Old 02-03-2009, 08:59 AM   #1 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 8
OS: XP


Unable to get to windows update or any virus scan sites

I have been trying to resolve this issue for some time.
Symptoms:
Symantec spyware does not start on startup
Trying to do a live update ends with a "cannot access site"

Spysweeper will not start

Unable to do a Windows update.....marks Microsoft site as unreachable

Unable to access spyware web sites such as AVG

Unable to access this techsupportforum site...needed to open this problem on a different PC

Able to access most all other sites. PC performance is OK on reboot, and then slows down over a period of days

I had to download the troubleshooting tools from your site to a flash drive on one PC and then transfer over.
I am attaching the first DDS logs. Those worked.
PC would not allow the running of GMER...double click, etc. and it just sits there with no error msg.

I suspect you will need this GMER output. Perhaps you can advise on what to do next or if you have a good idea of what this virus is and where it came from. Thanks
-Rick
Attached Files
File Type: zip techforumzip.zip (7.2 KB, 3 views)
stoopboy15 is offline  
Old 02-04-2009, 12:15 PM   #2 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Unable to get to windows update or any virus scan sites

Hi, welcome to TSF!

Rename GMER to LMER then re-run it again. Post the log please.

Also, you are operating your computer with multiple antivirus programs:

Symantec
AVG


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove one of them and keep only one.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 02-05-2009, 09:10 PM   #3 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 8
OS: XP


Re: Unable to get to windows update or any virus scan sites

Yes...added AVG when I could not get LiveUpdate to work on Symantec.

Renamed GMER to LMER and added GMER output file as requested.

thanks
-Rick
Attached Files
File Type: zip ark.zip (2.6 KB, 2 views)
stoopboy15 is offline  
Old 02-05-2009, 09:26 PM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Unable to get to windows update or any virus scan sites

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Note: Please rename combofix.exe to cfix.exe

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Angelfire777 is offline  
Old 02-06-2009, 08:53 AM   #5 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 8
OS: XP


Re: Unable to get to windows update or any virus scan sites

Thanks ! It seemed to have worked!
Mostly all good news.

Bottom Line.....this looks like it did the trick. Everything looks good now, able to access windows update, able to get latest virus updates.
Wonderful!

Details....
Ran combofix and it came up with an error msg saying it detected rootkit activity and said to write down on paper the names of each of the files, which I did. Let me know if you want me to post these or not at this point.

I clicked OK and
It rebooted.....on reboot, combofix auto-started....couldn't get to start or anything else on the system tray.
After a minute or so, windows detected sys config file was changed and not starting in normal mode. I clicked on start in normal mode and it rebooted again and on bring-up, all the stuff that usually comes up now again comes up. Looks clean to me.

Question:
1) Do you want me to post these filenames that spit out on the err msg?
2) There is no combofix.txt file....there is a combofix system file, I never saw the "completed stage1-stage34 msgs".
3) Should I keep this combofix app on my PC?
4) During install, it downloaded the MS restore package...I assume I should keep this somewhere on my PC.....right now, it is in the combofix filesystem.

thanks again
-Rick
stoopboy15 is offline  
Old 02-06-2009, 10:11 AM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Unable to get to windows update or any virus scan sites

Hi,

Yes, I would like the list of names please.

For #3, we will delete it later, not now. Combofix is a tool only to be used by trained helpers. It wasn't designed as something like an antivirus or an antispyware program.

For #4, that's normal. Recovery console will help us restore OS or your files in the slight chance of accidents or uncontrollable circumstances. It's our safety net.

I want you to run combofix again and see if it will produce a log now.
Angelfire777 is offline  
Old 02-06-2009, 11:05 AM   #7 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 8
OS: XP


Re: Unable to get to windows update or any virus scan sites

OK.....

1) reran combofix and the log is attached
2) rootkit files that were identified in the earlier run were
the TDSS dlls and logs that are in the log now.
They are:
C:\windows\system32\
twext.exe
\drivers\TDSSrfdc.sys
TDSSkfkl.dll
TDSSblat.dat
TDSSurkv.dll
TDSSottp.dll
TDSSxnyq.dll
TDSSdlpb.dll
TDSSqogd.log
TDSSnmxh.log
TDSSqshe.dll
TDSSshbe.log

All looks well. You guys are great. I just donated via paypal.

-Rick


ComboFix 09-02-05.03 - rjb 2009-02-06 12:32:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.562 [GMT -5:00]
Running from: c:\documents and settings\rjb.RJB-1\Desktop\cfix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
.
The following files were disabled during the run:
c:\program files\Webroot\Spy Sweeper\sis.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\documents and settings\All Users\Application Data\Microsoft\Protect\track.sys
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\rjb.RJB-1\Application Data\WNSXS~1
c:\documents and settings\rjb.RJB-1\My Documents\ICROSO~1
c:\documents and settings\rjb.RJB-1\Start Menu\Programs\Internet Speed Monitor
c:\documents and settings\rjb.RJB-1\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
c:\documents and settings\rjb.RJB-1\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
c:\program files\Common Files\mantec~1
c:\program files\Common Files\wnsxs~1
c:\program files\Common Files\Yazzle1122OinUninstaller.exe
c:\program files\icroso~1
c:\program files\smante~1
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\program files\Temporary
c:\temp\tpBe12
c:\windows\BMbbd4875e.txt
c:\windows\cookies.ini
c:\windows\IE4 Error Log.txt
c:\windows\pskt.ini
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\adult.txt
c:\windows\system32\aifwiilu.ini
c:\windows\system32\akgmfhtq.ini
c:\windows\system32\drivers\TDSSrfdc.sys
c:\windows\system32\eksuubjb.ini
c:\windows\system32\finance.txt
c:\windows\system32\fnts~1
c:\windows\system32\gojtolgu.ini
c:\windows\system32\goryausy.ini
c:\windows\system32\grvenhir.ini
c:\windows\system32\guxqlcrd.ini
c:\windows\system32\gwkymqba.ini
c:\windows\system32\hkheyxki.ini
c:\windows\system32\ineWc01
c:\windows\system32\ixcabdqm.ini
c:\windows\system32\jksaeamn.ini
c:\windows\system32\jwgkgymq.ini
c:\windows\system32\klutaucs.ini
c:\windows\system32\kynbnveb.ini
c:\windows\system32\lfsfqffw.ini
c:\windows\system32\lt.res
c:\windows\system32\lychiyiq.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\odddgjhe.ini
c:\windows\system32\okygsvjt.ini
c:\windows\system32\other.txt
c:\windows\system32\pharma.txt
c:\windows\system32\pjyaetca.ini
c:\windows\system32\psmnddgz.dllbox
c:\windows\system32\qrtskhum.ini
c:\windows\system32\racle~1
c:\windows\system32\rehadfoc.ini
c:\windows\system32\rqstv.ini
c:\windows\system32\rqstv.ini2
c:\windows\system32\sft.res
c:\windows\system32\sqrbivli.ini
c:\windows\system32\stem32~1
c:\windows\system32\stfv.bin
c:\windows\system32\TDSSblat.dat
c:\windows\system32\TDSSdlpb.dll
c:\windows\system32\TDSSkfkl.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSottp.dll
c:\windows\system32\TDSSqogd.log
c:\windows\system32\TDSSqshc.dll
c:\windows\system32\TDSSshbe.log
c:\windows\system32\TDSSurkv.dll
c:\windows\system32\TDSSxnyq.dll
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twext.exe
c:\windows\system32\ugvekpij.ini
c:\windows\system32\vluuqmgv.ini
c:\windows\system32\wcgwjmcj.ini
c:\windows\system32\wugpynmj.ini
c:\windows\system32\xldathii.ini
c:\windows\system32\yiwkaful.ini
c:\windows\system32\yryxhkwv.ini
c:\windows\vmreg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-02-03 10:16 . 2009-02-03 10:32 <DIR> d-------- C:\techsupportforum doc
2009-02-02 14:00 . 2009-02-02 14:01 <DIR> d-------- C:\Jenna
2009-01-30 10:54 . 2009-02-06 12:29 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-30 10:25 . 2009-01-30 10:25 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2009-01-30 10:25 . 2009-01-30 10:25 <DIR> d-------- c:\documents and settings\rjb.RJB-1\Application Data\Sammsoft
2009-01-30 10:20 . 2009-02-06 10:22 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-30 10:20 . 2009-01-30 10:20 <DIR> d-------- c:\program files\AVG
2009-01-30 10:20 . 2009-01-30 10:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-30 10:20 . 2009-01-30 10:20 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-30 10:20 . 2009-01-30 10:20 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-30 10:20 . 2009-01-30 10:20 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-28 14:22 . 2009-01-28 14:22 <DIR> d-------- c:\program files\XoftSpySE
2009-01-24 16:19 . 2009-01-24 16:19 <DIR> d-------- c:\program files\iTunes
2009-01-24 16:19 . 2009-01-24 16:19 <DIR> d-------- c:\program files\iPod
2009-01-24 16:19 . 2009-01-24 16:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-24 16:18 . 2009-01-24 16:18 <DIR> d-------- c:\program files\QuickTime
2009-01-24 16:18 . 2009-01-24 16:18 <DIR> d-------- c:\program files\Bonjour
2009-01-24 16:17 . 2009-01-24 16:17 <DIR> d-------- c:\program files\Apple Software Update
2009-01-24 16:16 . 2009-01-24 16:16 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-24 16:16 . 2009-01-24 16:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-23 21:21 . 2009-01-23 21:21 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-23 21:21 . 2009-01-23 21:21 1,409 --a------ c:\windows\QTFont.for
2009-01-23 13:46 . 2009-01-23 13:46 <DIR> d-------- c:\windows\system32\scripting
2009-01-23 13:46 . 2009-01-23 13:46 <DIR> d-------- c:\windows\system32\en
2009-01-23 13:46 . 2009-01-23 13:46 <DIR> d-------- c:\windows\system32\bits
2009-01-23 13:46 . 2009-01-23 13:46 <DIR> d-------- c:\windows\l2schemas
2009-01-23 13:44 . 2009-01-23 13:44 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-06 08:16 . 2009-01-06 08:16 585 --a------ C:\Spyware Guard 2008.lnk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 15:59 31,600 ----a-w c:\documents and settings\rjb.RJB-1\Application Data\GDIPFONTCACHEV1.DAT
2009-01-28 20:32 --------- d-----w c:\program files\Canon
2009-01-03 15:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-03 15:35 --------- d-----w c:\program files\Common Files\Canon
2008-12-11 19:55 --------- d-----w c:\program files\Odds Maker
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-11 16:01 286,720 ----a-w c:\windows\iun506.exe
2005-10-28 12:34 19,944 ----a-w c:\documents and settings\rjb\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AROReminder"="c:\program files\Advanced Registry Optimizer\aro.exe" [2008-08-22 2084480]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-01-25 3552256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"TLogonPath"="c:\program files\Timbuktu Pro\minitb2.exe" [2002-02-08 65536]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"DTS-CheckScreenSaver"="c:\program files\DTS\CheckScreenSaver.exe" [2006-06-01 20480]
"EPHD User"="c:\program files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe" [2006-06-02 73728]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-30 1601304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2002-02-08 23:08 81973 c:\program files\Timbuktu Pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-30 10:20 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= m3jpeg32.dll
"VIDC.PIM1"= pclepim1.dll
"vidc.dmb1"= m3jpeg32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0HiberNative\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ephdssol

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=%SystemRoot%\system32\cscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=%SystemRoot%\system32\cscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=\\dte.telcordia.com\NETLOGON\Corp\Bin\sms2003\sms_install.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=\\dte.telcordia.com\netlogon\Corp\Scripts\Deny_Network_Access_Group.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\4\0]
"Script"=\\dte.telcordia.com\NETLOGON\Scripts\AddProprietaryWarning.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-8389\Scripts\Logon\0\0]
"Script"=%SystemRoot%\system32\cscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-8389\Scripts\Logon\1\0]
"Script"=%SystemRoot%\system32\cscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-8389\Scripts\Logon\2\0]
"Script"=%SystemRoot%\system32\cscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-8389\Scripts\Logon\3\0]
"Script"=%SystemRoot%\system32\cscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 EAFSPROT;EAFSPROT;c:\windows\system32\drivers\eafsprot.sys [2005-04-27 11456]
R0 EPHDXLAT;PC Guardian Encryption Filter;c:\windows\system32\drivers\ephdxlat.sys [2006-05-15 90016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-30 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-30 107272]
R1 js1284;js1284;c:\windows\system32\drivers\JS1284.SYS [2005-10-14 76848]
R1 jsmux;jsmux;c:\windows\system32\drivers\JSMUX.SYS [2005-10-14 64336]
R1 jsscan;jsscan;c:\windows\system32\drivers\JSSCAN.SYS [2005-10-14 69088]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-30 298264]
R2 EphdXlatService;EphdXlatService;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\DISrv.exe [2006-06-02 192512]
R2 jsfax;jsfax;c:\windows\system32\drivers\JSFAX.SYS [2005-10-14 64640]
R2 jspclcap;jspclcap;c:\windows\system32\drivers\JSPCLCAP.SYS [2005-10-14 55200]
R2 PCG Protect;PCG Protect;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\PCGProt.exe [2006-06-02 61440]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
R2 WebClientSrv;WebClientSrv;c:\program files\PC Guardian\Encryption Plus Management Console Client\WebClientSrv.exe [2005-06-21 262144]
R3 GKUPRO2D;GKUPRO2D;c:\windows\system32\drivers\GKUPRO2D.sys [2005-10-13 62048]
S4 jsdbg;jsdbg;c:\windows\system32\drivers\JSDBG.SYS [2005-10-14 37168]

--- Other Services/Drivers In Memory ---

*Deregistered* - ephdlink
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C6671313-CCE9-45BE-90CF-B5F853616032} - c:\windows\system32\vtsqr.dll
Toolbar-SITEguard - (no file)
HKLM-Run-PCLEUSBTip - c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
Notify-psmnddgz - psmnddgz.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optonline.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: telcordia.com\mart.dta
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\rjb.RJB-1\Application Data\Mozilla\Firefox\Profiles\6tletew9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava11.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava12.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13113.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13118.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJPI141_06.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 12:39:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\RJB~1.RJB\LOCALS~1\Temp\mc2A.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,a7,78,c8,df,90,
8a,13,a0,e2,63,26,f1,3f,c8,ff,68,ca,c6,37,e4,22,cc,49,1f,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,45,7c,d8,40,b1,
d5,d7,3e,6a,9c,d6,61,af,45,84,18,48,55,79,3e,3b,1b,f1,64,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,d2,d7,9c,8f,40,
2b,e3,e7,ff,7c,85,e0,43,d4,0e,fe,de,e8,fa,b6,16,38,e7,ba,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,0b,21,98,84,8e,
64,90,d6,86,8c,21,01,be,91,eb,e7,04,e4,e0,50,ef,99,6d,73,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,0d,31,d1,d5,5a,
55,ed,54,f5,1d,4d,73,a8,13,5c,05,76,9f,0e,05,09,07,38,2d,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,02,94,0c,b9,af,
a3,80,db,df,20,58,62,78,6b,cf,c8,6a,9e,fa,03,99,e5,85,cc,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,51,f6,79,3b,5b,
ff,81,c3,fb,a7,78,e6,12,2f,9a,ea,6a,09,56,e0,77,b1,e3,b2,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,de,a5,85,88,e4,
d8,c6,61,01,3a,48,fc,e8,04,4a,f1,6a,67,68,88,50,8b,a1,44,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,91,b4,9b,cf,f8,
cf,fd,75,f6,0f,4e,58,98,5b,89,c9,bd,32,a9,ac,74,17,e8,ae,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,02,ab,02,31,c7,
a8,ef,bd,3d,ce,ea,26,2d,45,aa,78,6c,71,80,ed,f1,47,63,e2,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,96,a7,b8,fe,bd,
c5,ce,69,2a,b7,cc,b5,b9,7f,41,e7,cf,ef,f2,da,48,e9,6a,a1,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,d6,3e,4d,df,6c,
92,92,d3,6c,43,2d,1e,aa,22,2f,9c,1e,47,e1,45,79,b4,34,ce,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\ephdgina.dll
c:\windows\system32\NavLogon.dll
c:\program files\Webroot\Spy Sweeper\sis.dll

- - - - - - - > 'lsass.exe'(760)
c:\windows\system32\ephdssol.dll
c:\windows\system32\ephdsson.dll
c:\windows\system32\RegistryAccess.dll
c:\windows\system32\AccessEPFS.dll
c:\windows\system32\MSVCR71.dll
c:\windows\system32\EPcrypto.dll
c:\windows\system32\EPCL32.dll
c:\program files\Webroot\Spy Sweeper\sis.dll

- - - - - - - > 'csrss.exe'(680)
c:\program files\Webroot\Spy Sweeper\sis.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\jetsuite\JSDAEMON.EXE
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Timbuktu Pro\tb2launch.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-02-06 12:43:20 - machine was rebooted [rjb]
ComboFix-quarantined-files.txt 2009-02-06 17:43:00

Pre-Run: 23,747,551,232 bytes free
Post-Run: 24,541,073,408 bytes free

405 --- E O F --- 2009-01-27 16:25:06
Attached Files
File Type: txt ComboFix.txt (23.0 KB, 2 views)
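
A triage sketch for the kind of ComboFix log posted above, as an added example that is not part of the thread and not ComboFix's own code: it pulls out the items the helper asks about in this thread (two antivirus products scanning on access, TDSS-named files and services, Security Center and firewall values switched off). The function names and the TDSS file-name pattern are assumptions based on the names listed in this thread; the sample lines are an excerpt of that log.

```python
import re

# Excerpt of lines copied from the ComboFix log posted above (not a full log).
SAMPLE_LOG = r"""
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
c:\windows\system32\drivers\TDSSrfdc.sys
c:\windows\system32\TDSSblat.dat
c:\windows\system32\TDSSkfkl.dll
c:\windows\system32\twext.exe
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

AV_LINE = re.compile(r'^AV: (.+?) \*On-access scanning enabled\*')
SERVICE_LINE = re.compile(r'^-+\\(?:Legacy|Service)_(\S+)$')
# Assumption: the "TDSS" + letters naming seen in this thread's file list.
TDSS_FILE = re.compile(r'\\(TDSS[a-z]+\.(?:sys|dll|dat|log))$', re.IGNORECASE)
REG_KEY = re.compile(r'^\[(.+)\]$')
REG_VALUE = re.compile(r'^"([^"]+)"=\s*(.*)$')

# Value name -> number that means the protection is switched off.
WEAKENED = {"AntiVirusDisableNotify": 1, "DisableMonitoring": 1, "EnableFirewall": 0}


def parse_number(raw):
    """Read the two numeric forms the log uses: dword:00000001 and 0 (0x0)."""
    m = re.match(r'^dword:([0-9a-fA-F]{8})$', raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'^(\d+) \(0x[0-9a-fA-F]+\)$', raw)
    return int(m.group(1)) if m else None


def triage(log_text):
    """Collect the indicators from a ComboFix-style log, line by line."""
    result = {"active_av": [], "tdss_files": [], "tdss_services": [],
              "weakened_settings": []}
    current_key = None  # registry key header the next value lines belong to
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = AV_LINE.match(line)
        if m:
            result["active_av"].append(m.group(1))
            continue
        m = SERVICE_LINE.match(line)
        if m:
            if "tdss" in m.group(1).lower():
                result["tdss_services"].append(m.group(1))
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = REG_VALUE.match(line)
        if m:
            name, number = m.group(1), parse_number(m.group(2))
            if name in WEAKENED and number == WEAKENED[name]:
                result["weakened_settings"].append((current_key, name, number))
            continue
        m = TDSS_FILE.search(line)
        if m:
            result["tdss_files"].append(m.group(1))
    return result


def summarize(result):
    """Turn triage() output into short findings for an incident note."""
    findings = []
    if len(result["active_av"]) > 1:
        findings.append("multiple on-access AV scanners: " + ", ".join(result["active_av"]))
    if result["tdss_files"]:
        findings.append("TDSS-named files: " + ", ".join(result["tdss_files"]))
    if result["tdss_services"]:
        findings.append("TDSS-named driver/service entries: " + ", ".join(result["tdss_services"]))
    if result["weakened_settings"]:
        names = [f"{name}={value}" for _key, name, value in result["weakened_settings"]]
        findings.append("protection settings switched off: " + ", ".join(names))
    return findings


if __name__ == "__main__":
    for finding in summarize(triage(SAMPLE_LOG)):
        print("-", finding)
```
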
stoopboy15 is offline  
Old 02-07-2009, 10:38 AM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Unable to get to windows update or any virus scan sites

Hi,

As I've warned you earlier, please uninstall either AVG or Symantec. Having two of them installed won't give you any benefits at all. They will only slow down your computer and actually decrease your security.


*I see you have Viewpoint installed...
Viewpoint-related software is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player


*Open notepad.
Copy and paste the text inside the code box below to notepad
Code:
File::
C:\Spyware Guard 2008.lnk
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
Regnull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
DDS::
mSearch Bar = 
uCustomizeSearch = 
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.


*Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 12.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 12".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.1_06
    • Java 2 Runtime Environment, SE v1.4.2_11
    • Java(TM) 6 Update 3
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


*Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


On your next reply, please include a
  • kaspersky scan log
  • combofix log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 02-07-2009, 08:59 PM   #9 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 8
OS: XP


Re: Unable to get to windows update or any virus scan sites

ok....

1) removed AVG
2) removed viewpoint
3) copy/pasted script to combo fix and ran
4) download new java and deleted old java
5) downloaded kaspersky and ran scan
6) attached combofix and kaspersky logs

thanks
-Rick
Attached Files
File Type: txt Kaspersky.txt (2.9 KB, 1 views)
File Type: txt ComboFix.txt (13.6 KB, 1 views)

Last edited by stoopboy15; 02-07-2009 at 09:02 PM.
stoopboy15 is offline  
Old 02-09-2009, 10:29 AM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Unable to get to windows update or any virus scan sites

Hi,

What kaspersky found were mostly quarantined files by Symantec and Combofix. We'll clean them later.

*Open the Symantec Control Panel
Click View | Quarantine.
Select the file or group of files.
Do one of the following:
  • Right click the file and choose Delete Permanently
  • Click the X Delete button.
Click Start Delete

How's it running?
Angelfire777 is offline  
Old 02-10-2009, 07:21 AM   #11 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 8
OS: XP


Re: Unable to get to windows update or any virus scan sites

OK....deleted the files from the quarantined area....

Everything is running great! Like a well-oiled machine :)

The only issue I have left is that this virus/malware somehow deactivated
the startup of symantec anti-spyware.
There are warnings that it has not started on startup and there
is a red circle around it on the system tray.
However, I can start the client after reboot to do things like the
deletions you mention and I can do manual scans.
Also, the scheduled scans are running.
There is an entry in the start-up for this, but it must be corrupted somehow.
Any suggestions ?

thanks again for all your help
-Rick
stoopboy15 is offline  
Old 02-10-2009, 11:13 AM   #12 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Unable to get to windows update or any virus scan sites

Hi,

Please try the following. If it doesn't work, see if there is a setting in there where you can set it to start automatically on startup. If none, you may need to reinstall the program.

*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type set.bat in the File name and save it to your desktop.

Code:
@echo off 
sc config ccEvtMgr start= auto
sc config ccSetMgr start= auto
del %0
Locate set.bat on your Desktop and double-click on it.


*Open notepad and copy and paste the text present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\\progra~1\\symant~1\\VPTray.exe"
"ccApp"="c:\\program files\\common files\\symantec shared\\ccApp.exe"
Save this as fix.reg. Choose to save as *all files and place it on your desktop.

It should look like this:
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Reboot.
Angelfire777 is offline  
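
A read-only way to confirm that set.bat and fix.reg from the post above took effect before rebooting. This is an added example, not part of the original post or of any Symantec tooling; the service names, Run value names and registry key are the ones quoted in the post, and the file name check.bat is an assumption.

```batch
@echo off
rem check.bat (hypothetical name): added example, changes nothing on the system.
rem Verifies the two things the post sets: service start type and Run entries.
setlocal
set "RUNKEY=HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
set FAIL=0

call :CheckService ccEvtMgr
call :CheckService ccSetMgr
call :CheckRun vptray
call :CheckRun ccApp

if %FAIL%==0 (echo All checks passed.) else (echo One or more checks failed.)
exit /b %FAIL%

:CheckService
rem "sc qc <name>" prints the configured start type, e.g. "START_TYPE : 2  AUTO_START".
rem A missing service prints an error instead, so findstr finds nothing.
sc qc %1 2>nul | findstr /c:"AUTO_START" >nul
if errorlevel 1 (
    echo [FAIL] %1: service missing or not set to start automatically
    set FAIL=1
) else (
    echo [ OK ] %1: start type is automatic
)
goto :eof

:CheckRun
rem Read the value data (third field onward) from the "reg query" output line.
set "TARGET="
for /f "tokens=2,*" %%A in ('reg query "%RUNKEY%" /v %1 2^>nul ^| findstr /c:"REG_SZ"') do set "TARGET=%%B"
if not defined TARGET goto RunAbsent
rem Strip any surrounding quotes, then confirm the file the entry launches exists.
set "TARGET=%TARGET:"=%"
if not exist "%TARGET%" goto RunMissing
echo [ OK ] %1 points to "%TARGET%"
goto :eof
:RunAbsent
echo [FAIL] %1: no such value under the Run key
set FAIL=1
goto :eof
:RunMissing
echo [FAIL] %1 points to a missing file: "%TARGET%"
set FAIL=1
goto :eof
```

A Run entry that exists but points to a missing file is reported separately from an absent entry, which helps tell a damaged installation apart from a registry change that did not apply.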
Old 02-11-2009, 07:30 AM   #13 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 8
OS: XP


Re: Unable to get to windows update or any virus scan sites

thanks......

I performed these operations...no change.
it tries to autostart, but does not.
It is in system startup list.
looks like I will have to reinstall

-Rick
stoopboy15 is offline  
Old 02-11-2009, 10:12 AM   #14 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Unable to get to windows update or any virus scan sites

A reinstall should fix it :)

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Read TonyKlein's How Did I Get Infected In The First Place?.

Please check out miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
Angelfire777 is offline  
Old 02-12-2009, 07:46 AM   #15 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 8
OS: XP


Re: Unable to get to windows update or any virus scan sites

I am running fine now.
Thanks for your GREAT support!
stoopboy15 is offline  
 



All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum