# Malware Simply Called "Antivirus Software"



## mustardgas (Apr 2, 2010)

Hi.

I posted on here a couple weeks back complaining about malware called "Vista Defender Pro" which practically took over my whole pc.  Now I have new malware called "Antivirus Software" which is even worse.  The pop ups are relentless, and I can't access ANYTHING on my pc.  I can neither do an update on Malwarebytes (which seems necessary since a scan with the current version I have is not effective), nor uninstall malwarebytes to make room for a fresh version.  

Last time I posted, the problem was quickly resolved.  But someone on here (John35 or something like that) asked that I post my malwarebytes log/download hijackthis and post the latter's log.  I didn't post the log of either.  Was it crucial that I do so in order to avoid this current problem?

Please help.

Thanks.
-m


----------



## Respital (Apr 2, 2010)

mustardgas said:


> Hi.
> 
> I posted on here a couple weeks back complaining about malware called "Vista Defender Pro" which practically took over my whole pc.  Now I have new malware called "Antivirus Software" which is even worse.  The pop ups are relentless, and I can't access ANYTHING on my pc.  I can neither do an update on Malwarebytes (which seems necessary since a scan with the current version I have is not effective), nor uninstall malwarebytes to make room for a fresh version.
> 
> ...



This is absolutely crucial; we need these in order to look further into your system to determine any other problems and possible fixes. Please post both of those in your next reply.


----------



## mustardgas (Apr 3, 2010)

I'd be happy to post them, but how can I now?  The virus has completely hijacked my system.  No matter what I try to get at, a message pops up saying "something.exe is infected," or something to that effect.  What should I do?


----------



## Respital (Apr 3, 2010)

mustardgas said:


> I'd be happy to post them, but how can I now?  The virus has completely hijacked my system.  No matter what I try to get at, a message pops up saying "something.exe is infected," or something to that effect.  What should I do?



I recommend you run ComboFix. 

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three places listed below:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
*NOTE: IF COMBOFIX FAILS TO RUN TRY RENAMING THE FILE TO 'ANYTHING.EXE' WITHOUT THE QUOTES*

Combofix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.

How to run a scan and post a log with *HiJackThis*.

*Click here* to download *HJTsetup.exe*
Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

In your next reply I will need:

The ComboFix log
A HiJackThis log
An update on how your computer is running


----------



## mustardgas (Apr 3, 2010)

I can't download any of this onto my own computer, because my computer is completely hijacked.  Right now I'm using my roommate's computer, which is clean.  Should I download the programs you suggested onto my roommate's computer, then transfer them onto mine via flash drive?  And if I do that, won't the virus still block the new programs?  Should I save the programs to my flash drive, then wait until uploading them onto my own computer before installing them?


----------



## deanj20 (Apr 3, 2010)

I removed this from a client's computer about a month ago. What a pain in the ass. You will need to boot into Safe Mode with Networking, and then do what Respital suggested. To enter Safe Mode with Networking, reboot the computer, and press F8 repeatedly until you get a black and white menu with several options, and choose Safe Mode with Networking. Then you should be able to follow the directions previously posted. 

Post back and let us know.


----------



## mustardgas (Apr 3, 2010)

I can't seem to connect to the internet while in safe mode.  Is that normal?  In any case, without the internet, I can't download what Respital recommends.  Besides, even if I could download those things while in safe mode, will they carry over into normal mode?


----------



## Respital (Apr 3, 2010)

mustardgas said:


> I can't download any of this onto my own computer, because my computer is completely hijacked.  Right now I'm using my roommate's computer, which is clean.  *Should I download the programs you suggested onto my roommate's computer, then transfer them onto mine via flash drive?* And if I do that, won't the virus still block the new programs?  Should I save the programs to my flash drive, then wait until uploading them onto my own computer before installing them?



Go ahead and do this.


----------



## johnb35 (Apr 3, 2010)

If you can't get anything to run even in safe mode, try downloading and running Rkill, it will temporarily disable any active process running on your system, and then run malwarebytes and hijackthis.  Download rkill here.

http://www.technibble.com/rkill-repair-tool-of-the-week/

Once you download and run this tool, DO NOT reboot the system as it will activate the malware again.

