0

So I was stupid and ended up thinking a fake pop up for a malware trojan was from my AVG antivirus, I should have known better. It restarted my computer and now it's pretty crazy.

My programs show up, as well as my documents, but it's like nothing is actually installed. Every time I attempt to open something, I get a pop up telling me, in one way or another, that the program is either not recognized or not valid on my computer. The only program that works is Internet Explorer, and even that gives me a pop up asking me what program I want it to run on. I've learned that it doesn't need that question answered to run, though.

It turned Windows Defender off, which I somehow managed to turn back on and run a scan with, only to have it run into an error and shut down about halfway through. AVG isn't recognized at all, and while I can search for it in my programs, it says it doesn't exist. I tried downloading two separate things from Microsoft (a free full scan and malware I think) only to have them not be able to run.

Finally, I tried to get Norton Anti-Virus on my computer, after having to save the installer to run the program, because it gives me that option every time I try to do something with a document, and it made it as far as installation before it shut down.

I went into safe mode but it didn't allow me to access the Vista System Restore. Not sure what to do, as these problems occur even in safe mode. I can't even turn it off regularly, as the exclamation point is on the power icon, meaning that it has something it wants to "update" my computer with. I have a feeling that's just going to spread it.

I honestly have no idea about computers so anything is helpful. I'm on a different computer at the moment, turned my laptop off. Afraid to turn it on again until something can actually be done about it.

Edited by FredRock: n/a

2 Contributors, 12 Replies, 13 Views, 7 Years Discussion Span, Last Post by PhilliePhan
0


I honestly have no idea about computers so anything is helpful. I'm on a different computer at the moment, turned my laptop off. Afraid to turn it on again until something can actually be done about it.

Sounds like quite a mess!

-- Do you have a flash drive?
-- Are you able to run the MBA-M step in the linky below? What about DDS and posting that scanlog?

-- Do you have your Windows Vista disk?

http://www.daniweb.com/forums/thread134865.html

PP:)

Edited by PhilliePhan: added a question

0

I have downloaded MBA-M successfully and am running the scan, will attempt DDS after the scan is done.

I do have a flash drive and I think I have my Vista CD here, but it might actually be back at my college dorm. I'll look for it to be sure.

0

DDS:

DDS (Ver_10-03-17.01) - NTFSX64
Run by Kim at 21:56:43.77 on Thu 04/01/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4090.2006 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Windows\system32\lsm.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
c:\Program Files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
C:\Program Files (x86)\AVG\AVG9\avgam.exe
C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10d.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\RacAgent.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Kim\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/?fr=fp-yie8
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files (x86)\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files (x86)\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files (x86)\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~2\mi1933~1\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files (x86)\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files (x86)\windows live\toolbar\wltcore.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [EA Core] c:\program files (x86)\electronic arts\ea link\Core.exe -silent
uRunOnce: [Shockwave Updater] c:\windows\syswow64\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; MDDC; .NET CLR 3.5.30729; .NET CLR 3.0.30618; InfoPath.2; yie8)" -"http://www.horse-games.org/Barrel_%20Horse_Racing.html"
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Dell DataSafe Online] "c:\program files (x86)\dell datasafe online\DataSafeOnline.exe" /m
mRun: [PDVDDXSrv] "c:\program files (x86)\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Dell Webcam Central] "c:\program files (x86)\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [GrooveMonitor] "c:\program files (x86)\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files (x86)\hp\digital imaging\bin\hpqSRMon.exe
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files (x86)\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG9_TRAY] c:\progra~2\avg\avg9\avgtray.exe
mRunOnce: [Malwarebytes' Anti-Malware] "c:\program files (x86)\malwarebytes' anti-malware\mbamgui.exe" /install /silent
StartupFolder: c:\users\kim\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\users\kim\appdata\roaming\micros~1\windows\startm~1\programs\startup\pmbmed~1.lnk - c:\program files (x86)\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\dellre~1.lnk - c:\windows\installer\{f66a31d9-7831-4fba-ba02-c411c0047cc5}\NewShortcut4_F66A31D978314FBABA02C411C0047CC5.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files (x86)\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\mi1933~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~2\mi1933~1\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files (x86)\avg\avg9\avgpp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~2\mi1933~1\office12\GRA8E1~1.DLL
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files (x86)\avg\avg9\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun-x64: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe
mRun-x64: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun-x64: [QuickSet] c:\program files\dell\quickset\QuickSet.exe
mRun-x64: [(Default)]
mRun-x64: [Dell DataSafe Online] "c:\program files (x86)\dell datasafe online\DataSafeOnline.exe" /m
AppInit_DLLs-X64: avgrssta.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\kim\appdata\roaming\mozilla\firefox\profiles\n5d72l46.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/?fr=fp-yie8
FF - component: c:\program files (x86)\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files (x86)\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\np_IEGetPlugin.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\nphssb.dll
FF - plugin: c:\program files (x86)\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrvta;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSva.sys [2010-3-10 27144]
R0 AvgRkx64;avgrkx64.sys;c:\windows\system32\drivers\avgrkx64.sys [2010-3-10 56008]
R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\PxHlpa64.sys [2009-6-22 53488]
R1 AvgLdx64;AVG Free AVI Loader Driver x64;c:\windows\system32\drivers\avgldx64.sys [2009-8-1 269320]
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;c:\windows\system32\drivers\avgmfx64.sys [2009-8-1 35464]
R1 AvgTdiA;AVG Free8 Network Redirector x64;c:\windows\system32\drivers\avgtdia.sys [2009-8-1 316936]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};c:\program files (x86)\cyberlink\powerdvd dx\000.fcl [2009-6-22 32240]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt64.inf_15f4e438\AESTSr64.exe [2009-6-22 89600]
R2 avg9wd;AVG WatchDog;c:\program files (x86)\avg\avg9\avgwdsvc.exe [2010-3-10 308064]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files (x86)\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-3-10 5888008]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files (x86)\viewpoint\common\ViewpointService.exe [2009-8-8 24652]
R3 AVGIDSDrivervta;AVG9IDSDriver;c:\program files (x86)\avg\avg9\identity protection\agent\driver\platform_vista64\AVGIDSDriver.sys [2010-3-10 132616]
R3 AVGIDSFiltervta;AVG9IDSFilter;c:\program files (x86)\avg\avg9\identity protection\agent\driver\platform_vista64\AVGIDSFilter.sys [2010-3-10 35848]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-6-22 160704]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60a.sys [2009-6-22 252928]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [2009-6-22 158592]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [2009-6-22 310784]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-7-1 93184]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2009-8-28 49152]

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*
.exe=secfile

=============== Created Last 30 ================

2010-04-02 02:48:31 0 d-----w- c:\users\kim\appdata\roaming\Malwarebytes
2010-04-02 02:48:12 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 02:48:12 0 d-----w- c:\programdata\Malwarebytes
2010-04-02 02:48:12 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-04-01 03:17:52 0 d-----w- c:\programdata\Norton
2010-04-01 03:06:41 31648712 ----a-w- c:\windows\syswow64\MRT.exe
2010-03-30 20:46:05 0 d-----w- c:\programdata\EA Core
2010-03-12 19:47:26 0 d-----w- c:\users\kim\appdata\roaming\AVG9
2010-03-11 15:39:22 32768 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-11 15:39:22 24064 ----a-w- c:\windows\syswow64\nshhttp.dll
2010-03-11 15:39:19 610304 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-11 15:39:18 33792 ----a-w- c:\windows\system32\httpapi.dll
2010-03-11 15:39:18 31232 ----a-w- c:\windows\syswow64\httpapi.dll
2010-03-10 16:31:42 12976 ----a-w- c:\windows\system32\avgrssta.dll
2010-03-10 16:17:26 0 d--h--w- C:\$AVG
2010-03-10 16:17:00 27144 ----a-w- c:\windows\system32\drivers\AVGIDSva.sys
2010-03-10 16:16:58 56008 ----a-w- c:\windows\system32\drivers\avgrkx64.sys
2010-03-10 16:16:28 0 d-----w- c:\programdata\avg9
2010-03-05 23:41:39 45056 ----a-w- c:\windows\syswow64\HSSICore.dll
2010-03-05 23:41:39 36864 ----a-w- C:\nphssb.dll
2010-03-05 23:41:39 247 ----a-w- C:\nphssb.xpt
2010-03-05 23:41:39 184320 ----a-w- c:\windows\syswow64\OESICore.dll
2010-03-05 23:41:38 40960 ----a-w- c:\windows\syswow64\HS_live.ocx
2010-03-05 23:41:33 0 d-----w- c:\programdata\Homestead
2010-03-05 23:40:10 98136 ----a-w- c:\windows\gzip.exe
2010-03-05 23:39:18 0 d-----w- c:\program files (x86)\Homestead

==================== Find3M ====================

2010-03-17 17:44:17 215040 ----a-w- c:\users\kim\appdata\roaming\DataSafeDotNet.exe
2010-03-10 16:31:46 316936 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2010-03-10 16:31:42 35464 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
2010-03-10 16:31:19 269320 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2010-02-24 15:16:06 212864 ------w- c:\windows\system32\MpSigStub.exe
2010-01-25 13:03:03 534016 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 13:03:03 159232 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 13:03:03 158720 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 13:02:33 535040 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 13:00:33 457216 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 12:48:34 472576 ----a-w- c:\windows\syswow64\secproc_isv.dll
2010-01-25 12:48:34 151040 ----a-w- c:\windows\syswow64\secproc_ssp_isv.dll
2010-01-25 12:48:34 151040 ----a-w- c:\windows\syswow64\secproc_ssp.dll
2010-01-25 12:48:06 472064 ----a-w- c:\windows\syswow64\secproc.dll
2010-01-25 12:45:56 329216 ----a-w- c:\windows\syswow64\msdrm.dll
2010-01-25 08:37:36 413696 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:37:32 594944 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:37:32 409600 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-25 08:37:29 594432 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:35:01 346624 ----a-w- c:\windows\syswow64\RMActivate_ssp_isv.exe
2010-01-25 08:35:00 523776 ----a-w- c:\windows\syswow64\RMActivate_isv.exe
2010-01-25 08:34:56 511488 ----a-w- c:\windows\syswow64\RMActivate.exe
2010-01-25 08:34:56 347136 ----a-w- c:\windows\syswow64\RMActivate_ssp.exe
2010-01-23 10:00:20 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-23 09:44:02 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-01-14 05:27:12 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-14 05:27:12 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-14 05:27:11 86016 ----a-w- c:\windows\inf\infstor.dat
2010-01-02 07:08:29 1147904 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 07:03:21 77312 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 07:03:21 132096 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:38:20 916480 ----a-w- c:\windows\syswow64\wininet.dll
2010-01-02 06:38:04 1208832 ----a-w- c:\windows\syswow64\urlmon.dll
2010-01-02 06:36:10 206848 ----a-w- c:\windows\syswow64\occache.dll
2010-01-02 06:33:34 5942784 ----a-w- c:\windows\syswow64\mshtml.dll
2010-01-02 06:33:32 594432 ----a-w- c:\windows\syswow64\msfeeds.dll
2010-01-02 06:33:32 55296 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-01-02 06:32:51 25600 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\syswow64\iesetup.dll
2010-01-02 06:32:33 1985536 ----a-w- c:\windows\syswow64\iertutil.dll
2010-01-02 06:32:33 164352 ----a-w- c:\windows\syswow64\ieui.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\syswow64\iesysprep.dll
2010-01-02 06:32:32 55808 ----a-w- c:\windows\syswow64\iernonce.dll
2010-01-02 06:32:32 184320 ----a-w- c:\windows\syswow64\iepeers.dll
2010-01-02 06:32:32 11070464 ----a-w- c:\windows\syswow64\ieframe.dll
2010-01-02 06:32:26 387584 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-01-02 05:25:39 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-02 04:57:00 133632 ----a-w- c:\windows\syswow64\ieUnatt.exe
2010-01-02 04:56:50 173056 ----a-w- c:\windows\syswow64\ie4uinit.exe
2010-01-02 04:56:14 13312 ----a-w- c:\windows\syswow64\msfeedssync.exe
2009-06-22 21:19:52 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-22 19:01:36 75 --sh--r- c:\windows\CT4CET.bin
2009-08-18 15:01:16 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-08-18 15:01:16 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-08-18 15:01:16 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-08-18 15:01:16 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-15 16:06:11 245760 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-06-22 20:58:48 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 21:59:45.84 ===============


Attach:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 6/22/2009 8:28:41 AM
System Uptime: 4/1/2010 9:40:31 PM (0 hours ago)

Motherboard: Dell Inc. | | 0J276M
Processor: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz | U2E1 | 2400/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 451 GiB total, 329.883 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 7.782 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

4500_Help
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe Shockwave Player 11.5
Advanced Audio FX Engine
AGEIA GAME System Software
Apple Application Support
Apple Software Update
ATI Catalyst Control Center
AVG 9.0
Banctec Service Agreement
Big Fish Games Client
BPD_HPSU
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
Celtx (2.7)
Choice Guard
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Complete Care Consumer Service Agreement
CustomerResearchQFolder
Dell DataSafe Online
Dell Driver Download Manager
Dell Getting Started Guide
Dell Remote Access
Dell Video Chat
Dell Webcam Central
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DocMgr
DocProc
DocProcQFolder
EA Download Manager
EA Download Manager UI
EA Link
eSupportQFolder
Fax
getPlus(R) Download Manager for Corel
GPBaseService
Homestead SiteBuilder
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Photosmart Essential 2.5
HP Product Detection
HP Update
HPProductAssistant
HPSSupply
J4500
Java(TM) 6 Update 11
Junk Mail filter update
Live! Cam Avatar Creator
Malwarebytes' Anti-Malware
MarketResearch
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Mozilla Firefox (3.5.5)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenAL
PowerDVD
Primo
ProductContext
PSSWCORE
QuickTime
RealPlayer
Ride!
Riding Club Championships 1.012a
Riding Club Merge Modules
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Runtime
Scan
Skins
SmartWebPrintingOC
SolutionCenter
Sony Picture Utility
Status
The Sims™ Pet Stories
Toolbox
TouchCopy
TrayApp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VideoToolkit01
Viewpoint Media Player
Visual C++ 8.0 Runtime Setup Package (x64)
WebReg
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer

==== End Of File ===========================

0

MBA-M fixed it! It was hijack that infected it. 4 files removed. Restarted it and AVG is turned back on, saying that it also removed two trojans.

Thank-you for your help!

0

MBA-M fixed it! It was hijack that infected it. 4 files removed. Restarted it and AVG is turned back on, saying that it also removed two trojans.

Thank-you for your help!

Glad to hear it! I was hoping you'd be able to get MBAM to run as 64-bit Vista is difficult to work with.

-- Could you post me the logs from AVG and MBAM? Sometimes there are hidden components that do not get removed.
I did not see it in the DDS log.

-- You should update your Java. Use Add/Remove Programs to remove Java(TM) 6 Update 11 and any other old versions.
Then, please go to http://www.java.com/en/ to download and install the latest version of Java. This will help avoid malware such as Vundo that exploit Java.....

Cheers :)
PP

Edited by PhilliePhan: The Usual. . .

0

Here's the MBA-M log, I have to look around for the AVG log. I'll change my Java as well. I also deleted the save points in System Recovery, in case the virus was still in there. Should I run another Virus Scan with AVG to see if anything is still on there?

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3944

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18882

4/1/2010 11:04:22 PM
mbam-log-2010-04-01 (23-04-22).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 307980
Time elapsed: 1 hour(s), 14 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
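The MBA-M log above documents a classic .exe association hijack: HKCR\.exe was redirected from exefile to a rogue secfile ProgId whose shell\open\command ran the fake AV instead of the requested program (which is why every program looked "not recognized"), and the NoActiveDesktopChanges policy was forced on. The following PowerShell audit is an added example, not code from the thread, from Malwarebytes or from DDS; it reads the effective association from HKCR (the merged view of HKLM\Software\Classes and HKCU\Software\Classes) and reports anything that differs from the stock Vista values. The function name and the -Repair switch are assumptions of this example. Run it from an elevated Windows PowerShell prompt.

```powershell
# Added example: audit (and optionally restore) the .exe file association
# that the MBAM log shows hijacked. Stock values on Vista:
#   HKCR\.exe (default)                = "exefile"   (log: Bad: secfile)
#   HKCR\exefile\shell\open\command    = "%1" %*     (log: secfile\shell\open\command)
#   Policies\Explorer\NoActiveDesktopChanges = 0/absent (log: Bad: 1)
# Function name and -Repair switch are assumed for this example.
function Test-ExeAssociation {
    [CmdletBinding()]
    param([switch]$Repair)

    $exeKey      = 'Registry::HKEY_CLASSES_ROOT\.exe'
    $userExeKey  = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
    $policyKey   = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $goodProgId  = 'exefile'
    $goodCommand = '"%1" %*'
    $findings    = @()

    # 1. Which ProgId does .exe resolve to? Anything but exefile is suspect.
    $progId = (Get-ItemProperty -Path $exeKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { $progId = $goodProgId }   # a missing default behaves like exefile
    if ($progId -ne $goodProgId) {
        $findings += "HKCR\.exe points to '$progId' instead of '$goodProgId'"
    }

    # 2. A per-user override in HKCU\Software\Classes wins over HKLM; malware
    #    running as the user can plant it without admin rights.
    if (Test-Path $userExeKey) {
        $findings += 'per-user override HKCU\Software\Classes\.exe exists'
    }

    # 3. What actually runs when the resolved ProgId is opened?
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($command -ne $goodCommand) {
        $findings += "$progId\shell\open\command is '$command' instead of '$goodCommand'"
    }

    # 4. Display-properties lockdown policy seen in the log.
    $noChanges = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).NoActiveDesktopChanges
    if ($noChanges -eq 1) {
        $findings += 'NoActiveDesktopChanges policy is set to 1'
    }

    if ($findings.Count -eq 0) {
        Write-Output '.exe association looks normal.'
        return $true
    }
    $findings | ForEach-Object { Write-Warning $_ }

    if ($Repair) {
        # Restore stock values. Do this only after the rogue binary itself has
        # been removed, otherwise it simply re-applies the hijack at next start.
        if (Test-Path $userExeKey) { Remove-Item -Path $userExeKey -Recurse -Force }
        Set-ItemProperty -Path $exeKey -Name '(default)' -Value $goodProgId
        $goodCmdKey = "Registry::HKEY_CLASSES_ROOT\$goodProgId\shell\open\command"
        New-Item -Path $goodCmdKey -Force | Out-Null
        Set-ItemProperty -Path $goodCmdKey -Name '(default)' -Value $goodCommand
        if ($noChanges -eq 1) {
            Set-ItemProperty -Path $policyKey -Name 'NoActiveDesktopChanges' -Value 0
        }
        Write-Output 'Restored the default .exe association.'
    }
    return $false
}

Test-ExeAssociation
```

Run it without -Repair first to see what it finds; the function returns $true when all four checks pass, so it can also be scheduled as a quick post-cleanup regression check on the machine.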

0

Here is an AVG log of a scan I just ran, I don't have anything from when it removed the trojans. Now what's interesting about this is that the files listed also froze MBA-M when I was running it. What am I supposed to do with them, though, since there is no option to remove them?

Scan "Scan whole computer" was finished.
Information;"8"
Folders selected for scanning:;"Scan whole computer"
Scan started:;"Friday, April 02, 2010, 7:44:22 PM"
Scan finished:;"Friday, April 02, 2010, 8:05:28 PM (21 minute(s) 6 second(s))"
Total object scanned:;"785037"
User who launched the scan:;"Kim"

Information
File;"Information";"Result"
C:\Users\Kim\Downloads\R214419.exe;"The file is signed with a broken digital signature, issued by: Dell Inc.";""
C:\Users\Kim\Downloads\R210199.exe;"The file is signed with a broken digital signature, issued by: Dell Inc.";""
C:\Users\Kim\Downloads\R200064.exe;"The file is signed with a broken digital signature, issued by: Dell Inc.";""
C:\Users\Kim\Downloads\R192750.exe;"The file is signed with a broken digital signature, issued by: Dell Inc.";""
C:\Users\Kim\Downloads\R182065.exe;"The file is signed with a broken digital signature, issued by: Dell Inc.";""
C:\Users\Kim\Downloads\R156757.exe;"The file is signed with a broken digital signature, issued by: Dell Inc.";""
C:\Users\Kim\Downloads\DELL_REMOTE-ACCESS_A06_R218808.exe;"The file is signed with a broken digital signature, issued by: Dell Inc.";""
C:\Users\Kim\Downloads\Conexant_D400-External-USB-5_A01_R157676.exe;"The file is signed with a broken digital signature, issued by: Dell Inc.";""


Here is an AVG log of a scan I just ran; I don't have anything from when it removed the trojans. Now what's interesting about this is that the files listed also froze MBA-M when I was running it. What am I supposed to do with them, though, since there is no option to remove them?

Just navigate to those and delete them manually.
I would imagine you could download those drivers from Dell again if you need to install them again.
No worries deleting them from the downloads folder.

Here's the MBA-M log, I have to look around for the AVG log. I'll change my Java as well. I also deleted the save points in System Recovery, in case the virus was still in there. Should I run another Virus Scan with AVG to see if anything is still on there?

I would recommend running a scan with the Kaspersky Online Scanner 7.0, if you are able to do so.
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.
-- Name the file KAS 1 and choose to save it to the Desktop as a .txt file and then click the Save button.

Please post that for me.

As I mentioned, nothing jumped out at me from the DDS log, but I have been so pressed for time that I may have missed it. Let's see what the Kaspersky scan shows.

Cheers :)
PP


Ok, so the KAS scan report. I really appreciate your help and I understand you have a life outside of the forum, so feel free to take your time.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, April 2, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 64-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, April 02, 2010 23:17:44
Records in database: 3913813
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 171805
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:14:35


File name / Threat / Threats count
C:\Users\Kim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2TEMATF\n008106201318r0409J0b000601Rd81acdb6Wf7f844d9Xff48d7e0Yb4fb4617Z0100f0800[1] Infected: Packed.Win32.Katusha.j 1

Selected area has been scanned.

Edited by FredRock: n/a


Ok, so the KAS scan report. I really appreciate your help and I understand you have a life outside of the forum, so feel free to take your time.

Happy to help!

-- That log looks good.
You can manually delete the suspicious file, or you could run ATF-Cleaner as directed in the link below (steps 2 & 6):
http://www.daniweb.com/forums/thread134865.html

Other than that minor annoyance, and if you are having no further problems, I think you are good to go.

Cheers :)
PP

Edited by PhilliePhan: n/a


Alrighty, file has been deleted! Thank you so much! I was worried I was going to lose the computer in the beginning, but I'm so glad it could be saved with such a simple solution!

Once again I really appreciate you taking time to help me figure this out.


Once again I really appreciate you taking time to help me figure this out.

You're welcome!

I recommend keeping MBAM on hand and every week or two updating the definitions and running a scan.

Cheers :)
PP
