Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 06-18-2009, 10:34 AM   #1
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: win. xp service pack 3


multiple trojans infected my pc, please help

Hi, I was recently attacked by several forms of trojans/viruses, and I desperately need your help. Since I am writing this post from another computer, I cannot provide you with detailed info regarding the locations and names of suspicious files, but I will try my best to describe what I know is happening to my infected computer...

Here are some of the problems I am experiencing so far:
  • safe mode does not work
  • both IE and Mozilla redirect me to random ad sites
  • Avast!Antivir program was installed on my computer without my awareness
  • crashes will occur on random occasions, especially when connected to the internet. When disconnected, the computer may survive longer, but crashes do happen from time to time regardless of internet connection
  • My main source of firewall, McAfee OAS, does not function properly: the scan interface will not appear no matter how many times I attempt to run a scan

I have not yet attempted to remove Avast from the system, as I would like you to evaluate it before taking action myself (as stated earlier, the program had been automatically installed on to my system, and I do not believe that a simple removal via Add/Remove Programs will solve anything). In addition, the Gmer scan that you have provided for the preparation process will not run, but the DDS scan did succeed in providing the two reports that you requested. Also, just to save your time, I have read and am now aware of the consequences of using p2p programs, i.e. Azureus and LimeWire in my case. I will wait for your proper instructions before deleting ANYTHING from my computer. Thank you for taking the time to help out a PC noob like me, and I will be looking forward to your reputable assistance.




DDS (Ver_09-05-14.01) - NTFSx86
Run by Yuji Moriya at 17:44:29.34 on Mon 06/15/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.520 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\WINDOWS\dhcp\svchost.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\TEMP\b.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe "C:\WINDOWS\system32\actmoviej.exe"
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\TEMP\c.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\config\systemprofile\Application Data\psvrr.exe
C:\WINDOWS\System32\reader_s.exe
C:\windows\ld08.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\WINDOWS\system32\config\systemprofile\Application Data\psvrr.exe
C:\Documents and Settings\Yuji Moriya\reader_s.exe
C:\program Files\MicPhone\antit.exe
C:\Documents and Settings\Yuji Moriya\Yuji Moriya.exe
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
C:\DOCUME~1\YUJIMO~1\LOCALS~1\Temp\_A00F2AFF36A.exe
C:\DOCUME~1\YUJIMO~1\LOCALS~1\Temp\zcb8ho.exe
C:\DOCUME~1\YUJIMO~1\LOCALS~1\Temp\zcb8ho.exe
C:\DOCUME~1\YUJIMO~1\LOCALS~1\Temp\win.exe
C:\WINDOWS\TEMP\_A00F2B1048C.exe
C:\Documents and Settings\Yuji Moriya\Application Data\psvr32.exe
C:\WINDOWS\TEMP\_A00F1BA23.exe
C:\WINDOWS\TEMP\_A00F2281F.exe
C:\WINDOWS\TEMP\_A00F1C166.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\YUJIMO~1\LOCALS~1\Temp\_A00F1CA02.exe
C:\WINDOWS\9129837.exe
C:\Documents and Settings\Yuji Moriya\Application Data\psvr32.exe
C:\DOCUME~1\YUJIMO~1\LOCALS~1\Temp\_A00F1BF34.exe
C:\DOCUME~1\YUJIMO~1\LOCALS~1\Temp\_A00F23DCA.exe
C:\WINDOWS\system32\SYSDLL.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
svchost
svchost
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Yuji Moriya\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3071214
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3071214
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3071214
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
mWinlogon: Userinit=userinit.exe
mWinlogon: Taskman=c:\recycler\s-1-5-21-5648628131-6768448527-663210914-9081\wnzip32.exe
BHO: c:\windows\system32\yhafd78auhd.dll: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\yhafd78auhd.dll
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [WinProx32_1] c:\windows\system32\config\systemprofile\application data\psvrr.exe
uRun: [reader_s] c:\documents and settings\yuji moriya\reader_s.exe
uRun: [shv] c:\program files\micphone\antit.exe
uRun: [Yuji Moriya] c:\documents and settings\yuji moriya\Yuji Moriya.exe /i
uRun: [12CFG515-K641-55SF-N66P] c:\recycler\s-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
uRun: [A00F2AFF36A.exe] c:\docume~1\yujimo~1\locals~1\temp\_A00F2AFF36A.exe
uRun: [<NO NAME>] c:\docume~1\yujimo~1\locals~1\temp\zcb8ho.exe
uRun: [nzdflkioezncfiunfindiuchiuenfcdc] c:\docume~1\yujimo~1\locals~1\temp\zcb8ho.exe
uRun: [Windows System Recover!] c:\docume~1\yujimo~1\locals~1\temp\win.exe
uRun: [A00F2B1048C.exe] c:\windows\temp\_A00F2B1048C.exe
uRun: [A00F1BA23.exe] c:\windows\temp\_A00F1BA23.exe
uRun: [A00F2281F.exe] c:\windows\temp\_A00F2281F.exe
uRun: [A00F1C166.exe] c:\windows\temp\_A00F1C166.exe
uRun: [A00F1CA02.exe] c:\docume~1\yujimo~1\locals~1\temp\_A00F1CA02.exe
uRun: [ttool] c:\windows\9129837.exe
uRun: [A00F1BF34.exe] c:\docume~1\yujimo~1\locals~1\temp\_A00F1BF34.exe
uRun: [A00F23DCA.exe] c:\docume~1\yujimo~1\locals~1\temp\_A00F23DCA.exe
uRun: [Cognac] c:\windows\temp\b.exe
uRun: [SYSDLL] SYSDLL
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [spywareguard] c:\program files\spyware guard 2008\spywareguard.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [WinProx32_1] c:\windows\system32\config\systemprofile\application data\psvrr.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [sysldtray] c:\windows\ld08.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [WinProx32_1] c:\windows\system32\config\systemprofile\application data\psvrr.exe
StartupFolder: c:\documents and settings\yuji moriya\start menu\programs\startup\asgupd32.exe
StartupFolder: c:\documents and settings\yuji moriya\start menu\programs\startup\fmnupd32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\openmg~1.lnk - c:\program files\sony\openmg jukebox\Omgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: __c00b438c - c:\windows\system32\__c00B438C.dat
AppInit_DLLs: c:\progra~1\micphone\antit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
STS: c:\windows\system32\yhafd78auhd.dll: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\yhafd78auhd.dll
{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnkhebX
LSA: Notification Packages = scecli c:\windows\system32\vuzasufa.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\yujimo~1\applic~1\mozilla\firefox\profiles\xlruofsr.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - HiddenExtension: XUL Cache: {795843E7-F10A-4AE4-82F1-E1E1C08723C6} - c:\documents and settings\yuji moriya\local settings\application data\{795843E7-F10A-4AE4-82F1-E1E1C08723C6}

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-2-22 144960]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 avast!antivirus;avast!antivirus;c:\windows\system32\avast!antivirus.exe -k netsvcs --> c:\windows\system32\avast!Antivirus.exe -k netsvcs [?]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [2007-8-23 5376]
R2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-5-30 240640]
R2 ias;Ias;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-12-25 104000]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-2-22 54872]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-12-25 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-12-25 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-12-25 170408]
S1 c72547c9;c72547c9;c:\windows\system32\drivers\c72547c9.sys [2009-5-30 0]
S2 acpi32;acpi32;c:\windows\system32\drivers\acpi32.sys [2009-6-1 30976]
S2 fips32cup;fips32cup;c:\windows\system32\drivers\fips32cup.sys [2009-6-1 30976]
S2 port135sik;port135sik;c:\windows\system32\drivers\port135sik.sys [2009-6-4 41216]
S2 spoolerhidserv;Print Spooler SpoolerHidServ;c:\windows\system32\actmoviej.exe srv --> c:\windows\system32\actmoviej.exe srv [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S2 ws2_32sik;ws2_32sik;c:\windows\system32\drivers\ws2_32sik.sys [2004-8-10 30976]
S3 ntalme;ntalme;c:\windows\system32\ntalme.sys [2004-8-10 2304]

=============== Created Last 30 ================

2009-06-12 02:53 17,408 a------- c:\windows\system32\SYSDLL.exe
2009-06-12 02:53 <DIR> --d----- c:\windows\system32\sysloc
2009-06-04 03:42 206,340 a------- c:\windows\system32\msxml71.dll
2009-06-04 03:41 40,449 a------- C:\yykvirg.exe
2009-06-04 03:41 9,216 a------- C:\xbmqgeyn.exe
2009-06-04 03:41 20,702 a------- C:\udwnxe.exe
2009-06-04 03:41 20,703 a------- C:\lhkeufwk.exe
2009-06-04 03:41 25,088 a------- c:\windows\system32\__c00A4499.dat
2009-06-04 03:41 38,400 a------- C:\lquq.exe
2009-06-04 03:41 91,212 a------- c:\windows\system32\drivers\41c962d7.sys
2009-06-04 03:41 41,216 a------- c:\windows\system32\drivers\port135sik.sys
2009-06-04 03:40 2 a------- C:\1946489939
2009-06-04 03:40 20,702 a------- C:\bynhqjb.exe
2009-06-04 03:40 20,703 a------- C:\gmres.exe
2009-06-04 03:40 25,088 a------- c:\windows\system32\__c005154E.dat
2009-06-04 03:40 38,400 a------- C:\buvppwg.exe
2009-06-01 21:58 30,976 a------- c:\windows\system32\drivers\acpi32.sys
2009-06-01 20:49 96,076 a------- c:\windows\system32\drivers\804bd010.sys
2009-06-01 20:49 27,648 a------- c:\windows\system32\__c004A0E1.dat
2009-06-01 20:48 27,648 a------- c:\windows\system32\__c0032F7C.dat
2009-06-01 20:48 30,976 a------- c:\windows\system32\drivers\i386si.sys
2009-06-01 20:00 96,076 a------- c:\windows\system32\drivers\82f8854b.sys
2009-06-01 20:00 27,648 a------- c:\windows\system32\__c002648E.dat
2009-06-01 19:10 30,976 a------- c:\windows\system32\drivers\fips32cup.sys
2009-06-01 18:28 57,345 a------- c:\windows\9129837.exe
2009-06-01 18:28 27,648 a------- c:\windows\system32\__c00BDEE7.dat
2009-06-01 18:28 27,648 a------- c:\windows\system32\__c007724F.dat
2009-06-01 18:27 99,648 a------- c:\windows\system32\drivers\7ec1482.sys
2009-06-01 18:27 51,712 ---shr-- c:\windows\system32\actmoviej.exe
2009-06-01 18:22 27,648 a------- c:\windows\system32\__c0064E4.dat
2009-06-01 18:22 96,076 a------- c:\windows\system32\drivers\c152e63f.sys
2009-06-01 18:22 27,648 a------- c:\windows\system32\__c00586F2.dat
2009-06-01 18:17 27,648 a------- c:\windows\system32\__c0014264.dat
2009-06-01 18:16 96,076 a------- c:\windows\system32\drivers\4788f89e.sys
2009-06-01 18:16 1,611 a------- C:\xcrashdump.dat
2009-06-01 18:16 27,648 a------- c:\windows\system32\__c008B8D1.dat
2009-06-01 05:46 27,648 a------- c:\windows\system32\__c00B044.dat
2009-06-01 05:46 21,017 ----h--- c:\documents and settings\yuji moriya\Yuji Moriya.exe
2009-05-31 09:33 <DIR> --dshr-- c:\program files\MicPhone
2009-05-31 09:33 96,204 a------- c:\windows\system32\drivers\46d1f86c.sys
2009-05-30 23:04 <DIR> --d----- c:\windows\system32\3361
2009-05-30 23:04 <DIR> --d----- c:\windows\dhcp
2009-05-30 23:04 158,720 a------- c:\windows\system32\tpsaxyd.exe
2009-05-30 23:04 123,904 a------- c:\windows\system32\sopidkc.exe
2009-05-30 23:04 8 a------- c:\windows\system32\comsa32.sys
2009-05-30 23:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\92409996
2009-05-30 23:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\12400004
2009-05-30 23:03 40,449 a------- c:\documents and settings\yuji moriya\reader_s.exe
2009-05-30 23:03 15,000 a------- c:\windows\system32\yhafd78auhd.dll
2009-05-30 23:03 27,648 a------- c:\windows\system32\__c00B438C.dat
2009-05-30 23:03 32,768 a------- c:\windows\system32\avast!Antivirus.exe
2009-05-30 23:03 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-05-30 23:03 0 a------- c:\windows\system32\drivers\c72547c9.sys
2009-05-30 23:02 40,449 a------- c:\windows\system32\reader_s.exe
2009-05-30 23:02 15,360 ----h--- c:\windows\ld08.exe
2009-05-28 03:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\96131706
2009-05-28 03:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\16121714
2009-05-27 22:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\94928426
2009-05-27 22:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\14918434
2009-05-27 22:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\94133426
2009-05-27 22:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\14123434
2009-05-27 21:57 <DIR> --dsh--- c:\windows\system32\lowsec
2009-05-27 21:57 <DIR> --d----- c:\program files\Microsoft Common

==================== Find3M ====================

2009-06-15 17:44 96,076 a------- c:\windows\system32\drivers\beep.sys
2009-06-15 17:38 6,656 a------- c:\windows\system32\drivers\aec.sys
2009-06-13 17:53 6,656 a------- c:\windows\system32\drivers\asyncmac.sys
2009-06-01 18:28 30,976 a------- c:\windows\system32\drivers\ws2_32sik.sys
2009-05-30 23:03 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-03-19 00:41 229,376 a------- c:\docume~1\yujimo~1\applic~1\psvr32.exe
2007-12-25 17:24 13,907,048 ac------ c:\program files\AIM.exe
2007-12-25 16:39 1,559 ac------ c:\program files\INSTALL.LOG
2006-02-27 16:05 880 a------- c:\program files\Data.cfg
2006-02-24 14:20 917,504 ac------ c:\program files\WirelessCfg.exe
2006-02-24 14:20 90,112 ac------ c:\program files\Mrv8000x.dll
2005-11-11 16:43 1,327,195 ac------ c:\program files\odSupp_M.dll
2005-11-11 16:43 49,152 ac------ c:\program files\AutoLinkLib.dll
2002-07-26 18:02 153,088 a------- c:\program files\UNWISE.EXE
2009-01-22 16:44 409,266 a--sh--- c:\windows\system32\Xbehknpo.ini2

============= FINISH: 17:46:11.45 ===============
Attached Files
File Type: txt Attach.txt (10.3 KB, 2 views)
File Type: txt DDS.txt (17.6 KB, 3 views)

Last edited by amateur; 06-21-2009 at 01:24 PM. Reason: DDS.txt pasted in.
seigen is offline  
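The following script is an added example and is not part of the thread or of the DDS tool. It applies a few of the checks an analyst makes when reading a DDS pseudo-HJT report like the one above: autostart entries launched from temp, RECYCLER, the system profile, a profile root or the Windows root; a Winlogon Taskman or Userinit hijack; extra LSA authentication or notification packages; a non-empty AppInit_DLLs; policies that lock the user out of registry tools; and a browser proxy pointed at localhost. The sample lines are excerpted from the report above; the rule set, the list of "untrusted" locations and the assumption that a stock XP box carries only msv1_0 and scecli as LSA packages are the example's own.

```python
import re
from dataclasses import dataclass

# Lines excerpted from the DDS report posted above (constructed sample input
# for this example; a real run would feed in the whole DDS.txt).
SAMPLE_REPORT = r"""
uInternet Settings,ProxyServer = http=localhost:7171
mWinlogon: Userinit=userinit.exe
mWinlogon: Taskman=c:\recycler\s-1-5-21-5648628131-6768448527-663210914-9081\wnzip32.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WinProx32_1] c:\windows\system32\config\systemprofile\application data\psvrr.exe
uRun: [Windows System Recover!] c:\docume~1\yujimo~1\locals~1\temp\win.exe
uRun: [Cognac] c:\windows\temp\b.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [sysldtray] c:\windows\ld08.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: c:\progra~1\micphone\antit.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnkhebX
LSA: Notification Packages = scecli c:\windows\system32\vuzasufa.dll
FF - prefs.js: network.proxy.http - localhost
"""

# Locations a legitimate autostart entry has no business pointing at (example's own list).
SUSPICIOUS_PATH = re.compile(
    r"\\temp\\|\\recycler\\|\\systemprofile\\|locals~1\\"
    r"|^c:\\windows\\[^\\]+\.exe$"                          # loose .exe in the Windows root
    r"|^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$"    # .exe at the root of a profile
    r"|^c:\\[^\\]+\.exe$",                                   # .exe in the drive root
    re.IGNORECASE,
)
RUN_ENTRY = re.compile(r"^[umd]Run: \[[^\]]*\] (.+)$", re.IGNORECASE)
WINLOGON = re.compile(r"^mWinlogon: (\w+)=(.+)$")
LSA_LINE = re.compile(r"^LSA: (Authentication|Notification) Packages = (.+)$")
POLICY = re.compile(r"^[umd]Policies-\w+: \w+ = 1 ")
PROXY = re.compile(r"ProxyServer = .*(localhost|127\.0\.0\.1)"
                   r"|network\.proxy\.http - (localhost|127\.0\.0\.1)", re.IGNORECASE)
# Assumed stock XP packages; anything beyond these needs an explanation.
EXPECTED_LSA = {"Authentication": {"msv1_0"}, "Notification": {"scecli"}}


@dataclass
class Finding:
    rule: str
    line: str


def launch_path(command: str) -> str:
    """Strip quotes and trailing arguments from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r".+?\.(?:exe|com|scr|pif|dll)(?=\s|$)", command, re.IGNORECASE)
    return m.group(0) if m else command


def triage(report: str) -> list[Finding]:
    """Apply the rules above to every line of a DDS report and return the hits."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := RUN_ENTRY.match(line)):
            if SUSPICIOUS_PATH.search(launch_path(m.group(1))):
                findings.append(Finding("autostart from an untrusted location", line))
        elif (m := WINLOGON.match(line)):
            key, value = m.group(1).lower(), m.group(2).strip().rstrip(",")
            if key == "taskman":                      # key is absent on a clean box
                findings.append(Finding("Winlogon Taskman hijack", line))
            elif key == "userinit" and value.lower().split("\\")[-1] != "userinit.exe":
                findings.append(Finding("Winlogon Userinit tampered", line))
        elif (m := LSA_LINE.match(line)):
            extra = set(m.group(2).split()) - EXPECTED_LSA[m.group(1)]
            if extra:
                findings.append(Finding(f"extra LSA {m.group(1).lower()} package", line))
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(Finding("AppInit_DLLs injection", line))
        elif POLICY.match(line):
            findings.append(Finding("restrictive policy set", line))
        elif PROXY.search(line):
            findings.append(Finding("proxy pointed at localhost", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.rule:40} {f.line}")
```

Run against the excerpt, the two legitimate entries (ctfmon.exe and igfxtray.exe under system32) pass and every other line is reported. The point of the localhost:7171 proxy rule is worth spelling out: both IE and Firefox in the report above are configured to send all HTTP through a listener on the infected machine itself, which is how the "redirects to random ad sites" in the first post are produced.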

Old 06-21-2009, 04:21 PM   #2
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: multiple trojans infected my pc, please help

Hello and welcome to TSF

This machine is quite badly infected and I believe Virut is active on this machine.
Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code and, as a result, it may misinfect a proportion of executable files, leaving those files corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection, and it is the only way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (software, .exe files) and screensavers (.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.
http://miekiemoes.blogspot.com/2009/...-throwing.html
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
TheBruce1 is offline  
Old 06-22-2009, 12:46 PM   #3
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: win. xp service pack 3


Re: multiple trojans infected my pc, please help

Thank you for your help

I'm shocked to hear that my system has no chance of recovery other than reinstallation...I will get back to you again when I finish backing up my personal data.
seigen is offline  
Old 06-22-2009, 01:53 PM   #4
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: multiple trojans infected my pc, please help

Remember to disconnect from the internet. If you have access to a clean computer you may want to download the installation package for McAfee (or any other antivirus application) to a USB stick, CD-R or any other removable media device.

Once you have re-installed Windows, install your antivirus package and only reconnect once it wishes to update its definitions. McAfee, I believe, works differently and you have to use the download manager from your account.

Once the antivirus/firewall package is installed, reconnect to the internet and visit the Microsoft Update page and install all the patches that are required.

Then download DDS again and post the DDS.txt plus the attach.txt in your reply for review.
TheBruce1 is offline  
Old 06-26-2009, 05:28 AM   #5
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: multiple trojans infected my pc, please help

How are things coming along? If there is no reply to this post within 48hrs this thread will be closed.
TheBruce1 is offline  
Old 06-27-2009, 12:33 PM   #6
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: win. xp service pack 3


Re: multiple trojans infected my pc, please help

I have a question about backing up files:
You said that I should not back up any executable files or screensavers. Do all application type files count as .exe files even when they don't have the extension written? To clarify, is a file named "game" without an extension that is categorized as an application file, the same as if it were named "game.exe"? If not, how can I tell that an application file is not an executable file?
seigen is offline  
Old 06-28-2009, 06:14 AM   #7
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: multiple trojans infected my pc, please help

Hello again

Quote:
Do all application type files count as .exe files even when they don't have the extension written?
No, the installer file will most likely be an exe file, but it all depends on the application and what type of file(s) (extensions) are installed; they may all be exe files for all I know.

Quote:
To clarify, is a file named "game" without an extension that is categorized as an application file, the same as if it were named "game.exe"?
The file will have some type of extension, whether it be exe, dll, sys or another; you have to search for the file and check to see what type of file it is.

Quote:
If not, how can I tell that an application file is not an executable file?
Click Start > Search > type in, say, game.exe.
TheBruce1 is offline  
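The advice in post #2 (do not restore .exe or .scr files, nor archives holding them) and the question in post #6 about a file called "game" with no extension come down to the same check, and the script below is an added example of it rather than anything from the thread. Virut infects by content, so the backup is examined by content: every file is read, anything that begins with an MZ DOS stub whose e_lfanew pointer lands on a PE signature is reported as a Windows executable whatever its name, and zip archives are opened and their members checked the same way. It only handles zip; the cab and rar formats the post also mentions would need extra libraries. The sample backup directory is constructed in a temp folder, with a header-only PE stub standing in for real executables. Nothing here detects Virut itself; it only lists the files the advice above says not to put back.

```python
import io
import struct
import tempfile
import zipfile
from pathlib import Path

MAX_ARCHIVE_DEPTH = 3   # nested zips are walked, but not forever


def is_pe_image(data: bytes) -> bool:
    """True if the bytes carry a Windows PE header: an 'MZ' DOS stub whose
    e_lfanew field (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_bytes(data: bytes, name: str, depth: int = 0) -> list[str]:
    """Return the names of PE images found in data, descending into zip
    archives (members are reported as archive!member)."""
    if is_pe_image(data):
        return [name]
    hits: list[str] = []
    if depth < MAX_ARCHIVE_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    hits += scan_bytes(zf.read(info), f"{name}!{info.filename}", depth + 1)
    return hits


def scan_tree(root: str) -> list[str]:
    """Walk a backup directory and list every executable it would restore."""
    hits: list[str] = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits += scan_bytes(path.read_bytes(), path.relative_to(root).as_posix())
    return hits


def make_pe_stub() -> bytes:
    """A header-only PE image (not runnable) used for the constructed sample."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> right after the stub
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_backup() -> str:
    """Constructed sample backup: two documents, an executable with no
    extension, a screensaver, and a zip that carries an .exe inside."""
    root = tempfile.mkdtemp(prefix="backup-")
    Path(root, "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    Path(root, "notes.txt").write_text("shopping list\n")
    Path(root, "game").write_bytes(make_pe_stub())       # 'game', no extension
    Path(root, "setup.scr").write_bytes(make_pe_stub())
    with zipfile.ZipFile(Path(root, "tools.zip"), "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("bin/tool.exe", make_pe_stub())
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_backup()):
        print("executable, do not restore:", hit)
```

Run on the sample, it reports game, setup.scr and tools.zip!bin/tool.exe and says nothing about the photo or the text file. Point it at the real backup stick instead of the constructed folder to get the list of files to leave behind.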
Old 06-29-2009, 07:03 PM   #8
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: win. xp service pack 3


Re: multiple trojans infected my pc, please help

I have one more question before I start the reinstall process.
When I tried to disconnect one of my USB drives after backing up files from the computer, my McAfee firewall interface pops up, flagging the autorun.ini file stored on the USB as a Trojan or virus. This happens the first time I try to "safely remove hardware", but it will successfully stop and disconnect the second time after I close the firewall message. Will this be a problem after the reinstall when I try to put the files back on the computer? Or is this just a temporary glitch that might go away after the reinstall?
seigen is offline  
Old 06-30-2009, 08:28 AM   #9
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: multiple trojans infected my pc, please help

Hello again

Quote:
When I tried to disconnect one of my USB drives after backing up files from the computer, my McAfee firewall interface pops up, flagging the autorun.ini file stored on the USB as a Trojan or virus.
Hard to know if this is a false positive or not; once you have re-installed Windows you can set the computer to disable autorun. This way you can connect the USB stick to the computer without the files stored on the USB stick running on the PC.
http://news.cnet.com/8301-13554_3-9894970-33.html

You can then scan the USB stick for any infections.
TheBruce1 is offline  
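As an added example of the "disable autorun, then look at the stick" advice above (this is not the poster's procedure or the linked article's), the script below does two things. On Windows it sets NoDriveTypeAutoRun to 0xFF under the Explorer policies key for both the machine and the current user, which turns AutoRun off for every drive type; on XP the value is only honoured reliably for autorun.inf once the Microsoft update described in KB967715 is installed, so apply that along with the other patches. Independently of the registry, it reads the stick's autorun.inf as plain text and reports what the file would have launched (open=, shellexecute=, shell\...= entries) and the action= label a user would have been shown, without executing anything. The sample autorun.inf is constructed here and points at the RECYCLER path taken from the Taskman entry in the report above; the registry key name and 0xFF value are standard, everything else is the example's own.

```python
import sys
from pathlib import Path

EXPLORER_POLICY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ALL_DRIVE_TYPES = 0xFF   # one bit per drive type; all set = AutoRun off everywhere


def disable_autorun() -> None:
    """Set NoDriveTypeAutoRun=0xFF for the machine and the current user.
    Windows only; takes effect for new logons / Explorer restarts."""
    if sys.platform != "win32":
        raise RuntimeError("registry edit only applies on Windows")
    import winreg
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        with winreg.CreateKey(hive, EXPLORER_POLICY) as key:
            winreg.SetValueEx(key, "NoDriveTypeAutoRun", 0, winreg.REG_DWORD, ALL_DRIVE_TYPES)


# Constructed autorun.inf, modelled on the Taskman entry in the DDS report above.
SAMPLE_INF = r"""
[autorun]
icon=%SystemRoot%\system32\shell32.dll,4
open=RECYCLER\S-1-5-21-5648628131-6768448527-663210914-9081\wnzip32.exe
shell\open\Command=RECYCLER\S-1-5-21-5648628131-6768448527-663210914-9081\wnzip32.exe
shellexecute=RECYCLER\S-1-5-21-5648628131-6768448527-663210914-9081\wnzip32.exe
action=Open folder to view files
"""


def autorun_targets(inf_text: str) -> dict[str, str]:
    """Return what an autorun.inf would launch (open=, shellexecute=, shell\\...=)
    plus the action= label shown to the user. Parsed by hand because malware
    .inf files are often too sloppy for configparser; keys are lower-cased."""
    targets: dict[str, str] = {}
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute", "action") or key.startswith("shell\\"):
                targets[key] = value
    return targets


def inspect_drive(drive_root: str) -> dict[str, str]:
    """Read autorun.inf from a mounted stick (e.g. 'E:\\') without running it."""
    inf = Path(drive_root, "autorun.inf")
    return autorun_targets(inf.read_text(errors="replace")) if inf.exists() else {}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    targets = inspect_drive(root) if root else autorun_targets(SAMPLE_INF)
    for key, value in targets.items():
        print(f"{key:22} -> {value}")
```

The order matters: change the registry and reboot before the stick goes in, then run the inspection with the drive letter as the argument, and only then hand the stick to the antivirus scanner. An autorun.inf whose open= target lives under RECYCLER with a SID-like directory name, as in the sample, is a strong sign the stick picked up the same infection as the machine it was plugged into, so the McAfee warning in the post above is more likely a true positive than a false one.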
Old 07-01-2009, 04:22 PM   #10
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: win. xp service pack 3


Re: multiple trojans infected my pc, please help

I've finally got around to attempting the reinstall but now there seems to be another problem.....
When I tried to boot the CD the system says "no boot device available, press ENTER key to retry." I made sure that the BIOS setting was correct and set the boot priority to CD-ROM. Since Microsoft no longer includes a reinstall CD with the computer, I had to borrow one from a friend of mine. Do you have any idea what the problem is in this case?
seigen is offline  
Old 07-02-2009, 02:50 AM   #11
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: win. xp service pack 3


Re: multiple trojans infected my pc, please help

Nevermind...
I've decided to use a valid copy of Windows 2000 instead, and everything worked out normally. I will get back to you with a fresh DDS report once I get a chance to do so.

Thanks for all your help so far!
seigen is offline  
Old 07-02-2009, 04:09 AM   #13
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: multiple trojans infected my pc, please help

Good job, I assume you are going to overwrite the Windows 2000 installation with XP?
TheBruce1 is offline  
Old 07-04-2009, 12:02 PM   #14
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: win. xp service pack 3


Re: multiple trojans infected my pc, please help

I've placed an order for a Windows XP restore disk, which should be arriving within the next couple of days, so that I can get it back to factory settings.
seigen is offline  
Old 07-05-2009, 03:54 AM   #15
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: multiple trojans infected my pc, please help

Hello again

If you have ordered the Windows XP discs from Microsoft, then all the CD will do is install Windows; all third-party programs/applications will have to be re-installed. If you have not done so already, using a clean computer, download an antivirus programme to your USB stick; that way you can install the antivirus package before you reconnect to the internet.

During the course of the re-installation, Windows will ask if you wish to turn on automatic updates; please do. Once you have installed the antivirus programme, reconnect to the internet and install all the patches from Microsoft; it may take some time depending on your connection speed.

Once that is done, post a fresh DDS.txt and attach.txt in your reply.
TheBruce1 is offline  
Old 07-08-2009, 10:23 AM   #16 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: win. xp service pack 3


Re: multiple trojans infected my pc, please help

I'm experiencing some problems connecting to the internet...
My PCI network adaptor is plugged in, but the status report indicates that it is unplugged, and it is therefore unable to identify the SSID, IP address and other information required for connection. I've tried to reinstall the software for the network adaptor, but still there is no indication of connectivity. Would you have any idea what is happening here?
seigen is offline  
Old 07-08-2009, 11:01 AM   #17 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: multiple trojans infected my pc, please help

Is this after doing a format/re-install of Windows?
Make sure you install an antivirus/firewall before connecting to the internet.
As our focus in this section is malware removal, you would be better served discussing your issues in the General Networking Support section of this forum. Please let them know you've been cleared by the HijackThis Log Help section.

If there are no other issues regarding malware removal, I'll close this thread shortly.
TheBruce1 is offline  
Old 07-08-2009, 05:59 PM   #18 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: win. xp service pack 3


Re: multiple trojans infected my pc, please help

Understood. So far I don't see any other major problems with the system. I will come back with the DDS and attach files for a final review shortly.
I really appreciate your hard work and patience throughout this thread.
seigen is offline  
Old 07-10-2009, 10:56 PM   #19 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: win. xp service pack 3


Re: multiple trojans infected my pc, please help

Sorry this took a while... I've provided the fresh DDS.txt and Attach.txt files.
Attached Files
File Type: txt DDS.txt (20.6 KB, 2 views)
File Type: txt Attach.txt (6.5 KB, 1 views)
seigen is offline  
Old 07-12-2009, 03:21 AM   #20 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: multiple trojans infected my pc, please help

Hello again

You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:
========

Well done, your logs are clean.

Clear IE6 cookies

*Open IE and click Tools
*Click on Internet Options
*Click on General Tab
*Click on the Delete Temp Files & Cookies buttons.


Clear IE7 cookies

*On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
*On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
*Click OK, and then click OK again.


Clear Firefox cookies/cache

• Select "Tools"
• Select "Options".
• Select "Privacy".
• In the "Settings" window put the check mark for Cookies, Cache, Browsing history and any others you want.
• Click OK.
• In the Private area click "Clear Now".

-------------------------------------------------------------------------------------------

MICROSOFT UPDATES

1. Click Start, Run, type sysdm.cpl, and then press OK.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended).

Microsoft updates are released every second Tuesday of each month, which is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites.

WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.


For Internet Explorer users:
WOT for IE

--------------------------------------------------------------------------------------

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Avant
Firefox
Opera
K-Meleon

------------------------------------------------------------------------------------------

Free Antispyware Products
SuperAntiSpyware
Malwarebytes' Anti-Malware

SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items

------------------------------------------------------------------

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

If you're having trouble downloading & extracting, see the link below for guidance:
http://www.mvps.org/winhelp2002/hosts2.htm

Once you have extracted the hosts file, double-click on it and a new window will open.

Double-click on mvps.bat and follow the prompts.

---------------------------------------------------------------

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

----------------------------------------

SnoopFree is a programme that informs you when another programme is wanting to log your keystrokes or read your screen. Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================

Secunia PSI is a programme that will alert you to vulnerabilities and outdated programs you have installed, such as Java, Flash Player and many more.

It can also alert you if you have not installed the latest patches from Microsoft.

==============================================

Also, please take a look at this well written article:

PC Safety and Security--What Do I Need?

**Be very wary of any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please reply to this thread once more, as we may mark this as resolved, thanks.

Last edited by TheBruce1; 07-12-2009 at 03:27 AM.
TheBruce1 is offline  
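As an added example, not code from the post above or from the MVPS project, here is a small Python parser that shows how a HOSTS file of the layout described there redirects names to 127.0.0.1, so you can check which entries are sinkholed before installing such a file. The hosts content embedded below is a constructed sample, not the real MVPS list.

```python
import ipaddress

# Constructed sample in the MVPS HOSTS file layout (not the real MVPS list):
# comments, blank lines, several names per line, and the 127.0.0.1 sinkhole.
SAMPLE_HOSTS = """\
# MVPS-style HOSTS file (constructed sample for illustration)
127.0.0.1  localhost
127.0.0.1  ads.example.test    # sample ad server
127.0.0.1  tracker.example.test  banner.example.test
0.0.0.0    adserver.example.test
::1        localhost
192.0.2.10 intranet.example.test
"""

# Addresses that make a name resolve to the local machine (or nowhere).
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Map each hostname (lower-cased) to the address it resolves to.
    '#' comments, blank lines and multiple names per line are handled the
    way the Windows HOSTS resolver handles them; the first entry for a
    name wins, as in the resolver."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed address; the resolver skips such lines too
        for name in parts[1:]:
            mapping.setdefault(name.lower(), addr)
    return mapping


def blocked_hosts(mapping):
    """Names the file redirects to a sinkhole, excluding localhost itself."""
    return sorted(n for n, a in mapping.items()
                  if a in SINKHOLES and n != "localhost")


def is_blocked(mapping, hostname):
    """True if a lookup of hostname would be sinkholed by this HOSTS file."""
    return mapping.get(hostname.lower()) in SINKHOLES


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("sinkholed names:", blocked_hosts(hosts))
    print("ads.example.test blocked?", is_blocked(hosts, "ads.example.test"))
```

Point the parser at a real file with `parse_hosts(open(path).read())` to see exactly which names an installed HOSTS file will keep your browser from reaching.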
Copyright 2001 - 2009, Tech Support Forum