If you have a flash drive then save combofix to it and then boot to safe mode on your computer and then run it.


----------



## mustardgas (Apr 3, 2010)

I tried uploading combofix onto my computer via flash drive, but the virus instantly blocked it and stated "the file combofix.exe is infected..."  blah, blah, blah.  So, I can't seem to get combofix onto my computer.  What do I do?


----------



## johnb35 (Apr 3, 2010)

Download the file rkill to see if it will kill it temporarily.  The link is in my previous post.  Do you have another computer that you can slave this drive in and scan it using a fully updated antivirus and malwarebytes?


----------



## deanj20 (Apr 3, 2010)

You should be able to access the internet in Safe Mode *with Networking*. Not just regular safe mode. 



> I tried uploading combofix onto my computer via flash drive



You'll have to do this in safe mode, too. If it's the same nasty I dealt with, it doesn't run in safe mode. 

Remember - Safe Mode *with Networking*.  :good:


----------



## mustardgas (Apr 3, 2010)

*Combofix Log- Created During Safe Mode*

ComboFix 10-04-01.02 - filmmaker 04/02/2010  20:18:39.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.3581.3109 [GMT -5:00]
Running from: H:\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1983731332-1696846115-1830654632-500
c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
c:\users\filmmaker\AppData\Local\Microsoft\Windows\Temporary Internet Files\0riV4.jpg
c:\users\filmmaker\AppData\Local\Microsoft\Windows\Temporary Internet Files\3lfSi23K1.jpg
c:\users\filmmaker\AppData\Local\Microsoft\Windows\Temporary Internet Files\j650Ly55.jpg
c:\users\filmmaker\AppData\Local\Microsoft\Windows\Temporary Internet Files\oNJkd.jpg
c:\users\filmmaker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
c:\windows\system32\oem7.inf

.
(((((((((((((((((((((((((   Files Created from 2010-03-03 to 2010-04-03  )))))))))))))))))))))))))))))))
.

