Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Fake AV + more

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Fake AV + more

Unread postby markcarr » March 15th, 2011, 4:46 pm

I'm trying to help a friend, who suddenly started having pop-ups about his computer being infected, etc. They disable the running of anything else. Also on startup now, there are two popups about being unable to find dll's (dbldogl.dll & iniwipezupe.dll); there were exe files with the same name in the temp folder.
I took the hard drive out of his machine, attached it to mine via USB, and scanned it. MS Security Essentials found and removed two Java exploits (exploit:Java/CVE-2010-0094.CR and the same number ending with .BI). Malwarebytes and Super AntiSpyware portable found nothing.
When I put the drive back, the virus is still there. After some research and scanning, I find he has a version of Vundo, find a removal tool, and remove it.
Today I spent some time trying to get the machine to boot, but I think I have all the malware gone. In addition to the DDS logs I have a combofix log, if you need it.

Here's DDS.txt:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by TonyH at 14:28:06.21 on Tue 03/15/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.991.617 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\TonyH\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource= ... =CT2077543
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTog1.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTog1.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Encarta Web Companion Helper Object: {955be0b8-bc85-4caf-856e-8e0d8b610560} - c:\program files\common files\microsoft shared\encarta web companion\ENCWCBAR.DLL
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
TB: Encarta Web Companion: {147d6308-0614-4112-89b1-31402f9b82c4} - c:\program files\common files\microsoft shared\encarta web companion\ENCWCBAR.DLL
TB: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTog1.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TrayServer] c:\program files\magix\movie_edit_pro_14_plus_download_version\TrayServer.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {DA320635-F48C-4613-8325-D75A933C549E} - c:\program files\lenovo\system update\sulauncher.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\tonyh\applic~1\mozilla\firefox\profiles\xa87zfec.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://skateboarding.transworld.net/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... ource=2&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\docume~1\tonyh\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\tonyh\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2006-7-14 3968]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2008-9-6 1527900]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-12-30 223128]
.
=============== Created Last 30 ================
.
2011-03-15 19:22:52 98816 ----a-w- c:\windows\sed.exe
2011-03-15 19:22:52 89088 ----a-w- c:\windows\MBR.exe
2011-03-15 19:22:52 256512 ----a-w- c:\windows\PEV.exe
2011-03-15 19:22:52 161792 ----a-w- c:\windows\SWREG.exe
2011-03-15 19:19:19 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-03-15 19:19:16 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-03-15 19:19:12 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-03-15 19:19:08 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-03-15 19:19:05 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-03-15 19:19:00 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-03-15 19:17:57 64605 ----a-w- c:\windows\system32\dllcache\vvoice.sys
2011-03-15 19:16:58 28160 ----a-w- c:\windows\system32\dllcache\umaxu40.dll
2011-03-15 19:15:57 82432 ----a-w- c:\windows\system32\dllcache\tp4mon.exe
2011-03-15 19:14:57 10240 ----a-w- c:\windows\system32\dllcache\swpidflt.dll
2011-03-15 19:13:57 7168 ----a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2011-03-15 19:12:59 238592 ----a-w- c:\windows\system32\dllcache\sisgrv.dll
2011-03-15 19:11:59 23936 ----a-w- c:\windows\system32\dllcache\sccmusbm.sys
2011-03-15 19:10:59 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys
2011-03-15 19:09:57 17792 ----a-w- c:\windows\system32\dllcache\ppa.sys
2011-03-15 19:08:58 25216 ----a-w- c:\windows\system32\dllcache\ovsound2.sys
2011-03-15 19:07:58 87040 ----a-w- c:\windows\system32\dllcache\nm6wdm.sys
2011-03-15 19:06:58 452736 ----a-w- c:\windows\system32\dllcache\mtxparhm.sys
2011-03-15 19:05:59 58368 ----a-w- c:\windows\system32\dllcache\m3091dc.dll
2011-03-15 19:04:58 5632 ----a-w- c:\windows\system32\dllcache\kbd103.dll
2011-03-15 19:03:59 100936 ----a-w- c:\windows\system32\dllcache\ibmtok.sys
2011-03-15 19:02:59 68608 ----a-w- c:\windows\system32\dllcache\hpgt53tk.dll
2011-03-15 19:01:58 444416 ----a-w- c:\windows\system32\dllcache\fpcibase.sys
2011-03-15 19:00:59 283904 ----a-w- c:\windows\system32\dllcache\emu10k1m.sys
2011-03-15 18:59:59 65622 ----a-w- c:\windows\system32\dllcache\digiasyn.dll
2011-03-15 18:58:59 119296 ----a-w- c:\windows\system32\dllcache\camext30.dll
2011-03-15 18:57:59 30671 ----a-w- c:\windows\system32\dllcache\ati1raxx.sys
2011-03-15 06:36:00 -------- d-----w- C:\VundoFix Backups
2011-03-14 18:00:28 -------- d-----w- c:\docume~1\tonyh\applic~1\SUPERAntiSpyware.com
2011-03-14 18:00:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-06 15:18:35 -------- d-----w- c:\program files\iPod
2011-03-06 15:18:20 -------- d-----w- c:\program files\iTunes
2011-02-21 03:18:19 -------- d-----w- c:\docume~1\tonyh\applic~1\Need for Speed World
2011-02-21 02:47:58 -------- d-----w- c:\docume~1\tonyh\locals~1\applic~1\Electronic_Arts_Inc
2011-02-21 02:44:46 -------- d--h--w- c:\windows\msdownld.tmp
2011-02-21 02:44:43 -------- d-----w- c:\windows\Logs
2011-02-21 02:44:30 -------- d-----w- C:\Need For Speed World
2011-02-21 02:44:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Electronic Arts
.
==================== Find3M ====================
.
2011-03-13 14:32:17 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2011-02-18 22:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-12-23 17:50:46 0 ----a-w- c:\windows\Jloxehafi.bin
.
============= FINISH: 14:28:43.79 ===============

and here's attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/25/2006 4:41:12 PM
System Uptime: 3/15/2011 1:52:49 PM (1 hours ago)
.
Motherboard: LENOVO | | LENOVO
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket A | 2008/mhz
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket A | 2008/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 228 GiB total, 127.024 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA GeForce 6100
Device ID: PCI\VEN_10DE&DEV_0242&SUBSYS_101717AA&REV_A2\3&13C0B0C5&0&28
Manufacturer: NVIDIA
Name: NVIDIA GeForce 6100
PNP Device ID: PCI\VEN_10DE&DEV_0242&SUBSYS_101717AA&REV_A2\3&13C0B0C5&0&28
Service: nv
.
==== System Restore Points ===================
.
RP1: 3/15/2011 12:53:29 PM - System Checkpoint
RP2: 3/15/2011 12:53:50 PM - 1
.
==== Installed Programs ======================
.
Access Help
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Creative Suite 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Illustrator CS2
Adobe Photoshop CS2
Adobe Reader 7.0
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVS DVDMenu Editor 1.2.1.19
AVS Video Editor 3.5
AVS4YOU Software Navigator 1.2
Bonjour
Civilization III
Digital Photo Navigator 1.5
DivX Web Player
EPSON Printer Software
Firebird SQL Server - MAGIX Edition
Ghost Droolik Screen Saver
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB894686)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB898456)
Hotfix for Windows XP (KB910728)
HSF2014 56K Data Fax Modem
InterActual Player
InterVideo WinDVD
InterVideo WinDVD Creator 3
IS-DV
iTunes
Jahshaka
Lenovo Care
Lenovo Care Supplement
Lenovo Care System Update Toolbar Button for IE
MAGIX Movie Edit Pro 14 PLUS Trial 7.5.2.12 (US)
MAGIX Screenshare 4.3.6.1987 (US)
MAGIX Xtreme Photo Designer 6 6.0.24.0 (US)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Student 2006 DVD
Microsoft Student Graphing Calculator
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mouse Suite
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 Parser and SDK
Need For Speed™ World
NVIDIA Drivers
OpenLibraries
PowerDirector
PowerProducer Express
QuickTime
QuickTime 3.0
Rescue and Recovery
Roxio Digital Media LE
Roxio Express Labeler
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Sansa Media Converter
Screen Recorder Gold
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918439)
Sonic Icons for Lenovo
Sonic Update Manager
SoundMAX
Suite Specific
System Update
TBS WMP Plug-in
The Weather Channel Desktop 6
The Weather Channel Toolbar
ThinkVantage Technologies Welcome Message
ToggleEN Toolbar
Ulead Photo Explorer 8.0 SE Basic
Ulead Photo Express 5 SE
Update for Windows XP (KB912945)
Vegas Movie Studio 9.0
Wallpapers
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB883517
Windows XP Hotfix - KB883523
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB884868
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885894
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889315
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB896613
XP Themes
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! ¤u¨ã¦C
Zoo Tycoon 2
.
==== Event Viewer Messages From Past Week ========
.
3/8/2011 3:26:01 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
3/15/2011 12:57:18 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
3/15/2011 1:53:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL sptd
3/15/2011 1:19:20 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
3/15/2011 1:08:21 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\drivers\nv4_mini.sys has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.5673.
3/15/2011 1:08:20 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\nv4_disp.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.5673.
3/15/2011 1:08:20 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\drivers\nv4_mini.sys has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.8415.
3/15/2011 1:08:19 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\nv4_disp.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.8415.
3/14/2011 6:33:29 PM, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).
3/14/2011 4:31:14 PM, error: Service Control Manager [7034] - The TVT Scheduler service terminated unexpectedly. It has done this 1 time(s).
3/14/2011 4:31:09 PM, error: Service Control Manager [7034] - The ThinkVantage Registry Monitor Service service terminated unexpectedly. It has done this 1 time(s).
3/14/2011 4:31:04 PM, error: Service Control Manager [7034] - The TVT Backup Service service terminated unexpectedly. It has done this 1 time(s).
3/14/2011 4:31:04 PM, error: Service Control Manager [7034] - The System Update service terminated unexpectedly. It has done this 1 time(s).
3/14/2011 4:31:04 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
3/14/2011 4:31:04 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
3/14/2011 11:48:31 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/14/2011 11:35:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
3/14/2011 11:35:37 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2011 11:35:37 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2011 11:35:37 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2011 11:35:37 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2011 11:35:37 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2011 11:35:37 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2011 11:34:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/14/2011 1:01:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips Processor SASDIFSV SASKUTIL
.
==== End Of File ===========================
markcarr
Active Member
 
