WiredWX Hobby Weather Tools

Host of virus problems

3 posters

Host of virus problems

Hello.. I'm having a huge battle trying to fight virus problems for the past couple of weeks. I realize that I am supposed to do a diagnostic and post the data.. however I can't even get onto my computer other than in safe mode right now.

Sooo here goes.. I have a malware program that has disabled my ability to get onto my task manager. I was able to get rid of it with the Malwarebytes program. However a few days ago whenever I logged onto my computer, explorer/my start menu/icons would not come up. To get around it I was able to get onto task manager and run a document file and it would get explorer to pop up. Well guess what, this morning when I turned my computer on, explorer wouldn't come up and when I tried to get onto task manager, a popup came up saying that my task manager had been disabled by my administrator. So now I'm stuck in limbo when I turn my computer on with nothing but my desktop showing.

I've tried getting into safe mode and running Malwarebytes, Spybot, AVG, and Ad-Aware. I did some research and also tried deleting my prefetch files, my temporary internet files, and my temp files from all the users that are associated with my computer. I also ran regedit and deleted a file under one of the HKEY roots that was set to disable my authority to use task manager, but on loadup it had no effect. Help would be much appreciated. Again I'd love to follow the directions for posting a new topic but I can't even play solitaire right now lol. Thanks again,

Josh

Re: Host of virus problems

Hello, I need you to do the following: boot into safe mode with networking and download ComboFix. If the malware is not letting you download, save it onto a USB drive or CD and then put it onto the infected machine. Once you have ComboFix on the infected machine in Safe Mode, please run it by following these instructions exactly:

  • Download combofix from here
    Link 1
    Link 2
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

(screenshot: CF_download_FF)

(screenshot: CF_download_rename)

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.
See HERE for how to disable your AV.

  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Host of virus problems

Okay I followed your directions to a T and DLed Combo-Fix. However since I am in safe mode, the only option I am allowed with AVG is a scanner called command line composer. I can't turn off the antivirus portion that runs in the background. I also tried uninstalling and an error pops up saying Local machine: installation failed. Installation: Error: action failed for registry key HKLM\software\microsoft NT\currentversion\windows: creating registry key.... Error 0x80070005. Additionally I went to add/remove programs and it said the same thing when I tried to manually uninstall. What should I do to get AVG to stop running? I also have Spybot but it is giving me the normal options allowed in normal mode.

Josh

Re: Host of virus problems

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Host of virus problems

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ovfsthtksmqecxvxvgpyriyuspvnstidiemnbv" found!
ImagePath: \systemroot\system32\drivers\ovfsthpdxpmbcrvhuxiwijbjqdcbbpcynxctst.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

Re: Host of virus problems

Yes, it found the rootkit. Let's remove it, shall we:

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Drivers to delete:
    ovfsthtksmqecxvxvgpyriyuspvnstidiemnbv.sys

    Files to delete:
    C:\WINDOWS\system32\drivers\ovfsthpdxpmbcrvhuxiwijbjqdcbbpcynxctst.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Host of virus problems

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthtksmqecxvxvgpyriyuspvnstidiemnbv.sys" not found!
Deletion of driver "ovfsthtksmqecxvxvgpyriyuspvnstidiemnbv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\drivers\ovfsthpdxpmbcrvhuxiwijbjqdcbbpcynxctst.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
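The two Avenger logs above are short enough to read by eye, but a parser makes the relevant facts explicit: which hidden drivers the rootkit scan reported, whether they were disabled, and why a later deletion failed. The Python below is an added example written for this page, not code from The Avenger, ComboFix or anyone in the thread. The sample strings are constructed from the logs posted above, and the regular expressions are an assumption about the log format drawn only from those two logs. The cross-check pairs the failed deletion (a service key named with a `.sys` suffix) with the name the scan actually reported, which is the mismatch behind the STATUS_OBJECT_NAME_NOT_FOUND in the second log; the ComboFix log later in the thread removes the service under the name without the suffix.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the two Avenger logs posted in this thread, trimmed to the
# lines the parser needs (the first run found and disabled the hidden driver, the
# second ran the deletion script).
AVENGER_LOG_SCAN = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows XP

Rootkit scan active.

Hidden driver "ovfsthtksmqecxvxvgpyriyuspvnstidiemnbv" found!
ImagePath: \systemroot\system32\drivers\ovfsthpdxpmbcrvhuxiwijbjqdcbbpcynxctst.sys
Driver disabled successfully.

Rootkit scan completed.
Completed script processing.
"""

AVENGER_LOG_DELETE = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows XP

Rootkit scan active.
No rootkits found!

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthtksmqecxvxvgpyriyuspvnstidiemnbv.sys" not found!
Deletion of driver "ovfsthtksmqecxvxvgpyriyuspvnstidiemnbv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\drivers\ovfsthpdxpmbcrvhuxiwijbjqdcbbpcynxctst.sys" deleted successfully.
Completed script processing.
"""

# Line shapes observed in the two logs above (assumed, not taken from Avenger's docs).
HIDDEN_RE = re.compile(r'^Hidden driver "(?P<name>[^"]+)" found!$')
IMAGE_RE = re.compile(r"^ImagePath:\s*(?P<path>\S+)$")
DISABLED_RE = re.compile(r"^Driver disabled successfully\.$")
FAIL_RE = re.compile(r'^Deletion of (?P<kind>\w+) "(?P<obj>[^"]+)" failed!$')
STATUS_RE = re.compile(r"^Status:\s*(?P<code>0x[0-9A-Fa-f]+)\s*\((?P<name>\w+)\)$")
DELETED_RE = re.compile(r'^File "(?P<path>[^"]+)" deleted successfully\.$')


def parse_avenger_log(text: str) -> Dict:
    """Extract hidden drivers, successful deletions and failures from an Avenger log."""
    report: Dict = {"hidden_drivers": [], "rootkit_found": False,
                    "deleted_files": [], "failures": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_RE.match(line):
            report["hidden_drivers"].append(
                {"name": m.group("name"), "image_path": "", "disabled": False})
            report["rootkit_found"] = True
        elif (m := IMAGE_RE.match(line)) and report["hidden_drivers"]:
            # The ImagePath line belongs to the "Hidden driver" line just before it.
            report["hidden_drivers"][-1]["image_path"] = m.group("path")
        elif DISABLED_RE.match(line) and report["hidden_drivers"]:
            report["hidden_drivers"][-1]["disabled"] = True
        elif m := FAIL_RE.match(line):
            report["failures"].append({"kind": m.group("kind"), "object": m.group("obj"),
                                       "status": "", "status_name": ""})
        elif (m := STATUS_RE.match(line)) and report["failures"]:
            # The Status line explains the failure just before it.
            report["failures"][-1]["status"] = m.group("code")
            report["failures"][-1]["status_name"] = m.group("name")
        elif m := DELETED_RE.match(line):
            report["deleted_files"].append(m.group("path"))
    return report


def name_mismatches(scan: Dict, deletion: Dict) -> List[Tuple[str, str]]:
    """Pair each 'object not found' driver deletion with a hidden driver from the
    earlier scan whose service name differs only by a '.sys' suffix."""
    hidden = {d["name"].lower(): d["name"] for d in scan["hidden_drivers"]}
    pairs: List[Tuple[str, str]] = []
    for f in deletion["failures"]:
        if f["kind"] != "driver" or f["status_name"] != "STATUS_OBJECT_NAME_NOT_FOUND":
            continue
        stem = f["object"].lower()
        if stem.endswith(".sys"):
            stem = stem[:-4]
        if stem in hidden:
            pairs.append((f["object"], hidden[stem]))
    return pairs


if __name__ == "__main__":
    scan = parse_avenger_log(AVENGER_LOG_SCAN)
    deletion = parse_avenger_log(AVENGER_LOG_DELETE)
    for d in scan["hidden_drivers"]:
        print(f"hidden driver {d['name']} -> {d['image_path']} disabled={d['disabled']}")
    for failed, reported in name_mismatches(scan, deletion):
        print(f"'{failed}' not found; the scan reported the service as '{reported}'")
```

The second log still shows progress even though the driver entry failed: the file deletion succeeded, and the service key was gone by the time ComboFix ran, so the parser separates the two outcomes rather than treating the run as a single pass or fail.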

Re: Host of virus problems

  • Download combofix from here
    Link 1
    Link 2
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

(screenshot: CF_download_FF)

(screenshot: CF_download_rename)

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.
See HERE for how to disable your AV.

  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Host of virus problems

Again I tried temporarily turning off AVG, but the program only allows a basic computer scan option when loaded in safe mode. It won't let me use any options or anything. I also again tried manually uninstalling it through add/remove programs and AVG uninstall on the start menu. Both attempts fail with the same error message. Thanks again for the help!

Josh

Re: Host of virus problems

Please download the following tool to fully remove AVG from your system:

http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe

Then run ComboFix, if ComboFix can't run in normal mode please try it in safe mode.

Re: Host of virus problems

ComboFix 09-05-31.06 - Administrator 06/01/2009 23:21.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1750 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Josh Kelley\Application Data\wiaserva.log
c:\documents and settings\Josh Kelley\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\bszip.dll
c:\windows\system32\ovfsthixdjxercehciqtmcjadxarvrddodpjpe.dat
c:\windows\system32\ovfsthlog.dat
c:\windows\system32\ovfsthlssiewfqacanciquwhouigwfdaomyaki.dat
c:\windows\system32\ovfsthtrqfulkejdgssffvxbnodjxblytqifso.dll
c:\windows\system32\ovfsthvbwvargdnpospwwjxmpyiqdgtsrthxfj.dll
c:\windows\system32\ovfsthywojprdmageiotrpeafmdxwodlpjqsxb.dll
c:\windows\system32\prqss.bak1
c:\windows\system32\prqss.bak2
c:\windows\system32\prqss.tmp
c:\windows\system32\sysloc
C:\xcrashdump.dat

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASHEVTSVC
-------\Legacy_AVAST!ANTIVIRUS
-------\Legacy_WIN32X
-------\Service_ovfsthtksmqecxvxvgpyriyuspvnstidiemnbv


((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-06-02 01:57 . 2009-06-02 01:57 -------- dc----w- c:\documents and settings\Administrator\Application Data\Corel Photo Album
2009-06-02 01:57 . 2009-06-02 01:57 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Corel Photo Album
2009-06-02 01:26 . 2009-06-02 01:26 76056 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 19:26 . 2009-05-31 19:26 -------- dc----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-05-31 19:10 . 2009-05-31 19:10 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-31 16:59 . 2009-05-31 16:59 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-31 16:56 . 2009-05-31 16:56 -------- dcsh--w- c:\documents and settings\Administrator\PrivacIE
2009-05-31 16:51 . 2009-05-31 16:51 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-05-31 09:18 . 2009-05-31 09:18 192 -c--a-w- C:\487656.bat
2009-05-30 03:26 . 2006-10-12 16:29 83504 -c--a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\TEMP\ProgUpd.dll
2009-05-30 03:17 . 2009-05-30 03:17 -------- dc----w- c:\documents and settings\Josh Kelley\Application Data\acccore
2009-05-30 03:17 . 2009-05-30 03:17 -------- dc----w- c:\documents and settings\Josh Kelley\Local Settings\Application Data\AOL
2009-05-30 03:16 . 2009-05-30 03:16 -------- dc----w- c:\documents and settings\Josh Kelley\Local Settings\Application Data\AOL OCP
2009-05-30 03:16 . 2009-05-30 03:16 -------- dc----w- c:\documents and settings\All Users\Application Data\acccore
2009-05-30 03:16 . 2009-05-30 03:18 -------- dc----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-05-30 03:15 . 2009-05-30 03:17 -------- dc----w- c:\program files\AIM6
2009-05-28 18:13 . 2009-05-28 18:13 -------- dcsh--w- c:\documents and settings\Josh Kelley\PrivacIE
2009-05-28 17:33 . 2009-05-28 17:33 -------- dcsh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-05-28 17:30 . 2009-05-26 08:18 105 -c--a-w- C:\tj.vbs
2009-05-20 05:17 . 2009-05-20 05:17 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-20 04:54 . 2009-05-20 04:54 -------- dc----w- c:\program files\Common Files\Adobe AIR
2009-05-20 04:19 . 2009-05-20 04:19 -------- dcsh--w- c:\documents and settings\NetworkService\IETldCache
2009-05-20 04:18 . 2009-05-20 04:18 -------- dcsh--w- c:\documents and settings\LocalService\IETldCache
2009-05-20 04:18 . 2009-05-20 04:18 -------- dcsh--w- c:\documents and settings\Josh Kelley\IETldCache
2009-05-20 04:14 . 2009-05-20 04:14 -------- dc----w- c:\windows\ie8updates
2009-05-20 04:14 . 2009-04-25 05:30 102400 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-20 04:13 . 2009-05-20 04:13 -------- dc-h--w- c:\windows\ie8
2009-05-20 01:19 . 2009-05-20 01:20 -------- dc----w- c:\program files\iTunes
2009-05-20 01:19 . 2009-05-20 01:20 -------- dc----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-20 01:17 . 2009-05-20 01:17 -------- dc----w- c:\program files\QuickTime
2009-05-20 01:06 . 2009-05-20 01:06 75048 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-19 21:39 . 2009-05-28 18:03 3371383 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-16 17:15 . 2009-05-16 17:15 -------- dc----w- c:\program files\Common Files\INCA Shared
2009-05-16 15:43 . 2009-05-19 21:51 -------- dc----w- c:\program files\The Chronicles of Spellborn
2009-05-16 02:19 . 2009-05-16 03:29 -------- dc----w- c:\documents and settings\Josh Kelley\Application Data\GetRightToGo
2009-05-15 20:13 . 2009-05-15 20:13 410984 -c--a-w- c:\windows\system32\deploytk.dll
2009-05-15 20:13 . 2009-05-15 20:13 152576 -c--a-w- c:\documents and settings\Josh Kelley\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-15 19:16 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-15 19:16 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-15 19:16 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-15 19:16 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-15 19:16 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-15 19:16 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-15 19:16 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-15 19:16 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-15 19:16 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-15 19:15 . 2008-05-03 11:55 2560 -c----w- c:\windows\system32\xpsp4res.dll
2009-05-15 19:15 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 03:05 . 2009-03-19 00:58 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-02 02:04 . 2005-12-28 23:13 3558 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-02 02:04 . 2005-12-28 23:13 56 -csh--r- c:\windows\system32\CDFA64DBDF.sys
2009-05-30 03:16 . 2005-12-08 02:45 -------- dc----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-30 03:16 . 2005-12-08 02:45 -------- dc----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-30 03:16 . 2005-12-08 02:44 -------- dc----w- c:\program files\Common Files\AOL
2009-05-30 03:14 . 2005-12-28 23:47 -------- dc----w- c:\program files\AIM
2009-05-28 18:03 . 2009-03-03 01:10 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-26 17:20 . 2009-03-03 01:10 40160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2009-03-03 01:10 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-05-22 22:28 . 2006-07-07 01:43 -------- dc----w- c:\program files\Bethesda Softworks
2009-05-22 21:54 . 2008-08-18 21:06 -------- dc----w- c:\documents and settings\Josh Kelley\Application Data\U3
2009-05-20 05:05 . 2005-12-08 02:39 -------- dc----w- c:\program files\Java
2009-05-20 04:53 . 2006-01-19 23:59 -------- dc----w- c:\program files\Common Files\Adobe
2009-05-20 01:19 . 2006-02-01 23:25 -------- dc----w- c:\program files\iPod
2009-05-20 01:19 . 2007-07-04 01:36 -------- dc----w- c:\program files\Common Files\Apple
2009-05-20 01:18 . 2007-02-11 02:20 -------- dc----w- c:\program files\Bonjour
2009-05-20 01:03 . 2008-03-24 20:00 -------- dc----w- c:\program files\Safari
2009-05-19 21:52 . 2008-08-30 01:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-19 21:52 . 2008-08-30 01:58 -------- dc----w- c:\program files\Spybot - Search & Destroy
2009-05-17 15:26 . 2009-03-19 00:58 -------- dc----w- c:\documents and settings\Josh Kelley\Application Data\AVGTOOLBAR
2009-05-15 20:21 . 2009-02-22 00:50 -------- dc----w- c:\program files\Diablo II
2009-04-29 11:46 . 2009-04-29 11:46 -------- dc----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-04-29 11:31 . 2009-04-29 11:31 -------- dc----w- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2009-04-25 03:15 . 2009-04-25 03:15 -------- dc----w- c:\documents and settings\Josh Kelley\Application Data\QuosaDDM
2009-03-19 20:32 . 2009-03-19 20:32 23400 -c--a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2008-01-29 16:01 23400 -c--a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 08:34 . 2004-08-10 18:51 914944 -c--a-w- c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2004-08-10 18:51 43008 -c--a-w- c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2004-08-10 18:50 18944 -c--a-w- c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2004-08-10 18:51 420352 -c--a-w- c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2004-08-10 18:50 72704 -c--a-w- c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2004-08-10 18:51 71680 -c--a-w- c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2004-08-10 18:51 34816 -c--a-w- c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2004-08-10 18:51 48128 -c--a-w- c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2004-08-10 18:51 45568 -c--a-w- c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2004-08-10 18:51 156160 -c--a-w- c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-10 18:51 284160 -c--a-w- c:\windows\system32\pdh.dll
.

Re: Host of virus problems (log continued)

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD5772"="del" [X]
"SpybotDeletingD1049"="del" [X]
"SpybotDeletingB3199"="command.com" - c:\windows\system32\command.com [2004-08-04 50620]
"SpybotDeletingB3461"="command.com" - c:\windows\system32\command.com [2004-08-04 50620]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-15 148888]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-04 86016]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"="SYSDLL" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
PI Monitor.lnk - c:\program files\ArcSoft\PhotoImpression 5\PI Monitor.exe [2007-1-9 86016]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

S1 84b1be9c;84b1be9c;c:\windows\system32\drivers\84b1be9c.sys --> c:\windows\system32\drivers\84b1be9c.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/24/2007 7:15 PM 24652]
S2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [8/18/2008 5:08 PM 53307]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe
HKU-Default-RunOnce-POSTRBT - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe
Notify-ssqrp - c:\windows\system32\ssqrp.dll
Notify-avgrsstarter - avgrsstx.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kbt6e9da.default\
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 23:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,62,ec,86,bb,8c,b6,03,41,a1,a5,8d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,62,ec,86,bb,8c,b6,03,41,a1,a5,8d,\

[HKEY_USERS\S-1-5-21-2350805228-3028851994-2295997966-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,19,f4,28,60,3c,1d,c5,46,b8,4c,14,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,19,f4,28,60,3c,1d,c5,46,b8,4c,14,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1988)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2009-06-02 23:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-02 03:33

Pre-Run: 71,736,832,000 bytes free
Post-Run: 75,871,154,176 bytes free

248 --- E O F --- 2009-05-16 04:10
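The "Reg Loading Points" section is the part of a ComboFix log a helper reads first, because it lists every autostart entry and marks the ones whose target no longer exists on disk. The Python below is an added example, not ComboFix's code and not written by anyone in this thread. It walks an excerpt constructed from the log posted above and flags four things a defender looks for: autostart values that ComboFix marked `[X]`, service entries whose image path ends in `[?]`, an Explorer policy restriction set to a non-zero value, and the Windows Firewall or Security Center monitoring switched off. Reading `[X]` and `[?]` as "referenced file not present", and matching on the key names shown here, are assumptions drawn from this log alone rather than from ComboFix documentation.

```python
import re
from typing import Dict, List

# Constructed sample: an excerpt of the "Reg Loading Points" part of the ComboFix
# log posted in this thread, cut down to a handful of entries.
SAMPLE_LOADING_POINTS = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD5772"="del" [X]
"SpybotDeletingB3199"="command.com" - c:\windows\system32\command.com [2004-08-04 50620]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"="SYSDLL" [X]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S1 84b1be9c;84b1be9c;c:\windows\system32\drivers\84b1be9c.sys --> c:\windows\system32\drivers\84b1be9c.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/24/2007 7:15 PM 24652]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
"""

# Line shapes as they appear in the log above (assumed from this log, not from ComboFix docs).
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
SERVICE_RE = re.compile(r"^(?P<start>[SR]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")


def triage_loading_points(text: str) -> List[Dict[str, str]]:
    """Walk a ComboFix 'Reg Loading Points' dump and return entries worth a second look."""
    findings: List[Dict[str, str]] = []
    key = ""  # registry key of the section currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            key = m.group("key")
            continue
        if m := SERVICE_RE.match(line):
            # Service lines end in "[?]" when the image file was not found on disk.
            if m.group("path").endswith("[?]"):
                findings.append({"category": "missing_driver_file", "key": "services",
                                 "name": m.group("name").strip(), "raw": line})
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, rest = m.group("name"), m.group("rest").strip()
        first = rest.split()[0] if rest else ""
        klow = key.lower()
        if rest.endswith("[X]"):
            # Autostart value whose target ComboFix could not find.
            cat = "missing_target"
        elif "\\policies\\" in klow and first not in ("", "0"):
            # Explorer/system policy restriction in effect (e.g. NoSetActiveDesktop).
            cat = "policy_restriction"
        elif "firewallpolicy" in klow and name.lower() == "enablefirewall" and first == "0":
            cat = "firewall_disabled"
        elif ("security center" in klow and name.lower() == "disablemonitoring"
              and rest.lower().endswith("dword:00000001")):
            cat = "monitoring_disabled"
        else:
            continue
        findings.append({"category": cat, "key": key, "name": name, "raw": line})
    return findings


if __name__ == "__main__":
    for f in triage_loading_points(SAMPLE_LOADING_POINTS):
        print(f"{f['category']:22} {f['name']:22} {f['key']}")
```

Run against the excerpt, the triage returns exactly the entries the helper later put into the CFScript (the two `[?]` drivers, the `[X]` RunOnce and Run values and the policy key) plus the disabled firewall and Security Center monitoring, which are worth restoring once the machine is clean.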

Re: Host of virus problems

I ran the avg removal program and it no longer appeared on my computer. However when I ran combofix it kept telling me avg was still active but I ran it anyway. Hope this didn't cause a problem!

Josh

Re: Host of virus problems

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
84b1be9c
npggsvc

File::
C:\487656.bat

Folder::
c:\Program Files\Azureus

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD5772"=-
"SpybotDeletingD1049"=-
"SpybotDeletingB3199"=-
"SpybotDeletingB3461"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
(screenshot: Sfxdaw)

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.
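A CFScript is plain text: a `Name::` header opens a section, a header with no lines under it (such as `KILLALL::`) is a bare directive, and the `Registry::` section uses .reg-file conventions, where `"name"=-` deletes a value and `[-KEY]` deletes a key. The Python below, an added example that is neither ComboFix's code nor the helper's, parses the script above into a structured form and then checks every target it names against the earlier ComboFix log, so an item the log never reported stands out before the script is run. Both sample strings are constructed from the script and the log posted in this thread; treating these section names and the .reg syntax as the whole grammar is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: the CFScript the helper posted in this thread, shortened.
SAMPLE_CFSCRIPT = r"""KILLALL::

Driver::
84b1be9c
npggsvc

File::
C:\487656.bat

Folder::
c:\Program Files\Azureus

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD5772"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"""

# Constructed sample: lines from the earlier ComboFix log that name the same objects.
SAMPLE_LOG_EXCERPT = r"""
2009-05-31 09:18 . 2009-05-31 09:18 192 -c--a-w- C:\487656.bat
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD5772"="del" [X]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"="SYSDLL" [X]
"c:\\Program Files\\Azureus\\Azureus.exe"=
S1 84b1be9c;84b1be9c;c:\windows\system32\drivers\84b1be9c.sys --> c:\windows\system32\drivers\84b1be9c.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"""

HEADER_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_cfscript(text: str) -> Dict:
    """Split a CFScript into its sections and interpret the Registry:: lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            current = m.group("name")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    script: Dict = {
        # A header with nothing under it is a directive rather than a list of targets.
        "directives": sorted(n for n, body in sections.items() if not body),
        "drivers": sections.get("Driver", []),
        "files": sections.get("File", []),
        "folders": sections.get("Folder", []),
        "registry": [],
    }
    key = ""
    for line in sections.get("Registry", []):
        if m := KEY_RE.match(line):
            key = m.group("key")
            if m.group("minus"):  # [-KEY] deletes the whole key
                script["registry"].append({"action": "delete_key", "key": key, "value": ""})
        elif m := VALUE_RE.match(line):
            # "name"=- deletes the value; anything else sets it (.reg-file semantics).
            action = "delete_value" if m.group("data") == "-" else "set_value"
            script["registry"].append({"action": action, "key": key, "value": m.group("name")})
    return script


def _norm(s: str) -> str:
    # Case-insensitive compare; the log escapes backslashes in firewall entries.
    return s.lower().replace("\\\\", "\\")


def cross_check(script: Dict, log_text: str) -> List[str]:
    """Return every script target that does not appear anywhere in the log text."""
    log = _norm(log_text)
    targets = list(script["drivers"]) + list(script["files"]) + list(script["folders"])
    targets += [r["key"] for r in script["registry"] if r["action"] == "delete_key"]
    targets += [r["value"] for r in script["registry"] if r["action"] != "delete_key"]
    return [t for t in targets if _norm(t) not in log]


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    print("directives:", parsed["directives"])
    print("registry actions:", [(r["action"], r["value"] or r["key"]) for r in parsed["registry"]])
    print("not seen in log:", cross_check(parsed, SAMPLE_LOG_EXCERPT))
```

The cross-check is deliberately a substring match on the normalised log rather than anything smarter: its only job is to catch a typo or a target that was never reported, which is the mistake a removal script cannot recover from once ComboFix has run it.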

Re: Host of virus problems

ComboFix 09-05-31.06 - Administrator 06/02/2009 13:01.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1771 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"C:\487656.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\487656.bat
c:\program files\Azureus
c:\program files\Azureus\.install4j\_shfoldr.dll
c:\program files\Azureus\.install4j\autoUninstall.0
c:\program files\Azureus\.install4j\files.log
c:\program files\Azureus\.install4j\i4j_extf_0_5p83tu.utf8
c:\program files\Azureus\.install4j\i4j_extf_1_5p83tu_jhp9vg.png
c:\program files\Azureus\.install4j\i4j_extf_2_5p83tu.txt
c:\program files\Azureus\.install4j\i4j_extf_3_5p83tu_1kde336.ico
c:\program files\Azureus\.install4j\i4j_extf_4_5p83tu_62t8mu.icns
c:\program files\Azureus\.install4j\i4jdel.exe
c:\program files\Azureus\.install4j\i4jinst.dll
c:\program files\Azureus\.install4j\i4jparams.conf
c:\program files\Azureus\.install4j\i4jruntime.jar
c:\program files\Azureus\.install4j\inst_jre.cfg
c:\program files\Azureus\.install4j\install.prop
c:\program files\Azureus\.install4j\installation.log
c:\program files\Azureus\.install4j\installer16.png
c:\program files\Azureus\.install4j\installer32.png
c:\program files\Azureus\.install4j\installerHeader.png
c:\program files\Azureus\.install4j\MessagesDefault
c:\program files\Azureus\.install4j\response.varfile
c:\program files\Azureus\.install4j\unicows.dll
c:\program files\Azureus\.install4j\uninstallerHeader.png
c:\program files\Azureus\.install4j\user.jar
c:\program files\Azureus\aereg.dll
c:\program files\Azureus\Azureus.exe
c:\program files\Azureus\Azureus.exe.manifest
c:\program files\Azureus\Azureus.properties
c:\program files\Azureus\Azureus2.jar
c:\program files\Azureus\AzureusUpdater.exe
c:\program files\Azureus\GPL.txt
c:\program files\Azureus\installer.log
c:\program files\Azureus\msvcr71.dll
c:\program files\Azureus\plugins\azemp\azemp_1.9.10.jar
c:\program files\Azureus\plugins\azemp\azemp_1.9.11.jar
c:\program files\Azureus\plugins\azemp\azemp_1.9.11.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.11.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.11.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.14.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.14.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.16.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.16.zip
c:\program files\Azureus\plugins\azemp\azmplay.exe
c:\program files\Azureus\plugins\azemp\azmplay.exe.bak
c:\program files\Azureus\plugins\azemp\azureus.sig
c:\program files\Azureus\plugins\azemp\cp1250-a.raw
c:\program files\Azureus\plugins\azemp\cp1250-a.raw.bak
c:\program files\Azureus\plugins\azemp\cp1250-b.raw
c:\program files\Azureus\plugins\azemp\cp1250-b.raw.bak
c:\program files\Azureus\plugins\azemp\font.desc
c:\program files\Azureus\plugins\azemp\font.desc.bak
c:\program files\Azureus\plugins\azemp\osd-mplayer-a.raw
c:\program files\Azureus\plugins\azemp\osd-mplayer-a.raw.bak
c:\program files\Azureus\plugins\azemp\osd-mplayer-b.raw
c:\program files\Azureus\plugins\azemp\osd-mplayer-b.raw.bak
c:\program files\Azureus\plugins\azemp\plugin.properties
c:\program files\Azureus\plugins\azemp\plugin.properties_1.9.11
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.11
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.14
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.16
c:\program files\Azureus\plugins\azplugins\azplugins_2.1.4.jar
c:\program files\Azureus\plugins\azrating\azrating_1.3.1.jar
c:\program files\Azureus\plugins\azupdater\azupdater_1.8.8.zip
c:\program files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.6.jar
c:\program files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.8.jar
c:\program files\Azureus\plugins\azupdater\plugin.properties
c:\program files\Azureus\plugins\azupdater\plugin.properties_1.8.8
c:\program files\Azureus\plugins\azupdater\Updater.jar
c:\program files\Azureus\plugins\azupdater\Updater.jar.bak
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.1.7.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.0.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.0.zip
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.1.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.1.zip
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.2.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.2.zip
c:\program files\Azureus\plugins\azupnpav\azureus.sig
c:\program files\Azureus\plugins\azupnpav\plugin.properties
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.0
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.1
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.2
c:\program files\Azureus\swt.jar
c:\program files\Azureus\TOS.txt
c:\program files\Azureus\uninstall.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_84b1be9c


((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-06-02 01:57 . 2009-06-02 01:57 -------- dc----w- c:\documents and settings\Administrator\Application Data\Corel Photo Album
2009-06-02 01:57 . 2009-06-02 01:57 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Corel Photo Album
2009-06-02 01:26 . 2009-06-02 01:26 76056 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 19:26 . 2009-05-31 19:26 -------- dc----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-05-31 19:10 . 2009-05-31 19:10 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-31 16:59 . 2009-05-31 16:59 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-31 16:56 . 2009-05-31 16:56 -------- dcsh--w- c:\documents and settings\Administrator\PrivacIE
2009-05-31 16:51 . 2009-05-31 16:51 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-05-30 03:26 . 2006-10-12 16:29 83504 -c--a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\TEMP\ProgUpd.dll
2009-05-30 03:17 . 2009-05-30 03:17 -------- dc----w- c:\documents and settings\Josh Kelley\Application Data\acccore
2009-05-30 03:17 . 2009-05-30 03:17 -------- dc----w- c:\documents and settings\Josh Kelley\Local Settings\Application Data\AOL
2009-05-30 03:16 . 2009-05-30 03:16 -------- dc----w- c:\documents and settings\Josh Kelley\Local Settings\Application Data\AOL OCP
2009-05-30 03:16 . 2009-05-30 03:16 -------- dc----w- c:\documents and settings\All Users\Application Data\acccore
2009-05-30 03:16 . 2009-05-30 03:18 -------- dc----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-05-30 03:15 . 2009-05-30 03:17 -------- dc----w- c:\program files\AIM6
2009-05-28 18:13 . 2009-05-28 18:13 -------- dcsh--w- c:\documents and settings\Josh Kelley\PrivacIE
2009-05-28 17:33 . 2009-05-28 17:33 -------- dcsh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-05-28 17:30 . 2009-05-26 08:18 105 -c--a-w- C:\tj.vbs
2009-05-20 05:17 . 2009-05-20 05:17 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-20 04:54 . 2009-05-20 04:54 -------- dc----w- c:\program files\Common Files\Adobe AIR
2009-05-20 04:19 . 2009-05-20 04:19 -------- dcsh--w- c:\documents and settings\NetworkService\IETldCache
2009-05-20 04:18 . 2009-05-20 04:18 -------- dcsh--w- c:\documents and settings\LocalService\IETldCache
2009-05-20 04:18 . 2009-05-20 04:18 -------- dcsh--w- c:\documents and settings\Josh Kelley\IETldCache
2009-05-20 04:14 . 2009-05-20 04:14 -------- dc----w- c:\windows\ie8updates
2009-05-20 04:14 . 2009-04-25 05:30 102400 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-20 04:13 . 2009-05-20 04:13 -------- dc-h--w- c:\windows\ie8
2009-05-20 01:19 . 2009-05-20 01:20 -------- dc----w- c:\program files\iTunes
2009-05-20 01:19 . 2009-05-20 01:20 -------- dc----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-20 01:17 . 2009-05-20 01:17 -------- dc----w- c:\program files\QuickTime
2009-05-20 01:06 . 2009-05-20 01:06 75048 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-19 21:39 . 2009-05-28 18:03 3371383 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-16 17:15 . 2009-05-16 17:15 -------- dc----w- c:\program files\Common Files\INCA Shared
2009-05-16 15:43 . 2009-05-19 21:51 -------- dc----w- c:\program files\The Chronicles of Spellborn
2009-05-16 02:19 . 2009-05-16 03:29 -------- dc----w- c:\documents and settings\Josh Kelley\Application Data\GetRightToGo
2009-05-15 20:13 . 2009-05-15 20:13 410984 -c--a-w- c:\windows\system32\deploytk.dll
2009-05-15 20:13 . 2009-05-15 20:13 152576 -c--a-w- c:\documents and settings\Josh Kelley\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-15 19:16 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-15 19:16 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-15 19:16 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-15 19:16 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-15 19:16 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-15 19:16 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-15 19:16 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-15 19:16 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-15 19:16 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-15 19:15 . 2008-05-03 11:55 2560 -c----w- c:\windows\system32\xpsp4res.dll
2009-05-15 19:15 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

.
