problems with viruses (and "antivirus software")

[cleancutkid]

I had some issues with malware last summer and was able to successfully deal with them here ( here is the link to my thread from then, if it would be relevant: help needed with popups and blue screen - Adware.MaxSearch ).

Since then, my computer has been running pretty well, but recently I started to have some weird issues.

I am running Windows XP home edition. with service pack 3. I have spybot search and destroy anti-spyware and symantec antivirus. My primary browser is firefox 3.

Last night, I got a blue screen of death. When I restarted the computer, my desktop wouldn't load. (black screen, which is my background, but no taskbar, no icons, etc) I restarted a few more times to no avail, but then tried ctrl-alt-dlting to bring up the task manager. With task manager, I was able to open up some applications, and I started a scan for spyware. It went okay for a while, but then I got a blue screen of death. I tried again, deleted a few things that came up, but then I had to go to sleep.

This morning, I tried restarting again, and the desktop loaded. However, when I try to make some programs load (almost everything but firefox), the computer objects. I get these popups that say:

"Application cannot be executed. The file "...".exe is infected. Do you want to activate your antivirus software now?"

with the file in question being everything from microsoft word to some random program I've never heard of/seen. If I press no, more pop up, and if I press yes, it opens an IE window trying to get me to buy a pro edition of Spyware Protect 2009. There is also an icon for this "Antivirus System Pro" in my taskbar by the clock - it looks like a shield with blue and white stripes. I don't recall having ever installed this - maybe it was trial software (I bought the laptop from Dell in 2006 if that helps)? I have also been getting IE popups which go to "porno.org", "porno.com", and "******.com"

I read through the instructions and tried to do the steps requested. I downloaded dds.scr and was able to get dds.txt saved to my desktop. However, the text file 'attach.txt' disappeared somehow in a flurry of "windows security alert" popups, and I haven't been able to run dds.scr again.
(Popup: "Application cannot be executed. The file dds.scr.exe is infected. Do you want to activate your antivirus software now?" ). I downloaded gmer.zip to the desktop as well, but I can't get it unzipped, let alone run. I'll put the contents of the dds.txt here. I have to be away from the computer for a few hours, but I'll be trying to get the other scans done again, too.

Thank you for any and all help or advice you can provide. The computer isn't terribly usable at the moment, and while I am willing to pay some money to get it repaired, I would like to try and figure it out first.














DDS (Ver_09-06-26.01) - FAT32x86
Run by Emily Merrill at 14:07:39.92 on Thu 07/02/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [LowRiskFileTypes] c:\windows\sysguard.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sysldtray] c:\windows\ld11.exe
mRun: [sysfbtray] c:\windows\freddy49.exe
mRun: [sysberay2] c:\windows\romeo15.exe
dRun: [LowRiskFileTypes] c:\windows\sysguard.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Default: No Registry Reference - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2009-07-02 13:54 12,544 a------- c:\windows\system32\iehelper.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-28 23:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-02-22 14:27 59,616 ac------ c:\documents and settings\emily merrill\application data\GDIPFONTCACHEV1.DAT
2006-10-18 17:47 14,507,105 a------- C:\mpeg-encoder.exe
2006-09-05 15:29 25,791,108 a------- C:\sav10installer.exe
2006-08-31 13:36 580,102 a------- C:\DE04.ZIP
2006-05-11 01:18 16,686,284 a------- C:\mcafee8i.zip

============= FINISH: 14:09:05.93 ===============

[Glaswegian]

Hi

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so.




Combofix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please read all the information carefully!

You MUST disable your AntiVirus and AntiSpyware applications - please read this thread as a guide. They may otherwise interfere with our tools and interrupt the cleansing process.

Please include the log C:\ComboFix.txt in your next reply for further review.

[cleancutkid]

HI Iain-

Thanks for getting back to me on this. I have downloaded combofix and disabled my antivirus, but I have no clue how to disable the demo version of this "Antivirus System PRO", which is one of my main problems at the moment, since it pops up a lot of security alerts but won't let me deal with them. The program also did not allow me to run combofix, either - it pops up a window saying: "Application cannot be executed. The file combofix.exe is infected. Do you want to activate your antivirus software now?". (this is the message that also comes up if I try to open basically anything else on my computer, except internet browsers). Do you have any advice on how to disable/kill this? Would it help if I started my computer in Safe mode or something?

-Emily

[Glaswegian]

Hi Emily

Don't worry about disabling Antivirus Pro - we want to get rid of that.

Please delete the version of combofix you have just now - we'll need to try it a different way.


Please download ComboFix from here - - > http://download.bleepingcomputer.com/sUBs/ComboFix.exe

**Note: It is important that it is saved directly to your desktop**

Referring to the images below



When saving the file, you must rename the file as Combo-Fix.exe



1. Close any open browsers and physically disconnect from the Internet.

2. You MUST disable your AntiVirus and AntiSpyware applications - please read this thread as a guide. They may otherwise interfere with our tools and interrupt the cleansing process.

NOTE: ComboFix will disconnect your system from the Internet - do not attempt to re-connect until it has finshed scanning.

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the log C:\ComboFix.txt for further review.

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

** If there is no internet connection when Combofix has completely finished then manually restart your computer to restore the connection. **

[cleancutkid]

Hi-
Thanks for the alternative method. I have attached combofix.txt here to this post. I don't know if it matters/makes any difference, but the popups from antivirus pro seem to have stopped since I shut off the internet (though I haven't really been using this computer for the past few days).

[Glaswegian]

Hello again Emily

Good work – how is your system running now?

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


Combofix

• Close any open browsers.
  
• Open notepad and copy/paste the text in the box below into it:

Code:

File::
c:\windows\bf23567.dat
c:\windows\system32\9D13004BAC.sys
c:\windows\system32\AC4B00139D.sys

Driver::
fmwsxcdwlirtkap

Looking at the image below as an example



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt for further review.



Online Scan
Perform an online scan with Panda ActiveScan

• Click on Scan Your PC Now
• A "pop up" window will appear, or a new tab will open.
• Click on Register
• Choose the option you like most, but we recommend the Free Registration.
• Click on Register
• Enter your e-mail address, and create a password.
• Select "I do not want to receive any type of information". (unless you want to receive such information)
• Click on Send
• Confirm registration, and continue by entering your user name and password, then click on Enter
• Select Full Scan, then Click on Scan Now
• Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
• If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
• Please ignore the offer to buy the program. Click on Export To
  
• Export the log and save it to your desktop.
• Please attach the contents of that log to your reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.

[cleancutkid]

Hi Iain-
All of the problems appear to have been fixed in the system. I don't see anything pop up or act funny, but I also have not been using this computer for anything besides running these scans since the weekend, so I guess issues could still be there.

I have attached the logs from ComboFix and Panda ActiveScan. Sorry it took so long; the panda scan took a long while to run. Thanks for helping out and staying patient.

[Glaswegian]

Hi again

You can use the computer normally again – all your logs are clean.

If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.

I did notice that you were here last year with an infected system. Please ensure you read all the information posted below.


The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Referring to the image below



Click Start > Run and copy/paste, or type the following bold text into the Run box and click OK:


ComboFix /u



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:


General Protection
Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.


Ad-aware 2008 Free Edition
Download and install Ad-Aware 2008 Free Edition. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.



SnoopFree
SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.


MVPS Hosts File
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Maxthon


Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.


Web of Trust
WOT warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

• Green to go
• Yellow for caution
• Red to stop

WOT has an addon available for both Firefox and IE.


ERUNT & NTREGOPT
ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash.
NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system.


Additional Reading
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.
Think Prevention!

Have a look here if your PC is still running a bit slow
Is your PC running slow...?


Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.

[Glaswegian]

Hi again

You can use the computer normally again – all your logs are clean.

If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.

I did notice that you were here last year with an infected system. Please ensure you read all the information posted below.


The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Referring to the image below



Click Start > Run and copy/paste, or type the following bold text into the Run box and click OK:


ComboFix /u



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:


General Protection
Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.


Ad-aware 2008 Free Edition
Download and install Ad-Aware 2008 Free Edition. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.



SnoopFree
SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.


MVPS Hosts File
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Maxthon


Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.


Web of Trust
WOT warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

• Green to go
• Yellow for caution
• Red to stop

WOT has an addon available for both Firefox and IE.


ERUNT & NTREGOPT
ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash.
NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system.


Additional Reading
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.
Think Prevention!

Have a look here if your PC is still running a bit slow
Is your PC running slow...?


Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.

[cleancutkid]

Hey-
Sorry I've taken so long to get back to you. I was busy with work and away from the computer for most of the weekend. The computer does still appear to be working excellently. I'll finish cleaning up the stuff I scanned it with and installing more protection tomorrow and reply again here when I am completely done. I do have a question, though: do you recommend installing all of those programs, or would they interfere/overlap in purpose a bit? (e.g. Spyware Blaster and Spyware Guard, etc.)

Thanks again for all the help clearing this up!

[Glaswegian]

Hi

I use everything listed in my signature - with no conflicts. You probably don't need to install everything - make sure you have a firewall, AV, HJosts file, Spywareblaster, Spywareguard and a couple of scanners, such as SpyBot and any other.