fddqsysguard.exe

Hi there,

I think i have a virus on my computer that i have partially dealt with. since yesterday i have been getting lots of pop ups advising me that computer is infected (including a 'windows security' alert asking me if i wihed to run antivirus software-which i closed)and also i was unable to open any program watsoever on my Administrator account. My guest account still worked fine, but i cannot download anything on the guest account.

I was unable to run any antivirus/malware programes in admin account-however i was able to do so in guest. Avira Antivir picked up a few files which it said it had dealt with. also i ran the malwarebytes software-which found nothing, as did symentac.
However logging back on to Admin-the problem still persisted.

Anyway- the next time, as soon as i had logged into administrator account i opened task manager (i would not have been able to open this if i had waited a few mins for all programmes to open up on start up). it showed no applications but many processes open. there were 2 processes both called fddqsysguard.exe which looked suspicous. also there was a process called wscntfy.exe which kept moving up and down the list-so icould never end task it. everytime it moved, a red warning shield would appear in the bottom right tray.many of these shields appeared.

i restarted the computer in safe mode. in msconfig-start up i saw 2 suspicious startup items. both were called fddqsysguard. both had same command ( C:Documents and settings\Administrator\Local Settings\Application Data\josnwb\fddqsysguard.exe) and the same location (HKLM\SOFTWARE\Microsoft\Windows\Current Version\Run).

I unchecked both of these startupitems. i then went to the folder josnwb and deleted it-i then emptied recylce bin.

on restarting the computer-i have noticed that everything seems to be working ok now in admin account. however in msconfig there is still 1 file that says under start up items fddqsysguard.exe. the command is the same, but the location no longer has the HKLM prefix -it just starts of with software. i also can not see any folders named josnwb. i have unchecked this again and restrted the computer. now everytime i start my computer it automatically opens msconfig and advises me that i am only open in selective start up and i should change to normal startup. howver evrytime i selct normal start up-the fddqsysguard.exe is always checked. so now i just ignore the sys config warning that comes up on start up.

my IE wasnt working-until i uncheked the proxy settings.

Everything appears to be working but i still think that the virus may be lurking on my pc. do you have any suggestions please?

also i cannot seem to update avira.-itsaysan error occured dutring download.

many thanks

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 21:57:27, on 30/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224665924531
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.ooxtv.com/vjocx-en.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6203 bytes

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
  
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Remove the Proxy setting in Internet Explorer and/or in FireFox.

In Internet Explorer

1. Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
   

In Firefox

1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
   
2. Click the apply button and restart that computer in normal mode.
   

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

i have done as you have suggested. i already have that malware programe-so i updated it. i performed a quick scan:

Malwarebytes' Anti-Malware 1.43
Database version: 3459
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

31/12/2009 00:00:49
mbam-log-2009-12-31 (00-00-49).txt

Scan type: Quick Scan
Objects scanned: 144888
Time elapsed: 22 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\pdfupd.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FV5X4CSG\ms307[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\yrerib.reg (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\esubax.reg (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.


and a full scan:

Malwarebytes' Anti-Malware 1.43
Database version: 3459
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

31/12/2009 10:10:35
mbam-log-2009-12-31 (10-10-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 201586
Time elapsed: 1 hour(s), 54 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D81B69A9-2B33-4F4B-840A-C70CCDE9095E}\RP136\A0067834.exe (Spyware.Passwords) -> Quarantined and deleted successfully.


However, after deleting the infected files - on start up the sys config utility opens up (as im still not in normal start up), and i can see that under the start up tab there is still a start up item called fddqsysguard present. it isnt checked, but it is still present.

do you have any further suggestions? as i have said , the pc seems to working properly now-however im stil concerned that this programme is still present on computer.

Hello

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  
• Double click DDS.scr to run.
  
• When complete, two logs will open. Save both of the report to your Desktop.
  
• Copy and paste BOTH LOGS back here, use more than one post if needed.
  

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 18:39:26.64 on 31/12/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.492 [GMT 0:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\52114PGJ\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224665924531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.ooxtv.com/vjocx-en.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\c3i2ouc8.default\
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\c3i2ouc8.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-10-3 11608]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-3 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-10-3 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-3 56816]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091211.002\naveng.sys [2009-12-11 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091211.002\navex15.sys [2009-12-11 1323568]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]
S3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [2008-10-22 6016]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]

=============== Created Last 30 ================

2009-12-31 13:19:42 0 d-----w- c:\docume~1\admini~1\applic~1\Office Genuine Advantage
2009-12-30 21:56:44 0 d-----w- c:\program files\TrendMicro