Posts: 4
Joined: March 15th, 2011, 4:33 pm
Advertisement
Register to Remove

Re: Fake AV + more

Unread postby Carolyn » March 15th, 2011, 7:39 pm

I am looking over your logs and will post back shortly.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Fake AV + more

Unread postby Carolyn » March 15th, 2011, 7:56 pm

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems.

Please do not run any other tool untill instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

=================================

Download and Run a Diagnostic Tool (MGADiag.exe) from here and save this to your desktop.
http://go.microsoft.com/fwlink/?linkid=56062
* Double-click on MGADiag.exe
* When the program has finished, click on the Validation tab and then click on Copy to Clipboard.
* Please post the results in your next reply.

=================================

Download CKScanner from here
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

=================================

Please post the following:
  • The MGADiag log
  • CKFiles.txt
  • The ComboFix log

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Fake AV + more

Unread postby markcarr » March 16th, 2011, 1:18 pm

MGADIAG Log:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-Q89DP-Q8QK8-VF2B8
Windows Product Key Hash: b8ke7thlkNj7yyHBhLmcdr6K2MI=
Windows Product ID: 76477-OEM-2111907-00107
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {F9C9F232-33D7-4F0B-8194-2EE4C02B1E7C}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Home and Student 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: N/A, hr=0x80070002
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{F9C9F232-33D7-4F0B-8194-2EE4C02B1E7C}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-VF2B8</PKey><PID>76477-OEM-2111907-00107</PID><PIDType>2</PIDType><SID>S-1-5-21-2385160532-3668456250-3184165893</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>738726U</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>2NKT17AUS</Version><SMBIOSVersion major="2" minor="33"/><Date>20060811000000.000000+000</Date><SLPBIOS>LENOVO,LENOVO</SLPBIOS></BIOS><HWID>92CE3F770184C068</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Lenovo</name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><Val>95F30F0CEB42F26</Val><Hash>VZdYRvU7LDJxgkcLbjXrf4UgZVE=</Hash><Pid>81602-915-2408115-68489</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 13F5F:IBM|168D0:Legend (Beijing) limited|FD34:Lenovo
Marker string from OEMBIOS.DAT: LENOVO,LENOVO

OEM Activation 2.0 Data-->
N/A
-------------------------------
CKFiles Log:
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----
-----------------------------------
COMBOFIX DDS
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by TonyH at 14:28:06.21 on Tue 03/15/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.991.617 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\TonyH\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource= ... =CT2077543
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTog1.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTog1.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Encarta Web Companion Helper Object: {955be0b8-bc85-4caf-856e-8e0d8b610560} - c:\program files\common files\microsoft shared\encarta web companion\ENCWCBAR.DLL
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
TB: Encarta Web Companion: {147d6308-0614-4112-89b1-31402f9b82c4} - c:\program files\common files\microsoft shared\encarta web companion\ENCWCBAR.DLL
TB: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTog1.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TrayServer] c:\program files\magix\movie_edit_pro_14_plus_download_version\TrayServer.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {DA320635-F48C-4613-8325-D75A933C549E} - c:\program files\lenovo\system update\sulauncher.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\tonyh\applic~1\mozilla\firefox\profiles\xa87zfec.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://skateboarding.transworld.net/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... ource=2&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\docume~1\tonyh\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\tonyh\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2006-7-14 3968]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2008-9-6 1527900]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-12-30 223128]
.
=============== Created Last 30 ================
.
2011-03-15 19:22:52 98816 ----a-w- c:\windows\sed.exe
2011-03-15 19:22:52 89088 ----a-w- c:\windows\MBR.exe
2011-03-15 19:22:52 256512 ----a-w- c:\windows\PEV.exe
2011-03-15 19:22:52 161792 ----a-w- c:\windows\SWREG.exe
2011-03-15 19:19:19 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-03-15 19:19:16 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-03-15 19:19:12 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-03-15 19:19:08 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-03-15 19:19:05 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-03-15 19:19:00 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-03-15 19:17:57 64605 ----a-w- c:\windows\system32\dllcache\vvoice.sys
2011-03-15 19:16:58 28160 ----a-w- c:\windows\system32\dllcache\umaxu40.dll
2011-03-15 19:15:57 82432 ----a-w- c:\windows\system32\dllcache\tp4mon.exe
2011-03-15 19:14:57 10240 ----a-w- c:\windows\system32\dllcache\swpidflt.dll
2011-03-15 19:13:57 7168 ----a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2011-03-15 19:12:59 238592 ----a-w- c:\windows\system32\dllcache\sisgrv.dll
2011-03-15 19:11:59 23936 ----a-w- c:\windows\system32\dllcache\sccmusbm.sys
2011-03-15 19:10:59 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys
2011-03-15 19:09:57 17792 ----a-w- c:\windows\system32\dllcache\ppa.sys
2011-03-15 19:08:58 25216 ----a-w- c:\windows\system32\dllcache\ovsound2.sys
2011-03-15 19:07:58 87040 ----a-w- c:\windows\system32\dllcache\nm6wdm.sys
2011-03-15 19:06:58 452736 ----a-w- c:\windows\system32\dllcache\mtxparhm.sys
2011-03-15 19:05:59 58368 ----a-w- c:\windows\system32\dllcache\m3091dc.dll
2011-03-15 19:04:58 5632 ----a-w- c:\windows\system32\dllcache\kbd103.dll
2011-03-15 19:03:59 100936 ----a-w- c:\windows\system32\dllcache\ibmtok.sys
2011-03-15 19:02:59 68608 ----a-w- c:\windows\system32\dllcache\hpgt53tk.dll
2011-03-15 19:01:58 444416 ----a-w- c:\windows\system32\dllcache\fpcibase.sys
2011-03-15 19:00:59 283904 ----a-w- c:\windows\system32\dllcache\emu10k1m.sys
2011-03-15 18:59:59 65622 ----a-w- c:\windows\system32\dllcache\digiasyn.dll
2011-03-15 18:58:59 119296 ----a-w- c:\windows\system32\dllcache\camext30.dll
2011-03-15 18:57:59 30671 ----a-w- c:\windows\system32\dllcache\ati1raxx.sys
2011-03-15 06:36:00 -------- d-----w- C:\VundoFix Backups
2011-03-14 18:00:28 -------- d-----w- c:\docume~1\tonyh\applic~1\SUPERAntiSpyware.com
2011-03-14 18:00:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-06 15:18:35 -------- d-----w- c:\program files\iPod
2011-03-06 15:18:20 -------- d-----w- c:\program files\iTunes
2011-02-21 03:18:19 -------- d-----w- c:\docume~1\tonyh\applic~1\Need for Speed World
2011-02-21 02:47:58 -------- d-----w- c:\docume~1\tonyh\locals~1\applic~1\Electronic_Arts_Inc
2011-02-21 02:44:46 -------- d--h--w- c:\windows\msdownld.tmp
2011-02-21 02:44:43 -------- d-----w- c:\windows\Logs
2011-02-21 02:44:30 -------- d-----w- C:\Need For Speed World
2011-02-21 02:44:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Electronic Arts
.
==================== Find3M ====================
.
2011-03-13 14:32:17 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2011-02-18 22:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-12-23 17:50:46 0 ----a-w- c:\windows\Jloxehafi.bin
.
============= FINISH: 14:28:43.79 ===============

