Old 04-28-2009, 10:15 AM   #1 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 6
OS: Windows XP Service pack 3


RECYCLER virus

Hello,

I realised a while ago that I had a virus because when I tried to open my c-drive I couldn't because it said that the file RECYCLER\S-5-8-71-1000277S3-10000 couldn't be found. I then looked around to see how to solve this problem because my avg-software didn't pick up on it.

After that I found some sort of program that was supposed to remove it that I tried but I don't think it worked properly. Right now the message is gone from my c-drive but when I plug in my external hard-drive where I have my backup it now says it. I think I still might have the virus because my computer is running a lot slower than it used to.

I have no idea if this is any help at all but earlier I had an autorun virus that I thought avg got rid of but I guess I'm not sure.

It's fine with me to format my computer (I don't know a lot about these sorts of things but if it would help that's alright) the only thing is that my backup is also affected so I don't know how to solve this. I am also worried that it might have spread to my usb-keys and my ipod but I don't know how to check this.

Anyways I found this forum and it seemed like you had solved a similar problem so I really hope this can help me. Thanks so much if that happens.

So I'm just going to post my logs and then you can tell me if you need any other information.



DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Ida Gustafsson at 17:31:13,68 on 2009-04-28
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1406.650 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program\AVG\AVG8\avgwdsvc.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program\Delade filer\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program\AVG\AVG8\avgemc.exe
C:\Program\AVG\AVG8\avgrsx.exe
C:\Program\AVG\AVG8\avgcsrvx.exe
C:\Program\Delade filer\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Apoint2K\Apoint.exe
C:\Program\TOSHIBA\Tvs\TvsTray.exe
C:\Program\TOSHIBA\E-KEY\CeEKey.exe
C:\Program\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program\TOSHIBA\Toshibas zoomningsfunktion\SmoothView.exe
C:\Program\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\AVG\AVG8\avgtray.exe
C:\Program\Windows Defender\MSASCui.exe
C:\Program\Delade filer\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program\Apoint2K\Apntex.exe
C:\Program\Logitech\QuickCam\Quickcam.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Delade filer\Logishrd\LQCVFX\COCIManager.exe
C:\Program\Delade filer\Teleca Shared\Generic.exe
C:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program\AVG\AVG8\avgnsx.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Skype\Phone\Skype.exe
C:\Program\Skype\Plugin Manager\SkypePM.exe
C:\Documents and Settings\Ida Gustafsson\Skrivbord\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\program\avg\avg8\avgtoolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\program\avg\avg8\avgtoolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [TOSCDSPD] c:\program\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program\apoint2k\Apoint.exe
mRun: [Tvs] c:\program\toshiba\tvs\TvsTray.exe
mRun: [CeEKEY] c:\program\toshiba\e-key\CeEKey.exe
mRun: [<NO NAME>]
mRun: [TPNF] c:\program\toshiba\touchpad\TPTray.exe
mRun: [HWSetup] c:\program\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL
mRun: [TCtryIOHook] TCtrlIOHook.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program\toshiba\toshibas zoomningsfunktion\SmoothView.exe
mRun: [PadTouch] c:\program\toshiba\touch and launch\PadExe.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Sony Ericsson PC Suite] "c:\program\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [TkBellExe] "c:\program\delade filer\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program\delade filer\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AVG8_TRAY] c:\program\avg\avg8\avgtray.exe
mRun: [ssdiag] c:\windows\ssdiag.exe
mRun: [Adobe Reader Speed Launcher] "c:\program\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Windows Defender] "c:\program\windows defender\MSASCui.exe" -hide
mRun: [LogitechCommunicationsManager] "c:\program\delade filer\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program\logitech\quickcam\Quickcam.exe" /hide
mRun: [QuickTime Task] "c:\program\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\program\delade~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\autoru~1\adobeg~1.lnk - c:\program\delade filer\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\autoru~1\bankid~1.lnk - c:\program\personal\bin\Personal.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\autoru~1\philip~1.lnk - c:\program\philips\philips wireless notebook adapter 11ag utility\PHCardMonitor.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\autoru~1\wordfi~1.lnk - c:\program\wfwin\WFReader.exe
IE: E&xportera till Microsoft Excel - c:\program\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program\delade~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\program\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-3 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-3 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-3 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\program\avg\avg8\avgemc.exe [2008-11-3 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\program\avg\avg8\avgwdsvc.exe [2008-11-3 298264]
R2 WinDefend;Windows Defender;c:\program\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 CPWU6D;Philips Wireless Network Adapter Service;c:\windows\system32\drivers\CPWU6D.sys [2007-1-29 457536]
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [2004-4-21 16384]

=============== Created Last 30 ================

2009-04-28 17:01 1,431,504 a------- c:\program\RegCureSetup_RW.exe
2009-04-16 12:05 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 12:05 217,088 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 19:32 1,878,888 a------- c:\program\install_flash_player.exe
2009-04-14 10:29 244 a---h--- C:\sqmnoopt02.sqm
2009-04-14 10:29 232 a---h--- C:\sqmdata02.sqm
2009-04-14 10:13 244 a---h--- C:\sqmnoopt01.sqm
2009-04-14 10:13 232 a---h--- C:\sqmdata01.sqm
2009-04-11 20:27 <DIR> --d----- c:\program\iPod
2009-04-11 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-11 20:25 <DIR> --d----- c:\program\Bonjour
2009-04-10 13:04 118 a------- c:\windows\system32\MRT.INI
2009-03-30 00:48 <DIR> --d----- c:\program\NCH Swift Sound
2009-03-30 00:45 <DIR> --d----- c:\program\Audacity

==================== Find3M ====================

2009-04-23 22:35 412,006 a------- c:\windows\system32\perfh01D.dat
2009-04-23 22:35 76,628 a------- c:\windows\system32\perfc01D.dat
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 16:24 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 02:16 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 19:18 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-10 19:10 2,066,816 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-09 16:07 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 13:27 2,189,824 a------- c:\windows\system32\ntoskrnl.exe
2009-02-09 13:27 110,592 a------- c:\windows\system32\services.exe
2009-02-09 12:56 729,600 a------- c:\windows\system32\lsasrv.dll
2009-02-09 12:56 719,360 a------- c:\windows\system32\ntdll.dll
2009-02-09 12:56 681,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 12:56 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-06 12:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-05 09:33 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-03 21:59 56,832 a------- c:\windows\system32\secur32.dll
2008-11-03 09:17 50,689,960 a------- c:\program\avg.exe
2008-09-05 15:10 267,056 a------- c:\program\utorrent.exe
2008-05-26 12:46 3,723,454 a------- c:\program\IZArc_Setup.exe
2008-02-17 18:14 318,904 a------- c:\program\wmpfirefoxplugin.exe
2008-02-13 18:00 19,738,872 a------- c:\program\setupeng.exe
2007-09-05 15:32 8,225,784 a------- c:\program\Disc2Phone_Setup_1.5_Swedish.exe
2007-08-15 22:43 3,857,218 a------- c:\program\MoviePod-Windows.zip
2007-03-09 19:51 23,838,208 a------- c:\program\Nokia_PC_Suite_682_rel_22_0_swe_web.msi
2007-03-09 10:17 25,761,864 a------- c:\program\wmp11-windowsxp-x86-SV-SE.exe
2007-02-08 14:14 20,247,472 a------- c:\program\SkypeSetup.exe
2007-02-08 14:14 17,827,184 a------- c:\program\Install_Messenger.exe
2007-02-08 14:09 5,733,488 a------- c:\program\Firefox Setup 2.0.0.1.exe
2008-10-14 11:29 32,768 a--sh--- c:\windows\system32\config\systemprofile\lokala inställningar\tidigare\history.ie5\mshist012008101420081015\index.dat

============= FINISH: 17:31:31,09 ===============
Attached Files
File Type: zip ark.zip (500 Bytes, 3 views)
File Type: zip Attach.zip (2.8 KB, 1 views)
baraidag is offline  

Old 04-30-2009, 01:05 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,658
OS: 2000 Pro; XP Pro; XP Home


Re: RECYCLER virus

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Also, in your case, insert or make active any USB devices you suspect before running ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 05-02-2009, 06:57 AM   #3 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 6
OS: Windows XP Service pack 3


Re: RECYCLER virus

I am not at my computer now since I am away for the weekend, will run the combo-fix as soon as possible when I get home (Sunday night GMT +1). Just wanted to let you know that I am grateful for the response.


br ida
baraidag is offline  
Old 05-02-2009, 09:36 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,658
OS: 2000 Pro; XP Pro; XP Home


Re: RECYCLER virus

Thanks for letting me know. Will be looking for next log.
tetonbob is offline  
Old 05-03-2009, 02:08 PM   #5 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 6
OS: Windows XP Service pack 3


Re: RECYCLER virus

Hello,

have now run the combofix with three portable devices connected.



results are attached


ComboFix 09-05-03.1 - Ida Gustafsson 2009-05-03 21:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1406.883 [GMT 2:00]
Körs från: c:\documents and settings\Ida Gustafsson\Skrivbord\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\IDAGUS~1\LOKALA~1\Temp\tmp2.tmp
F:\Autorun.inf

.
(((((((((((((((((((((((( Filer Skapade från 2009-04-03 till 2009-05-03 ))))))))))))))))))))))))))))))
.

2009-04-28 15:01 . 2009-04-28 15:01 1431504 ----a-w c:\program\RegCureSetup_RW.exe
2009-04-16 10:05 . 2008-04-21 21:16 217088 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 10:04 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 10:04 . 2009-03-06 14:24 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 10:04 . 2009-02-09 11:27 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 10:04 . 2009-02-09 10:56 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 10:04 . 2009-02-09 10:56 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 10:04 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-16 10:04 . 2009-02-09 10:56 681472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 10:04 . 2009-02-09 10:56 729600 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 10:04 . 2009-02-09 10:55 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 10:04 . 2009-02-09 10:56 719360 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 17:32 . 2009-04-15 17:32 1878888 ----a-w c:\program\install_flash_player.exe
2009-04-11 18:27 . 2009-04-11 18:27 -------- d-----w c:\program\iPod
2009-04-11 18:27 . 2009-04-11 18:28 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-11 18:25 . 2009-04-11 18:25 -------- d-----w c:\program\Bonjour
2009-04-11 18:24 . 2009-04-11 18:25 -------- d-----w c:\program\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 19:54 . 2005-10-18 05:40 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 19:52 . 2007-02-06 11:52 342 ----a-w c:\windows\Tasks\Symantec NetDetect.job
2009-05-03 19:17 . 2008-11-27 13:18 318 ---ha-w c:\windows\Tasks\MP Scheduled Scan.job
2009-04-23 20:35 . 2005-10-18 05:21 76628 ----a-w c:\windows\system32\perfc01D.dat
2009-04-23 20:35 . 2005-10-18 05:21 412006 ----a-w c:\windows\system32\perfh01D.dat
2009-04-11 18:28 . 2007-06-16 14:05 -------- d-----w c:\program\iTunes
2009-04-11 18:27 . 2007-07-01 17:56 -------- d-----w c:\program\Delade filer\Apple
2009-04-11 18:11 . 2008-09-02 14:14 272 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-03-29 22:48 . 2009-03-29 22:48 -------- d-----w c:\program\NCH Swift Sound
2009-03-29 22:45 . 2009-03-29 22:45 -------- d-----w c:\program\Audacity
2009-03-19 14:32 . 2008-01-29 10:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:24 . 2005-10-18 05:21 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:16 . 2005-10-18 05:21 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:18 . 2005-10-18 05:21 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-10 17:10 . 2004-08-04 01:24 2066816 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 14:07 . 2005-10-18 05:21 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:27 . 2005-10-18 05:21 2189824 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:27 . 2005-10-18 05:21 110592 ----a-w c:\windows\system32\services.exe
2009-02-09 10:56 . 2005-10-18 05:21 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:56 . 2005-10-18 05:21 719360 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:56 . 2005-10-18 05:21 729600 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:56 . 2005-10-18 05:21 681472 ----a-w c:\windows\system32\advapi32.dll
2009-02-06 10:39 . 2005-10-18 05:21 35328 ----a-w c:\windows\system32\sc.exe
2009-02-05 07:33 . 2008-11-03 08:22 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-05 07:33 . 2008-11-03 08:22 325128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-05 07:33 . 2008-11-03 08:22 107272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-03 19:59 . 2005-10-18 05:21 56832 ----a-w c:\windows\system32\secur32.dll
2008-11-03 07:17 . 2008-11-03 07:17 50689960 ----a-w c:\program\avg.exe
2008-09-05 13:10 . 2008-09-05 13:10 267056 ----a-w c:\program\utorrent.exe
2008-05-26 10:46 . 2008-05-26 10:44 3723454 ----a-w c:\program\IZArc_Setup.exe
2008-02-17 16:14 . 2008-02-17 16:14 318904 ----a-w c:\program\wmpfirefoxplugin.exe
2008-02-13 16:00 . 2008-02-13 15:45 19738872 ----a-w c:\program\setupeng.exe
2007-09-05 13:32 . 2007-09-05 13:32 8225784 ----a-w c:\program\Disc2Phone_Setup_1.5_Swedish.exe
2007-08-15 20:43 . 2007-08-15 20:42 3857218 ----a-w c:\program\MoviePod-Windows.zip
2007-03-09 17:51 . 2007-03-08 22:10 23838208 ----a-w c:\program\Nokia_PC_Suite_682_rel_22_0_swe_web.msi
2007-03-09 08:17 . 2007-03-09 08:16 25761864 ----a-w c:\program\wmp11-windowsxp-x86-SV-SE.exe
2007-02-08 12:14 . 2007-02-08 12:13 20247472 ----a-w c:\program\SkypeSetup.exe
2007-02-08 12:14 . 2007-02-08 12:14 17827184 ----a-w c:\program\Install_Messenger.exe
2007-02-08 12:09 . 2007-02-08 12:09 5733488 ----a-w c:\program\Firefox Setup 2.0.0.1.exe
.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-12 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-05 344064]
"Apoint"="c:\program\Apoint2K\Apoint.exe" [2004-03-24 196608]
"Tvs"="c:\program\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 73728]
"CeEKEY"="c:\program\TOSHIBA\E-KEY\CeEKey.exe" [2005-06-30 671744]
"TPNF"="c:\program\TOSHIBA\TouchPad\TPTray.exe" [2005-06-08 53248]
"HWSetup"="c:\program\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"SmoothView"="c:\program\TOSHIBA\Toshibas zoomningsfunktion\SmoothView.exe" [2005-05-13 118784]
"PadTouch"="c:\program\TOSHIBA\Touch and Launch\PadExe.exe" [2004-11-17 1077327]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Sony Ericsson PC Suite"="c:\program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-27 593920]
"TkBellExe"="c:\program\Delade filer\Real\Update_OB\realsched.exe" [2008-09-02 185896]
"AppleSyncNotifier"="c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"AVG8_TRAY"="c:\program\AVG\AVG8\avgtray.exe" [2009-02-05 1601304]
"ssdiag"="c:\windows\ssdiag.exe" [2005-05-13 57401]
"Adobe Reader Speed Launcher"="c:\program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LogitechCommunicationsManager"="c:\program\Delade filer\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2004-12-22 88358]
"TCtryIOHook"="TCtrlIOHook.exe" - c:\windows\system32\TCtrlIOHook.exe [2005-08-05 28672]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-08-12 266240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\program\DELADE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start-meny\Program\Autostart\AutorunsDisabled
Adobe Gamma Loader.lnk - c:\program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-29 113664]
BankID s„kerhetsprogram.lnk - c:\program\Personal\bin\Personal.exe [2008-11-12 927248]
Philips Wireless Notebook Adapter Utility.lnk - c:\program\philips\Philips Wireless Notebook Adapter 11ag Utility\PHCardMonitor.exe [2005-5-16 450560]
WordFinder Easy Reader.lnk - c:\program\Wfwin\WFReader.exe [2007-3-6 1769984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-05 07:33 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program\\uTorrent\\uTorrent.exe"=
"c:\\Program\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program\\MSN Messenger\\livecall.exe"=
"c:\\Program\\Bonjour\\mDNSResponder.exe"=
"c:\\Program\\iTunes\\iTunes.exe"=
"c:\\Program\\Skype\\Phone\\Skype.exe"=

R3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.SYS [2004-04-21 16384]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-05 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-02-05 107272]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\program\AVG\AVG8\avgemc.exe [2009-02-05 903960]
S2 avg8wd;AVG Free8 WatchDog;c:\program\AVG\AVG8\avgwdsvc.exe [2009-02-05 298264]
S2 WinDefend;Windows Defender;c:\program\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 CPWU6D;Philips Wireless Network Adapter Service;c:\windows\system32\DRIVERS\CPWU6D.sys [2005-06-21 457536]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd0f7e61-db81-11dd-b199-0012bf0d9e18}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Innehållet i mappen 'Schemalagda aktiviteter':

2009-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]

2009-05-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2007-01-21 c:\windows\Tasks\Påminnelse om registrering 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-10-18 16:05]
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

Notify-WgaLogon - (no file)


.
------- Extra genomsökning -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xportera till Microsoft Excel - c:\program\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 21:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLer som "laddats" under processer som körs ---------------------

- - - - - - - > 'winlogon.exe'(492)
c:\windows\system32\Ati2evxx.dll
.
Sluttid: 2009-05-03 22:00
ComboFix-quarantined-files.txt 2009-05-03 19:59

Före genomsökningen: 4*463*112*192 byte ledigt
Efter genomsökningen: 5*005*987*840 byte ledigt

WindowsXP-KB310994-SP2-Home-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

180 --- E O F --- 2009-05-03 18:59
Attached Files
File Type: txt ComboFix.txt (12.0 KB, 1 views)
baraidag is offline  
Old 05-03-2009, 03:06 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,658
OS: 2000 Pro; XP Pro; XP Home


Re: RECYCLER virus

Hi -

Before we continue, how are the machine and your external drives behaving now?
tetonbob is offline  
Old 05-04-2009, 12:15 AM   #7 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 6
OS: Windows XP Service pack 3


Re: RECYCLER virus

Hello,

I can now open all of the hard drives and I seem to have normal speed on my internet connection. My computer is still running a little bit slow but that might have completely different reasons so THANK YOU!
baraidag is offline  
Old 05-04-2009, 12:24 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,658
OS: 2000 Pro; XP Pro; XP Home


Re: RECYCLER virus

Ok, great.

As mentioned in our preposting topic:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:
3. Uninstall the following via Add or Remove Programs in Control Panel:

  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues.

P2P - I see you have P2P software ( µTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

Perils of P2P File Sharing

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------

I see an installer for RegCure.

c:\program\RegCureSetup_RW.exe

We do not recommend the use of registry cleaners, and this one has a bad reputation on top of that.

http://www.mywot.com/en/scorecard/regcure.com

Our colleague miekiemoes has an excellent writeup here

Another excellent article by Bill Castner is located here.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------
tetonbob is offline  
Old 05-04-2009, 06:00 AM   #9 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 6
OS: Windows XP Service pack 3


Re: RECYCLER virus

Hello, thanks so much for the help.

Ran the on-line scanner.

One of the results is for a program that I used for school called marratech, which was an online classroom. Since I'm not in the course anymore it is fine to remove it. The other one I don't know what it is.
Attached Files
File Type: txt online scanner.txt (1.3 KB, 1 views)
baraidag is offline  
Old 05-04-2009, 09:18 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,658
OS: 2000 Pro; XP Pro; XP Home


Re: RECYCLER virus

Hi -

These items get flagged due to their potential, as they are remote admin capable. If you know what they are and have brought them onto the machine intentionally, you can ignore them. If you no longer need them, they may be deleted also.

C:\ROCKY\skola\portugisiska\Marratech61.msi
F:\skola\portugisiska\Marratech61.msi

The other items are in your F drive's System Restore points.

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

---------------------------------------------------------------------------------------------


Other than that....

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.
  • McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
tetonbob is offline  
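
The MVPS HOSTS step in the post above works by mapping ad-server names to 127.0.0.1. As an added example (not part of the original post or of the MVPS package), this Python script audits a HOSTS file from the defender's side: it lists the names sinkholed to the local machine and flags any name mapped to a non-loopback address, which is worth reviewing on a machine that has just been cleaned. The sample file content, the host names and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Constructed sample HOSTS content (not from the thread); .example names and
# 203.0.113.0/24 are reserved for documentation.
SAMPLE_HOSTS = """\
# MVPS-style blocking entries
127.0.0.1    localhost
127.0.0.1    ads.example.com      # sinkholed ad server
0.0.0.0      tracker.example.net
203.0.113.7  www.update-vendor.example
203.0.113.7  bank.example
not-an-ip    broken.example
::1          localhost
"""


def audit_hosts(text):
    """Sort HOSTS entries into blocked (sinkholed), redirected and malformed."""
    report = {"blocked": [], "redirected": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        if addr is None or len(fields) < 2:
            report["malformed"].append((lineno, line))
            continue
        for name in (f.lower() for f in fields[1:]):
            if addr.is_loopback or addr.is_unspecified:
                if name != "localhost":  # the standard localhost entry is expected
                    report["blocked"].append(name)
            else:
                # A name pinned to a non-loopback address overrides DNS: review it.
                report["redirected"].append((name, str(addr), lineno))
    return report


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
    result = audit_hosts(SAMPLE_HOSTS)
    print(len(result["blocked"]), "names sinkholed to the local machine")
    for name, addr, lineno in result["redirected"]:
        print(f"REVIEW line {lineno}: {name} -> {addr}")
    for lineno, line in result["malformed"]:
        print(f"MALFORMED line {lineno}: {line}")
```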
Old 05-04-2009, 11:59 PM   #11 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 6
OS: Windows XP Service pack 3


Re: RECYCLER virus

Thank you for all the help and information. You can definitely consider the thread closed.
baraidag is offline  
Old 05-05-2009, 08:14 AM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,658
OS: 2000 Pro; XP Pro; XP Home


Re: RECYCLER virus

You're quite welcome.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
tetonbob is offline  

All times are GMT -7. The time now is 03:05 PM.



Copyright 2001 - 2009, Tech Support Forum