Multiple problems -- please help

[bsweeney]

Hello, I've been having multiple problems in the past few hours and I was wondering if anyone could help me. First, I found System Security on my computer. I put it in Safe Mode and ran Malwarebytes and, while it says it found the problem and took care of it, I'm still having many problems with my PC. When I first start up the computer, I get the error message that ViewMgr has encountered a problem and needs to close and I also get a pop-up that Old Virus Definition File, even though my virus definitions are up-to-date. Then, when I use Mozilla--I'm noticing a couple of problems: when any website loads, both the scrollbars (on the bottom and the side) appear before any of the site material actually loads. Originally, I was having a problem where Google would only show 6 search results for any search, even though it said it was still displaying the regular 10. But, now, that seems to be working fine. Except for the most annoying part: lots of links are turning into spyware links/pop-ups for sites such as hxxp://suchannel.com

So, below, is my DDS log and I've attached Archive.txt. I cannot, however, get the ark.txt file because my computer is not allowing me to run gmer.exe. When I click it, nothing happens. And I tried extracting it and using Run, but it still won't work.

I'm sure all of these problems are connected (Even the last one) since they all came on in the past few hours.

Please help! I will be eternally grateful.

Thank you very much,

Brian

And here's the DDS.txt:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Brian at 23:10:11.28 on Mon 06/15/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.233 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\ThinkVantage\SystemUpdate\PipeServer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Brian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [Aim6]
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [net] "c:\windows\system32\net.net"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [suScheduler] c:\program files\thinkvantage\systemupdate\UCLauncher.exe /SCHEDULER
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [a-squared] "c:\program files\a-squared anti-malware\a2guard.exe" /d=60
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [UDC Integration]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{a7091e1d-36a4-47f1-a739-173cc341414f}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} - hxxp://www.lojackforlaptops.com/ctmweb/testoc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - psqlpwd.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll avgrsstx.dll c:\progra~1\google\google~1\goec62~1.dll xkcmfl.dll c:\windows\system32\suyawewe.dll c:\windows\system32\yofolufe.dll c:\windows\system32\punehomi.dll c:\windows\system32\numefogu.dll c:\windows\system32\lupopuwo.dll c:\windows\system32\rowehulu.dll ,c:\windows\system32\vasuzala.dll
LSA: Notification Packages = scecli psqlpwd csspwntfy c:\windows\system32\yofolufe.dll c:\windows\system32\punehomi.dll c:\windows\system32\numefogu.dll c:\windows\system32\lupopuwo.dll c:\windows\system32\rowehulu.dll c:\windows\system32\vasuzala.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brian\applic~1\mozilla\firefox\profiles\flkkzwjh.default\
FF - component: c:\documents and settings\brian\application data\mozilla\firefox\profiles\flkkzwjh.default\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\brian\application data\mozilla\firefox\profiles\flkkzwjh.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-8-13 85760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-8-13 11520]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-4 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-4 27784]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-8-13 6016]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-8-13 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2006-8-13 4442]
R2 a2AntiMalware;a-squared Anti-Malware Service;c:\program files\a-squared anti-malware\a2service.exe [2008-12-5 419448]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-4 298776]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]
R2 smihlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2006-2-14 3328]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-7 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090508.003\naveng.sys [2009-5-8 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090508.003\navex15.sys [2009-5-8 876144]
S1 podmenadrv;podmenadrv;\??\c:\program files\podmena\podmena.sys --> c:\program files\podmena\podmena.sys [?]
S2 ngwvukbj;ngwvukbj;c:\windows\system32\drivers\ybagasj.sys --> c:\windows\system32\drivers\ybagasj.sys [?]
S2 podmena;podmena;c:\windows\system32\svchost.exe -k podmena [1980-1-1 14336]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-2 24652]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-06-15 19:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware_2
2009-06-15 18:49 61,440 a------- C:\click.exe
2009-06-15 18:49 110 a------- C:\tj.vbs
2009-06-15 18:43 <DIR> --d----- c:\program files\podmena
2009-06-15 18:43 2 ----h--- c:\windows\zaponce53173.dat
2009-06-15 18:43 2 ----h--- c:\windows\zaponce53290.dat
2009-06-15 18:43 529 ---sh--- c:\windows\system32\jijigogi.exe
2009-06-15 18:43 159 a------- C:\d45.bat

