Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Am i still infected?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Am i still infected?

Unread postby jmw3 » July 6th, 2009, 1:55 am

Hi
I am having a problem when i drag the CFScript.exe nto ComboFix.
So did you reboot & try dropping the CFScript into ComboFix again & did ComboFix run? If it didn't then delete the copy of ComboFix you have & download it again:
Link 1
Link 2
Link 3
The try the CFScript again.

Fix HiJackThis Entries
  • Open HiJackThis
  • Click on Do a system scan only
  • Place a checkmark next to these lines(if still present):
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

  • Close all windows except Hijackthis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.
Upload Files for Scanning
Go to VirSCAN & upload the following File/s for scanning.
  • Copy & paste the following File & Path in the text box next to the Browse button.
    Code: Select all
    C:\MBtools.exe\MGtools.exe
  • Click Upload.
  • Wait for scans to finish then copy & paste the results into your next reply.
To post in next reply:
ComboFix log (if it ran)
VirSCAN Results log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Advertisement
Register to Remove

Re: Am i still infected?

Unread postby BillyC » July 6th, 2009, 10:16 am

Hello JMW3

Cant get the script file to run in ComboFix. Installed/uninstalled several times, rebooted and re-installed several times...no go!
I am glad you spotted the MGtools.exe folder (log below) i do not know where it came from but it is riddled, how is it that my spyware tools did not pick it up?? Are any of these tools worth a damn?? i have a decent firewall, well respected anti virus (AVG) and a battery of scan on demand tools and still this crap gets through.....makes you wonder!!

Scanner results
Scanner results : 26% Scanner(10/38) found malware!
Time : 2009/07/06 14:45:12 (IST)
Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.5.0.1 20090705150128 2009-07-05 Trojan-Dropper.Agent!IK 2.462
AhnLab V3 ... .. -- - 0.271
AntiVir 8.2.0.204 7.1.4.187 2009-07-06 TR/Drop.Agent.auzs 0.190
Antiy 2.0.18 20090705.2596636 2009-07-05 - 0.170
Arcavir 2009 200907061018 2009-07-06 - 0.098
Authentium 5.1.1 200907051955 2009-07-05 - 2.010
AVAST! 4.7.4 090705-0 2009-07-05 Win32:Trojan-gen {Other} 0.056
AVG 8.5.286 270.13.5/2220 2009-07-06 - 4.814
BitDefender 7.81008.3654256 7.26401 2009-07-06 - 3.825
CA (VET) 9.0.0.143 31.6.6596 2009-07-06 - 4.518
ClamAV 0.95.2 9537 2009-07-03 - 0.657
Comodo 3.9 1538 2009-07-02 Heur.Suspicious 0.857
CP Secure 1.1.0.715 2009.07.03 2009-07-03 - 11.104
Dr.Web 4.44.0.9170 2009.07.06 2009-07-06 - 5.127
F-Prot 4.4.4.56 20090705 2009-07-05 - 2.462
F-Secure 5.51.6100 2009.07.06.05 2009-07-06 Trojan-Dropper.Win32.Agent.auzs [AVP] 4.543
Fortinet 2.81-3.117 10.572 2009-07-06 - 0.143
GData 19.6300/19.387 20090706 2009-07-06 Win32:Trojan-gen {Other} [Engine:B] 4.443
Ikarus T3.1.01.64 2009.07.06.72986 2009-07-06 Trojan-Dropper.Agent 3.032
JiangMin 11.0.800 2009.07.06 2009-07-06 TrojanDropper.Agent.yon 5.886
Kaspersky 5.5.10 2009.07.06 2009-07-06 - 0.088
KingSoft 2009.2.5.15 2009.7.6.15 2009-07-06 - 0.542
McAfee 5.3.00 5667 2009-07-05 - 3.097
Microsoft 1.4803 2009.07.06 2009-07-06 - 5.198
mks_vir 2.01 2009.07.06 2009-07-06 - 3.345
Norman 6.01.09 6.01.00 2009-07-04 - 4.005
nProtect 20090706.01 4650829 2009-07-06 - 8.455
Panda 9.05.01 2009.07.04 2009-07-04 - 2.101
Quick Heal 10.00 2009.07.06 2009-07-06 - 1.512
Rising 20.0 21.37.04.00 2009-07-06 - 1.327
Sophos 2.88.0 4.43 2009-07-06 Mal/Generic-A 2.973
Sunbelt 5225 5225 2009-07-04 - 1.530
Symantec 1.3.0.24 20090705.003 2009-07-05 - 0.092
The Hacker 6.3.4.3 v00362 2009-07-04 Trojan/Dropper.Agent.atlx 0.742
Trend Micro 8.700-1004 6.252.01 2009-07-06 - 0.048
VBA32 3.12.10.7 20090705.1528 2009-07-05 - 2.244
ViRobot 20090706 2009.07.06 2009-07-06 - 0.409
VirusBuster 4.5.11.10 10.107.37/1760621 2009-07-05 - 2.898
NOTICE: It may be false positive by some scanners when they found a malware, so you should judge it by yourself
BillyC
Regular Member
 
Posts: 17
Joined: June 29th, 2009, 5:39 am

Re: Am i still infected?

Unread postby jmw3 » July 6th, 2009, 12:56 pm

Hi
how is it that my spyware tools did not pick it up?? Are any of these tools worth a damn??
Basically AV compnaies can't stay on top of the amount of malware that is released. You'll notice that only 10 of the 38 AV scanners used by VirSCAN picked that file up. Strange that the Kaseprsky OnLine Scan flagged it yet the Kaspersky Scan Engine in the VirScan log didn't.

Let's try something else.

OTM
Download OTM by OldTimer Here & save it to your desktop.
  • Double click on OTM.exe to run it
  • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error
Code: Select all
:Services
ASKService
:Files
C:\MBtools.exe
C:\Program Files\AskBarDis
F:\All Mp3\MP3\limewire songs\02 Track 2 (searchers-love).wma
F:\My Documents\My Music\My Music\MP3 Drive\BOBBY DARIN\beyond the sea karaoke MTV.mp3
F:\My Documents\My Music\My Music\MP3 Drive\limewire songs\02 Track 2 (searchers-love).wma
:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000
:Commands
[Purity]
[EmptyTemp]
[Reboot]

  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

Could you also run DDS again please. I only need to see the DDS log. Don't worry about posting Attach.txt.

To post in next reply:
OTM log
New DDS log
Update on how the computer is running
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Am i still infected?

Unread postby BillyC » July 6th, 2009, 2:08 pm

Hi JMW3,

One of the biggest problems i find lately, is the amount of false positive that are being flagged. It is getting so, that you dont know what is malware, and what is legitimate any more. When we have successfully cleaned my PC i think i will use Threatfire as my active antivirus and either SpywareGuard or SpywareNlaster as my active antispyware. These two dont scan, they just prevent intrusions etc. Then i can use some of my other tools like Malwarebytes, Spyware doctor to scan on command....what do you think/recommend?

Anyway here are the requested logs:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Billy Corcoran at 18:56:18.21 on 06/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.2047.1452 [GMT 1:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Roland\VSC32\vscvol.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Billy Corcoran\Desktop\CleanUp\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.google.ie/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [vsc32cnf.exe] c:\program files\roland\vsc32\vsc32cnf.exe
mRun: [vscvol.exe] c:\program files\roland\vsc32\vscvol.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\billyc~1\startm~1\programs\startup\spywareguard.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/house ... hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/v ... .2.4.1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billyc~1\applic~1\mozilla\firefox\profiles\e22nb6s4.default\
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\documents and settings\billy corcoran\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: f:\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: f:\divx\divx web player\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-6-25 40464]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-15 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-25 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-6-22 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-6-22 46864]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-20 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-20 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-20 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-25 353672]
R2 ComodoBackupService;ComodoBackupService;c:\program files\comodo\backup\CmdBkSvc.exe [2008-11-27 1023488]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-4-10 47640]
R2 RVIEGVST;VSC VST Engine;c:\program files\roland\virtual sound canvas vst\RVIEg01VST.sys [2008-8-13 188276]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-6-25 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-6-25 1095560]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-3-26 54960]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-6-22 33552]
R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [2008-8-13 951284]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-20 298776]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\77.tmp --> c:\windows\system32\77.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-07-06 18:43 <DIR> --d----- C:\_OTM
2009-07-05 13:26 161,792 a------- c:\windows\SWREG.exe
2009-07-05 13:26 155,136 a------- c:\windows\PEV.exe
2009-07-05 13:26 98,816 a------- c:\windows\sed.exe
2009-07-04 17:39 <DIR> --d----- c:\program files\Cobian Backup 9
2009-07-03 18:35 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-03 18:28 <DIR> a-dshr-- C:\cmdcons
2009-07-03 10:42 <DIR> --d-h--- c:\windows\PIF
2009-06-30 13:40 <DIR> --d----- c:\documents and settings\billy corcoran\Tracing
2009-06-30 13:34 <DIR> --d----- c:\program files\Microsoft
2009-06-30 13:33 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-06-30 13:22 <DIR> --d----- c:\program files\common files\Windows Live
2009-06-30 13:01 <DIR> --d----- c:\program files\filehippo.com
2009-06-28 22:16 <DIR> --d----- c:\program files\Trend Micro
2009-06-27 23:27 18,942 a------- c:\windows\system32\AAWService_2009_06_27_23_27_17.dmp
2009-06-25 17:10 40,464 a------- c:\windows\system32\drivers\hotcore3.sys
2009-06-25 17:09 <DIR> --d----- c:\program files\Paragon Software
2009-06-25 16:20 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-06-25 16:20 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-06-25 16:19 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-06-25 16:19 <DIR> --d----- c:\program files\Zone Labs
2009-06-25 16:19 350,192 a------- c:\windows\system32\vsconfig.xml
2009-06-25 16:17 <DIR> --d----- c:\windows\Internet Logs
2009-06-25 15:47 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-06-25 15:47 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-25 15:47 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-25 15:47 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-06-25 15:47 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-25 15:47 <DIR> --d----- c:\program files\Spyware Doctor
2009-06-25 15:47 <DIR> --d----- c:\docume~1\billyc~1\applic~1\PC Tools
2009-06-25 13:48 <DIR> --d----- c:\docume~1\billyc~1\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-25 10:46 664 a------- c:\windows\system32\d3d9caps.dat
2009-06-24 22:07 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-06-24 20:43 <DIR> --d----- c:\program files\SpywareGuard
2009-06-22 07:16 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-06-22 07:16 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-06-22 07:16 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-06-22 07:16 <DIR> --d----- c:\program files\ThreatFire
2009-06-22 07:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-06-20 18:22 <DIR> --d----- c:\program files\SpywareBlaster
2009-06-20 14:30 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-20 14:30 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-20 14:30 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-20 14:30 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-19 21:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IObit
2009-06-19 13:42 <DIR> --d----- c:\program files\Enigma Software Group
2009-06-14 09:44 <DIR> --d----- c:\docume~1\billyc~1\applic~1\TrueCrypt
2009-06-14 09:42 217,664 a------- c:\windows\system32\drivers\truecrypt.sys
2009-06-14 09:42 <DIR> --d----- c:\program files\TrueCrypt
2009-06-10 13:25 <DIR> --d----- c:\program files\EZBackitup

==================== Find3M ====================

2009-06-24 23:05 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 ac------ c:\windows\system32\drivers\mbam.sys
2009-05-27 00:33 15,688 ac------ c:\windows\system32\lsdelete.exe
2009-05-13 16:12 286,720 a------- c:\windows\iun506.exe
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:55 78,336 ac------ c:\windows\system32\ieencode.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 18:57:36.46 ===============


All processes killed
========== SERVICES/DRIVERS ==========
Service\Driver ASKService not found.
Service\Driver ASKService not found.
========== FILES ==========
C:\MBtools.exe moved successfully.
File/Folder C:\Program Files\AskBarDis not found.
F:\All Mp3\MP3\limewire songs\02 Track 2 (searchers-love).wma moved successfully.
F:\My Documents\My Music\My Music\MP3 Drive\BOBBY DARIN\beyond the sea karaoke MTV.mp3 moved successfully.
F:\My Documents\My Music\My Music\MP3 Drive\limewire songs\02 Track 2 (searchers-love).wma moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall\\"DisableMonitoring"|dword:00000000 /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes

User: Administrator.BILLY-68792BBDT
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Billy Corcoran
->Temp folder emptied: 202579 bytes
->Temporary Internet Files folder emptied: 8368569 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 12240305 bytes
->Google Chrome cache emptied: 1048 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Elysse
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33172 bytes

User: MauraC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 33251 bytes
RecycleBin emptied: 9138849 bytes

Total Files Cleaned = 28.72 mb


OTM by OldTimer - Version 3.0.0.4 log created on 07062009_184340

Files moved on Reboot...

Registry entries deleted on Reboot...
BillyC
Regular Member
 
Posts: 17
Joined: June 29th, 2009, 5:39 am

Re: Am i still infected?

Unread postby BillyC » July 6th, 2009, 3:17 pm

Sorry, i forgot to include comuter update.
My computer is running fine, it seems to be a bit 'zippier' than it was. i was having a problem with the pc freezing, i thought that perhaps it might have been getting a little hot, as the case is fairly well packed. But i now believe that the fact that Adaware was running in the background with one or two other tools, may have caused this problem. So out of all of this i may have indirectly solved a recurring problem :)

I meant to ask you in the last post, the folder called MGtools.exe seems to have appeared in the last week, if this is so could it have happened while i was running tools like ComboFix etc where i had to disable my 'protection' ??
BillyC
Regular Member
 
Posts: 17
Joined: June 29th, 2009, 5:39 am

Re: Am i still infected?

Unread postby jmw3 » July 6th, 2009, 4:24 pm

Hi
When we have successfully cleaned my PC i think i will use Threatfire as my active antivirus and either SpywareGuard or SpywareNlaster as my active antispyware.
The general rule is to only have One Anti-virus program & One Anti-spyware program running with real-time protection. Any thing else you have should only be used 'On Demand'.
SpywareBlaster is not an anti-spyware program as such. It does not detect spyware that has already been downloaded. All it does is adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers.
Personally I would use Malwarebytes' Anti-Malware as your Anti-spyware. Though for the real-time protetction you will need to purchaes the licence. It's a one off payment for lifetime protection.

I meant to ask you in the last post, the folder called MGtools.exe seems to have appeared in the last week, if this is so could it have happened while i was running tools like ComboFix etc where i had to disable my 'protection' ??
From your first DDS log:
2009-06-24 20:24 <DIR> --d----- C:\MBtools.exe The time & date signify when it was created on your system. So as you can see it was there well before you came here.

Last DDS log looks good, though still see that errant AVG entry in the WMI. Let me know if you want to de-register that.

Clean Up
Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove ComboFix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /u
  • Double-click OTM
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it yourself
You can delete the following from your desktop:
DDS.scr
The Gmer.exe file (it will be randomly named .exe file)
TFC.exe
Any logs that may have been saved to your desktop

You should also remove HijackThis. You can do this by going to C:\Program Files\Trend Micro\HijackThis
  • Double click HijackThis.exe
  • From the Main menu click Open the Misc Tools section
  • Using the scroll bar, scroll down to Uninstall HijackThis
  • Click Uninstall HijackThis & exit then click Yes at the prompt
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Am i still infected?

Unread postby BillyC » July 7th, 2009, 1:48 am

Hi JMW3,

Everything here seems good to go,i am very relieved that there are no underlying problems that i am not aware of. I cant thank you enough for all the time you gave up to sort out my problems. i appreciate it enormously!!

I think i would like to deregister the errant AVG entry if possible. I think i may experiment with one or two anti virus programs other than AVG, so just in case there are any conflicts down the the line may as well clear it.
BillyC
Regular Member
 
Posts: 17
Joined: June 29th, 2009, 5:39 am

Re: Am i still infected?

Unread postby jmw3 » July 7th, 2009, 7:41 am

Hello BillyC
Everything here seems good to go,i am very relieved that there are no underlying problems that i am not aware of. I cant thank you enough for all the time you gave up to sort out my problems. i appreciate it enormously!!
No problem at all.... Glad I could help.

Follow these instructions for de-registering AVG Internet Security:

**Note: Make sure you only delete AVG products
  • Click Start > Run & copy/paste wbemtest into the Run box then click OK
  • Click Connect
  • Copy/paste root/securitycenter into the Namespace box then click Connect
  • Click Query
  • Copy/paste SELECT * FROM AntiVirusProduct under Enter Query then click Apply
  • If there is more than one result, it means there is more than one Antivirus program registered
  • Double-click on each result to view the properties for that Antivirus product
  • Identify the product(s) registered by scrolling down to companyName then click Close
  • In the Query Result window, click Delete for any Antivirus software that is no longer installed
  • Click Close then Exit

All Clean
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again. I won't recommend any more AV or AS applications. You already have enough.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
  • A short distance down the page in the centre, click on the Download button
  • Agree to the license
  • On the next page, to the right side of where it says Download Estimates, right click on the underlined word Hosts Manager choose Save Target As and download the installer Hosts20setup.exe to your desktop
  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Web of Trust
WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and Internet Explorer.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

If there are any other questions then feel free to ask or in future do not hesitate to contact us here at The Malware Removal Forums
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Am i still infected?

Unread postby BillyC » July 7th, 2009, 8:30 pm

Hi JMW3,

Everything carried out successfully, thank you once again for your help (and patience)

Kind Regards

BillyC
BillyC
Regular Member
 
Posts: 17
Joined: June 29th, 2009, 5:39 am

Re: Am i still infected?

Unread postby jmw3 » July 7th, 2009, 10:01 pm

No problem BillyC... Glad I could help.

Good Luck & Safe Surfing
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Am i still infected?

Unread postby chryssi2001 » July 8th, 2009, 1:41 pm

As this issue appears to be resolved, this topic is now closed.

You can help support this site from this link :
Donations For Malware Removal
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 490 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware