Infected with SHeur2, Cryptor, Vundo, Generic12

Hi. My computer (PC running XP SP3) is infected with the following viruses (detected by AVG 8):

SHeur2.MHI
Win32/Cryptor
Vundo.DP
Generic12.AYCO

AVG does not seem able to "heal" these.

I saw a related post at:
http://www.geekpolice.net/malware-removal-hijackthis-logs-f11/trojan-vundo-sheur2-and-others-t5345.htm?highlight=sheur2

I wasn't sure if I should just do what is described there or if I should be doing something else. Thanks for any recommendations!

- Ken

Hello.
Please do not run tools posted for other users, follow these instructions.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  Link 3
  
• Double click DDS.scr to run
  
• When complete, DDS.txt will open.
  
• Click No for Optional Scan.
  
• Save the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 3

1/20/2009 6:49:23 PM
mbam-log-2009-01-20 (18-49-23).txt

Scan type: Quick Scan
Objects scanned: 61041
Time elapsed: 53 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\emotagakusadiyur (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blajog (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.

Please post the DDS log.

Here is the DDS output:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Aaron at 19:03:00.25 on Tue 01/20/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.100 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\Password Manager\password_manager.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aaron\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://lenovo.live.com
mDefault_Page_URL = hxxp://lenovo.live.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\password manager\tvtpwm_ie_com.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [LPManager] c:\progra~1\lenovo\lenovo~2\LPMGR.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [AMSG] c:\progra~1\thinkv~1\amsg\amsg.exe
mRun: []
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Password Manager] "c:\program files\lenovo\password manager\password_manager.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aaron\applic~1\mozilla\firefox\profiles\tf5wadj2.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\lenovo\password manager\pwm firefox extension\components\tvtpwm_moz_xpcom.dll
FF - HiddenExtension: XUL Cache: {56695635-64C6-41FB-9BCF-7D0775BE00A0} - c:\documents and settings\aaron\local settings\application data\{56695635-64C6-41FB-9BCF-7D0775BE00A0}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-12-1 26824]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2006-9-13 35264]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-6 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-6 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-3 76040]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-9-29 991232]
R4 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-5-22 569344]

=============== Created Last 30 ================

2009-01-20 17:53 --d----- c:\docume~1\aaron\applic~1\Malwarebytes
2009-01-20 17:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-20 17:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 17:53 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 17:53 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-19 10:30 --dsh--- c:\windows\system32\twain32
2009-01-19 10:28 1,409 a------- c:\windows\QTFont.for
2009-01-19 10:28 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-25 14:26 --d-h--- C:\$AVG8.VAULT$

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-07 09:53 182,660 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-12-16 21:12 88 ---shr-- c:\windows\system32\6EE8EF455A.sys
2007-12-16 21:12 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-11-24 07:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-21 15:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat
2007-12-01 10:00 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2007-12-01 10:00 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2007-12-01 10:00 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 19:03:39.42 ===============

Ah, DDS shows a Goored infection.

Please download GooredFix and save it to your Desktop. Please double-click GooredFix.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Here is the GooredFix log....

GooredFix v1.83 by jpshortstuff
Log created at 20:57 on 20/01/2009 running Option #2 (Aaron)
Firefox version 2.0.0.20 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{56695635-64C6-41FB-9BCF-7D0775BE00A0}"="C:\Documents and Settings\Aaron\Local Settings\Application Data\{56695635-64C6-41FB-9BCF-7D0775BE00A0}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Aaron\Local Settings\Application Data\{56695635-64C6-41FB-9BCF-7D0775BE00A0}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{C0C8B841-60E4-4A2E-86EF-D01923F70B77}"="C:\Documents and Settings\Admin\Local Settings\Application Data\{C0C8B841-60E4-4A2E-86EF-D01923F70B77}\" (Folder Missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

Hello.
Gooredfix shows a leftover, so we need to remove it.

• Now open a new notepad file.
  
• Input this into the notepad file:
  

  
  Windows Registry Editor Version 5.00
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
  "{C0C8B841-60E4-4A2E-86EF-D01923F70B77}"=-
  
  

  
  
• Save this as fix.reg, save it to your desktop.
  
• Double click fix.reg to run it.
  
• Select yes to the registry merge prompt.
  

What problems remain?

Hi. After I did all this, I restarted my PC, and then AVG Resident Shield Alert reported this:
*************
Threat detected!
File name: C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\9J9DUJ3A\traff[1].jpg

Threat name: Trojan horse SHeur2.MHI
Detected on open.
**************

So it looks like something is still up.

Here are the logs:

Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 3

1/20/2009 11:58:38 PM
mbam-log-2009-01-20 (23-58-38).txt

Scan type: Quick Scan
Objects scanned: 61823
Time elapsed: 53 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*************

DDS (Ver_09-01-18.01) - NTFSx86
Run by Aaron at 0:04:49.82 on Wed 01/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.181 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Lenovo\Password Manager\password_manager.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aaron\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://lenovo.live.com
mDefault_Page_URL = hxxp://lenovo.live.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\password manager\tvtpwm_ie_com.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [LPManager] c:\progra~1\lenovo\lenovo~2\LPMGR.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [AMSG] c:\progra~1\thinkv~1\amsg\amsg.exe
mRun: []
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Password Manager] "c:\program files\lenovo\password manager\password_manager.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aaron\applic~1\mozilla\firefox\profiles\tf5wadj2.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\lenovo\password manager\pwm firefox extension\components\tvtpwm_moz_xpcom.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-20 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-12-1 26824]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2006-9-13 35264]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-6 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-6 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-3 76040]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 942416]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-9-29 991232]
R4 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-5-22 569344]

=============== Created Last 30 ================

2009-01-21 00:03 --d-h--- c:\windows\PIF
2009-01-20 22:02 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-20 21:58 -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-20 21:57 --d----- c:\program files\Lavasoft
2009-01-20 17:53 --d----- c:\docume~1\aaron\applic~1\Malwarebytes
2009-01-20 17:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-20 17:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 17:53 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 17:53 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-19 10:30 --dsh--- c:\windows\system32\twain32
2009-01-19 10:28 1,409 a------- c:\windows\QTFont.for
2009-01-19 10:28 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-25 14:26 --d-h--- C:\$AVG8.VAULT$

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-07 09:53 182,660 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-12-16 21:12 88 ---shr-- c:\windows\system32\6EE8EF455A.sys
2007-12-16 21:12 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-11-24 07:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-21 15:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat
2007-12-01 10:00 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2007-12-01 10:00 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2007-12-01 10:00 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 0:05:29.79 ===============

GooredFix v1.83 by jpshortstuff
Log created at 00:09 on 21/01/2009 running Option #2 (Aaron)
Firefox version 2.0.0.20 (en-US)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

Hi again. I ran an AVG scan which did not detect any threats, but overnight, once again the Resident Shield found the Trojan horse SHeur2.MHI. The file name was:

C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP206\A0015339.dll

This morning I ran a Lavasoft Ad-Aware scan (Anniversary Edition/Free edition). It is still running, but during the run, the AVG Resident Shield found the following threats:

A Virus called Win32/Cryptor. The file name is:
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\HL2PMA5M\sie[1].jpg

Another Cryptor called:
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\P206\A0015348.exe

A Trojan horse Vundo.DP file name:
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP206\A0015347.dll


Note that the user account having the problem is Aaron. I have one other account on this same computer which hasn't had this problem (though I haven't logged on there much since this problem started). I should also mention that when AVG finds these threats, I click the "Heal" option, then AVG moves it into the "virus vault."

The Ad-Aware run completed and found one suspicious file. Here is the log:

Logfile created: 1/21/2009 6:52:16
Lavasoft Ad-Aware version: 8.0
Extended engine version: 8.1
User performing scan: Aaron

*********************** Definitions database information ***********************
Lavasoft definition file: 145.0
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 112144
Objects detected: 1


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 1
Folders.........: 0
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0



Skipped items:
Description: C:\WINDOWS\system32\vidccleaner.exe Family Name: Suspicious Object Clean status: Success Item ID: 0 Family ID: 0

Here is some interesting information. This is the AVG Resident Shield info. It seems to indicate that some of my current threats are associated with the various spyware programs I have been running, including Ad-Aware and mbam:

*********

Resident Shield detection
"Infection";"Object";"Result";"Detection time";"Object Type";"Process"

"Trojan horse Delf.HTH";"C:\WINDOWS\TEMP\mcenspc.dll";"Infected";"1/19/2009, 10:32:43 AM";"file";"C:\WINDOWS\TEMP\2E.tmp"

"Trojan horse Delf.HTH";"C:\WINDOWS\system32\mcenspc.dll";"Moved to Virus Vault";"1/19/2009, 10:32:43 AM";"file";"C:\WINDOWS\TEMP\2E.tmp"

"Trojan horse SHeur2.MHI";"C:\WINDOWS\EDAPAGECAGUHIMU.DLL";"Moved to Virus Vault";"1/20/2009, 5:53:25 AM";"file";""

"Virus identified Win32/Cryptor";"C:\WINDOWS\system32\twex.exe";"Moved to Virus Vault";"1/20/2009, 5:59:11 AM";"file";"C:\WINDOWS\system32\winlogon.exe"

"Trojan horse Vundo.DP";"C:\WINDOWS\ejobuxey.dll";"Moved to Virus Vault";"1/20/2009, 5:59:11 AM";"file";"C:\WINDOWS\system32\rundll32.exe"

"Trojan horse SHeur2.MHI";"C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\9J9DUJ3A\traff[1].jpg";"Infected";"1/20/2009, 5:59:23 PM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

"Trojan horse SHeur2.MHI";"C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\9J9DUJ3A\traff[1].jpg";"Moved to Virus Vault";"1/20/2009, 10:12:03 PM";"file";"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"

"Virus identified Win32/Cryptor";"C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\HL2PMA5M\sie[1].jpg";"Infected";"1/20/2009, 11:10:33 PM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

"Trojan horse SHeur2.MHI";"C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP206\A0015339.dll";"Moved to Virus Vault";"1/21/2009, 1:22:45 AM";"file";"C:\WINDOWS\System32\svchost.exe"

"Virus identified Win32/Cryptor";"C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\HL2PMA5M\sie[1].jpg";"Moved to Virus Vault";"1/21/2009, 6:57:40 AM";"file";"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"

"Trojan horse Vundo.DP";"C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP206\A0015347.dll";"Moved to Virus Vault";"1/21/2009, 7:19:24 AM";"file";"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"

"Virus identified Win32/Cryptor";"C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP206\A0015348.exe";"Moved to Virus Vault";"1/21/2009, 7:19:24 AM";"file";"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"

**********

Note that I did just ugrade to the Ad-Aware Anniversary Free edition after I thought my system was clean. So both Ad-Aware and mbam were installed after the initial infections were discovered by AVG.

Last edited by kk_oop on 21st January 2009, 2:09 pm; edited 1 time in total (Reason for editing : Clarified information)

Hello.
Alot it found was just restore points and temp files.
We won't clean restore points just yet, we may need them.

We'll clean temp files first.

Download ATF Cleaner

• Double-click ATF-Cleaner.exe to run the program.
  
• Click Select All found at the bottom of the list.
  
• Click the Empty Selected button.
  

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
  
• Click the Empty Selected button.
  
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.
  

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
  
• Click the Empty Selected button.
  
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.

Please post a new DDS scan.

Hi. I ran atf-cleaner. Here's the resulting DDS output:

*********
DDS (Ver_09-01-18.01) - NTFSx86
Run by Aaron at 17:22:17.81 on Wed 01/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.213 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\Program Files\Lenovo\Password Manager\password_manager.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Documents and Settings\Aaron\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://lenovo.live.com
mDefault_Page_URL = hxxp://lenovo.live.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\password manager\tvtpwm_ie_com.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [LPManager] c:\progra~1\lenovo\lenovo~2\LPMGR.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [AMSG] c:\progra~1\thinkv~1\amsg\amsg.exe
mRun: []
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Password Manager] "c:\program files\lenovo\password manager\password_manager.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aaron\applic~1\mozilla\firefox\profiles\tf5wadj2.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\lenovo\password manager\pwm firefox extension\components\tvtpwm_moz_xpcom.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-20 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-12-1 26824]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2006-9-13 35264]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-6 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-6 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-3 76040]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 942416]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-9-29 991232]
R4 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-5-22 569344]

=============== Created Last 30 ================


==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-07 09:53 182,660 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2007-12-16 21:12 88 ---shr-- c:\windows\system32\6EE8EF455A.sys
2007-12-16 21:12 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-11-24 07:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-21 15:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat

============= FINISH: 17:22:59.85 ===============

Looks good.
We'll clean restore points now.


To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

What problems remain?

All is well!!! The Trojans appear to have been defeated!!!!

The only thing I am seeing now is that Ad-Aware is seeing a suspicious file described this way:

C:\WINDOWS\system32\vidccleaner.exe Family Name: Suspicious Object Clean status: Success Item ID: 0 Family ID: 0

Should I care about this?

Thanks,

Ken

As Adaware says, "Suspicious Object" - means it looks/thinks it's malware, but it may not be.

Please upload this file in bold:
C:\WINDOWS\system32\vidccleaner.exe
To this site below for a scan.
http://virusscan.jotti.org/

Copy and paste the results back here.

Looks like it's nothing--so I believe this case is closed!!!

Thanks so much!!!

Scan taken on 22 Jan 2009 00:57:01 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Yep, looks like a false positive in adaware, but don't delete the file, I'm not sure what it's used by.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

Hi. I have Ad-Aware (the free "anniversary" edition). I also have AVG.

Regarding the other programs, Spybot-Search & Destroy, SpywareBlaster, and SpywareGuard, do you recommend installing all of them? I'm just wondering why I would need all--does each do something different? Or is the idea if I have all installed, perhaps one will catch something the others miss?

Thanks for any info,

Ken

No, don't install them all, just one or two and you should be fine.

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.