==================== Find3M ====================

2009-06-15 23:05 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-06-15 22:25 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-06-15 22:25 56,680 a------- c:\windows\system32\rpcnet.dll
2009-06-14 10:43 5,427 a------- c:\windows\system32\EGATHDRV.SYS
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 21:42 56,680 a------- c:\windows\system32\rpcnet.exe
2009-05-10 14:18 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-10 14:18 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 11:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-27 05:29 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 05:58 1,846,656 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 11:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 11:11 584,192 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-25 18:55 33,280 a------- c:\windows\system32\identprv.dll
2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll

============= FINISH: 23:13:42.48 ===============

[Ried]

Hello Brian,

Let's see if we can get gmer to run. Open Notepad and copy/paste the contents in the code box below, into Notepad.

Quote:

@copy /y gmer.exe gamer.exe
@Start gamer.exe -protect

Save this as owned.bat Choose to "Save type as - All Files"

It should look like this:

Place the batch next to gmer & double click the owned.bat to launch it.


Remember to configure and carry out the scan as follows:

• Extract the contents of the zipped file to desktop.
• Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  
  
  
  Click the image to enlarge it
  
  
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Please attach the ark.txt in your next reply

[bsweeney]

Hello Ried,

Thank you very much for your help. Sorry, I haven't responded sooner--I've been away at work all day, but I'll be sure to check back periodically through the night for your response.

I followed your instructions and was able to run the gmer.exe, but the computer keeps blue-screening (and saying it's doing a physical dump of its memory) mid-scan, so I'm unable to get an ark.txt file (unless you wanted me to send in abbreviated results?).

Also, I've noticed a few more things: my computer is extremely slow on start-up, especially when it's restarted properly (vs. from the power switch). it's a bit faster in safe mode. The spyware links seem to only occur (and always) when I'm clicking on google search results. I'm not sure if that problem is exclusive to google (or search engines in general)-that's just my guess.

Hope that's helpful! Thanks again!

Brian

[Ried]

Hi Brian, :)

Let's proceed. Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT- Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on combofix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Also let me know if the redirects are still occurring. If so, what browser does this occur in?

[bsweeney]

Wow. Thank you so much. I just ran Combofix and almost everything seems to be working fine again.

Midway through the scan, however, Combofix said it found rootkit activity and had me write down the file/process names, so let me know if you'd like me to type those up? (It just restarted afterward and continued with the scan.)

Also, the links don't seem to redirecting anymore.

I've attached the log file below.

Thank you so much again for all your help!

Brian

[bsweeney]

Two things I forgot:

When running the ComboFix scan, I had to rename it ComboFix2.exe for it to run.

And, oddly, I have the red balloon in my bottom right corner that says Symantec is turned off, and it says "Old Virus Definition File" in a pop-up still, but Symantec itself says it's on and that it's using the most updated definitions.

Thanks!

[Ried]

ComboFix is an amazing tool that makes my job (and the job on your end) so much easier. Without it, it would have taken a bit longer to rid your system of that rootkit and all the junk accompanying it.

That particular Symantec balloon nuisance should be gone by the time we're through here. Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/385942-multiple-problems-please-help.html#post2193689

Collect::
C:\click.exe
c:\windows\system32\drivers\ybagasj.sys
C:\d45.bat

File::
c:\WINDOWS\zaponce53173.dat
c:\WINDOWS\zaponce53290.dat

Driver::
ngwvukbj

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Refering to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.

---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior

[bsweeney]

Hi Ried,

I wanted to reply before I went ahead with the online scan. I ran the script as you instructed, but the scan only produced a log file--it didn't open a message box to submit files for analysis (Could this have something to do with having to rename Combofix?).

So, anyway, I wanted to make sure that I should proceed before I went ahead and did the online scan. To that end, I've attached the log from the last scan.

Thank you again for everything,

Brian

ComboFix 09-06-16.01 - Brian 06/17/2009 18:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.316 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix2.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point

FILE ::
"c:\windows\zaponce53173.dat"
"c:\windows\zaponce53290.dat"

file zipped: C:\click.exe
file zipped: C:\d45.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\click.exe
C:\d45.bat
c:\windows\zaponce53173.dat
c:\windows\zaponce53290.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NGWVUKBJ
-------\Service_ngwvukbj


((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-15 23:24 . 2009-06-15 23:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware_2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 22:08 . 2008-12-06 21:36 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-06-17 22:08 . 2007-03-13 04:43 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-06-17 02:26 . 2009-03-30 18:00 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-17 01:40 . 2008-12-06 21:36 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-06-17 01:25 . 2009-01-05 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-17 01:24 . 2008-10-18 16:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-14 14:43 . 2006-08-13 17:49 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2009-05-28 05:05 . 2007-12-04 18:40 -------- d-----w- c:\documents and settings\Brian\Application Data\Move Networks
2009-05-26 17:20 . 2008-12-05 20:35 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2008-12-05 20:35 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-22 01:42 . 2007-03-13 04:43 56680 ----a-w- c:\windows\system32\rpcnet.exe
2009-05-15 21:43 . 2009-04-12 18:28 -------- d-----w- c:\documents and settings\Brian\Application Data\EndNote
2009-05-14 04:13 . 2007-08-06 20:51 -------- d-----w- c:\program files\Symantec AntiVirus
2009-05-07 15:44 . 1980-01-01 07:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 1980-01-01 07:00 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 1980-01-01 07:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 1980-01-01 07:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 1980-01-01 07:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-10 23:43 . 2006-08-22 12:40 47208 ----a-w- c:\documents and settings\Brian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 23:30 . 2009-03-26 23:30 965344 ----a-w- c:\documents and settings\Brian\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000006.exe
2009-03-25 22:55 . 2008-01-22 01:43 33280 ----a-w- c:\windows\system32\identprv.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-17_01.50.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-17 22:08 . 2009-06-17 22:08 16384 c:\windows\Temp\Perflib_Perfdata_51c.dat
+ 2009-06-17 02:17 . 2009-06-17 02:17 16384 c:\windows\Temp\Perflib_Perfdata_12c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2006-11-16 43008]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-03-09 106496]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-03-09 69632]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-03-01 196710]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-13 169472]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-02-24 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-02-24 208896]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"a-squared"="c:\program files\A-SQUARED ANTI-MALWARE\a2guard.exe" [2008-12-18 2782352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-27 185872]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-10-21 29696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-1-17 618557]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-8-29 581632]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-4-17 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-03-09 09:02 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 20:01 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-14 19:16 39936 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd csspwntfy

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156255765\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156255765\\ee\\aim6.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:podmena

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [8/13/2006 1:20 PM 85760]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [8/13/2006 1:20 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [8/13/2006 1:51 PM 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [12/21/2005 8:14 PM 12544]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 4:11 PM 46142]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 7:45 PM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2/14/2006 3:02 PM 3328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/2/2008 7:06 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/7/2009 2:32 AM 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2009-06-17 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-08-13 08:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 18:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1352)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(1408)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll

- - - - - - - > 'explorer.exe'(4572)
c:\windows\system32\PROCHLP.DLL
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\browselc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\a-squared Anti-Malware\a2service.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\IBM ThinkVantage\Common\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.exe
c:\windows\system32\rundll32.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Logitech\SetPoint\KHALMNPR.exe
c:\progra~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2009-06-17 18:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-17 22:15
ComboFix2.txt 2009-06-17 01:57

Pre-Run: 49,276,403,712 bytes free
Post-Run: 49,260,494,848 bytes free

253 --- E O F --- 2009-06-11 22:11

[Ried]

Hi Brian,

I'm not sure why the upload failed. We'll grab that in the next round. Open notepad and copy/paste the text in the code box below into it:

Quote:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


======================================



Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply along with the C:\ComboFix.txt



======================================

After you post those logs for me, I'd like for you to run this online scan to search for any remnants that may be lying about while you're waiting for me to review your logs:

It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in another reply

[bsweeney]

Hi Ried,

Sorry for the delay. Thanks again. Here are those logs, and I'll start the online scan right away.

[Ried]

No worries about the delay, Brian. We all have things we must tend to. :)

Please visit this site and copy paste the following bolded text into the 'browse to file to submit' box:

C:\Qoobox\Quarantine\[4]-Submit_2009-06-17_18.01.42.zip

Click 'Send File'

[bsweeney]

Hi Ried,

I just submitted the file, and attached you'll find my Kaspersky results. I'm encountering another problem though now--which is very weird: in Firefox (and only in Firefox), my computer is now typing backwards.

Thanks for your help!

Brian

[Ried]

Files have been received, thank you.

Kaspersky is only reporting backups created during the course of this fix, and items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing after we sort out the Firefox issue.

Try rebooting and see if Firefox is still typing backwards.

[bsweeney]

Awesome, that sounds good. I rebooted the computer, and Firefox is working again. The only thing left now is the Symantec balloon and the "Old Virus Definition File" pop-up.

Thanks!

Brian

[Ried]

Is that actually a Symantec alert, or is it an alert from what appears to be Windows Security Center?

Can you post a screen shot for me?

In Windows a screenshot of the entire monitor, complete with taskbar, can be copied to the system clipboard by pressing the Print screen key (normally located in the top row on the right-hand side of the keyboard)..

You can then paste the clipboard into a program like MS Paint to save it as an image file or paste it directly into a document.

• Press the Print screen key
• Click the "Start" button (normally located in the bottom left of your screen).
• Click "Run" & type "mspaint" (without quotes) & click the "OK" button.
• Wait while the application "Paint" opens. Once it is open, proceed to the next step.
• Click the "Edit" menu and select "Paste".
• Click the "File" menu and select "Save As...". A dialog box will appear.
• In the "File name" field, enter a name of your choice.
• Click the "Save as type" drop-down and select "JPEG (*.JPG;*.JPEG;*.JPE*;.JFIF)".
• Click the "Save" button.

To attach a file to a new post, simply click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and Click Upload.

[bsweeney]

Hi Ried,

I actually installed AVG because I was little worried that my computer wasn't being protected. And, since I installed AVG, the alerts went away because the Windows Security Center says, under Virus Protection, that AVG is up-to-date and running. So, I think it must be a Symantec problem then?

Should I uninstall AVG and then take a screenshot?

Thanks again!

Brian

[Ried]

Did you uninstall Symantec? If so, the problem is that Symantec has not uninstalled properly. Go to this site and follow the instructions for downloading and running
Symantec Removal Tool.


After you've done that, run a new scan with dds.scr and post only the dds.txt

[bsweeney]

Hi Ried,

I didn't uninstall Symantec (I would but the computers at school require that we have it--otherwise it doesn't allow us to access the internet.). Would you like me to uninstall it temporarily? And then run the scan? And then reinstall it?

Thanks for the help,

Brian

[Ried]

Hi Brian,

No--if your school requires it, you must keep it installed. What needs to be done is uninstall AVG. It's never a good idea to have more than 1 AV installed at a given time as they will conflict and fight with one another as well as cause system slow downs and instability.

Do that now, then reboot. Do you still have the warning in the icon tray? If so, I'd like to see a screenshot of it.

[bsweeney]

Okay, that's good to know. So I uninstalled AVG and now just have Symantec.

Mid-way through the uninstall, the balloon had already popped up. And then when I rebooted the computer, it was there again, but then the balloon itself disappeared before I was able to grab a screenshot. But, instead, I got a screenshot of the Windows Security Center message about the problem (that's screenshot1).

Screenshot 2 is a pic of the Old Virus Definition File pop-up that is still there. And, when I went to reply to the thread, Symantec own warning message popped-up in the bottom-right corner, so I've included that as screenshot3 (in the next post).

Thanks again for all your time!

Brian