COMBOFIX ATTACH:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/25/2006 4:41:12 PM
System Uptime: 3/15/2011 1:52:49 PM (1 hours ago)
.
Motherboard: LENOVO | | LENOVO
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket A | 2008/mhz
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket A | 2008/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 228 GiB total, 127.024 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA GeForce 6100
Device ID: PCI\VEN_10DE&DEV_0242&SUBSYS_101717AA&REV_A2\3&13C0B0C5&0&28
Manufacturer: NVIDIA
Name: NVIDIA GeForce 6100
PNP Device ID: PCI\VEN_10DE&DEV_0242&SUBSYS_101717AA&REV_A2\3&13C0B0C5&0&28
Service: nv
.
==== System Restore Points ===================
.
RP1: 3/15/2011 12:53:29 PM - System Checkpoint
RP2: 3/15/2011 12:53:50 PM - 1
.
==== Installed Programs ======================
.
Access Help
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Creative Suite 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Illustrator CS2
Adobe Photoshop CS2
Adobe Reader 7.0
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVS DVDMenu Editor 1.2.1.19
AVS Video Editor 3.5
AVS4YOU Software Navigator 1.2
Bonjour
Civilization III
Digital Photo Navigator 1.5
DivX Web Player
EPSON Printer Software
Firebird SQL Server - MAGIX Edition
Ghost Droolik Screen Saver
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB894686)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB898456)
Hotfix for Windows XP (KB910728)
HSF2014 56K Data Fax Modem
InterActual Player
InterVideo WinDVD
InterVideo WinDVD Creator 3
IS-DV
iTunes
Jahshaka
Lenovo Care
Lenovo Care Supplement
Lenovo Care System Update Toolbar Button for IE
MAGIX Movie Edit Pro 14 PLUS Trial 7.5.2.12 (US)
MAGIX Screenshare 4.3.6.1987 (US)
MAGIX Xtreme Photo Designer 6 6.0.24.0 (US)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Student 2006 DVD
Microsoft Student Graphing Calculator
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mouse Suite
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 Parser and SDK
Need For Speed™ World
NVIDIA Drivers
OpenLibraries
PowerDirector
PowerProducer Express
QuickTime
QuickTime 3.0
Rescue and Recovery
Roxio Digital Media LE
Roxio Express Labeler
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Sansa Media Converter
Screen Recorder Gold
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918439)
Sonic Icons for Lenovo
Sonic Update Manager
SoundMAX
Suite Specific
System Update
TBS WMP Plug-in
The Weather Channel Desktop 6
The Weather Channel Toolbar
ThinkVantage Technologies Welcome Message
ToggleEN Toolbar
Ulead Photo Explorer 8.0 SE Basic
Ulead Photo Express 5 SE
Update for Windows XP (KB912945)
Vegas Movie Studio 9.0
Wallpapers
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB883517
Windows XP Hotfix - KB883523
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB884868
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885894
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889315
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB896613
XP Themes
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! ¤u¨ã¦C
Zoo Tycoon 2
.
==== Event Viewer Messages From Past Week ========
.
3/8/2011 3:26:01 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
3/15/2011 12:57:18 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
3/15/2011 1:53:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL sptd
3/15/2011 1:19:20 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
3/15/2011 1:08:21 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\drivers\nv4_mini.sys has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.5673.
3/15/2011 1:08:20 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\nv4_disp.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.5673.
3/15/2011 1:08:20 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\drivers\nv4_mini.sys has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.8415.
3/15/2011 1:08:19 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\nv4_disp.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.8415.
3/14/2011 6:33:29 PM, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).
3/14/2011 4:31:14 PM, error: Service Control Manager [7034] - The TVT Scheduler service terminated unexpectedly. It has done this 1 time(s).
3/14/2011 4:31:09 PM, error: Service Control Manager [7034] - The ThinkVantage Registry Monitor Service service terminated unexpectedly. It has done this 1 time(s).
3/14/2011 4:31:04 PM, error: Service Control Manager [7034] - The TVT Backup Service service terminated unexpectedly. It has done this 1 time(s).
3/14/2011 4:31:04 PM, error: Service Control Manager [7034] - The System Update service terminated unexpectedly. It has done this 1 time(s).
3/14/2011 4:31:04 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
3/14/2011 4:31:04 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
3/14/2011 11:48:31 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/14/2011 11:35:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
3/14/2011 11:35:37 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2011 11:35:37 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2011 11:35:37 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2011 11:35:37 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2011 11:35:37 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2011 11:35:37 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2011 11:34:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/14/2011 1:01:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips Processor SASDIFSV SASKUTIL
.
==== End Of File ===========================
markcarr
Active Member
 