==================== Find3M ====================

2009-12-30 14:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 14:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 21:54:55 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-03 12:06:46 18723 ----a-w- c:\program files\common files\pumeheqoqa.dat
2009-10-03 12:06:46 16649 ----a-w- c:\docume~1\admini~1\applic~1\boqulep.dll
2009-10-03 12:06:45 19436 ----a-w- c:\windows\wene.reg
2009-10-03 12:06:45 18417 ----a-w- c:\windows\yjalujem.reg
2009-10-03 12:06:45 16519 ----a-w- c:\windows\jixufuxoq.exe
2009-10-03 12:06:45 15712 ----a-w- c:\windows\wojunozo.dll
2009-10-03 12:06:45 10887 ----a-w- c:\program files\common files\kadijogejo.exe
2009-10-03 11:36:53 11273 ----a-w- c:\program files\common files\qejeg.pif
2009-10-03 11:36:52 18211 ----a-w- c:\windows\fysuj.vbs
2009-10-03 11:36:52 18064 ----a-w- c:\windows\ibez.pif
2009-10-03 11:36:52 17541 ----a-w- c:\docume~1\admini~1\applic~1\mejixiziky.vbs
2009-10-03 11:36:52 17515 ----a-w- c:\program files\common files\bujubuhyqu._sy
2009-10-03 11:36:52 15565 ----a-w- c:\program files\common files\ulumynehin._dl
2009-10-03 11:36:52 15129 ----a-w- c:\program files\common files\yluhe.bin
2009-10-03 11:36:52 14319 ----a-w- c:\program files\common files\socojoxo.pif
2009-10-03 11:36:52 13043 ----a-w- c:\windows\juhy.exe

============= FINISH: 18:40:00.07 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 22/10/2008 09:20:07
System Uptime: 31/12/2009 10:11:27 (8 hours ago)
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Socket 478 | 2800/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 82.474 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP111: 02/10/2009 20:30:46 - System Checkpoint
RP112: 03/10/2009 13:33:09 - Avira AntiVir Personal - 03/10/2009 13:33
RP113: 03/10/2009 16:32:19 - Software Distribution Service 3.0
RP114: 10/10/2009 13:21:16 - System Checkpoint
RP115: 11/10/2009 13:25:10 - System Checkpoint
RP116: 24/10/2009 18:40:27 - Software Distribution Service 3.0
RP117: 24/10/2009 22:26:33 - Software Distribution Service 3.0
RP118: 26/10/2009 10:25:25 - System Checkpoint
RP119: 01/11/2009 13:00:20 - Software Distribution Service 3.0
RP120: 03/11/2009 18:50:12 - System Checkpoint
RP121: 04/11/2009 09:59:08 - Software Distribution Service 3.0
RP122: 05/11/2009 21:12:36 - System Checkpoint
RP123: 20/11/2009 11:58:12 - System Checkpoint
RP124: 20/11/2009 22:40:15 - Software Distribution Service 3.0
RP125: 22/11/2009 12:47:54 - System Checkpoint
RP126: 26/11/2009 06:56:23 - Software Distribution Service 3.0
RP127: 04/12/2009 16:21:16 - System Checkpoint
RP128: 07/12/2009 18:03:53 - System Checkpoint
RP129: 11/12/2009 22:24:45 - System Checkpoint
RP130: 11/12/2009 23:02:29 - Software Distribution Service 3.0
RP131: 13/12/2009 11:20:43 - System Checkpoint
RP132: 16/12/2009 19:03:34 - System Checkpoint
RP133: 27/12/2009 18:22:01 - System Checkpoint
RP134: 28/12/2009 18:24:28 - System Checkpoint
RP135: 29/12/2009 22:29:08 - System Checkpoint
RP136: 30/12/2009 13:46:18 - Software Distribution Service 3.0
RP137: 30/12/2009 21:56:43 - Installed HiJackThis
RP138: 31/12/2009 00:05:30 - Software Distribution Service 3.0

==== Installed Programs ======================

µTorrent
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.0
Ahead Nero Burning ROM
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
Critical Update for Windows Media Player 11 (KB959772)
Free YouTube to Mp3 Converter version 3.1
FrostWire 4.18.0
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Java(TM) 6 Update 13
Java(TM) 6 Update 7
LiveUpdate 2.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.14)
MSN
OGA Notifier 2.0.0048.0
Paint Shop Pro 6.0 (ESD)
PowerDVD
PS3 Video 9 4.07
RealPlayer
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SereneScreen Aquarium
SopCast 3.2.4
Stream Torrent 1.0
Symantec AntiVirus
TVAnts 1.0
TVUPlayer 2.4.7.2
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Veetle TV 0.9.14
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
YouTube Downloader App 1.02

==== Event Viewer Messages From Past Week ========

31/12/2009 00:14:21, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024002d: Office 2003 Service Pack 3 (SP3).
31/12/2009 00:02:14, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
30/12/2009 15:26:48, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
30/12/2009 15:25:45, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT ssmdrv SYMTDI Tcpip
30/12/2009 15:25:45, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2009 15:25:45, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2009 15:25:45, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2009 15:25:45, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2009 15:24:50, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
30/12/2009 14:24:10, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
30/12/2009 14:24:02, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
30/12/2009 14:23:54, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
30/12/2009 14:23:54, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
30/12/2009 14:23:54, error: Service Control Manager [7031] - The Remote Registry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
30/12/2009 14:23:45, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
30/12/2009 14:23:39, error: Service Control Manager [7031] - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
30/12/2009 14:23:12, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
30/12/2009 14:23:12, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
30/12/2009 13:46:23, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800706ba: Office 2003 Service Pack 3 (SP3).
29/12/2009 21:58:40, error: Service Control Manager [7016] - The SmartLinkService service has reported an invalid current state 0.

==== End Of File ===========================

Hello.

I see that you are running Frostwire and uTorrent.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

You are also running two antivirus', I see from the uninstall list you have Norton installed, along with Avira. This is a bad idea as they can conflict and cause more problems. I would recommend that you remove Symantec to avoid conflict and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

µTorrent
FrostWire 4.18.0
Java(TM) 6 Update 13
Java(TM) 6 Update 7
LiveUpdate 2.0 (Symantec Corporation)
Symantec AntiVirus

Please download the OTMoveIt by OldTimer.

• Save it to your desktop.
  
• Please double-click OTM.exe to run it.
  
• Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :files
  c:\program files\common files\pumeheqoqa.dat
  c:\docume~1\admini~1\applic~1\boqulep.dll
  c:\windows\wene.reg
  c:\windows\yjalujem.reg
  c:\windows\jixufuxoq.exe
  c:\windows\wojunozo.dll
  c:\program files\common files\kadijogejo.exe
  c:\program files\common files\qejeg.pif
  c:\windows\fysuj.vbs
  c:\windows\ibez.pif
  c:\docume~1\admini~1\applic~1\mejixiziky.vbs
  c:\program files\common files\bujubuhyqu._sy
  c:\program files\common files\ulumynehin._dl
  c:\program files\common files\yluhe.bin
  c:\program files\common files\socojoxo.pif
  c:\windows\juhy.exe
  
  
  
• Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

========== FILES ==========
c:\program files\common files\pumeheqoqa.dat moved successfully.
LoadLibrary failed for c:\docume~1\admini~1\applic~1\boqulep.dll
c:\docume~1\admini~1\applic~1\boqulep.dll moved successfully.
c:\windows\wene.reg moved successfully.
c:\windows\yjalujem.reg moved successfully.
c:\windows\jixufuxoq.exe moved successfully.
LoadLibrary failed for c:\windows\wojunozo.dll
c:\windows\wojunozo.dll moved successfully.
c:\program files\common files\kadijogejo.exe moved successfully.
c:\program files\common files\qejeg.pif moved successfully.
c:\windows\fysuj.vbs moved successfully.
c:\windows\ibez.pif moved successfully.
c:\docume~1\admini~1\applic~1\mejixiziky.vbs moved successfully.
c:\program files\common files\bujubuhyqu._sy moved successfully.
c:\program files\common files\ulumynehin._dl moved successfully.
c:\program files\common files\yluhe.bin moved successfully.
c:\program files\common files\socojoxo.pif moved successfully.
c:\windows\juhy.exe moved successfully.

OTM by OldTimer - Version 3.1.4.0 log created on 12312009_195058


it wouldnt allow me to move a couple of the files

Okay, how is the machine now? still got that malicious run value in msconfig startup tab?

the machine is fine. however on msconfig this same fddqsysguard is still on the start up items list. it is however unchecked-so im presuming it doesnt load on start up.

im jut worried its lurking somewhere in the background causing damage.

Hello.
We can get rid of that, it's just a registry key leftover.

• Now open a new notepad file.
  
• Input this into the notepad file:
  

  
  regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
  start notepad C:\look.txt
  
  

  
  
• Save this as look.bat, save it to your desktop.
  
• Double click look.bat to run it.
  
• Copy and paste the report back here.
  

Last edited by Belahzur on 31st December 2009, 10:14 pm; edited 1 time in total

hi

when i click on the look.bat file on desktop i keep getting a registry editor error message saying:

Command line argument requires a filename an nȯne was specified

My bad, slight mistake in my bat scripting there.

Re-run it using my script above now I've fixed the mistake, see if it makes the log this time.

cheers, this is what is says:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gyojuuhj]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fddqsysguard"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\josnwb\\fddqsysguard.exe"
"inimapping"="0"

Hello.

• Please double-click OTM.exe to run it again.
  
• Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :reg
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gyojuuhj]
  
  
  
• Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gyojuuhj\ deleted successfully.

OTM by OldTimer - Version 3.1.4.0 log created on 12312009_231030

That seems to have done the trick! its no longer showing up on the start up items list in msconfig.

Thank you very much indeed - u r a genius!


Is there anything else i need to do-is the computer clear? should i delete the move it/hijack/look.bat programs? how do i do this?

We can remove OTMoveIt now.

• Please double-click OTM.exe to run it again.
  
• Press the green CleanUp! button.
  
• Press Yes cleanup process prompt, do the same for the reboot prompt.
  

How is the machine running now?

hi

yeah its working fine, that move it program has gone. there is no sign of any problems.

i will delete the tool.bat file and shall i leave the hijack program?

youve cracked it mate.

thank you very much once again

Remove look.bat and Hijack This.