCMWLTRY.EXE

2011-07-09 18:04:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-06 23:32:48 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2011-07-06 23:32:36 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll

2011-07-06 23:32:28 87424 ----a-w- c:\windows\system32\LMIinit.dll

2011-07-06 23:32:28 29568 ----a-w- c:\windows\system32\LMIport.dll

2011-05-20 23:38:49 71 ----a-w- C:\StartMySQL.bat

.

============= FINISH: 22:13:32.95 ===============

Thanks again in advance.

Ron


OK, I ran Combofix. It corrected a couple of issues, and I was able to correct a few more after it ran:

1. It removed RCFOX.EXE which is the SonicWall VPN executable. When I tried to reinstall, rundll.exe would not run (window pops up saying which program do you want to open this file with). So the EXE file association was still messed up.

2. I manually went into the registry and deleted the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe - that fixed the EXE problem (well, at least I could reinstall the VPN).

3. I had removed Spybot during this ordeal, so when trying to reinstall, 2 files in the Spybot directory could not be deleted (file in use). So I booted to a Knoppix CD and deleted those files. I haven't reinstalled Spybot yet.

4. In line 550 of the ComboFix log, I noticed it has:

exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\cvo.exe" -a "%1" %*

I found a couple of registry entries (HKU\.DEFAULT\Software\Classes\exefile\shell\open\command\Default is one of them) that still reference cvo.exe. I removed those entries.

My VPN is reinstalled and working. Machine seems to be running but if you see any other suspicious entries in the logs that should be corrected, please let me know:

The ComboFix.log is 600+ lines so when I entered this reply, the forum said the post was too long. So I am attaching the ComboFix log.

Here's the DDS.txt file however:

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by ron at 14:57:39 on 2011-08-03

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1362 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\WINDOWS\system32\ElkCtrl.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

mSearch Bar = hxxp://www.google.com

uInternet Settings,ProxyServer = http=127.0.0.1:57152

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

mURLSearchHooks: H - No File

BHO: IECatcher Class: {0682e46a-7040-4049-a6fd-0bcfbc673ad8} - c:\program files\flashdownloader\IntQd.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"

uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [\\tracyxp\EPSON Artisan 50 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiffa.exe /fu "c:\docume~1\ron~1.cor\locals~1\temp\E_S5F.tmp" /EF "HKCU"

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [pdfFactory Dispatcher v2] c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe

mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect

mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

StartupFolder: c:\docume~1\ron~1.cor\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

uPolicies-system: DisableChangePassword = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: cbhinc.biz

Trusted Zone: cbhinc.com

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {06D59DC6-5304-432D-A1CE-67E531410F9F} - hxxp://sp.cbhinc.com/BusinessPortal/UI/ResultViewer/Scripts/MBFWebBehaviors.cab

DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} - hxxps://vpn.directed.com/XTSAC.cab

DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} - hxxps://connectpbg.mcgplc.com/postauthI/epi.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155861334269

DPF: {9437EF71-9276-432D-AA74-CF8DA12EF11B} - hxxps://na1.salesforce.com/dwnld/mailmerge/AXMailMerge.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{7AC112B9-8D6F-4D43-B876-38A6329F4236} : NameServer = 12.238.189.39,12.238.189.40

TCP: Interfaces\{7F283F24-B6DE-432A-AB0B-793AADA2715B} : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{97C9367A-CCB2-4CCB-B432-B0FF4D3E9A6A} : DhcpNameServer = 192.168.0.120 192.168.110.60

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]

R1 vcdrom;Virtual CD-ROM Device Driver;c:\masters\virtualcd\VCdRom.sys [2007-12-14 8576]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]

R3 DisplayLinkGA;DisplayLinkGA;c:\windows\system32\drivers\DisplayLinkGAport.sys [2007-3-9 25704]

R3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\drivers\DisplayLinkmirrorport.sys [2007-3-9 23400]

S0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys --> c:\windows\system32\drivers\sonyhcb.sys [?]

S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]

S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 DisplayLinkService;DisplayLink Service;c:\program files\displaylink core software\DisplayLinkService.exe [2007-12-20 439656]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]

S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-2-1 374152]

S2 slapd-rsaritzkyData;Sun ONE Directory Server 5.2 (rsaritzkyData);C:/Program Files/Sun/MPS/bin/slapd/server/ns-slapd.exe --> C:/Program Files/Sun/MPS/bin/slapd/server/ns-slapd.exe [?]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-7-30 1025352]

S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort.sys [2009-2-14 20992]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]

S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys --> c:\windows\system32\drivers\ngfilter.sys [?]

S3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys --> c:\windows\system32\drivers\nglog.sys [?]

S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys --> c:\windows\system32\drivers\ngvpn.sys [?]

S3 palmmdm;Palm Modem;c:\windows\system32\drivers\palmmdm.sys [2006-1-30 9728]

S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2006-1-1 8576]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]

S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys --> c:\windows\system32\drivers\sonyhcs.sys [?]

S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [2009-3-4 21016]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== File Associations ===============

.

exefile="c:\documents and settings\networkservice\local settings\application data\cvo.exe" -a "%1" %*

.

=============== Created Last 30 ================

.

2011-08-03 21:43:40 -------- d-----w- C:\ComboFix

2011-07-30 17:27:28 -------- d-----w- c:\documents and settings\ron.corp\application data\EMCO

2011-07-30 17:26:57 -------- d-----w- c:\program files\EMCO

2011-07-30 17:19:07 -------- d-----w- c:\program files\VS Revo Group

2011-07-30 16:03:56 -------- d-----w- C:\$AVG

2011-07-30 15:43:32 -------- d-----w- c:\documents and settings\ron.corp\application data\AVG10

2011-07-30 15:41:02 -------- d-----w- c:\documents and settings\all users\application data\AVG Security Toolbar

2011-07-30 15:39:52 -------- d-----w- c:\windows\system32\drivers\AVG

2011-07-30 15:39:52 -------- d-----w- c:\documents and settings\all users\application data\AVG10

2011-07-30 15:39:01 -------- d-----w- c:\program files\AVG

2011-07-30 05:50:44 -------- d-sha-r- C:\cmdcons

2011-07-30 05:48:51 256000 ----a-w- c:\windows\PEV.exe

2011-07-30 05:48:51 208896 ----a-w- c:\windows\MBR.exe

2011-07-30 05:48:50 98816 ----a-w- c:\windows\sed.exe

2011-07-30 05:48:50 518144 ----a-w- c:\windows\SWREG.exe

2011-07-28 18:26:00 -------- d-----w- c:\windows\system32\NtmsData

2011-07-27 05:04:10 -------- d-----w- C:\hj

2011-07-27 04:58:19 -------- d-----w- C:\mal

2011-07-27 04:26:03 92672 ----a-w- c:\windows\system32\KillBox.exe

2011-07-27 04:06:21 -------- d-----w- C:\!KillBox

2011-07-25 15:01:15 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-07-25 06:45:34 -------- d--h--w- c:\documents and settings\all users\application data\Common Files

2011-07-25 06:39:47 -------- d-----w- c:\documents and settings\all users\application data\MFAData

2011-07-25 00:46:31 -------- d--h--w- c:\windows\PIF

2011-07-24 17:32:23 9466208 ----a-w- C:\mbam.exe

2011-07-24 17:31:58 8068864 ----a-w- C:\microsoft_security_essentials_mseinstall.exe

2011-07-24 05:25:57 0 ----a-w- c:\windows\Bdedetekol.bin

2011-07-24 05:22:03 -------- d-----w- C:\QUARANTINE

2011-07-13 05:47:29 -------- d-----w- c:\documents and settings\ron.corp\local settings\application data\PCHealth

2011-07-12 05:05:34 -------- d-----w- c:\windows\system32\winrm

2011-07-12 05:05:27 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$

2011-07-11 17:31:27 -------- d-----w- C:\TEMP

.

==================== Find3M ====================

.

2011-07-24 16:07:53 22528 ----a-w- c:\windows\system32\WLTRYSVC.EXE

2011-07-24 16:07:53 1253376 ----a-w- c:\windows\system32\BCMWLTRY.EXE

2011-07-09 18:04:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-20 23:38:49 71 ----a-w- C:\StartMySQL.bat

.

============= FINISH: 14:57:51.29 ===============

DDS Attach.Txt is also attached as a zip file

cvo.exe was the original XP Home Security virus program, which I had already removed (the directory the above line points to is empty). However, I don't know where Combofix is getting this line - I'd like to remove it, but it's not in the registry (at least I couldn't find it by searching for "exe").

That being said, here are the ComboFix log and the DDS log.

Thanks again,

Ron

attach.zip

combofix_log_8-3-11.txt
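One way to triage a DDS report like the one above automatically, as an added example that is not part of this thread or of the DDS/ComboFix tools: the script reads DDS-style lines and flags the four patterns visible in the logs (an exefile association that no longer reads `"%1" %*`, a ProxyServer pointing at the loopback address, extra entries on the Winlogon Shell value, and autoruns that live under a profile's Application Data tree). The sample lines are copied from the report; the function and pattern names are my own.

```python
"""Flag common rogue-AV hijack patterns in DDS log lines (added example)."""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (kind, detail)

# Constructed sample: lines lifted from the DDS report above, plus clean ones.
SAMPLE_LOG = r"""
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:57152
uWinlogon: Shell=explorer.exe,c:\documents and settings\ron.corp\application data\dwm.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [3271138868] c:\documents and settings\networkservice\local settings\application data\cvo.exe
dRun: [updchecker] c:\documents and settings\networkservice\application data\updchecker.exe
exefile="c:\documents and settings\networkservice\local settings\application data\cvo.exe" -a "%1" %*
"""

# Windows' stock "open" command for .exe files: run the file, pass its arguments.
CLEAN_EXEFILE = '"%1" %*'

# DDS prints autoruns as  uRun: [name] command  (u = HKCU, m = HKLM, d = .DEFAULT).
AUTORUN_RE = re.compile(r'^([udm])Run:\s*\[([^\]]*)\]\s*(.*)$')
# An executable living under a user or service profile's Application Data tree.
PROFILE_APPDATA_RE = re.compile(
    r'documents and settings\\[^\\]+\\(?:local settings\\)?application data\\', re.I)
# A proxy on the local machine, the trick the rogue used for browser redirection.
LOOPBACK_PROXY_RE = re.compile(r'=\s*(?:http=)?(?:127\.0\.0\.1|localhost):\d+', re.I)


def check_exefile(line: str) -> Optional[Finding]:
    """Anything other than the stock command means .exe launches are wrapped."""
    if not line.lower().startswith('exefile='):
        return None
    value = line[len('exefile='):].strip()
    return None if value == CLEAN_EXEFILE else ('exefile-hijack', value)


def check_proxy(line: str) -> Optional[Finding]:
    """ProxyServer set to 127.0.0.1 routes all browsing through a local process."""
    if 'ProxyServer' not in line or not LOOPBACK_PROXY_RE.search(line):
        return None
    return ('loopback-proxy', line.split('=', 1)[1].strip())


def check_shell(line: str) -> Optional[Finding]:
    """Winlogon Shell should be explorer.exe alone; extra entries start with it."""
    m = re.match(r'^[udm]Winlogon:\s*Shell=(.*)$', line, re.I)
    if not m:
        return None
    entries = [e.strip() for e in m.group(1).split(',') if e.strip()]
    extra = [e for e in entries if e.lower() != 'explorer.exe']
    return ('shell-extra', ', '.join(extra)) if extra else None


def check_autorun(line: str) -> Optional[Finding]:
    """Run-key entries whose target sits in a profile's Application Data."""
    m = AUTORUN_RE.match(line)
    if not m:
        return None
    hive, name, command = m.groups()
    if PROFILE_APPDATA_RE.search(command):
        return ('autorun-in-profile', f'{hive}Run [{name}] {command}')
    return None


CHECKS = (check_exefile, check_proxy, check_shell, check_autorun)


def scan(log_text: str) -> List[Finding]:
    """Run every check over every line and collect the hits."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


if __name__ == '__main__':
    for kind, detail in scan(SAMPLE_LOG):
        print(f'{kind:20} {detail}')
```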


  • Staff

Hi,

Please upload the file that ComboFix deleted so I may submit it to ComboFix's developer.

Update MBAM, run a Quick Scan, and post its log.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    cvo.exe
    :filefind
    cvo.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Sorry for the delay in responding - a few days of vacation took me away from all computers <grin>...

>Please upload the file that ComboFix deleted so I may submit it to ComboFix's developer.

I have uploaded the file that the scan quarantined, along with a "safe" working version from another computer. The file RCFOX.SYS.VIR is the one quarantined, and the one RCFOX.SYS is the "safe" one from my other computer. The 2 file versions are in the attached .ZIP file (RCFoxFiles.ZIP).

>Update MBAM, run a Quick Scan, and post its log.

No threats found in this step. Here's the log:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7367

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/3/2011 5:02:58 PM

mbam-log-2011-08-03 (17-02-57).txt

Scan type: Full scan (C:\|)

Objects scanned: 275038

Time elapsed: 45 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-------------------

>Please download SystemLook from one of the links below and save it to your Desktop...

Nothing found - prior to this, I was able to search through the registry and found one registry entry that I had missed during my manual removal attempts - so I think we're good here. Here's the log anyway:

SystemLook 30.07.11 by jpshortstuff

Log created at 19:53 on 09/08/2011 by ron

Administrator - Elevation successful

========== regfind ==========

Searching for "cvo.exe"

No data found.

========== filefind ==========

Searching for "cvo.exe"

No files found.

-= EOF =-

>Next, please run a free online scan with the ESET Online Scanner

Here's the log. Note that these files had been detected as having viruses by a prior scan and were just in a quarantine folder, so I'm thinking this is OK. I allowed ESET to delete the files. There also were some additional files in the C:\Qoobox\Quarantine directory and subdirs - I deleted them all...

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=3e24de1a36738145b40492427913622c

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-08-10 04:18:47

# local_time=2011-08-09 09:18:47 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=1032 16777213 100 95 0 55282697 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=76558

# found=2

# cleaned=2

# scan_time=3622

C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined)

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\RCFOX.SYS.vir a variant of Win32/Sirefef.CO trojan (cleaned by deleting - quarantined)

>Next, download my Security Check from here

Here's the log:

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

AVG 2011

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Adobe Flash Player 10.3.181.14

````````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

``````````End of Log````````````

Thanks again for your time and advice. Any more steps?

Ron

RCFoxFiles.ZIP

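An added illustration, not part of Ron's post or any of the tools' own code: the ESET Online Scanner log above has a regular shape (`# key=value` header lines, then one detection per line as path, threat description, and action in parentheses), and the useful triage point is the one Ron makes himself, that both hits sit under ComboFix's C:\Qoobox\Quarantine folder and so are residue rather than live infections. The parser below assumes detection paths contain no spaces and uses a constructed sample modelled on the posted log.

```python
import re

# Constructed sample, modelled on the ESET Online Scanner log posted above.
SAMPLE_ESET_LOG = """\
# version=7
# found=2
# cleaned=2
# scan_time=3622
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\assembly\\GAC_MSIL\\desktop.ini.vir a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined)
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\Drivers\\RCFOX.SYS.vir a variant of Win32/Sirefef.CO trojan (cleaned by deleting - quarantined)
"""

# Folders where other tools park already-neutralised files (ComboFix's Qoobox
# is the one this thread shows); a hit under them is residue, not a live infection.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
# Detection line: "<path> <threat description> (<action>)". Assumes the path
# contains no spaces, which holds for the lines in this thread.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<threat>.+?)\s+\((?P<action>[^()]*)\)\s*$"
)


def parse_eset_log(text):
    """Return (header dict, list of detection dicts) from an ESET Online Scanner log."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = m.groupdict()
            # Residual = already sitting in another tool's quarantine folder.
            d["residual"] = d["path"].lower().startswith(QUARANTINE_PREFIXES)
            detections.append(d)
    return header, detections


def triage(text):
    """Summarise a scan: were all hits cleaned, and does anything live outside a quarantine folder?"""
    header, detections = parse_eset_log(text)
    found, cleaned = int(header.get("found", 0)), int(header.get("cleaned", 0))
    return {
        "found": found,
        "cleaned": cleaned,
        "lines_match_header": len(detections) == found,
        "all_cleaned": found == cleaned,
        "active_locations": [d["path"] for d in detections if not d["residual"]],
    }
```

For the posted log, `triage` reports both hits cleaned and no active locations, which is the "this is OK" conclusion Ron reached by hand.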

  • Staff

Hi,

Delete SystemLook.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Adobe Reader 7.1.0

ESET Online Scanner v3

Java™ 6 Update 14

Restart your computer.

Get the latest version of Adobe Reader.

Let me know what issues remain.

-screen317


  • 2 weeks later...

Thanks for all your help. I've done the cleanup you've suggested, and everything appears to be working normally. Antivirus and Malwarebytes are updated and running and reporting no problems. I appreciate the directions to the additional utilities that finished the cleanup. It's great to have volunteers out there to help. I do my part, too, on accounting software forums, where I can "pay it forward" and volunteer my own expertise.

Thanks again. Please consider this incident closed.

Ron


  • Staff

Great!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an add-on available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • 3 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.