
I have done all in the "Read me first before posting a request". Unfortunately the virus blocks Internet access except the redirect to its site, so I can not post results. Nothing was found with any of the virus programs. Of the three attempts of the GMER sweep, the computer restarted twice and the program stopped on its own once.

On any restart Windows gives a message "XP Security 2011 - Unregistered Version: bpf.exe - Application error". Stopping the bpf under Task Manager processes does stop the pop-ups for a while, but the file eventually restarts. A search for the bpf file finds nothing. Another odd thing is a food talk show now plays continuously over the speakers.

All documents, pictures and videos are hidden. I can see the antivirus programs scan them, but the document folder is empty. The Explorer favorites are empty but Firefox is untouched.

I have logged all that has happened.

What next?

Reg

4 Contributors, 34 Replies, 35 Views, 6 Years Discussion Span, Last Post by afinepoint

What you need to do is to boot into safe mode by pressing F8 just after the BIOS screen and selecting Safe Mode with Networking from the menu. You will need to connect your computer to your router via a network cable, as wireless networking will not work in safe mode.

Stop the bpf.exe process as you did before, then click Start, Run, type regedit into the box and press Enter.
In regedit, click File then Export and save the file somewhere where you will find it easily. Next, click Edit then Find and type bpf.exe into the box. You need to delete all registry entries that relate to that file.
Once done, start Mbam up, update it, and get it to do a full scan and remove all it finds.
Now boot into normal mode and see if you can run all the programs from the removal thread and post all the results.

This is not a fix, but rather a method to get the computer running well enough to get it cleaned properly.


No matter how well it runs at this point, you must post all the logs or it will be back very quickly!


Files removed in registry except Default. Mbam will not run. It will open but when run is selected the program closes. Internet access is still blocked and redirected. The fake antivirus loads and runs displaying its false results. "warnings" still appearing in task bar. Document folder still "empty".

Next idea?

Reg

P.S. Malwarebytes is now running. Had to do an end run. Updated as well.



Malwarebytes found 25 infections and cleaned them. On restart I can make it to the Internet but am still being redirected most of the time. It took three tries to make it here, with redirects through pebble.com.

Explorer favorites is still empty and so is the document folder. I saw pictures and documents being scanned yesterday so where are they?

I have uploaded the GMER and two Mbam files. Somehow I created two.

Let me know what is next since the reply to my question stated to upload or the virus would return. Also to the admin person this thread has not been resolved. I'll post when it is. Thanks,

Reg


Attachments
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6585

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/15/2011 2:41:36 PM
mbam-log-2011-05-15 (14-40-59).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 322563
Time elapsed: 55 minute(s), 12 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
c:\documents and settings\Owner\local settings\application data\bpf.exe (Trojan.FakeAlert.Gen) -> 2684 -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\bpf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\bpf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\bpf.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\bpf.exe" -a "%1" %*) Good: ("%1" %*) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\local settings\application data\bpf.exe (Trojan.FakeAlert.Gen) -> No action taken.
c:\documents and settings\Owner\application data\Sun\Java\deployment\cache\6.0\56\701fd138-1f260e60 (Trojan.FakeAlert.Gen) -> No action taken.
c:\documents and settings\Owner\application data\Sun\Java\deployment\cache\6.0\56\701fd138-25d3bb0a (Trojan.FakeAlert.Gen) -> No action taken.
c:\documents and settings\Owner\application data\Sun\Java\deployment\cache\6.0\24\7ded6258-2086c79b (Spyware.Passwords.XGen) -> No action taken.
c:\documents and settings\Owner\local settings\application data\xik.exe (Trojan.FakeAlert.Gen) -> No action taken.
c:\documents and settings\Owner\local settings\Temp\0.3329785188089751.exe (Spyware.Passwords.XGen) -> No action taken.
c:\documents and settings\Owner\local settings\Temp\0.6074226885438658.exe (Spyware.Passwords.XGen) -> No action taken.
c:\documents and settings\Owner\local settings\Temp\tmpf47f9487\freedom.exe (Trojan.Hijacker) -> No action taken.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP813\A0179710.dll (Trojan.Hiloti) -> No action taken.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP813\A0179711.dll (Trojan.Hiloti) -> No action taken.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP822\A0189132.exe (Trojan.FakeAlert) -> No action taken.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP822\A0189140.exe (Rogue.Installer.Gen) -> No action taken.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP822\A0189144.dll (Trojan.Hiloti) -> No action taken.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP822\A0189145.exe (Rogue.Installer.Gen) -> No action taken.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP822\A0189138.exe (Spyware.Passwords.XGen) -> No action taken.
c:\WINDOWS\system32\spool\prtprocs\w32x86\6451EA.tmp (Trojan.Agent) -> No action taken.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6585

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/15/2011 2:41:48 PM
mbam-log-2011-05-15 (14-41-48).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 322563
Time elapsed: 55 minute(s), 12 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
c:\documents and settings\Owner\local settings\application data\bpf.exe (Trojan.FakeAlert.Gen) -> 2684 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\bpf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\bpf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\bpf.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\bpf.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\local settings\application data\bpf.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\Sun\Java\deployment\cache\6.0\56\701fd138-1f260e60 (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\Sun\Java\deployment\cache\6.0\56\701fd138-25d3bb0a (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\Sun\Java\deployment\cache\6.0\24\7ded6258-2086c79b (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\application data\xik.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\0.3329785188089751.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\0.6074226885438658.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\tmpf47f9487\freedom.exe (Trojan.Hijacker) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP813\A0179710.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP813\A0179711.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP822\A0189132.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP822\A0189140.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP822\A0189144.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP822\A0189145.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP822\A0189138.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\spool\prtprocs\w32x86\6451EA.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
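What the Malwarebytes log above actually records, and why the earlier advice to delete every registry entry that mentions bpf.exe has to be applied with care: the rogue did not add a new autorun entry. It rewrote the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command from "%1" %* to "...\bpf.exe" -a "%1" %*, and did the same to the StartMenuInternet commands for Firefox and Internet Explorer, so every .exe the user launches is started through the rogue, which is consistent with Malwarebytes opening and then closing when started the normal way. Deleting that default value instead of restoring it would leave no program able to start at all; the repair is to put "%1" %* back (the log's "Good:" value). The script below is an added example, not code from the thread or from Malwarebytes: it parses the Bad:/Good: lines, unwraps the "<rogue>" -a <original> wrapper to recover each original command, lists the rogue binaries to kill first, and emits a .reg file that restores the values. The unwrapping rule and the choice to delete the rogue-created HKEY_CLASSES_ROOT\.exe\shell\open\command key are this example's own assumptions, drawn from the Bad/Good pairs in the posted log; the sample input is a constructed subset of those lines.

```python
"""Turn the registry findings in a Malwarebytes 1.50 log into a .reg file that
undoes the rogue's shell hijacks. Added example, not code from the thread or
from Malwarebytes; the '"<rogue>" -a <original>' unwrapping is an assumption
taken from the Bad:/Good: pairs in the posted log."""
import re

# Constructed sample: registry findings copied from the posted log, one of each kind.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\bpf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\bpf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\bpf.exe" -a "%1" %*) Good: ("%1" %*) -> No action taken.
"""

DATA_RE = re.compile(
    r'^(?P<path>HKEY_.+?) \((?P<det>[\w.]+)\) -> Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> ')
VALUE_RE = re.compile(
    r'^(?P<path>HKEY_.+?) \((?P<det>[\w.]+)\) -> Value: \((?P<val>[^)]*)\) -> ')
# The rogue keeps the original command and prepends itself: "<rogue>" -a <original>
WRAPPER_RE = re.compile(r'^"(?P<rogue>[^"]+)" -a (?P<orig>.+)$')


def split_path(path):
    """'HKEY...\\command\\(default)' -> ('HKEY...\\command', '@'); '@' is the .reg default value."""
    key, _, name = path.rpartition('\\')
    return key, ('@' if name == '(default)' else name)


def restore_value(bad, good):
    """Prefer the unwrapped original command (it keeps the full path the
    log's normalised 'Good' value drops); fall back to the Good value."""
    m = WRAPPER_RE.match(bad)
    return m.group('orig') if m else good


def parse_log(text):
    items = []
    for line in text.splitlines():
        m = DATA_RE.match(line)
        if m:
            key, name = split_path(m.group('path'))
            w = WRAPPER_RE.match(m.group('bad'))
            items.append({'key': key, 'name': name, 'detection': m.group('det'),
                          'bad': m.group('bad'),
                          'restore': restore_value(m.group('bad'), m.group('good')),
                          'rogue': w.group('rogue') if w else None, 'delete': False})
            continue
        m = VALUE_RE.match(line)
        if m:
            # A value the rogue created outright has nothing to restore: drop its key
            # (assumption: a plain .exe extension key carries no shell\open\command).
            key, name = split_path(m.group('path'))
            items.append({'key': key, 'name': name, 'detection': m.group('det'),
                          'bad': None, 'restore': None, 'rogue': None, 'delete': True})
    return items


def rogue_binaries(items):
    """Binaries found wrapping a command: terminate these before importing the .reg."""
    return {i['rogue'] for i in items if i['rogue']}


def reg_escape(s):
    """.reg string syntax escapes backslashes and double quotes; % needs nothing."""
    return s.replace('\\', '\\\\').replace('"', '\\"')


def build_reg(items):
    out = ['Windows Registry Editor Version 5.00', '']
    for i in items:
        if i['delete']:
            out += ['[-%s]' % i['key'], '']          # leading '-' deletes the key
            continue
        out.append('[%s]' % i['key'])
        if i['restore'].isdigit():                   # Security Center notify flags
            out.append('"%s"=dword:%08x' % (i['name'], int(i['restore'])))
        else:
            lhs = '@' if i['name'] == '@' else '"%s"' % i['name']
            out.append('%s="%s"' % (lhs, reg_escape(i['restore'])))
        out.append('')
    return '\n'.join(out)


if __name__ == '__main__':
    found = parse_log(SAMPLE_LOG)
    print('kill first:', ', '.join(sorted(rogue_binaries(found))))
    print(build_reg(found))
```

Do the regedit export described earlier before importing the generated file, so there is a rollback, and check the result afterwards with reg query HKCR\exefile\shell\open\command /ve: it should show "%1" %* and nothing else. Note that the log's "Good: (firefox.exe)" is Malwarebytes' normalised form; the value the script writes back is the full command the rogue had wrapped, quoted path and -safe-mode switch included.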

For some reason the GMER log will not upload. The error message says invalid file. So here is a copy and paste:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-05-14 07:39:21
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600JB-00REA0 rev.20.00K20
Running: 48k7ihsc.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwxdyaob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

---- Threads - GMER 1.0.15 ----

Thread System [4:196] 8A320E7A
Thread System [4:200] 8A323008

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RG94XERR\red_shield[1] 3508 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VEHU5ADQ\background_gradient_red[1] 868 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VEHU5ADQ\green_shield[1] 3501 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VEHU5ADQ\red_shield_48[1] 7005 bytes

---- EOF - GMER 1.0.15 ----


One of the infections was a Spyware.Password.Xgen. Should I be concerned about changing my various passwords?


If you have done any online banking or accessed anything like an eBay account, then yes, but change your passwords either by phone or with another computer.

You also need to post your DDS log if you can get it to complete now.



The completed DDS (unzipped) is attached. HijackThis would not upload, so I copied and pasted. Sorry for the mess.

I have not accessed any password-protected site since the issue began. Should I still change all passwords? And how do I make the documents and IE favorites reappear without loading externally?

Thanks for all of your help.

Reg

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:42:18 PM, on 5/15/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NCH Software\BroadCam\broadcam.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Wacom_Tablet.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\WTablet\Wacom_TabletUser.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\Wacom_Tablet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Java\jre6\bin\jucheck.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BroadCam Video Streaming Server (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadcam.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\System32\Wacom_Tablet.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9049 bytes


Attachments
.
DDS (Ver_11-03-05.01) - NTFSx86  
Run by Owner at 19:45:53.31 on Sun 05/15/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2047.1486 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NCH Software\BroadCam\broadcam.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\Wacom_Tablet.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\WTablet\Wacom_TabletUser.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\Wacom_Tablet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Owner\Desktop\Anti-Virus Programs\daniweb ref software\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = localhost;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File
EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [LXCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCJtime.dll,_RunDLLEntry@16
mRun: [lxcjmon.exe] "c:\program files\lexmark 8300 series\lxcjmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 8300 series\ezprint.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\spamsu~1.lnk - c:\program files\intermute\spamsubtract\SpamSubtract.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: SpSubLSP.dll
Trusted Zone: chase.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = :
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ry5hagkl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\ry5hagkl.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: AIM Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: se
0

HJT log? Isn't that what I pasted? Also, re passwords: I could never go anywhere but the fake Microsoft 2011 site. Their doing.

Edited by afinepoint: n/a

0

You must have added the HJT log after I made my previous post. The HJT log is a real mess, quite a few incomplete registry entries.
It shows no evidence of any antivirus software. If you have an antivirus program installed, can you check its status and run a scan with it. If you don't have antivirus software, or you can't get the one you have to work, then you will need to uninstall it and replace it with something like AVG free. http://free.avg.com/us-en/download-free-antivirus

0

You must have added the HJT log after I made my previous post. The HJT log is a real mess, quite a few incomplete registry entries.

That is why I apologized for the mess. Again thanks.

Do you think I can get the documents to reappear or should I just reload? I know they are there; I watched them being scanned.

Seems to me hiding them was part of the virus's scare tactics to get one to buy.

I'll be setting up and scanning with AVG. The BitDefender is out of date.

Reg

0

A full virus scan may well help. If not, I do have 1 more thing to suggest but the virus scan must be done first.

0

I downloaded the AVG and did a full scan. Eleven items found. Four removed, 7 not. I clicked on "remove unhealed items". The screen just blinks, so I don't know if they were removed without doing another scan. On a positive note, the never-ending talk show is gone.

Changing passwords but like I said I never could go anywhere but the virus's site once infected.

Explorer favorites still empty as well as document folder. Fortunately documents and pictures are on a thumb drive.

Would restoring the computer to an earlier date help? I restored while infected but things were still missing.

Reg

0

One more thing to try before attempting a restore as your restore points are more than likely infected.

Uninstall AVG free for now (you can reinstall it later if you wish to keep it).

Then download ComboFix by sUBs from

http://www.bleepingcomputer.com/down...virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

You must download it to and run it from your Desktop.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the program's log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!


Post the combofix log in your next reply.

Edited by Rik_: n/a

0

I don't visit here often, but I spotted this thread and was interested as a tech. If you are being constantly redirected on your searches, I recommend you run TDSS Killer at http://support.kaspersky.com/faq/?qid=208283363. GMER is good when it runs but has a rather high failure rate for running. On the other hand, TDSS Killer is fast and has never failed to run.

Good luck.
Jwack

0

Taking short cut to bleepingcomputers I received:

404 ERROR: Page Not Found!

The requested page http://www.bleepingcomputer.comwww.bleepingcomputer.com/down...virus/combofix could not be found on this server.

Trying to find it by various searches, I kept getting redirected. With no protection I didn't want to continue wandering about the Internet, especially to unrequested sites.

I downloaded the TDSS killer. It downloaded but will not run. When I clicked on RUN the program closes. I had a similar issue with Mbam.

I guess we are done. If there is nothing else I will be reinstalling AVG.

Reg

0

Found, installed and ran Combofix. Will attach results. Got TDSS killer to run. 212 files scanned nothing found.

Where are the documents and pictures???

Thanks for all of the help. I do appreciate it.

Reg

Attachments
ComboFix 11-05-15.04 - Owner 05/16/2011  11:50:55.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2047.1721 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Anti-Virus Programs\daniweb ref software\ComboFix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner\Application Data\Adobe\plugs
c:\documents and settings\Owner\Application Data\Adobe\plugs\mmc645829921.txt
c:\documents and settings\Owner\Application Data\Adobe\shed
c:\documents and settings\Owner\Application Data\Adobe\shed\thr1.chm
c:\documents and settings\Owner\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\Owner\WINDOWS
C:\LOG1CB.tmp
C:\LOG335.tmp
C:\LOG5C.tmp
C:\LOG5D.tmp
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\regobj.dll
c:\windows\system32\spool\prtprocs\w32x86\Ppbiproc.dll
D:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected 
Restored copy from - Kitty had a snack :p 
.
(((((((((((((((((((((((((   Files Created from 2011-04-16 to 2011-05-16  )))))))))))))))))))))))))))))))
.
.
2011-05-16 15:39 . 2011-05-16 15:42	--------	d-----w-	C:\32788R22FWJFW
2011-05-16 11:27 . 2011-05-16 11:27	--------	d-----w-	c:\documents and settings\Owner\Application Data\AVG10
2011-05-16 11:24 . 2011-05-16 11:24	--------	d--h--w-	c:\documents and settings\All Users\Application Data\Common Files
2011-05-16 11:22 . 2011-05-16 15:11	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVG10
2011-05-16 11:22 . 2011-05-16 11:22	--------	d-----w-	c:\program files\AVG
2011-05-16 11:15 . 2011-05-16 15:11	--------	d-----w-	c:\documents and settings\All Users\Application Data\MFAData
2011-05-15 13:33 . 2011-05-15 13:34	--------	d-----w-	c:\documents and settings\Administrator
2011-05-15 11:31 . 2011-05-15 11:31	--------	d-----w-	C:\d479ce53bdcedb49af1ff44a9f
2011-05-13 00:50 . 2011-05-13 00:50	--------	d-----w-	c:\windows\system32\wbem\Repository
2011-05-13 00:50 . 2011-05-13 00:50	--------	d-----w-	c:\documents and settings\Owner\Local Settings\Application Data\{1AB97A5F-9BBD-4DC6-B2BB-DFA872FB50F5}
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2007-07-23 20:44	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2007-07-23 20:47	420864	----a-w-	c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2009-04-06 02:11	1857920	----a-w-	c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2007-07-23 20:44	43520	----a-w-	c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2007-07-23 20:44	1469440	------w-	c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2006-06-23 15:33	916480	----a-w-	c:\windows\system32\wininet.dll
2011-02-22 16:28 . 2011-02-22 16:28	388096	----a-r-	c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-22 11:41 . 2009-01-31 20:25	385024	----a-w-	c:\windows\system32\html.iec
2011-02-17 13:18 . 2009-04-06 02:11	455936	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2009-04-06 02:11	357888	----a-w-	c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-17 02:25	5120	----a-w-	c:\windows\system32\xpsp4res.dll
2009-09-22 15:05 . 2009-09-13 18:39	47104	-c--a-w-	c:\program files\mozilla firefox\components\FFComm.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"WrtMon.exe"="c:\windows\System32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2007-06-29 81920]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"LXCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-11-21 106496]
"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe" [2007-01-30 205744]
"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe" [2007-01-30 103344]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-04-10 151597]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-11 136600]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSubtract.exe [2003-4-10 552960]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-02-16 22:49	149024	-c--a-w-	c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-02-16 22:57	1945960	-c--a-w-	c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BroadCam]
2010-07-30 00:58	1052676	----a-w-	c:\program files\NCH Software\BroadCam\broadcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12	15360	----a-w-	c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2007-01-30 14:35	103344	----a-w-	c:\program files\Lexmark 8300 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 20:08	421160	----a-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-02-25 15:14	2387968	----a-w-	c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcjmon.exe]
2007-01-30 14:32	205744	----a-w-	c:\program files\Lexmark 8300 Series\lxcjmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
2007-06-29 04:43	1474560	----a-w-	c:\windows\system32\nview.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-06-29 04:43	1626112	-c--a-w-	c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
2002-05-28 15:16	86016	-c--a-w-	c:\program files\Visioneer OneTouch\OneTouchMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPWebCap]
2001-10-15 22:16	43008	----a-w-	c:\progra~1\ScanSoft\PAPERP~1\PPWEBCAP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38	421888	----a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2003-04-10 06:36	151597	-c--a-w-	c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-06-24 14:41	247144	----a-w-	c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-02-16 22:45	1169776	-c--a-w-	c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2007-05-11 19:20	2061816	-c--a-w-	c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"Schedule"=2 (0x2)
"SamSs"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"Nla"=3 (0x3)
"mnmsrvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows
0

It was mentioned that the restore drive may be affected. Have I lost the ability to safely restore the computer?

0

Can you now run a FULL scan with Mbam after having updated it and post its log.

We need to get your computer clean before addressing problems like your documents and pictures. Hopefully, Mbam will tell me if your restore points are infected or not!

Edited by Rik_: n/a

0

It looks like combofix removed at least 16 infected files. You should be close to normal now. Run Malwarebytes, Super antispyware, and Spybot search and destroy - all available on the internet.

In regards to your restore points - that was a disinfection not a deletion of your drivers backup.

Also when I disinfect computers I typically turn off system restore, which removes all restore points. These files rarely are repairable after infection and cause many reinfections down the road.

I also see a number of video download sites in your combofix log. These are potentially dangerous sites. If you were a psycho virus builder, where would you place viruses for quick dissemination? In free download sites of course. I would suggest you find alternatives to that.

0

If I may, the TDSSKiller log should always be posted; it has not been. Even if it said it was clean, we need to see that. The HJT log is not necessarily a mess; it is just difficult to read because Word Wrap was on when the log was copied. Plus it is rarely used anyway today. If you read the Read Me First sticky you will not see references to using HiJackThis. The preferred scanner is DDS, and both of its logs were also not posted; both logs produced by DDS should always be copy/pasted as noted in the sticky. We don't want any logs attached here; all should be copy/pasted.
We also don't recommend turning off System Restore due to the power of the various tools to be used. While all are excellent tools, no tool is 100% safe and can occasionally remove something that is key and a good file. The very first thing that Combofix does is create a restore point so that IF an incorrect file is removed then the user will have that point to return to; they are all dated and time stamped so the user will know exactly which one to use if that should be necessary. Files in System Restore are LOCKED up and cannot reinfect a computer unless that infected restore point is used.
Once the computer is deemed clean, then and only then would System Restore be turned off to clear all restore points. Then it would be turned back on so that it will begin with a brand new, clean restore point.
I suggest that everyone posting in this thread go back and fully read and follow all the steps given in the Read Me Sticky because those ARE the steps we wish to be followed.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Edited by jholland1964: n/a

0

Rik,

Here's the Mbam full scan results. It did find a trojan in the restore area and with action taken said it was removed.

Again thank you for all the help.

Log:

Attachments
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6585

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/18/2011 4:44:40 PM
mbam-log-2011-05-18 (16-44-40).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 318926
Time elapsed: 1 hour(s), 20 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{f20dc6c2-5212-4f33-8959-ab7d05d4cdb6}\RP828\A0192851.sys (Rootkit.Patch) -> Quarantined and deleted successfully.
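An added example (not from this thread and not Malwarebytes' own code) that parses the layout of the MBA-M 1.x log posted above: it pulls the database version, the summary counts and the per-category detection lines, then flags any detection that sits inside a System Restore point, lists detections the scanner did not quarantine, cross-checks the summary counts against the listed lines, and compares the database version with a supplied current version number. SAMPLE_LOG is constructed from that layout; the restore-point GUID and the second detection (path and threat name) are placeholders, not values from the thread.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log.

Added example; not from the thread and not Malwarebytes' own code. The layout
(header, summary counts, then one section per category) follows the log
posted above. SAMPLE_LOG is constructed: the restore-point GUID and the second
detection are placeholders, not values from the thread.
"""
import re

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6585

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

Scan type: Full scan (C:\|D:\|)
Objects scanned: 318926
Time elapsed: 1 hour(s), 20 minute(s), 18 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{00000000-0000-0000-0000-000000000000}\RP828\A0192851.sys (Rootkit.Patch) -> Quarantined and deleted successfully.
c:\windows\system32\placeholder-example.dll (Trojan.Placeholder) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# A path inside a System Restore point: \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(
    r"\\system volume information\\_restore\{[^}]+\}\\RP\d+\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return database version, summary counts and a list of detection dicts."""
    report = {"database": None, "summary": {}, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version:"):
            report["database"] = int(line.split(":", 1)[1])
            continue
        m = SUMMARY_RE.match(line)
        if m:  # summary block, e.g. "Files Infected: 2"
            report["summary"][m.group("category")] = int(m.group("count"))
            continue
        if line.endswith(" Infected:"):  # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        if line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            report["detections"].append({
                "section": section, "path": m.group("path"),
                "threat": m.group("threat"), "action": m.group("action")})
    return report


def restore_point_detections(report):
    """Detections that live inside a System Restore point (RPnnn folders)."""
    return [d for d in report["detections"] if RESTORE_POINT_RE.search(d["path"])]


def unresolved_detections(report):
    """Detections the scanner reported but did not quarantine."""
    return [d for d in report["detections"]
            if not d["action"].lower().startswith("quarantined")]


def summary_matches_detail(report):
    """Cross-check the summary counts against the detection lines actually listed."""
    listed = {}
    for d in report["detections"]:
        listed[d["section"]] = listed.get(d["section"], 0) + 1
    expected = {sec: n for sec, n in report["summary"].items() if n}
    return listed == expected


def database_is_current(report, latest_database):
    """True when the log's signature database is at least `latest_database`."""
    return report["database"] is not None and report["database"] >= latest_database


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("database", rep["database"], "current:", database_is_current(rep, 6612))
    for d in restore_point_detections(rep):
        print("restore point hit:", d["path"], d["threat"])
    for d in unresolved_detections(rep):
        print("NOT cleaned:", d["path"], d["action"])
```

A restore-point hit means the infected driver is parked inside System Volume Information, where it cannot run unless that restore point is rolled back to, so the script separates it from live detections; the "not quarantined" list is what still needs attention after a scan.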
0

Rik,

Here's the Mbam full scan results. It did find a trojan in the restore area and with action taken said it was removed.

Again thank you for all the help.

Log:

Again I quote from the Read Me First Sticky:
When you post your request for assistance, please be sure to submit (Copy & Paste, not as an attachment unless requested)
You also have NOT posted the TDSSKiller log; this is a MUST.

You also did not update MBA-M prior to this latest scan. It still shows the same database that was showing in your first post of the log, Database version: 6585. Current database is 6612. You must always update MBA-M prior to each and every scan, even those run on the same day. They release updates multiple times daily.

0

Ah. I'll look again. Before running the scan I went to the site and verified I had the current version. I didn't know it changed so often. Still I am pleased it found the restore trojan which it had not before.

TDSSKiller scanned 212 files but found nothing. Per request I'll look for the log and post it.

On restart I still receive the eternal message "Windows Registry Recovery. One of the files containing system Registry data had to be recovered by use of a log or alternate copy. The recovery was successful."

So . . . am I safe to attempt a (another) restore? Still looking for the "lost" documents.

Edited by afinepoint: n/a

0

Malwarebytes' Anti-Malware is updated via the program itself, not by going to their website. Open the program, go to the update tab, and click the Check for Updates button. If there are updates they will be downloaded and installed; if there are no updates you will receive a message that you have the latest version.

Nowhere in this thread did you previously post anything about constantly receiving this message:
"Windows Registry Recovery. One of the files containing system Registry data had to be recovered by use of a log or alternate copy. The recovery was successful."

Do you have an operating system reinstall disk? There is a good chance that by incorrectly doing the registry edit that you have damaged key files and this is why you are receiving this message.

0

Thank you regarding the Malware update methodology.

As for the Windows Registry Recovery message, I don't think anything done here has harmed any files. I have been receiving that message for a long time. Perhaps I should not have posted about it since I don't want it to become a distraction; however, I thought maybe it might mean something here and did not want to "keep any secrets", so I mentioned it.

I do have recovery disks made years ago.

TDSSKiller file:
2011/05/16 12:09:45.0937 0936 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/16 12:09:46.0421 0936 ================================================================================
2011/05/16 12:09:46.0421 0936 SystemInfo:
2011/05/16 12:09:46.0421 0936
2011/05/16 12:09:46.0421 0936 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/16 12:09:46.0421 0936 Product type: Workstation
2011/05/16 12:09:46.0421 0936 ComputerName: YOUR-O0KWKW9JWC
2011/05/16 12:09:46.0421 0936 UserName: Owner
2011/05/16 12:09:46.0421 0936 Windows directory: C:\WINDOWS
2011/05/16 12:09:46.0421 0936 System windows directory: C:\WINDOWS
2011/05/16 12:09:46.0421 0936 Processor architecture: Intel x86
2011/05/16 12:09:46.0421 0936 Number of processors: 2
2011/05/16 12:09:46.0421 0936 Page size: 0x1000
2011/05/16 12:09:46.0421 0936 Boot type: Normal boot
2011/05/16 12:09:46.0421 0936

0

So . . . am I safe to attempt a (another) restore? Still looking for the "lost" documents.

System Restore actually operates only on a very few system files and settings. System Restore backs up your registry. System Restore does not back up your data. If you delete or damage a file, System Restore will not recover it. System Restore does not keep old copies of your files or documents. If the documents are gone then likely they are gone.

That is not a full TDSSKiller log. It is only the beginning of the log, which gives system information. Each and every log would show pretty much the same thing because the scan had not yet even initialized or begun to scan. The next line would read: Initialize success, followed by Scan started Mode: Manual; with the date and times noted, followed by a long list of files scanned, ending with Scan finished and then a listing of what was found.

You should have mentioned in your very first post about this Windows Registry Recovery message. This message shows there has been registry damage at sometime in the past.

Since we now know that there was a problem with the registry prior to your making a post and beginning these steps, I think your best bet to get a good working computer is to reformat and reload the system.

Edited by jholland1964: n/a
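An added example (not from this thread and not Kaspersky's code) that checks whether a pasted TDSSKiller log is complete, using the line layout of the partial log posted above (date, time, process id, message) and the phase markers the reply above says a full log contains: "Initialize success", then "Scan started", a run of scanned entries, and "Scan finished" followed by the results. HEADER_ONLY reproduces the posted header layout; FULL_LOG is a constructed continuation whose driver entries and result line are placeholders, not real TDSSKiller output.

```python
"""Check whether a TDSSKiller text log is complete.

Added example; not from the thread and not Kaspersky's code. The line layout
(date time pid message) follows the partial log posted above, and the phase
markers "Initialize success", "Scan started", "Scan finished" are the ones the
reply above says a full log contains. Both samples below are constructed; the
driver entries and the result line are placeholders, not real TDSSKiller output.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s*(?P<msg>.*)$")

# Header only: the same layout as the log posted above (constructed copy).
HEADER_ONLY = """2011/05/16 12:09:45.0937 0936 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/16 12:09:46.0421 0936 ================================================================================
2011/05/16 12:09:46.0421 0936 SystemInfo:
2011/05/16 12:09:46.0421 0936
2011/05/16 12:09:46.0421 0936 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/16 12:09:46.0421 0936 Boot type: Normal boot
2011/05/16 12:09:46.0421 0936
"""

# Constructed continuation: markers as described in the reply, placeholder entries.
FULL_LOG = HEADER_ONLY + r"""2011/05/16 12:09:47.0000 0936 Initialize success
2011/05/16 12:10:01.0000 0936 Scan started
2011/05/16 12:10:01.0000 0936 Mode: Manual;
2011/05/16 12:10:02.0000 0936 example_driver_1  C:\WINDOWS\system32\DRIVERS\example1.sys
2011/05/16 12:10:02.0000 0936 example_driver_2  C:\WINDOWS\system32\DRIVERS\example2.sys
2011/05/16 12:10:03.0000 0936 example_driver_3  C:\WINDOWS\system32\DRIVERS\example3.sys
2011/05/16 12:10:30.0000 0936 Scan finished
2011/05/16 12:10:30.0000 0936 ================================================================================
2011/05/16 12:10:30.0000 0936 Detected object count: 0
"""


@dataclass
class TdssLogReport:
    tool_banner: str = ""
    initialized: bool = False
    scan_started: bool = False
    scan_finished: bool = False
    scanned_entries: int = 0
    result_lines: list = field(default_factory=list)
    malformed_lines: int = 0

    @property
    def complete(self):
        return self.initialized and self.scan_started and self.scan_finished


def parse_tdsskiller_log(text):
    """Walk the log once, tracking which phase (header / scan / results) each line is in."""
    rep = TdssLogReport()
    phase = "header"
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            if raw.strip():          # non-empty line that is not in the log format
                rep.malformed_lines += 1
            continue
        msg = m.group("msg").strip()
        if not msg or set(msg) == {"="}:   # blank message or a separator rule
            continue
        if not rep.tool_banner:          # first message line is the tool/version banner
            rep.tool_banner = msg
        if msg.startswith("Initialize success"):
            rep.initialized = True
        elif msg.startswith("Scan started"):
            rep.scan_started = True
            phase = "scan"
        elif msg.startswith("Scan finished"):
            rep.scan_finished = True
            phase = "results"
        elif phase == "scan" and not msg.startswith("Mode:"):
            rep.scanned_entries += 1     # one scanned object per line
        elif phase == "results":
            rep.result_lines.append(msg)  # whatever the tool reports after the scan
    return rep


def log_status(text):
    """One-line verdict a helper could reply with before asking for a re-run."""
    rep = parse_tdsskiller_log(text)
    if rep.complete:
        return "complete: %d entries scanned, %d result line(s)" % (
            rep.scanned_entries, len(rep.result_lines))
    if not rep.initialized:
        return "incomplete: scan never initialized (header only)"
    if not rep.scan_started:
        return "incomplete: initialized but scan never started"
    return "incomplete: scan started but never finished (%d entries so far)" % rep.scanned_entries


if __name__ == "__main__":
    print(log_status(HEADER_ONLY))
    print(log_status(FULL_LOG))
```

The header-only case is exactly the situation in the thread: the posted text matches the line format, so it is a genuine TDSSKiller log, but no "Initialize success" or "Scan started" marker ever appears, so nothing was scanned and the log says nothing about the machine.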

0

Thank you.

Documents including pictures - barring a few are backed up on a thumb drive. I'm guessing the area that contained the IE favorites is lost forever which is no big deal. Sort of like cleaning out the attic.

What is odd, as I mentioned before, is that I watched one of the anti-virus scans going through my pictures. So where are they? Also, Word will open several documents that it has to be pulling from somewhere.

I have filled six small legal pads with every glitch, issue and concern I have had with this computer from day one. I could tell you the date and situation when the registry message first appeared, but I digress.

I'll try to do a proper TDSSkiller scan. I had a problem getting it to scan. It and the Mbam would close when I tried to initiate the scan process. It took persistence to get them to run.

Reformatting will take some thought. This is an atom bomb which will be the death for some programs and data not saved on the flash drive.

Perhaps I can install a new drive, format it and make this one a slave.

Much appreciation to all.

Edited by afinepoint: n/a

0

You can do a search on the computer for .jpg files or whatever type of image extensions you use. Do the same for Word files, you may be able to find them all if you want to try. If you saved all in specific folders then you possibly could find the entire folders.