Posts: 4
Joined: March 15th, 2011, 4:33 pm

Re: Fake AV + more

Unread postby Carolyn » March 17th, 2011, 4:46 pm

In addition to the DDS logs I have a combofix log, if you need it.


You posted DDS.txt and Attach.txt again. Please post the contents of C:\ComboFix.txt for my review.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Fake AV + more

Unread postby markcarr » March 17th, 2011, 5:22 pm

SORRY

ComboFix 11-03-13.02 - TonyH 03/15/2011 13:33:33.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.991.685 [GMT -6:00]
Running from: c:\documents and settings\TonyH\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\TonyH\Local Settings\Application Data\{5A8C06E1-216C-42BB-B854-9151CE321FBD}
c:\documents and settings\TonyH\Local Settings\Application Data\{5A8C06E1-216C-42BB-B854-9151CE321FBD}\chrome.manifest
c:\documents and settings\TonyH\Local Settings\Application Data\{5A8C06E1-216C-42BB-B854-9151CE321FBD}\chrome\content\_cfg.js
c:\documents and settings\TonyH\Local Settings\Application Data\{5A8C06E1-216C-42BB-B854-9151CE321FBD}\chrome\content\overlay.xul
c:\documents and settings\TonyH\Local Settings\Application Data\{5A8C06E1-216C-42BB-B854-9151CE321FBD}\install.rdf
c:\program files\Java
.
.
((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
.
.
2011-03-15 19:19 . 2004-08-04 06:56 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-03-15 19:19 . 2001-08-18 04:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-03-15 19:19 . 2001-08-18 04:36 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-03-15 19:19 . 2001-08-18 04:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-03-15 19:19 . 2001-08-18 04:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-03-15 19:19 . 2001-08-18 04:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-03-15 19:17 . 2001-08-17 19:28 64605 ----a-w- c:\windows\system32\dllcache\vvoice.sys
2011-03-15 19:16 . 2001-08-18 04:36 28160 ----a-w- c:\windows\system32\dllcache\umaxu40.dll
2011-03-15 19:15 . 2004-08-04 06:56 82432 ----a-w- c:\windows\system32\dllcache\tp4mon.exe
2011-03-15 19:14 . 2001-08-18 04:36 10240 ----a-w- c:\windows\system32\dllcache\swpidflt.dll
2011-03-15 19:13 . 2001-08-18 04:36 7168 ----a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2011-03-15 19:12 . 2001-08-18 04:36 238592 ----a-w- c:\windows\system32\dllcache\sisgrv.dll
2011-03-15 19:11 . 2001-08-17 19:51 23936 ----a-w- c:\windows\system32\dllcache\sccmusbm.sys
2011-03-15 19:10 . 2001-08-17 18:12 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys
2011-03-15 19:09 . 2001-08-17 19:53 17792 ----a-w- c:\windows\system32\dllcache\ppa.sys
2011-03-15 19:08 . 2001-08-17 20:05 25216 ----a-w- c:\windows\system32\dllcache\ovsound2.sys
2011-03-15 19:07 . 2001-08-17 18:20 87040 ----a-w- c:\windows\system32\dllcache\nm6wdm.sys
2011-03-15 19:06 . 2004-08-04 04:29 452736 ----a-w- c:\windows\system32\dllcache\mtxparhm.sys
2011-03-15 19:05 . 2001-08-18 04:36 58368 ----a-w- c:\windows\system32\dllcache\m3091dc.dll
2011-03-15 19:04 . 2001-08-17 20:55 5632 ----a-w- c:\windows\system32\dllcache\kbd103.dll
2011-03-15 19:03 . 2001-08-17 18:12 100936 ----a-w- c:\windows\system32\dllcache\ibmtok.sys
2011-03-15 19:02 . 2001-08-18 04:36 68608 ----a-w- c:\windows\system32\dllcache\hpgt53tk.dll
2011-03-15 19:01 . 2001-08-17 18:14 444416 ----a-w- c:\windows\system32\dllcache\fpcibase.sys
2011-03-15 19:00 . 2001-08-17 18:19 283904 ----a-w- c:\windows\system32\dllcache\emu10k1m.sys
2011-03-15 18:59 . 2001-08-18 04:36 65622 ----a-w- c:\windows\system32\dllcache\digiasyn.dll
2011-03-15 18:58 . 2001-08-18 04:36 119296 ----a-w- c:\windows\system32\dllcache\camext30.dll
2011-03-15 18:57 . 2004-08-04 04:29 30671 ----a-w- c:\windows\system32\dllcache\ati1raxx.sys
2011-03-15 06:36 . 2011-03-15 06:36 -------- d-----w- C:\VundoFix Backups
2011-03-14 18:00 . 2011-03-14 18:00 -------- d-----w- c:\documents and settings\TonyH\Application Data\SUPERAntiSpyware.com
2011-03-14 18:00 . 2011-03-14 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-06 15:18 . 2011-03-06 15:18 -------- d-----w- c:\program files\iPod
2011-03-06 15:18 . 2011-03-06 15:19 -------- d-----w- c:\program files\iTunes
2011-02-21 03:18 . 2011-02-21 03:18 -------- d-----w- c:\documents and settings\TonyH\Application Data\Need for Speed World
2011-02-21 02:47 . 2011-02-21 02:47 -------- d-----w- c:\documents and settings\TonyH\Local Settings\Application Data\Electronic_Arts_Inc
2011-02-21 02:44 . 2011-02-21 02:45 -------- d--h--w- c:\windows\msdownld.tmp
2011-02-21 02:44 . 2011-02-21 02:44 -------- d-----w- c:\windows\Logs
2011-02-21 02:44 . 2011-02-21 02:47 -------- d-----w- C:\Need For Speed World
2011-02-21 02:44 . 2011-02-21 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-13 14:32 . 2006-10-10 23:00 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2011-02-18 22:36 . 2009-09-12 14:44 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-18 22:36 . 2009-02-24 01:09 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTog1.dll" [2010-04-26 2349080]
.
[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
2010-04-26 19:35 2349080 ----a-w- c:\program files\ToggleEN\tbTog1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTog1.dll" [2010-04-26 2349080]
.
[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{038CB5C7-48EA-4AF9-94E0-A1646542E62B}"= "c:\program files\ToggleEN\tbTog1.dll" [2010-04-26 2349080]
.
[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-04-16 818288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayServer"="c:\program files\MAGIX\Movie_Edit_Pro_14_PLUS_Download_version\TrayServer.exe" [2008-02-07 90112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-02 421160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-02 7557120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
2006-07-15 01:13 2341632 ------w- c:\program files\Lenovo\Client Security Solution\cssauth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-08 00:07 61952 ------w- c:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-08-09 13:03 221184 ------w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 17:44 81920 ------w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2006-07-03 16:11 110592 ------w- c:\progra~1\Lenovo\LENOVO~2\LPMGR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2005-04-13 21:34 49152 ------w- c:\windows\system32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2006-07-15 01:05 503808 ------w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/30/2006 4:23 PM 643072]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 4:55 PM 3968]
R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [12/30/2006 4:26 PM 223128]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\TonyH\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\TonyH\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\TonyH\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\TonyH\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [9/6/2008 10:12 AM 1527900]
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource= ... =CT2077543
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\TonyH\Application Data\Mozilla\Firefox\Profiles\xa87zfec.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://skateboarding.transworld.net/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... ource=2&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-imhmjdvo - c:\docume~1\TonyH\LOCALS~1\Temp\cxuvuvlvb\omhnqwljfdi.exe
MSConfigStartUp-Klalikomemapiqi - c:\windows\iniwipezupe.dll
MSConfigStartUp-Uhuzobuzi - c:\windows\dbdog1.dll
AddRemove-HijackThis - i:\r2g soft\HijackThis.exe
AddRemove-Macromedia Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-Microsoft Interactive Training - c:\windows\orun32.isu
AddRemove-t@b ZS4 Video Editor_is1 - c:\t@b\unins000.exe
AddRemove-VLC media player - c:\program files\VideoLAN\VLC\uninstall.exe
AddRemove-Weather Services - c:\progra~1\THEWEA~1\Framework\wxfw.cpl
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-15 13:37
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-03-15 13:40:08
ComboFix-quarantined-files.txt 2011-03-15 19:39
.
Pre-Run: 136,439,001,088 bytes free
Post-Run: 136,426,102,784 bytes free
.
- - End Of File - - BDAE3CA86DFE56146B3B83FFB324F36B
markcarr
Active Member
 
