[Closed - dupe] Lost All Programs due to some virus

Discussion in 'Malware and Virus Removal Archive' started by larsonjean, 2011/04/04.

Thread Status:
Not open for further replies.
  1. 2011/04/04
    larsonjean

    larsonjean Well-Known Member Thread Starter

    Joined:
    2002/06/03
    Messages:
    766
    Likes Received:
    2
    Hi,
    I have a friend's computer here now and as a matter of fact I am typing this on his computer. I think he has major problems.
    He said he was on "You Tube" and clicked on a site that caused all his icons to disappear from his desktop. Also, when I go to Start, All Programs, it was completely empty until I tried to load Lavasoft, Ad Aware & Google Chrome.

    I tried to do a system restore, it will not allow me to revert to an earlier version. It just won't load the "next" page.

    I tried to run Malware Bytes. It gave me this error message: An error has occurred. Please report error to our support team.
    MBAM.error_expanding_variable (0, 453).

    I was able to defrag and run a system check but didn't make any difference.

    He is running Windows XP, Internet Explorer 8, Service Pack 3.

    I tried to run msconfig and turn off all startup items and this is the message I get: "An access denied error was returned while attempting to change a service. You need Administrator right. "

    I tried logging on as Administrator and it didn't make any difference.

    I also tried several times to start it in safe mode and didn't get anywhere with that either.

    Do you think you can help getting rid of this virus, or does the system need to be reformatted?

    Thank you for any help you can provide.

    Jean
     
  2. 2011/04/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, complete all steps listed here: this post

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     

  4. 2011/04/05
    larsonjean

    larsonjean Well-Known Member Thread Starter

    Joined:
    2002/06/03
    Messages:
    766
    Likes Received:
    2
    Thank you for your help. I will start the cleaning process and get back to you soon.
    Jean
     
  5. 2011/04/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok :)
     
  6. 2011/04/05
    larsonjean

    larsonjean Well-Known Member Thread Starter

    Joined:
    2002/06/03
    Messages:
    766
    Likes Received:
    2
    I just finished running the MBR check program and I couldn't load it into Wordpad or Notepad, but I saved it as an .rtf file. Here it is. I will continue with the next step.

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-04-05 11:15:46
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e SAMSUNG_HD080HJ rev.WT100-33
    Running: 05q74xhv.exe; Driver: C:\DOCUME~1\Peter\LOCALS~1\Temp\pgdyapoc.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF78BBF80]

    ---- Devices - GMER 1.0.15 ----

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

    ---- EOF - GMER 1.0.15 ----
     
  7. 2011/04/05
    larsonjean

    larsonjean Well-Known Member Thread Starter

    Joined:
    2002/06/03
    Messages:
    766
    Likes Received:
    2
    Here are the files you wanted from dds. Thank you for all your help.
    Jean

    From Attach Text:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/15/2005 8:40:47 PM
    System Uptime: 4/5/2011 9:11:38 AM (2 hours ago)
    .
    Motherboard: Dell Inc. | | 0M3918
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 71 GiB total, 54.418 GiB free.
    D: is CDROM ()
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP449: 2/5/2011 8:06:17 AM - Software Distribution Service 3.0
    RP450: 2/5/2011 11:06:55 AM - Software Distribution Service 3.0
    RP451: 2/5/2011 1:21:27 PM - Software Distribution Service 3.0
    RP452: 2/6/2011 11:49:34 AM - Software Distribution Service 3.0
    RP453: 2/7/2011 12:18:32 PM - System Checkpoint
    RP454: 2/7/2011 3:00:17 PM - Software Distribution Service 3.0
    RP455: 2/7/2011 9:56:39 PM - Software Distribution Service 3.0
    RP456: 2/10/2011 4:49:03 PM - System Checkpoint
    RP457: 2/10/2011 6:31:43 PM - Software Distribution Service 3.0
    RP458: 2/11/2011 5:13:27 PM - Software Distribution Service 3.0
    RP459: 2/12/2011 11:15:23 AM - Software Distribution Service 3.0
    RP460: 2/12/2011 2:48:48 PM - Software Distribution Service 3.0
    RP461: 2/13/2011 10:26:41 AM - Software Distribution Service 3.0
    RP462: 2/13/2011 1:30:54 PM - Software Distribution Service 3.0
    RP463: 2/14/2011 2:46:33 PM - Software Distribution Service 3.0
    RP464: 2/14/2011 3:00:19 PM - Software Distribution Service 3.0
    RP465: 2/14/2011 3:52:39 PM - Software Distribution Service 3.0
    RP466: 2/15/2011 9:38:44 AM - Software Distribution Service 3.0
    RP467: 2/15/2011 3:31:31 PM - Software Distribution Service 3.0
    RP468: 2/15/2011 4:35:00 PM - Software Distribution Service 3.0
    RP469: 2/16/2011 3:00:29 PM - Software Distribution Service 3.0
    RP470: 2/16/2011 7:29:58 PM - Software Distribution Service 3.0
    RP471: 2/17/2011 2:00:50 PM - Software Distribution Service 3.0
    RP472: 2/18/2011 2:10:58 PM - System Checkpoint
    RP473: 2/18/2011 3:00:20 PM - Software Distribution Service 3.0
    RP474: 2/18/2011 4:11:17 PM - Software Distribution Service 3.0
    RP475: 2/18/2011 5:50:28 PM - Software Distribution Service 3.0
    RP476: 2/18/2011 6:58:08 PM - Software Distribution Service 3.0
    RP477: 2/18/2011 7:05:56 PM - Software Distribution Service 3.0
    RP478: 2/19/2011 1:31:34 PM - Software Distribution Service 3.0
    RP479: 2/20/2011 1:43:25 PM - System Checkpoint
    RP480: 2/20/2011 3:00:21 PM - Software Distribution Service 3.0
    RP481: 2/20/2011 6:53:36 PM - Software Distribution Service 3.0
    RP482: 2/21/2011 11:29:14 AM - Software Distribution Service 3.0
    RP483: 2/21/2011 7:38:23 PM - Software Distribution Service 3.0
    RP484: 2/22/2011 1:02:11 PM - Software Distribution Service 3.0
    RP485: 2/22/2011 5:36:26 PM - Software Distribution Service 3.0
    RP486: 2/23/2011 2:52:24 PM - Software Distribution Service 3.0
    RP487: 2/24/2011 9:33:58 AM - Software Distribution Service 3.0
    RP488: 2/24/2011 3:00:20 PM - Software Distribution Service 3.0
    RP489: 2/24/2011 6:58:32 PM - Software Distribution Service 3.0
    RP490: 2/25/2011 4:03:25 PM - Software Distribution Service 3.0
    RP491: 2/25/2011 6:11:55 PM - Software Distribution Service 3.0
    RP492: 2/26/2011 2:25:53 PM - Software Distribution Service 3.0
    RP493: 2/27/2011 2:33:00 PM - System Checkpoint
    RP494: 2/27/2011 3:00:16 PM - Software Distribution Service 3.0
    RP495: 2/27/2011 3:36:14 PM - Software Distribution Service 3.0
    RP496: 3/1/2011 4:18:26 PM - System Checkpoint
    RP497: 3/1/2011 6:55:59 PM - Software Distribution Service 3.0
    RP498: 3/2/2011 3:00:23 PM - Software Distribution Service 3.0
    RP499: 3/2/2011 4:03:44 PM - Software Distribution Service 3.0
    RP500: 3/3/2011 3:00:19 PM - Software Distribution Service 3.0
    RP501: 3/3/2011 4:34:48 PM - Software Distribution Service 3.0
    RP502: 3/4/2011 6:19:46 PM - Software Distribution Service 3.0
    RP503: 3/5/2011 2:21:55 PM - Software Distribution Service 3.0
    RP504: 3/7/2011 9:57:48 AM - System Checkpoint
    RP505: 3/7/2011 10:44:01 AM - Software Distribution Service 3.0
    RP506: 3/7/2011 7:37:19 PM - Software Distribution Service 3.0
    RP507: 3/7/2011 7:58:18 PM - Software Distribution Service 3.0
    RP508: 3/8/2011 10:14:42 AM - Software Distribution Service 3.0
    RP509: 3/9/2011 11:31:45 AM - System Checkpoint
    RP510: 3/9/2011 12:17:27 PM - Software Distribution Service 3.0
    RP511: 3/9/2011 7:24:38 PM - Software Distribution Service 3.0
    RP512: 3/10/2011 11:05:15 AM - Software Distribution Service 3.0
    RP513: 3/10/2011 12:54:42 PM - Software Distribution Service 3.0
    RP514: 3/10/2011 2:56:00 PM - Software Distribution Service 3.0
    RP515: 3/10/2011 3:05:13 PM - Software Distribution Service 3.0
    RP516: 3/11/2011 10:37:45 AM - Software Distribution Service 3.0
    RP517: 3/11/2011 12:19:08 PM - Software Distribution Service 3.0
    RP518: 3/13/2011 9:05:33 AM - System Checkpoint
    RP519: 3/13/2011 9:48:48 AM - Software Distribution Service 3.0
    RP520: 3/13/2011 9:53:39 PM - Software Distribution Service 3.0
    RP521: 3/13/2011 10:23:21 PM - Software Distribution Service 3.0
    RP522: 3/14/2011 7:35:00 AM - Software Distribution Service 3.0
    RP523: 3/14/2011 12:24:15 PM - Avg Update
    RP524: 3/14/2011 12:26:27 PM - Avg Update
    RP525: 3/14/2011 3:00:19 PM - Software Distribution Service 3.0
    RP526: 3/14/2011 3:20:31 PM - Software Distribution Service 3.0
    RP527: 3/14/2011 9:02:25 PM - Software Distribution Service 3.0
    RP528: 3/15/2011 6:56:59 PM - Software Distribution Service 3.0
    RP529: 3/16/2011 3:00:33 PM - Software Distribution Service 3.0
    RP530: 3/16/2011 7:52:05 PM - Software Distribution Service 3.0
    RP531: 3/19/2011 10:25:36 PM - Software Distribution Service 3.0
    RP532: 3/22/2011 12:42:25 PM - System Checkpoint
    RP533: 3/22/2011 3:00:21 PM - Software Distribution Service 3.0
    RP534: 3/22/2011 10:22:00 PM - Software Distribution Service 3.0
    RP535: 3/25/2011 8:53:45 PM - Software Distribution Service 3.0
    RP536: 3/25/2011 9:30:42 PM - Software Distribution Service 3.0
    RP537: 3/25/2011 9:51:39 PM - Software Distribution Service 3.0
    RP538: 3/27/2011 8:34:08 PM - Software Distribution Service 3.0
    RP539: 3/28/2011 3:00:29 PM - Software Distribution Service 3.0
    RP540: 3/28/2011 7:10:40 PM - Software Distribution Service 3.0
    RP541: 3/29/2011 9:41:44 PM - Software Distribution Service 3.0
    RP542: 3/29/2011 10:33:20 PM - Software Distribution Service 3.0
    RP543: 3/31/2011 7:37:08 PM - Software Distribution Service 3.0
    RP544: 3/31/2011 7:50:26 PM - Software Distribution Service 3.0
    RP545: 4/1/2011 9:56:59 PM - Software Distribution Service 3.0
    RP546: 4/3/2011 8:15:50 AM - Software Distribution Service 3.0
    RP547: 4/3/2011 9:17:47 AM - Software Distribution Service 3.0
    RP548: 4/3/2011 11:26:40 AM - Software Distribution Service 3.0
    RP549: 4/3/2011 8:00:11 PM - Software Distribution Service 3.0
    RP550: 4/3/2011 9:09:55 PM - Software Distribution Service 3.0
    RP551: 4/4/2011 8:08:47 PM - Restore Operation
    RP552: 4/4/2011 8:14:27 PM - Restore Operation
    RP553: 4/4/2011 8:14:50 PM - jean
    RP554: 4/4/2011 8:15:12 PM - Restore Operation
    RP555: 4/4/2011 8:19:00 PM - Restore Operation
    RP556: 4/4/2011 10:47:25 PM - Removed AVG Free 9.0
    RP557: 4/4/2011 10:50:48 PM - Installed AVG Free 9.0
    RP558: 4/4/2011 11:11:11 PM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Shockwave Player 11
    AOL Uninstaller
    ArcSoft Panorama Maker 3
    CCleaner
    CleanUp!
    ClientTools
    Conexant D850 56K V.9x DFVc Modem
    Critical Update for Windows Media Player 11 (KB959772)
    Dell Driver Reset Tool
    Dell Photo Printer 720
    Dell Picture Studio v3.0
    Dell Support 3.2.1
    Dell Support Center (Support Software)
    DellConnect
    Digital Line Detect
    EasyCleaner
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Hoyle Board Games 4
    Hoyle Card Games 3 Demo
    Hoyle Casino 5
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet for Wired Connections
    Internet Explorer Default Page
    Jasc Paint Shop Photo Album
    Jasc Paint Shop Photo Album 5
    Jasc Paint Shop Pro 8 Dell Edition
    Jasc Paint Shop Pro Studio, Dell Editon
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 17
    Learn2 Player (Uninstall Only)
    Macromedia Flash Player
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Modem Helper
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    My Way Search Assistant
    NetWaiting
    Nikon Message Center
    PictureProject
    PictureProject In Touch Downloader 1.0
    Qualxserve Service Agreement
    QuickBooks Simple Start Special Edition
    QuickTime
    Revo Uninstaller 1.91
    Rhapsody Player Engine
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sonic DLA
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    TWC Client ActiveX Controls
    Ultimate Solitaire
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB980302)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Verizon Yahoo! Applications
    Verizon Yahoo! Music Jukebox
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebCyberCoach 3.2 Dell
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Management Framework Core
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 10
    Windows Media Player 11
    Windows XP Service Pack 3
    WordPerfect Office 12
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/5/2011 4:18:32 AM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    4/5/2011 12:24:46 AM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
    4/5/2011 1:08:06 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
    4/4/2011 8:48:34 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    4/4/2011 8:41:19 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00132056CD1B has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    4/4/2011 12:31:30 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    4/4/2011 12:20:16 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
    4/4/2011 12:20:16 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    4/4/2011 12:20:16 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    4/4/2011 12:20:16 PM, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start.
    4/4/2011 12:20:16 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    4/4/2011 12:20:16 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    4/4/2011 12:20:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    4/4/2011 12:19:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/4/2011 12:19:30 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    4/4/2011 11:46:13 AM, error: Service Control Manager [7000] - The X4HSX32 service failed to start due to the following error: The system cannot find the path specified.
    4/4/2011 11:46:13 AM, error: Service Control Manager [7000] - The McAfee Real-time Scanner service failed to start due to the following error: The system cannot find the path specified.
    4/4/2011 11:37:42 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    4/4/2011 10:18:26 PM, error: Service Control Manager [7034] - The SupportSoft Sprocket Service (dellsupportcenter) service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 10:18:26 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 10:18:26 PM, error: Service Control Manager [7034] - The AVG Free E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 10:18:26 PM, error: Service Control Manager [7031] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/4/2011 10:18:26 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    4/3/2011 9:09:57 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070003: Update for Windows XP (KB961118).
    4/3/2011 11:20:36 AM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00132056CD1B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================


    From DDS file:

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Peter at 11:37:19.32 on Tue 04/05/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.190 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Documents and Settings\Peter\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://my.yahoo.com/?_bc=1
    uSearch Bar = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
    uSEARCH PAGE = hxxp://www.google.com
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80229
    mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80229
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
    EB: {E16DC1FE-7C34-43F2-B754-F3AD12DDF97C} - No File
    EB: {FE54FA40-D68C-11D2-98FA-00C0F0318AFE} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103472 - "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" - "http://www.gatewayarch.com/Arch/arch.fun.bld.aspx "
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA "& "inst=NwA3AC0ANAA2ADEAMwA1ADIANAA0ADQALQBGAFAAOQArADYALQBUAEIAOQArADEALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAxAA "& "prod=90 "& "ver=9.0.894
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
    R1 MpKslf44a044c;MpKslf44a044c;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c783fa79-1365-4a51-aecd-c858f42114c7}\MpKslf44a044c.sys [2011-4-5 28752]
    S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
    .
    =============== Created Last 30 ================
    .
    2011-04-05 15:27:03 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{c783fa79-1365-4a51-aecd-c858f42114c7}\MpKslf44a044c.sys
    2011-04-05 15:26:18 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{c783fa79-1365-4a51-aecd-c858f42114c7}\mpengine.dll
    2011-04-05 08:26:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-05 08:26:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-05 03:08:44 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-04-05 03:05:09 -------- d-----w- c:\program files\Microsoft Security Client
    2011-04-05 02:40:17 -------- dc----w- C:\e114926840db1570eca7
    2011-04-05 01:00:42 6144 ----a-w- c:\windows\system32\kbd106.dll
    2011-04-05 01:00:42 6144 ----a-w- c:\windows\system32\dllcache\kbd106.dll
    2011-04-05 00:56:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-03-14 16:27:10 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    .
    ==================== Find3M ====================
    .
    2011-04-05 15:16:23 56 --sh--r- c:\windows\system32\C62336B294.sys
    2011-04-05 15:16:23 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2011-02-09 13:53:52 270848 ---ha-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ---ha-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58:35 2067456 ---ha-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ---ha-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ---ha-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ---ha-w- c:\windows\system32\atmfd.dll
    .
    ============= FINISH: 11:38:20.89 ===============


    I just read further where I was supposed to start a new log. I will do it later as I have a meeting right now.

    Jean
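The "Created Last 30" and "Find3M" listings in the DDS log above are what a helper reads by eye to spot files that set the system and hidden attributes on themselves inside the Windows system directory. As an added example (not from this thread, not from DDS, and not anyone's code here), the following Python parses lines in that layout from constructed sample input and flags hidden+system files under system32; the letter meanings assumed for the attribute column (d, s, h, a, r, w) are inferred from the flag strings visible in the log, not from DDS documentation, and the sample paths and sizes are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the layout DDS uses for its "Created Last 30"
# and "Find3M" sections: date, time, size (eight dashes for a directory),
# an 8-character attribute string, then the path. Names and sizes are made
# up for this example; they are not copied from the thread's log.
SAMPLE_LOG = """\
2011-04-05 15:27:03 28752 ----a-w- c:\\windows\\system32\\drivers\\example.sys
2011-04-05 03:05:09 -------- d-----w- c:\\program files\\Example Client
2011-04-05 15:16:23 56 --sh--r- c:\\windows\\system32\\ABCDEF1234.sys
2011-04-05 15:16:23 1682 --sha-w- c:\\windows\\system32\\XyZabCdE.sys
2011-02-09 13:53:52 270848 ---ha-w- c:\\windows\\system32\\example.dll
.
==================== Find3M ====================
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directory rows, which DDS prints as "--------"
    attrs: str
    path: str

    # Assumed letter meanings, inferred from flag strings seen in DDS output:
    # d = directory, s = system, h = hidden, a = archive, r = read-only, w = writable.
    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_dds_listing(text: str) -> List[Entry]:
    """Parse every file/directory row; banners, lone dots and blanks are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


SYSTEM_DIR = "c:\\windows\\system32\\"


def flag_hidden_system(entries: List[Entry]) -> List[Entry]:
    """Return files (not directories) under system32 carrying both the hidden
    and system attributes, the combination that keeps a file out of a normal
    Explorer listing and so is the first thing a log reviewer looks at."""
    return [
        e for e in entries
        if not e.is_dir and e.hidden and e.system
        and e.path.lower().startswith(SYSTEM_DIR)
    ]


if __name__ == "__main__":
    for e in flag_hidden_system(parse_dds_listing(SAMPLE_LOG)):
        print(f"{e.date} {e.time} {e.size:>8} {e.attrs} {e.path}")
```

Run against a real DDS log by reading the file into `parse_dds_listing`; an entry being flagged is a prompt to look the file up, not a verdict, since some legitimate licensing and driver components also use the hidden+system combination.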
     
  8. 2011/04/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/


    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    • Close SUPERAntiSpyware.
    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    • Open SUPERAntiSpyware.
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Copy and paste the Scan Log results in your next reply.
    • Click Close to exit the program.

    Post SUPERAntiSpyware log.
     
  9. 2011/04/06
    larsonjean

    larsonjean Well-Known Member Thread Starter

    Joined:
    2002/06/03
    Messages:
    766
    Likes Received:
    2
    Hello, how do I close this posting? I can't see anything on the web page that lets me close it.

    Thank you. Jean
     
  10. 2011/04/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Why do you want to close this topic?
     
  11. 2011/04/06
    larsonjean

    larsonjean Well-Known Member Thread Starter

    Joined:
    2002/06/03
    Messages:
    766
    Likes Received:
    2
    I want to close it because this is the first part of my friend's problem. I then posted a new message as instructed with the title: "Posting Log Files as instructed to rid of virus".

    Shouldn't they both close at the same time? I'm confused.

    Jean
     
  12. 2011/04/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I see now.
    You confused me.
    Next time, keep all info in one topic.
    I'll close this one.
     