Computer Hope
Software => Computer viruses and spyware => Topic started by: collie00 on April 27, 2009, 01:17:00 PM
-
I'm having the same problem! Very frustrating! My IE or Firefox won't open anymore, so I started using Safari. But I downloaded AVG and I can't update it because it wants to use IE. Ah, I don't know what to do; any help would be great. It says it has encountered a problem, then freezes or just shuts down the whole computer. I have to fix this problem! I also tried using IE without add-ons, still the same issue.
-
Follow the guidelines here: http://www.computerhope.com/forum/index.php/topic,46313.0.html
Post the three required logs and a malware specialist will assist you.
-
See, I can't even run AVG because when I try to update it, it wants to open Internet Explorer, so it shuts down on me! So I can't follow those guidelines without an antivirus, correct?
-
Just carry on with the other 3 programs... you can download them with Safari.
-
Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
* Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
* Search for any of the following:
- UAC.sys <- Or anything beginning with UAC
- gaopdxserv.sys <- Or anything beginning with gaopd
- gxvxcserv.sys <- Or anything beginning with gxvx
- Seneka.sys <- Or anything beginning with Seneka
- clbdriver.sys <- Or anything beginning with clbdriver
- TDSSserv.sys <- Or anything beginning with TDSS
* If you do find it, right click on it, and select Disable. Do not try to uninstall them.
* Now reboot and see if you can run the scans that would not run.
* Let me know if you find them or not.
If the files are not found then please let me know what is listed in Non-plug and Play Drivers.
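For readers who want to script the Device Manager check above, here is an added PowerShell example; it is not part of the thread and not one of the tools the helper recommends. It enumerates kernel drivers through WMI's Win32_SystemDriver class (the same legacy drivers Device Manager lists under Non-Plug and Play Drivers) and flags any whose service name or image file starts with one of the six prefixes listed in the post. It assumes PowerShell 3.0 or later run from an elevated prompt; the -ReportPath parameter, the -ListAll switch and the function names are this example's own. A user-mode listing like this can be fooled by a rootkit that hides its driver, which is one reason the post follows the check with a ComboFix scan.

```powershell
# Added example, not from the thread: scripted version of the
# "Non-Plug and Play Drivers" check. Requires PowerShell 3.0+ and an elevated prompt.
param(
    [string]$ReportPath = "$env:USERPROFILE\Desktop\driver-check.txt",  # hypothetical output file
    [switch]$ListAll                                                    # dump every driver, as the post asks for
)

# Name prefixes taken from the instructions above; matching is case-insensitive.
$suspectPrefixes = @('UAC', 'gaopd', 'gxvx', 'Seneka', 'clbdriver', 'TDSS')
$prefixPattern   = '^(' + (($suspectPrefixes | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'

function Resolve-DriverPath {
    # WMI reports driver images in NT form ("\SystemRoot\system32\drivers\x.sys",
    # "\??\C:\...", or "system32\drivers\x.sys"); turn that into a Win32 path.
    param([string]$RawPath)
    if (-not $RawPath) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriver {
    # One record per driver service: name, image file, state, start mode, and
    # whether the image still exists on disk (a registered driver with no file
    # is itself worth a closer look).
    Get-WmiObject -Class Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        [pscustomobject]@{
            Name      = $_.Name
            File      = if ($path) { Split-Path -Leaf $path } else { '' }
            State     = $_.State
            StartMode = $_.StartMode
            OnDisk    = if ($path) { Test-Path -LiteralPath $path } else { $false }
        }
    }
}

function Get-SuspectDriver {
    param([string]$Pattern)
    Get-KernelDriver | Where-Object { $_.Name -match $Pattern -or $_.File -match $Pattern }
}

$report = if ($ListAll) {
    Get-KernelDriver | Sort-Object Name | Format-Table -AutoSize | Out-String
} else {
    $hits = @(Get-SuspectDriver -Pattern $prefixPattern)
    if ($hits.Count -eq 0) {
        "No driver name or file matched: $($suspectPrefixes -join ', ')"
    } else {
        $hits | Format-Table -AutoSize | Out-String
    }
}

# Print the result and keep a copy to paste into a reply.
$report | Tee-Object -FilePath $ReportPath

# Command-line equivalent of the post's "right click > Disable" (not uninstall)
# step for one confirmed hit; run it by hand only once you are sure of the name:
#   sc.exe config <ServiceName> start= disabled
```

Run it without switches to get only the matches, or with -ListAll to produce the full Non-Plug and Play driver list the helper asks for when nothing matches. The OnDisk column is there because a driver entry whose image file cannot be found, while the service is still registered and running, deserves the same attention as a name match.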
-
Whoa, it worked! I clicked Disable on TDSSserv.sys; I had two of them. But my AVG still won't update. What am I doing wrong there? And what was it that I disabled? Thank you!
-
It is a rootkit.
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
ComboFix 09-05-08.03 - Colleen murphy 05/09/2009 14:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.396 [GMT -4:00]
Running from: c:\documents and settings\Colleen murphy\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Outdated)
FW: PC-cillin Internet Security - Firewall *enabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\Colleen murphy\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
c:\documents and settings\Colleen murphy\Application Data\rhcg37j0e5dl
c:\documents and settings\Colleen murphy\Application Data\WeatherDPA
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\windows\system32\TDSSkkbi.log
c:\windows\system32\TDSSlrvd.dat
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_PACKET
-------\Legacy_TDSSSERV
-------\Legacy_TDSSSERV.SYS
-------\Service_Packet
-------\Service_TDSSserv
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))
.
2009-04-28 14:49 . 2009-04-28 17:03 -------- d--h--w C:\$AVG8.VAULT$
2009-04-28 14:28 . 2009-04-28 14:28 -------- d-sh--w c:\documents and settings\Colleen murphy\IECompatCache
2009-04-28 14:22 . 2009-04-28 14:22 -------- d-sh--w c:\documents and settings\Colleen murphy\PrivacIE
2009-04-28 00:46 . 2009-04-28 00:46 -------- d-sh--w c:\documents and settings\Colleen murphy\IETldCache
2009-04-28 00:46 . 2009-04-28 00:46 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-28 00:43 . 2009-04-28 00:43 -------- d-----w c:\windows\ie8updates
2009-04-28 00:39 . 2009-04-28 00:41 -------- dc-h--w c:\windows\ie8
2009-04-28 00:36 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll
2009-04-27 18:44 . 2009-04-27 18:44 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-27 18:44 . 2009-04-27 18:44 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-27 18:44 . 2009-04-27 18:44 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-27 18:44 . 2009-05-09 17:25 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-27 18:44 . 2009-04-28 17:16 -------- d-----w c:\documents and settings\Colleen murphy\Application Data\AVGTOOLBAR
2009-04-27 18:43 . 2009-04-27 18:43 -------- d-----w c:\program files\AVG
2009-04-27 18:14 . 2009-04-27 18:14 -------- d-----w c:\program files\Alwil Software
2009-04-16 14:59 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 14:59 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-16 14:59 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 14:59 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 14:59 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 14:59 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 14:59 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 14:59 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 14:59 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 14:59 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 14:56 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 14:56 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 22:52 . 2006-12-28 21:10 3676 ----a-w c:\documents and settings\Colleen murphy\Application Data\wklnhst.dat
2009-04-28 16:26 . 2009-02-28 16:48 -------- d-----w c:\program files\Wopti
2009-04-28 13:58 . 2008-12-11 03:05 2709 ----a-w c:\windows\system32\TDSSlxwp.dll
2009-03-26 15:56 . 2009-03-26 15:55 -------- d-----w c:\program files\iTunes
2009-03-26 15:55 . 2009-03-26 15:55 -------- d-----w c:\program files\iPod
2009-03-26 15:55 . 2007-12-21 01:56 -------- d-----w c:\program files\Common Files\Apple
2009-03-26 15:53 . 2009-03-26 15:53 -------- d-----w c:\program files\Bonjour
2009-03-26 15:53 . 2007-02-28 21:20 -------- d-----w c:\program files\QuickTime
2009-03-25 18:13 . 2008-06-28 23:51 -------- d-----w c:\program files\CCleaner
2009-03-23 22:09 . 2008-10-21 01:27 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-03-23 22:09 . 2008-10-21 01:27 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-03-08 08:34 . 2005-08-16 10:18 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2005-08-16 10:18 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2005-08-16 10:18 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2005-08-16 10:18 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2005-08-16 10:18 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2005-08-16 10:18 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2005-08-16 10:18 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2005-08-16 10:18 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2005-08-16 10:18 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2005-08-16 10:18 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-26 15:50 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2007-12-21 01:56 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-09 12:10 . 2005-08-16 10:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 10:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 10:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 10:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 10:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 03:14 . 2009-02-09 03:14 71436 ---ha-w c:\windows\system32\mlfcache.dat
2008-06-11 20:23 . 2007-11-12 16:34 5891584 -csha-w c:\program files\ehthumbs.db
2007-01-07 21:55 . 2007-01-07 21:55 251 ----a-w c:\program files\wt3d.ini
2007-05-21 17:59 . 2006-12-26 01:11 88 --sh--r c:\windows\system32\B83AF2285D.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-27 1932568]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-6 66864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-27 18:44 10520 ----a-w c:\windows\system32\avgrsstx.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= Digi32.dll
"aux6"= wdmaud.sys
"Midi1"= diomidi.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /A:* /L:English /KBD:2
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=c:\windows\pss\Service Manager.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcl37j0e5dl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcg37j0e5dl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoToAssist"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)
"MobilePreInstallerService"=2 (0x2)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"hnmsvc"=2 (0x2)
"gusvc"=3 (0x3)
"FastTrackInstallerService"=2 (0x2)
"digiSPTIService"=3 (0x3)
"DigiRefresh"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\1191432277\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [10/26/2007 11:02 AM 16384]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/27/2009 2:44 PM 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/27/2009 2:44 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/27/2009 2:43 PM 298264]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [12/15/2006 7:08 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/9/2006 4:03 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/16/2006 2:27 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/9/2006 4:04 PM 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/9/2006 4:03 PM 280392]
S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [10/5/2006 5:06 PM 27328]
S3 MA763010;M-Audio Fast Track;c:\windows\system32\drivers\MA763010.sys --> c:\windows\system32\drivers\MA763010.sys [?]
S4 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys --> c:\windows\system32\drivers\MA763004.sys [?]
S4 MobilePreInstallerService;MobilePre Installer;c:\program files\M-Audio\MobilePre\Install\MPInst.exe [10/29/2007 9:47 AM 49152]
S4 Viewpoint Manager Service;Viewpoint Manager Service; [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-05-09 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-SVCHOST - (no file)
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-09 14:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0949021B-8719-211C-5152-530D7EE74900}\InProcServer32*]
"oajfmfbkecfdopcoldnofagpbegnpp"=hex:6a,61,6d,65,62,6d,70,6f,62,62,65,63,66,65,
68,6c,62,68,6d,70,00,29
"najfggleaoegkhilokinlekdgfmp"=hex:6a,61,6c,65,66,6d,6c,70,64,69,6f,6d,69,61,
61,62,70,65,6f,63,00,29
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(736)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-05-09 14:30
ComboFix-quarantined-files.txt 2009-05-09 18:29
Pre-Run: 119,629,279,232 bytes free
Post-Run: 119,611,658,240 bytes free
279 --- E O F --- 2009-05-09 04:29
Sorry it took so long to respond. Here's the log... I can't burn CDs now. Now what do I do?
Thank you again, evil, for your help.
-
Evil's away for the weekend...
-
Thank you, that's OK... I'll wait for evil's response. I'll keep checking back.
-
Sorry for the delay.
If you already have Malwarebytes be sure to update it before running the scan!
Download Malwarebytes' Anti-Malware (MBAM) (http://www.malwarebytes.org/mbam-download.php)
Alternate MBAM download link (http://www.besttechie.net/tools/mbam-setup.exe)
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
-
Malwarebytes' Anti-Malware 1.36
Database version: 2117
Windows 5.1.2600 Service Pack 3
5/12/2009 3:21:04 PM
mbam-log-2009-05-12 (15-21-04).txt
Scan type: Quick Scan
Objects scanned: 96781
Time elapsed: 6 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{54a3f8b7-228e-4ed8-895b-de832b2c3959} (Adware.Zango) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcg37j0e5dl (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\Application Data\SBUSA (Adware.Hotbar) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\All Users\Application Data\SBUSA\SBUSA.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SBUSA\SBUSAAbout.mht (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SBUSA\SBUSAEULA.mht (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
OK, here is the log for the malware. Another problem I'm having now is when I watch a movie, the picture is fine but the sound is skipping; it's all broken up. One of the problems, I guess, that follows a larger problem :sigh: Waiting for your command, evil :) Thanks again.
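The Malwarebytes log above is plain text with a fixed shape: summary counts at the top, then one "... Infected:" section per category, each line ending in the detection family and the action taken. The PowerShell below is an added example, not part of the thread and not a Malwarebytes tool; it parses that format into one record per item and tallies the detection families, so a long log can be read at a glance and anything not fully removed stands out. The embedded sample is copied from the log posted above so the script runs offline; the -Path parameter and the function name are this example's own.

```powershell
# Added example, not from the thread: summarize a Malwarebytes' Anti-Malware 1.x log.
# With no -Path, the sample copied from the log above is used.
param([string]$Path)

# Sample input, taken from the MBAM log posted in this thread.
$sampleLog = @'
Malwarebytes' Anti-Malware 1.36
Database version: 2117
Registry Keys Infected: 1
Registry Values Infected: 1
Folders Infected: 1
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{54a3f8b7-228e-4ed8-895b-de832b2c3959} (Adware.Zango) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcg37j0e5dl (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\All Users\Application Data\SBUSA (Adware.Hotbar) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\All Users\Application Data\SBUSA\SBUSA.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SBUSA\SBUSAAbout.mht (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SBUSA\SBUSAEULA.mht (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
'@

function ConvertFrom-MbamLog {
    param([string[]]$Lines)
    $section = $null
    foreach ($line in $Lines) {
        # Section headers end right after "Infected:"; the summary lines near the
        # top ("Files Infected: 4") carry a count and so fail the end anchor.
        if ($line -match '^(?<section>[A-Za-z ]+ Infected):\s*$') {
            $section = $Matches.section
            continue
        }
        # Item lines: "<path or key> (<family>) -> <action>." The greedy item group
        # makes the LAST "(family) ->" win, so parentheses inside a path are safe.
        if ($section -and $line -match '^(?<item>.+) \((?<family>[^()]+)\) -> (?<action>.+?)\.?\s*$') {
            [pscustomobject]@{
                Section = $section
                Item    = $Matches.item
                Family  = $Matches.family
                Action  = $Matches.action
            }
        }
    }
}

$lines = if ($Path) { Get-Content -LiteralPath $Path } else { $sampleLog -split "`r?`n" }
$items = @(ConvertFrom-MbamLog -Lines $lines)

"Detected items: $($items.Count)"
$items | Format-Table Section, Family, Item -AutoSize -Wrap

# Tally per family; on the sample: Adware.Hotbar 4, Adware.Zango 1,
# Rogue.AntivirusXP2008 1, Trojan.Agent 1.
$items | Group-Object Family | Sort-Object Count -Descending |
    Select-Object @{ n = 'Family'; e = { $_.Name } }, Count

# Anything that was not removed needs follow-up (MBAM may ask for a reboot first).
$leftover = @($items | Where-Object { $_.Action -notmatch 'deleted successfully' })
if ($leftover.Count -gt 0) { "Not fully removed:"; $leftover | Format-Table Item, Action -AutoSize -Wrap }
```

The family tally is the useful part when reading someone else's log: here it shows one rogue antivirus entry (the rhcg37j0e5dl value, which matches the Application Data folder ComboFix deleted earlier), adware leftovers, and the TDSSlxwp.dll component of the rootkit whose driver the thread disabled through Device Manager.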
-
another problem I'm having now is when I watch a movie, the picture is fine but the sound is skipping; it's all broken up,
That will need to be dealt with in another forum once we finish up here.
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
KillAll::
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0949021B-8719-211C-5152-530D7EE74900}]
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0949021B-8719-211C-5152-530D7EE74900}]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
-
It can't find HIDEC.exe. That's what comes up when it's done scanning; it won't show me a log.
-
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
---
Restart the computer.
Download a new copy of CF and then drag/drop the script.
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
KillAll::
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0949021B-8719-211C-5152-530D7EE74900}]
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0949021B-8719-211C-5152-530D7EE74900}]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
-
I followed your directions and I still cannot get a log. It says preparing log and it never pops up. I tried more than once. My screen saver has changed, though; now it's the Windows Media Center Edition logo, before it was a photo. I did download the ComboFix from the link you had given.
-
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
- The above procedure will:
- Delete the following:
- ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
.
----------
Download
ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your Desktop.
Alternate download link (http://majorgeeks.com/ATF_Cleaner_d4949.html)
Note: Vista users must use Run As Administrator (http://vistasupport.mvps.org/run_as_administrator.htm)
- Under Main: Select Files to Delete choose: Select All.
- Click the Empty Selected button.
- If you use Firefox browser click Firefox at the top and choose: Select All
- Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
- If you use Opera browser click Opera at the top and choose: Select All
- Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
- Click Exit on the Main menu to close the program.
.
Note that your system will run slower for a reboot or two after having used this tool so don't panic.
----------
Download OTCleanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to your Desktop.
- Double-click OTCleanIt.exe.
- Click the CleanUp! button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes, if not delete it yourself.
.
Important: Restart the computer before continuing.
----------
Scan with Panda ActiveScan (http://www.pandasoftware.com/products/activescan.htm)
This scanner requires Internet Explorer
- Once you are on the Panda site click the Scan your PC now button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Select the appropriate Yes or No to receiving marketing information
- Click the Free Online Scan button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on My Computer to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
.
Post the contents of the ActiveScan report in your next reply.
-
;**************************************************************************************************
ANALYSIS: 2009-05-20 07:31:00
PROTECTIONS: 2
MALWARE: 2
SUSPECTS: 6***********************************************************************************************
PROTECTIONS
Description Version Active Updated
;=========================================================================
AVG Anti-Virus Free 8.5 No Yes
PC-cillin Internet Security - Virus Protectio14.60.1206 No No
;==========================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=============================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Colleen murphy\Cookies\colleen_murphy@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Colleen murphy\Cookies\colleen_murphy@atdmt[2].txt
;==============================================================================
SUSPECTS
Sent Location +
;================================================================================
Yes C:\Program Files\WildTangent\Apps\Dell Game Console\Uninstall.exe +
Yes C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP4\A0000248.exe[32788R22FWJFW\n.com]
Yes C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP4\A0000248.exe[32788R22FWJFW\NirCmd.cfexe]
Yes C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP4\A0000249.exe +
Yes C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP4\A0000292.com +
Yes C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP4\A0000294.com +
;======================================================================================
VULNERABILITIES
Id Severity Description +
;=======================================================================================
;=======================================================================================
Here is the report from the ActiveScan. I also used the ATF Cleaner and CleanIt before I scanned.
-
Let me know if you have any questions.
Disable/Enable the System Restore Utility to flush old infected restore points
1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.
Now re-enable System Restore
To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.
1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.
----------
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
-
OK, now where do I post about the CD player problem? It was working fine till you told me to shut off the TDSS stuff. Now what?
-
What is it doing? Or not doing?
-
Try updating your sound drivers or install a codec pack.
http://www.free-codecs.com/download/K_lite_codec_pack.htm
-
It did not work. How do you update the drivers? When I watch movies online it's fine; it's just from a DVD, or when I want to burn a CD or DVD.