Posts: 4
Joined: March 15th, 2011, 4:33 pm

Re: Fake AV + more

Unread postby Carolyn » March 17th, 2011, 6:16 pm

Hello,

Enable Windows Firewall
  1. Please press Start... then choose Run from the menu.
  2. In the Run, text entry box, please copy/paste the following:
    wscui.cpl
  3. Press the OK... button.
    The Security Center window will open.
  4. If the Firewall information "bar" says it it On... then go to instruction step 8.
  5. Otherwise... in the "Manage security settings for:" section, click the "Windows Firewall" link.
    In the "Windows Firewall" window... under the General tab.
  6. Check the radio button, marked "On (recommended)".
  7. Click the OK...button.
  8. Close the Security Center Window, using the X button at the top right of the window.

============================

No Anti-virus Software Installed!
Looking over your log ... there is NO evidence of anti-virus software installed.. This puts you at serious risk.
Anti-virus software will help detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories.

To protect your computer from infection...download a (free for personal use) anti-virus program from one these reliable vendors.

  1. Antivir PersonalEdition Classic- Superior detection, the "free" version has no email scan.
  2. avast! Free Antivirus - Excellent detection, the freeware version includes email scanning.
  3. Microsoft Security Essentials ** - New, from Microsoft, with email scanning, easy to install, easy to use. <<==== I recommend this program
    ** Your PC must run genuine Windows to install Microsoft Security Essentials.

A good (pay for) Anti-virus program is ESET NOD32 Antivirus - 30 day free trial.

Installing a new AV product.
Do NOT unistall any existing anti-virus product yet!
  1. Download the new Anti-virus product to your computer.
  2. Save any work. Close all applications, especially your Internet connection.
  3. Uninstall any existing anti-virus product... Use the AV uninstall option if available.
  4. Reboot your computer, if not done during the uninstall.
  5. Install the new AV product... following installation instructions.
  6. Check for updates to the new AV product, if not done during install setup.
  7. Run a full scan of your computer.
It is strongly recommended that you run only one antivirus program at a time.
Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.


============================

Create a new System Restore Point
  • Click Start > Help and Support
  • Click on ->Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close Help and Support Center.

============================

Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  1. Double click on mbam-setup.exe to install it.
  2. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  3. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  4. Select the Scanner tab. Click on Perform full scan, then click on Scan.
  5. Leave the default options as it is and click on Start Scan.
  6. When done, you will be prompted. Click OK, then click on Show Results.
  7. Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
  8. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.


Next,
Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please post the following:
  • The log from the Antivirus scan
  • The Malwarebytes' log
  • The OTL.txt logfile
  • The Extras.txt logfile
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Fake AV + more

Unread postby markcarr » March 17th, 2011, 8:29 pm

After I did the first post I installed MS Security Essentials and Malwarebytes. Both scans were clean; I gave the computer back, so I'll have to see if he can give me those logs. I'll have him run the OTL software and send the log to me to post.
markcarr
Active Member
 
Posts: 4
Joined: March 15th, 2011, 4:33 pm

Re: Fake AV + more

Unread postby Carolyn » March 18th, 2011, 7:15 am

If you do not have the computer in your possession, we will be unable to follow-up on the results of the OTL log analysis.

Please be advised that we have not determined that your friend's computer is clean.

I recommend that your friend start a new topic here to complete this process.

Also, please advise your friend that XP SP2 is no longer supported my Microsoft. For more information, please read
Attention: Windows XP and Vista Users!.

As the computer is no longer in your possession, we are unable to complete the cleaning process.

This topic is now closed.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 498 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware