johntron

Hi,

I was on the internet today and without thinking clicked on a random popup that appeared and it got me into some trouble I think.

This program called "System Security 2009" suddenly popped up and began "scanning" my computer and then things went downhill pretty fast.

I attempted to do a system restore but apparently this program disabled it so I cant click on the "next" button to begin a restore. I then tried to do a scan with my antivirus program (avira antivir) and it scanned for about half an hour and found about 70 detections before the computer suddenly restarted and a blue screen popped up. After reading the instructions I wish I had wrote down what it said, but the blue screen doesn't popup anymore. It said something about a possible hardware problem but thats about all I remember.

Now when I turn on the computer, it wont let me access any programs at all and when I try to open anything a balloon pops up and says: "Application cannot be executed. The file ... is infected. Please activate your antivirus software."

The internet is totally shut down as well.

That's about all I can think of to write about the problem. The computer is basically useless and I'm on my friends laptop posting this on the forum. I was able to do a dds scan and the text is below. Ive attached the attach.txt and the ark.txt...

If there's anything else you want to know that I didn't think of let me know. I'd really appreciate any help at all. Thanks

----------------------------------------------------------------------
DDS (Ver_09-02-01.01) - NTFSx86 MINIMAL
Run by Govier at 23:26:08.37 on Wed 07/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1678 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost
C:\WINDOWS\Explorer.EXE
svchost
C:\Documents and Settings\Govier\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\smss.exe
mWinlogon: Taskman=c:\recycler\s-1-5-21-8740180075-0867940186-176470350-4594\wnzip32.exe
BHO: c:\windows\system32\gsf83iujid.dll: {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\gsf83iujid.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [A00F75F1D9F.exe] c:\docume~1\govier\locals~1\temp\_A00F75F1D9F.exe
uRun: [<NO NAME>] c:\docume~1\govier\locals~1\temp\yy4za.exe
uRun: [hsf7husjnfg98gi498aejhiugjkdg4] c:\docume~1\govier\locals~1\temp\yy4za.exe
uRun: [Windows System Recover!] c:\docume~1\govier\locals~1\temp\taskmgr.exe
uRun: [12CFG515-K641-55SF-N66P] c:\recycler\s-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
uRun: [reader_s] c:\documents and settings\govier\reader_s.exe
uRun: [A00F7600B7A.exe] c:\docume~1\govier\locals~1\temp\_A00F7600B7A.exe
uRun: [ttool] c:\windows\9129837.exe
uRun: [InetChk] c:\docume~1\govier\locals~1\temp\ms1246503636.exe work
uRun: [Govier] c:\documents and settings\govier\Govier.exe /i
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dldtmon.exe] "c:\program files\dell v305\dldtmon.exe"
mRun: [dldtamon] "c:\program files\dell v305\dldtamon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [17255784] c:\documents and settings\all users\application data\17255784\17255784.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} - hxxp://www.bxwa.com/fastbid/fastbidx1.cab
DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} - hxxp://www.bxwa.com/fastbid/fastbidx_plugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - hxxp://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: ccedda - c:\windows\system32\ccedda.dll
Notify: __c0049FCA - c:\windows\system32\__c0049FCA.dat
AppInit_DLLs: ,c:\docume~1\govier\locals~1\temp\123756593142mxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: ewwwahQ - {ACA38E21-0609-248B-959C-D9129FE7C9E2} - c:\windows\system32\jvpj.dll
STS: c:\windows\system32\gsf83iujid.dll: {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\gsf83iujid.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 21e9bc01c641f0498a97094892a518a8;21e9bc01c641f0498a97094892a518a8;c:\windows\system32\21e9bc01c641f0498a97094892a518a8.sys []
S1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-11-19 11608]
S1 drvdrv;drvdrv;\??\c:\program files\drv\drv.sys --> c:\program files\drv\drv.sys [?]
S2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-11-19 68865]
S2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2008-7-11 99568]
S2 drv;drv;c:\windows\system32\svchost.exe -k drv [2005-8-16 17408]
S2 lich;lich;c:\windows\system32\lich.exe [2009-7-1 86016]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2005-8-16 17408]
S2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-10 98304]
S3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-11-19 151297]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-11-19 52056]

=============== Created Last 30 ================

2009-07-01 21:50 424,320 a------- c:\windows\system32\drivers\bcmwl5.sys
2009-07-01 21:50 142,592 a------- c:\windows\system32\drivers\aec.sys
2009-07-01 21:50 60,800 a------- c:\windows\system32\drivers\arp1394.sys
2009-07-01 21:50 59,904 a------- c:\windows\system32\drivers\atmarpc.sys
2009-07-01 21:50 52,864 a------- c:\windows\system32\drivers\DMusic.sys
2009-07-01 21:50 45,312 a------- c:\windows\system32\drivers\bcm4sbxp.sys
2009-07-01 21:50 14,336 a------- c:\windows\system32\drivers\asyncmac.sys
2009-07-01 21:50 13,952 a------- c:\windows\system32\drivers\CmBatt.sys
2009-07-01 21:50 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-07-01 21:50 2,944 a------- c:\windows\system32\drivers\drmkaud.sys
2009-07-01 20:10 50 a------- C:\xcrashdump.dat
2009-07-01 20:08 12,544 a------- c:\windows\system32\iehelper.dll
2009-07-01 20:05 200,720 a------- c:\windows\system32\mukmil.dll
2009-07-01 20:02 21,593 ----h--- c:\documents and settings\govier\Govier.exe
2009-07-01 20:00 118,784 a------- c:\windows\system32\sgc518j0e7an.dll
2009-07-01 20:00 76,289 a------- c:\windows\9129837.exe
2009-07-01 20:00 <DIR> --dsh--- c:\windows\system32\lowsec
2009-07-01 19:59 10 a------- c:\windows\system32\kr_done1
2009-07-01 19:59 8 a------- c:\windows\system32\comsa32.sys
2009-07-01 19:59 134,656 -------- c:\windows\system32\tpsaxyd.exe
2009-07-01 19:59 28,160 a------- c:\windows\system32\__c004A790.dat
2009-07-01 19:59 206,546 a------- C:\illhtee.exe
2009-07-01 19:59 0 a------- c:\windows\system32\lich.dat
2009-07-01 19:59 86,016 a------- c:\windows\system32\lich.exe
2009-07-01 19:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\17255784
2009-07-01 19:58 306,432 a------- c:\windows\sysguard.exe
2009-07-01 19:58 <DIR> --d----- c:\program files\drv
2009-07-01 19:58 2 a------- c:\windows\010112010146118114.dat
2009-07-01 19:58 206,546 a------- C:\gklrwl.exe
2009-07-01 19:58 39,424 a------- c:\windows\system32\drivers\smss.exe
2009-07-01 19:58 2 a------- C:\-1398567392
2009-07-01 19:58 28,672 a------- c:\windows\ld11.exe
2009-06-30 09:40 <DIR> --d----- C:\Deckard
2009-06-06 20:20 <DIR> --d----- c:\program files\DAEMON Tools Pro
2009-06-06 20:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2009-06-06 20:12 <DIR> --d----- c:\docume~1\govier\applic~1\DAEMON Tools Pro
2009-06-06 18:07 <DIR> --d----- c:\program files\BitTorrent

==================== Find3M ====================

2009-07-01 14:33 68,625 a------- c:\windows\system32\nvModes.dat
2009-06-06 20:12 721,904 a------- c:\windows\system32\drivers\sptd.sys
2008-08-20 20:11 24,896 a------- c:\docume~1\govier\applic~1\GDIPFONTCACHEV1.DAT
2008-07-12 18:46 0 a--sh--- c:\docume~1\govier\applic~1\0000000000CHEV1.dat
2007-02-14 16:53 56 ---shr-- c:\windows\system32\6929A60EE9.sys
2007-01-14 19:54 88 ---shr-- c:\windows\system32\E90EA62969.sys
2007-02-14 16:53 5,382 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-02 16:14 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120220081203\index.dat

============= FINISH: 23:28:07.65 ===============

Attached Files

	ark.zip (961 Bytes, 1 views)
	Attach.zip (4.7 KB, 2 views)

CatByte

Hi,

please download this following program onto your friends computer and transfer it over via USB

be certain to rename it Before you save it.

Are you able to access 'safe mode' on the infected machine?

If so, run this program in safe mode.


Download Combofix from any of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2
Link 3


During the download, rename Combofix to Combo-Fix as follows:





--------------------------------------------------------------------

• It is important you rename Combofix during the download, but not after.
• Please do not rename Combofix to other names, but only to the one indicated.

• Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
  **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
  
  
  
  -----------------------------------------------------------
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------

amateur

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html