
Author Topic: Virus without Detection  (Read 7467 times)


Ragnoph

    Topic Starter


    Rookie

    Virus without Detection
    « on: July 19, 2010, 05:31:26 PM »
    Greetings:

    My name is Jon. I have a Toshiba laptop, and recently received a virus (possibly through LimeWire, but I am not sure). I normally have AntiVir, but all full scans of the system come up without any detections. I then downloaded the free trial of McAfee, and each time it finds trojans and tracking cookies. It cleans them up, but the initial virus that is causing all of this still remains. Here are the symptoms that let me know it's still here:

    Whenever I open Internet Explorer, a hidden file "idgrvecqmn" is created on my desktop. Also, whenever I try to search something (from Yahoo or Google) the links to the sites that come back all lead to advertisement pages instead of the desired page.

    Occasionally, Windows Explorer closes down as soon as I start my computer, and I have to Ctrl-Alt-Del to restart the computer or at least restart Windows Explorer. This hasn't happened in the past day or two.

    The most recent symptom is back with Internet Explorer, as when it is in full-screen mode it does this weird thing where I cannot see the toolbar for Windows Explorer at the bottom of the screen (unless I minimize Internet Explorer or make it just a partial screen), and on the top where I would type in internet addresses it disappears until I scroll the mouse to the top of the screen.

    When I first ran McAfee it told me it didn't detect anything. Then the virus tried to do something (first time Windows Explorer crashed and had to be restarted) and now viruses keep popping up, but I cannot get rid of the sucker that started all of this.

    Is there another antivirus software I can download that would be more effective? I always update McAfee before running the scan, hoping it will be updated to be able to detect the initial virus, but so far no good.

    Any help would be most appreciated. Thank you so much for taking the time to look over my problem.

    2x3i5x



      Expert
    Re: Virus without Detection
    « Reply #1 on: July 19, 2010, 05:34:26 PM »
    Try using the free ESET online scanner for another opinion of what's actually on your PC, and also see the Computer Hope malware help guide and follow the directions, and a malware specialist will help get you on your way with your PC.

    Geek-9pm


      Mastermind
    Re: Virus without Detection
    « Reply #2 on: July 19, 2010, 05:39:30 PM »
    Quote
    Any help would be most appreciated. Thank you so much for taking the time to look over my problem.
    There are a number of PC users who believe the only sure way is to do a clean install of everything and restore data from the backup. You do have a backup?
    Or a restore from a partition image.

    But have you already used Megabytes in Safe mode?

    2x3i5x



      Expert
    Re: Virus without Detection
    « Reply #3 on: July 19, 2010, 05:42:19 PM »
    But have you already used Megabytes in Safe mode?

    What is megabytes? A file size?

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    Re: Virus without Detection
    « Reply #4 on: July 19, 2010, 06:18:52 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    * Double-click the icon on your desktop to run the installer.
    * When asked to Update the program definitions, click Yes
    * If you encounter any problems while downloading the updates, manually download and unzip them from here
    * Next click the Preferences button.
        • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
    * Click the Scanning Control tab.
    * Under Scanner Options make sure only the following are checked:
        • Close browsers before scanning
        • Scan for tracking cookies
        • Terminate memory threats before quarantining
      Please leave the others unchecked
        • Click the Close button to leave the control center screen.
    * On the main screen click Scan your computer
    * On the left check the box for the drive you are scanning.
    * On the right choose Perform Complete Scan
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK
    * Make sure everything in the white box has a check next to it, then click Next
    * It will quarantine what it found and if it asks if you want to reboot, click Yes

    To retrieve the removal information please do the following:
        • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
        • Click Preferences. Click the Statistics/Logs tab.
        • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
        • It will open in your default text editor (preferably Notepad).
        • Save the Notepad file to your desktop by clicking (in Notepad) File > Save As...
    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Copy and Paste the log in your post.

    =====================================

    Please download Malwarebytes Anti-Malware from here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    =====================================

    Please download: HiJackThis to your Desktop.
    • Double Click the HijackThis icon, located on your Desktop.
    • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
    • Accept the license agreement.
    • Click the Open the Misc Tools section button.
    • Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
    • Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
    • Please post the log in your next reply.
    ====================================

    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
    * Open the Security Check folder and double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

    Ragnoph

      Topic Starter


      Rookie

      Re: Virus without Detection
      « Reply #5 on: July 20, 2010, 01:42:11 PM »
      Log from SUPER AntiSpyware quick scan:

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 07/20/2010 at 09:43 AM

      Application Version : 4.40.1002

      Core Rules Database Version : 5233
      Trace Rules Database Version: 3045

      Scan type       : Quick Scan
      Total Scan Time : 00:19:34

      Memory items scanned      : 658
      Memory threats detected   : 3
      Registry items scanned    : 2068
      Registry threats detected : 14
      File items scanned        : 7022
      File threats detected     : 30

      Adware.Vundo/Variant-X32[Header]
         C:\WINDOWS\SYSTEM32\DSPRPRES32.DLL
         C:\WINDOWS\SYSTEM32\DSPRPRES32.DLL
         HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{058718E5-C467-43F3-BDE6-3E86AE0E7B69}
         HKCR\CLSID\{058718E5-C467-43F3-BDE6-3E86AE0E7B69}
         HKCR\CLSID\{058718E5-C467-43F3-BDE6-3E86AE0E7B69}\InprocServer32
         HKCR\CLSID\{058718E5-C467-43F3-BDE6-3E86AE0E7B69}\InprocServer32#ThreadingModel
         HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5BB033D-3421-BFD9-4012-CB82668CD82E}
         HKCR\CLSID\{E5BB033D-3421-BFD9-4012-CB82668CD82E}
         HKCR\CLSID\{E5BB033D-3421-BFD9-4012-CB82668CD82E}
         HKCR\CLSID\{E5BB033D-3421-BFD9-4012-CB82668CD82E}\InProcServer32
         HKCR\CLSID\{E5BB033D-3421-BFD9-4012-CB82668CD82E}\InProcServer32#ThreadingModel
         HKU\S-1-5-21-3573051235-2141633314-3562829705-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{058718E5-C467-43F3-BDE6-3E86AE0E7B69}
         HKU\S-1-5-21-3573051235-2141633314-3562829705-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E5BB033D-3421-BFD9-4012-CB82668CD82E}
         Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\4c319037967
         C:\WINDOWS\SYSTEM32\AVICAP3232.DLL
         C:\WINDOWS\SYSTEM32\D3DRM32.DLL
         C:\WINDOWS\SYSTEM32\DSSENH32.DLL
         C:\WINDOWS\SYSTEM32\GLMF3232.DLL

      Heuristic.Backdoor
         C:\DOCUMENTS AND SETTINGS\JON L. PEACOCK\APPLICATION DATA\SYSTEMPROC\LSASS.EXE
         C:\DOCUMENTS AND SETTINGS\JON L. PEACOCK\APPLICATION DATA\SYSTEMPROC\LSASS.EXE
         C:\WINDOWS\Prefetch\LSASS.EXE-0F9F560F.pf

      Trojan.Unclassified-Packed/Suspicious
         C:\WINDOWS\SYSTEM32\DMSERVER32.DLL
         C:\WINDOWS\SYSTEM32\DMSERVER32.DLL

      Adware.Tracking Cookie
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@advertise[1].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\[email protected][2].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\[email protected][1].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@casalemedia[2].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@bravenet[1].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@adbrite[2].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@mediaplex[2].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@questionmarket[2].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@atwola[1].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@adecn[1].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@atdmt[1].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@yieldmanager[1].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@doubleclick[2].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@tacoda[1].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\[email protected][1].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\[email protected][2].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\[email protected][2].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@advertising[1].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@invitemedia[1].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@apmebf[2].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@imrworldwide[2].txt

      Disabled.SecurityCenterOption
         HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
         HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY

      Trojan.Dropper/Win-NV
         C:\WINDOWS\SYSTEM32\GETUNAME32.DLL

      Log from SUPERAntiSpyware Full Scan (with all specifications you said to do):

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 07/20/2010 at 01:46 PM

      Application Version : 4.40.1002

      Core Rules Database Version : 5233
      Trace Rules Database Version: 3045

      Scan type       : Complete Scan
      Total Scan Time : 03:32:23

      Memory items scanned      : 607
      Memory threats detected   : 0
      Registry items scanned    : 7488
      Registry threats detected : 0
      File items scanned        : 99880
      File threats detected     : 2

      Adware.Tracking Cookie
         C:\Documents and Settings\Jon L. Peacock\Cookies\[email protected][2].txt
         C:\Documents and Settings\Jon L. Peacock\Cookies\jon_l._peacock@doubleclick[1].txt

      Ragnoph

        Topic Starter


        Rookie

        Re: Virus without Detection
        « Reply #6 on: July 20, 2010, 04:11:00 PM »
        File Log from Malwarebytes' Full Scan:

        Malwarebytes' Anti-Malware 1.46
        www.malwarebytes.org

        Database version: 4052

        Windows 5.1.2600 Service Pack 3
        Internet Explorer 7.0.5730.11

        7/20/2010 6:13:43 PM
        mbam-log-2010-07-20 (18-13-43).txt

        Scan type: Full scan (C:\|)
        Objects scanned: 216101
        Time elapsed: 2 hour(s), 7 minute(s), 46 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 1
        Registry Values Infected: 1
        Registry Data Items Infected: 0
        Folders Infected: 2
        Files Infected: 20

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        HKEY_CLASSES_ROOT\.fsharproj (Trojan.Tracur) -> Quarantined and deleted successfully.

        Registry Values Infected:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Agent) -> Quarantined and deleted successfully.

        Registry Data Items Infected:
        (No malicious items detected)

        Folders Infected:
        C:\WINDOWS\system32\SysWoW32 (Worm.Archive) -> Quarantined and deleted successfully.
        C:\Documents and Settings\Jon L. Peacock\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.

        Files Infected:
        C:\WINDOWS\system32\SysWoW32\mu376162925v4 (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\mu376162925v4.kwd (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\mu376162925v5 (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\mu376162925v5.kwd (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\mu376162925v6 (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\mu376162925v6.kwd (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\mu376162925v7 (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\mu376162925v7.kwd (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\wu376162925v0 (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\wu376162925v0.kwd (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\wu376162925v1 (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\wu376162925v1.kwd (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\wu376162925v2 (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\wu376162925v2.kwd (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\wu376162925v3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\_u376162925v0 (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\_u376162925v1 (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\_u376162925v2 (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\SysWoW32\_u376162925v3 (Worm.Archive) -> Quarantined and deleted successfully.
        C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.

        Ragnoph

          Topic Starter


          Rookie

          Re: Virus without Detection
          « Reply #7 on: July 20, 2010, 04:26:48 PM »
          Log for HijackThis (I did not delete anything, because there were many finds and it said that not all of them may be bad...I am awaiting further instructions before doing anything with HijackThis):

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 6:29:20 PM, on 7/20/2010
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.17055)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Windows Defender\MsMpEng.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
          C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Avira\AntiVir Desktop\sched.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\Windows Defender\MSASCui.exe
          C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
          C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
          C:\Program Files\Logitech\QuickCam\Quickcam.exe
          C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
          C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
          C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
          C:\Program Files\Synaptics\SynTP\Toshiba.exe
          C:\WINDOWS\system32\igfxpers.exe
          C:\WINDOWS\system32\hkcmd.exe
          C:\WINDOWS\System32\DLA\DLACTRLW.EXE
          C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
          C:\Program Files\McAfee.com\Agent\mcagent.exe
          C:\Program Files\Avira\AntiVir Desktop\avguard.exe
          C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
          C:\Program Files\Common Files\Java\Java Update\jusched.exe
          C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
          C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          C:\Program Files\Bonjour\mDNSResponder.exe
          C:\WINDOWS\system32\drivers\CDAC11BA.EXE
          C:\WINDOWS\system32\DVDRAMSV.exe
          C:\WINDOWS\eHome\ehRecvr.exe
          C:\WINDOWS\eHome\ehSched.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
          C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
          C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
          C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
          C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
          C:\WINDOWS\system32\svchost.exe
          c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
          C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
          C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
          C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
          C:\Program Files\Skype\Phone\Skype.exe
          C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
          C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
          C:\WINDOWS\system32\RAMASST.exe
          C:\WINDOWS\system32\dllhost.exe
          C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
          C:\WINDOWS\system32\igfxext.exe
          C:\WINDOWS\system32\igfxsrvc.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\Program Files\Skype\Plugin Manager\skypePM.exe
          C:\Program Files\Internet Explorer\iexplore.exe
          C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
          R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (filesize 63136 bytes, MD5 42729C3DE75A7A51FC6F9EF6546C9199)
          O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll (filesize 245272 bytes, MD5 6432FCF6D4872A8942A68B8A012F9BA9)
          O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (filesize 110652 bytes, MD5 94D61FA6DF58A22F139121B945D22083)
          O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100712005209.dll (filesize 73288 bytes, MD5 8F2C804A891173CF42BE3E7FBD9DA550)
          O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (filesize 804136 bytes, MD5 7D52D1B380C1231FCEC11A707726A781)
          O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (filesize 1196936 bytes, MD5 E4DA316797A0B111F19F88A01EAB451D)
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (filesize 41760 bytes, MD5 385BD69743EA92E76CDF07B3345A25D5)
          O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (filesize 79648 bytes, MD5 4E2BB6D2677B42AD04BE18A6E9817B68)
          O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
          O3 - Toolbar: LimeWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (filesize 1196936 bytes, MD5 E4DA316797A0B111F19F88A01EAB451D)
          O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (filesize 866584 bytes, MD5 77C03BF23AE56B0A31AE4D5BB4B3D0AC)
          O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en (filesize 1589248 bytes, MD5 34FA97DBF7E3C75AEE34D065A3B3143A)
          O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exe
          O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide (filesize 2027792 bytes, MD5 5CD7B01284E6B2E017F49A0F694E0933)
          O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" (filesize 563984 bytes, MD5 BE97F174CEBEB029F28FF06CB16D70CF)
          O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" (filesize 667718 bytes, MD5 5A6ACFF04D39D4C16F1FF52682C3B1B0)
          O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless (filesize 602182 bytes, MD5 D4830448B45CDD45F4285DC6E152764F)
          O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\igfxtray.exe
          O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\system32\igfxpers.exe
          O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\hkcmd.exe
          O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\WINDOWS\System32\DLA\DLACTRLW.EXE
          O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min (filesize 209153 bytes, MD5 29680A793F690EEF4AAA68479D2A6DF8)
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (filesize 413696 bytes, MD5 FABAD2BFD44661D8CC627E5485BFAFAF)
          O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey (filesize 1193848 bytes, MD5 1A4FEE255228AB6EFCAA81BC6BE2D591)
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" (filesize 248040 bytes, MD5 52DB6CDAC5BC7A1FC884E97C41C91213)
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized (filesize 26192168 bytes, MD5 70B6D0C45256B688B7DBC10E922FB402)
          O4 - HKCU\..\Run: [zvchost.exe] C:\Documents and Settings\Jon L. Peacock\Application Data\Microsoft\zvchost.exe
          O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
          O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
          O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
          O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
          O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe (filesize 118784 bytes, MD5 0A69272204F37AC304B80FE5BDFB223D)
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (filesize 83360 bytes, MD5 5BC65464354A9FD3BEAA28E18839734A)
          O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (filesize 155648 bytes, MD5 5648152AD2CCAB0265EAB9711755F484)
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
          O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (filesize 804136 bytes, MD5 7D52D1B380C1231FCEC11A707726A781)
          O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (filesize 804136 bytes, MD5 7D52D1B380C1231FCEC11A707726A781)
          O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll (filesize 1499136 bytes, MD5 26CB10FA893F940AB09713FF46DCDADE)
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
          O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
          O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
          O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (filesize 804136 bytes, MD5 7D52D1B380C1231FCEC11A707726A781)
          O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (filesize 2135336 bytes, MD5 028FF74DAFDC7BB45C956A5EC8926CEE)
          O20 - AppInit_DLLs: C:\WINDOWS\system32\dsprpres32.dll
          O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
          O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
          O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
          O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
          O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
          O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
          O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
          O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
          O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
          O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
          O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
          O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
          O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
          O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
          O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
          O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
          O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
          O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
          O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
          O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
          O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
          O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
          O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
          O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
          O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
          O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
          O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

          --
          End of file - 16305 bytes

          JJ 3000



            Egghead
          • Thanked: 237
          • Experience: Familiar
          • OS: Linux variant
          Re: Virus without Detection
          « Reply #8 on: July 20, 2010, 05:07:33 PM »
          Your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help.
          « Last Edit: July 20, 2010, 05:51:19 PM by SuperDave »
          Save a Life!
          Adopt a homeless pet.
          http://www.petfinder.com/

          Ragnoph

            Topic Starter


            Rookie

            Re: Virus without Detection
            « Reply #9 on: July 20, 2010, 05:22:05 PM »
            Checkup Log:

             Results of screen317's Security Check version 0.99.4 
             Windows XP Service Pack 3 
             Internet Explorer 7 Out of date!
            ``````````````````````````````
            Antivirus/Firewall Check:

             Windows Firewall Disabled! 
             Avira AntiVir Personal - Free Antivirus
             McAfee Total Protection   
             Antivirus up to date! 
            ```````````````````````````````
            Anti-malware/Other Utilities Check:

             Malwarebytes' Anti-Malware   
             HijackThis 2.0.2   
             CCleaner (remove only)   
             Java(TM) 6 Update 20 
             Adobe Flash Player   
            Adobe Reader 7.0
            Out of date Adobe Reader installed!
            ````````````````````````````````
            Process Check: 
            objlist.exe by Laurent

             Windows Defender MSMpEng.exe
             Windows Defender MSASCui.exe
             Avira Antivir avgnt.exe
             Avira Antivir avguard.exe
             Windows Defender MsMpEng.exe   
             Windows Defender MSASCui.exe   
            ````````````````````````````````
            DNS Vulnerability Check:

             Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

            ``````````End of Log````````````

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: Virus without Detection
            « Reply #10 on: July 20, 2010, 06:30:13 PM »
            You are running two Anti-Virus programs on your computer, which is a no-no: Avira AntiVir Personal and McAfee Total Protection. One will have to be disabled. If you decide to keep McAfee Total Protection, I would imagine it also has a firewall, so you will not be able to use the Windows Firewall.
            =====================================

            Please download the newest version of Adobe Acrobat Reader from Adobe.com

            Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
            Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
            Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

            Once old versions are gone, please install the newest version.

            ======================================

            I strongly recommend that you remove Ask from your computer because it:

            •Promotes its toolbars on sites targeted to kids.

            •Promotes its toolbars through ads that appear to be part of other companies' sites.

            •Promotes its toolbars through other companies' spyware.

            •Installs without any disclosure whatsoever and without any consent whatsoever.

            •Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

            •Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

            See Here for more info.

            If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

            AskBarDis or anything related to Ask

            Then please find and delete this folder in bold (if present):
            C:\Program Files\AskBarDis. or anything related to Ask.

            ===================================

            P2P - I see you have P2P software installed on your machine. (LimeWire) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

            Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

            I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

            ====================================

            Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

            Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

            Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

            Exit out of MessengerDisable then delete the two files that were put on the desktop.

            ========================================

            Open HijackThis and select Do a system scan only

            Place a check mark next to the following entries: (if there)

            R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
            O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (filesize 1196936 bytes, MD5 E4DA316797A0B111F19F88A01EAB451D)
            O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
            O20 - AppInit_DLLs: C:\WINDOWS\system32\dsprpres32.dll


            Important: Close all open windows except for HijackThis and then click Fix checked.

            Once completed, exit HijackThis.

            ==============================

            Go to Start > Run > type Notepad.exe and click OK to open Notepad.

            Copy all of the text in the below Code box into Notepad.

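            Code:
            @echo off
            rem Force-delete the DLL that was listed under O20 - AppInit_DLLs above
            del /f C:\WINDOWS\system32\dsprpres32.dll
            rem Remove this script itself once it has run
            del event.bat
            exit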

            In Notepad go to File > Save as, choose to save it to your desktop and name it event.bat

            Now double click the event.bat file you just created and let it finish.

            You will know it's finished when there is a new file on your desktop.

            ===================================

            Download ComboFix by sUBs from one of the below links. 

            Important! You MUST save ComboFix to your desktop

            link # 1
            Link # 2

            Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

            Double click on ComboFix.exe & follow the prompts.

            Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

            Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

            When the scan completes it will open a text window.
             
            Post the contents of that log in your next reply.

            Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
            Windows 8 and Windows 10 dual boot with two SSD's
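The entry selection in the post above, shown as an added example that is not part of the original post or of HijackThis: a small Python parser for HijackThis 2.0.2 log lines that surfaces entries worth a second look. The three review rules and the names parse_line, review and triage are assumptions of this example; the sample entries are copied from the log and fix list in this thread.

```python
import re
from dataclasses import dataclass

# Sample entries copied from the HijackThis log and fix list in this thread,
# followed by the two trailer lines of the log to show they are skipped.
SAMPLE_LOG = r"""
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (filesize 1196936 bytes, MD5 E4DA316797A0B111F19F88A01EAB451D)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\dsprpres32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
--
End of file - 16305 bytes
"""

# "<section code> - <rest>", e.g. "O20 - AppInit_DLLs: C:\...".
ENTRY_RE = re.compile(r"^\s*(?P<code>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")
# Optional "(filesize N bytes, MD5 <32 hex>)" suffix that some lines carry.
FILE_META_RE = re.compile(r"\s*\(filesize \d+ bytes, MD5 [0-9A-Fa-f]{32}\)$")

# Review rules of this example (assumptions, not HijackThis's own logic).
RULES = {
    "appinit-dll": "AppInit_DLLs is set: the DLL is loaded into every "
                   "process that loads user32.dll",
    "missing-file": "registration points at a file that is not on disk",
    "unknown-owner": "HijackThis reported no company name for the service binary",
}


@dataclass
class Entry:
    code: str    # HijackThis section code, e.g. "O20"
    label: str   # everything before the final separator
    target: str  # file path, URL setting, or "(no file)"


def parse_line(line):
    """Return an Entry for a HijackThis log line, or None for other text."""
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    body = FILE_META_RE.sub("", m.group("body"))
    label, sep, target = body.rpartition(" - ")
    if not sep:
        # Lines such as "O20 - AppInit_DLLs: <path>" use ": " instead of " - ".
        label, _, target = body.partition(": ")
    return Entry(m.group("code"), label.strip(), target.strip())


def review(entry):
    """Return the keys of every rule in RULES that the entry matches."""
    hits = []
    if entry.code == "O20" and entry.label == "AppInit_DLLs" and entry.target:
        hits.append("appinit-dll")
    if entry.target == "(no file)":
        hits.append("missing-file")
    if entry.code == "O23" and entry.label.endswith("Unknown owner"):
        hits.append("unknown-owner")
    return hits


def triage(log_text):
    """Parse a whole log and return (code, target, rule keys) per finding."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = review(entry)
        if hits:
            findings.append((entry.code, entry.target, hits))
    return findings


if __name__ == "__main__":
    for code, target, hits in triage(SAMPLE_LOG):
        print(f"{code}  {target}")
        for key in hits:
            print(f"      review: {RULES[key]}")
```

A finding here is a prompt to look closer, not a verdict: the Swupdtmr service is flagged only because it has no company name. The Ask toolbar and Windows Messenger entries on the fix list are removal choices rather than anomalies, so none of these rules flags them.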

            Ragnoph

              Topic Starter


              Rookie

              Re: Virus without Detection
              « Reply #11 on: July 21, 2010, 12:59:22 PM »
              I only found Ask.com, but other than that I was able to do (and did) everything that you recommended. Here is that final Log you requested:


              ComboFix 10-07-20.03 - Jon L. Peacock 07/21/2010  14:53:12.1.2 - x86
              Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.472 [GMT -4:00]
              Running from: c:\documents and settings\Jon L. Peacock\Desktop\ComboFix.exe
              AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              c:\documents and settings\Jon L. Peacock\Application Data\020000009c3ce73d967C.manifest
              c:\documents and settings\Jon L. Peacock\Application Data\020000009c3ce73d967O.manifest
              c:\documents and settings\Jon L. Peacock\Application Data\020000009c3ce73d967P.manifest
              c:\documents and settings\Jon L. Peacock\Application Data\020000009c3ce73d967S.manifest
              c:\windows\Downloaded Program Files\ODCTOOLS
              c:\windows\system32\2114189136
              c:\windows\system32\unrar.exe

              .
              (((((((((((((((((((((((((   Files Created from 2010-06-21 to 2010-07-21  )))))))))))))))))))))))))))))))
              .

              2010-07-21 18:08 . 2010-07-21 18:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
              2010-07-21 18:08 . 2010-07-21 18:08   --------   d-----w-   c:\program files\NOS
              2010-07-20 22:23 . 2010-07-20 22:23   --------   d-----w-   c:\program files\Trend Micro
              2010-07-20 13:17 . 2010-07-20 13:17   63488   ----a-w-   c:\documents and settings\Jon L. Peacock\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
              2010-07-20 13:17 . 2010-07-20 13:17   52224   ----a-w-   c:\documents and settings\Jon L. Peacock\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
              2010-07-20 13:17 . 2010-07-20 13:17   117760   ----a-w-   c:\documents and settings\Jon L. Peacock\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
              2010-07-20 13:16 . 2010-07-20 13:16   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
              2010-07-20 13:16 . 2010-07-20 13:16   --------   d-----w-   c:\documents and settings\Jon L. Peacock\Application Data\SUPERAntiSpyware.com
              2010-07-20 13:16 . 2010-07-20 13:16   --------   d-----w-   c:\program files\SUPERAntiSpyware
              2010-07-15 18:33 . 2010-04-12 21:29   411368   ----a-w-   c:\windows\system32\deployJava1.dll
              2010-07-14 06:22 . 2010-06-14 14:31   744448   -c----w-   c:\windows\system32\dllcache\helpsvc.exe
              2010-07-09 19:01 . 2010-07-09 19:01   348160   ----a-w-   c:\documents and settings\Jon L. Peacock\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-69dc2242-n\msvcr71.dll
              2010-07-09 19:01 . 2010-07-09 19:01   503808   ----a-w-   c:\documents and settings\Jon L. Peacock\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-69dc2242-n\msvcp71.dll
              2010-07-09 19:01 . 2010-07-09 19:01   499712   ----a-w-   c:\documents and settings\Jon L. Peacock\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-69dc2242-n\jmc.dll
              2010-07-09 19:01 . 2010-07-09 19:01   61440   ----a-w-   c:\documents and settings\Jon L. Peacock\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4754ffa5-n\decora-sse.dll
              2010-07-09 19:01 . 2010-07-09 19:01   12800   ----a-w-   c:\documents and settings\Jon L. Peacock\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4754ffa5-n\decora-d3d.dll

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2010-07-21 18:58 . 2006-10-05 14:45   --------   d-----w-   c:\documents and settings\Jon L. Peacock\Application Data\Skype
              2010-07-21 18:33 . 2007-08-08 16:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
              2010-07-21 18:26 . 2006-03-02 23:38   --------   d-----w-   c:\program files\Common Files\Adobe
              2010-07-21 17:57 . 2007-08-30 03:05   --------   d-----w-   c:\program files\LimeWire
              2010-07-21 15:23 . 2009-07-23 22:09   --------   d-----w-   c:\documents and settings\Jon L. Peacock\Application Data\skypePM
              2010-07-20 19:57 . 2009-08-05 18:51   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
              2010-07-15 18:33 . 2006-03-02 23:57   --------   d-----w-   c:\program files\Common Files\Java
              2010-07-15 18:32 . 2006-03-02 23:57   --------   d-----w-   c:\program files\Java
              2010-07-09 08:50 . 2010-07-09 08:50   0   ---ha-w-   c:\documents and settings\Jon L. Peacock\igdrvecqmn.tmp
              2010-06-14 14:31 . 2006-03-02 21:26   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
              2010-06-12 23:43 . 2010-06-12 23:43   --------   d-----w-   c:\program files\Common Files\Skype
              2010-06-10 20:41 . 2010-06-10 20:41   --------   d-----w-   c:\documents and settings\All Users\Application Data\AOL Downloads
              2010-05-21 18:14 . 2009-10-11 23:12   221568   ------w-   c:\windows\system32\MpSigStub.exe
              2010-05-04 17:20 . 2006-03-02 18:39   832512   ----a-w-   c:\windows\system32\wininet.dll
              2010-05-04 17:20 . 2006-03-02 18:38   78336   ----a-w-   c:\windows\system32\ieencode.dll
              2010-05-04 17:20 . 2006-03-02 18:37   17408   ----a-w-   c:\windows\system32\corpol.dll
              2010-05-02 05:22 . 2006-03-02 18:39   1851264   ----a-w-   c:\windows\system32\win32k.sys
              2010-04-29 19:39 . 2009-08-05 18:51   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2010-04-29 19:39 . 2009-08-05 18:51   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]
              "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-29 2403568]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
              "Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-02-20 1589248]
              "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 761945]
              "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
              "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
              "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
              "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
              "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
              "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
              "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
              "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
              "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
              "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
              "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
              "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
              "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

              [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
              "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
              2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
              @=""

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
              @="Service"

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
              2006-10-23 12:50   71216   ----a-r-   c:\program files\Common Files\AOL\ACS\AOLDial.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
              2005-08-05 21:56   64512   ----a-w-   c:\windows\ehome\ehtray.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
              2005-12-29 22:21   61952   ----a-w-   c:\windows\system32\CHDAudPropShortcut.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
              2008-06-24 18:34   41824   ----a-w-   c:\program files\Common Files\AOL\1141344126\EE\aolsoftware.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
              2009-06-05 20:39   292136   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
              2005-03-18 01:37   151552   ----a-w-   c:\toshiba\IVP\ISM\pinger.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
              2009-05-27 00:18   413696   ----a-w-   c:\program files\QuickTime\QTTask.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
              2005-04-27 00:13   122880   ----a-w-   c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
              2006-02-02 01:33   1880064   ----a-w-   c:\program files\Verizon\Servicepoint\VerizonServicepoint.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
              "gusvc"=3 (0x3)
              "AOLService"=2 (0x2)

              [HKEY_LOCAL_MACHINE\software\microsoft\security center]
              "AntiVirusOverride"=dword:00000001

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
              "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
              "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
              "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
              "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
              "c:\\Program Files\\America Online 9.0\\waol.exe"=
              "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
              "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
              "c:\\Program Files\\Common Files\\AOL\\1141344126\\EE\\AOLServiceHost.exe"=
              "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
              "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "c:\\Program Files\\Common Files\\AOL\\1141344126\\EE\\aolsoftware.exe"=
              "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
              "c:\\Program Files\\iTunes\\iTunes.exe"=
              "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
              "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

              R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
              R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
              R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/27/2009 3:58 PM 108289]
              R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
              S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [10/19/2006 2:11 PM 10664]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
              getPlusHelper   REG_MULTI_SZ      getPlusHelper
              .
              Contents of the 'Scheduled Tasks' folder

              2010-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
              - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

              2010-07-21 c:\windows\Tasks\MP Scheduled Scan.job
              - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
              .
              .
              ------- Supplementary Scan -------
              .
              uStart Page = hxxp://www.aol.com/
              uInternet Settings,ProxyOverride = *.local
              IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
              .
              - - - - ORPHANS REMOVED - - - -

              WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
              HKCU-Run-zvchost.exe - c:\documents and settings\Jon L. Peacock\Application Data\Microsoft\zvchost.exe
              AddRemove-{2FCE4FC5-6930-40E7-A4F1-F862207424EF} - c:\program files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe
              AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe



              **************************************************************************
              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files:

              **************************************************************************
              .
              --------------------- LOCKED REGISTRY KEYS ---------------------

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
              @Denied: (A 2) (Everyone)
              @="FlashBroker"
              "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
              "Enabled"=dword:00000001

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
              @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
              @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

              [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
              @Denied: (A 2) (Everyone)
              @="IFlashBroker4"

              [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
              @="{00020424-0000-0000-C000-000000000046}"

              [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
              @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
              "Version"="1.0"

              [HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬ }*2*]
              "Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(680)
              c:\program files\SUPERAntiSpyware\SASWINLO.DLL
              c:\windows\system32\WININET.dll
              .
              Completion time: 2010-07-21  15:01:16
              ComboFix-quarantined-files.txt  2010-07-21 19:01

              Pre-Run: 490,725,376 bytes free
              Post-Run: 661,880,832 bytes free

              WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
              [boot loader]
              timeout=2
              default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
              [operating systems]
              c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
              multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

              - - End Of File - - A931E046CD49E074B7FC80A49B194A5B

              SuperDave

              Re: Virus without Detection
              « Reply #12 on: July 21, 2010, 03:59:47 PM »
              Are all those weird things still happening with your computer?

              I'd like to scan your machine with ESET OnlineScan

              •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
              ESET OnlineScan
              •Click the button.
              •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
              • Click on to download the ESET Smart Installer. Save it to your desktop.
              • Double click on the icon on your desktop.
              •Check
              •Click the button.
              •Accept any security warnings from your browser.
              •Check
              •Push the Start button.
              •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
              •When the scan completes, push
              •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
              •Push the button.
              •Push
              A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

              Windows 8 and Windows 10 dual boot with two SSD's

              Ragnoph


                Re: Virus without Detection
                « Reply #13 on: July 23, 2010, 04:45:15 PM »
                Thank you so much for all of your help!!

                None of the "symptoms" have continued, and this last search I conducted with ESET Online Scanner came back with no threats found. Because of this, I could not click on any button to copy and paste the results onto this forum.

                Is there anything else I should do, or do you believe (as I do) that the virus has finally been eliminated from my computer?

                Again, thank you!!

                SuperDave

                Re: Virus without Detection
                « Reply #14 on: July 24, 2010, 01:08:36 PM »
                That looks good. It's now time for some cleanup.

                * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
                * Now type Combofix /uninstall in the Run box
                * Make sure there's a space between Combofix and /Uninstall
                * Then hit Enter

                The above procedure will:
                * Delete the following:
                  * ComboFix and its associated files and folders.
                * Reset the clock settings.
                * Hide file extensions, if required.
                * Hide System/Hidden files, if required.
                * Set a new, clean Restore Point.

                =============================

                Download OTC by OldTimer and save it to your desktop.

                1. Double-click OTC to run it.
                2. Click the CleanUp! button.
                3. Select Yes when the "Begin cleanup Process?" prompt appears.
                4. If you are prompted to Reboot during the cleanup, select Yes.
                5. OTC should delete itself once it finishes; if not, delete it yourself.

                ===========================

                Clean out your temporary internet files and temp files.

                Download TFC by OldTimer to your desktop.

                Double-click TFC.exe to run it.

                Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                TFC will close all programs when run, so make sure you have saved all your work before you begin.

                * Click the Start button to begin the cleaning process.
                * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                * Please let TFC run uninterrupted until it is finished.

                Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

                ==============================

                Use the Secunia Software Inspector to check for out of date software.

                •Click Start Now

                •Check the box next to Enable thorough system inspection.

                •Click Start

                •Allow the scan to finish and scroll down to see if any updates are needed.
                •Update anything listed.
                ----------

                Go to Microsoft Windows Update and get all critical updates.

                ----------

                I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                * Using SpywareBlaster to protect your computer from Spyware and Malware
                * If you don't know what ActiveX controls are, see here

                Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                Safe Surfing!