2010-04-03 01:25 . 2010-04-03 01:25	--------	d-----w-	c:\users\filmmaker\AppData\Local\temp
2010-04-03 01:25 . 2010-04-03 01:25	--------	d-----w-	c:\users\Default\AppData\Local\temp
2010-04-03 01:15 . 2010-04-03 01:16	--------	d-----w-	C:\32788R22FWJFW
2010-04-02 11:38 . 2010-04-02 11:38	--------	d-----w-	c:\users\filmmaker\AppData\Local\vwhnyiffe
2010-04-02 02:55 . 2010-04-02 02:59	--------	d-----w-	c:\users\filmmaker\AppData\Local\nos
2010-04-02 02:55 . 2010-04-02 02:55	86016	----a-w-	c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-04-02 02:55 . 2010-04-02 03:18	--------	d-----w-	c:\programdata\NOS
2010-04-01 19:09 . 2010-04-01 19:09	4076824	----a-w-	c:\programdata\avg9\update\backup\avgui.exe
2010-04-01 19:09 . 2010-04-01 19:09	2059544	----a-w-	c:\programdata\avg9\update\backup\avgtray.exe
2010-04-01 19:09 . 2010-04-01 19:09	1598744	----a-w-	c:\programdata\avg9\update\backup\avgssie.dll
2010-04-01 19:09 . 2010-04-01 19:09	1274136	----a-w-	c:\programdata\avg9\update\backup\avgfrw.exe
2010-04-01 19:09 . 2010-04-01 19:09	598296	----a-w-	c:\programdata\avg9\update\backup\avgsrmx.dll
2010-04-01 19:09 . 2010-04-01 19:09	556824	----a-w-	c:\programdata\avg9\update\backup\avgchjwx.dll
2010-04-01 19:09 . 2010-04-01 19:09	459544	----a-w-	c:\programdata\avg9\update\backup\avgcclix.dll
2010-04-01 19:09 . 2010-04-01 19:09	4250976	----a-w-	c:\programdata\avg9\update\backup\avgcorex.dll
2010-04-01 19:09 . 2010-04-01 19:09	313112	----a-w-	c:\programdata\avg9\update\backup\avglogx.dll
2010-04-01 19:09 . 2010-04-01 19:09	1515224	----a-w-	c:\programdata\avg9\update\backup\avgwd.dll
2010-04-01 19:09 . 2010-04-01 19:09	1086744	----a-w-	c:\programdata\avg9\update\backup\avgchsvx.exe
2010-04-01 19:09 . 2010-04-01 19:09	301336	----a-w-	c:\programdata\avg9\update\backup\avgchclx.dll
2010-04-01 19:08 . 2010-04-01 19:08	1685784	----a-w-	c:\programdata\avg9\update\backup\avgupd.dll
2010-04-01 19:08 . 2010-04-01 19:08	1035032	----a-w-	c:\programdata\avg9\update\backup\avgupd.exe
2010-03-31 03:09 . 2010-03-31 03:09	690952	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-03-29 07:15 . 2010-03-29 07:15	--------	d-----w-	c:\program files\Gabest
2010-03-26 05:25 . 2010-03-26 05:25	--------	d-----w-	c:\program files\iPod
2010-03-26 05:25 . 2010-03-26 05:26	--------	d-----w-	c:\program files\iTunes
2010-03-26 05:19 . 2010-03-26 05:19	72488	----a-w-	c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-22 23:58 . 2010-03-22 23:58	--------	d-----w-	c:\programdata\Comodo Downloader
2010-03-22 23:56 . 2010-04-02 03:43	--------	d-----w-	c:\programdata\COMODO
2010-03-22 23:52 . 2010-03-22 23:52	--------	d-----w-	c:\program files\COMODO
2010-03-19 08:52 . 2010-03-19 08:52	5115824	----a-w-	c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-18 10:30 . 2010-03-18 10:30	--------	d-----w-	c:\users\filmmaker\AppData\Roaming\Malwarebytes
2010-03-18 10:30 . 2010-01-07 21:07	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-18 10:30 . 2010-03-19 08:52	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-03-18 10:30 . 2010-03-18 10:30	--------	d-----w-	c:\programdata\Malwarebytes
2010-03-18 10:30 . 2010-01-07 21:07	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-03-13 19:26 . 2010-03-13 19:26	360584	----a-w-	c:\programdata\avg9\update\backup\avgtdix.sys
2010-03-05 03:14 . 2010-04-01 23:12	--------	d-----w-	c:\windows\system32\drivers\Avg
2010-03-05 03:14 . 2010-03-05 03:14	--------	d-----w-	c:\programdata\AVG Security Toolbar
2010-03-05 03:14 . 2010-03-05 03:14	--------	d-----w-	c:\program files\AVG
2010-03-05 03:14 . 2010-03-05 03:14	--------	d-----w-	c:\programdata\avg9

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-03 00:55 . 2009-04-19 18:08	--------	d-----w-	c:\users\filmmaker\AppData\Roaming\WTablet
2010-04-02 11:45 . 2009-04-14 22:47	--------	d-----w-	c:\users\filmmaker\AppData\Roaming\uTorrent
2010-04-02 11:24 . 2009-03-07 01:56	7342	----a-w-	c:\users\filmmaker\AppData\Roaming\wklnhst.dat
2010-04-02 04:06 . 2009-03-04 00:39	70488	----a-w-	c:\users\filmmaker\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-02 02:59 . 2009-02-17 07:20	--------	d-----w-	c:\program files\Common Files\Adobe
2010-04-02 02:57 . 2009-09-14 22:26	--------	d-----w-	c:\program files\Common Files\Adobe AIR
2010-04-01 01:51 . 2009-04-16 23:06	2828	--sha-w-	c:\programdata\KGyGaAvL.sys
2010-04-01 01:51 . 2009-04-16 23:06	2828	--sha-w-	c:\programdata\KGyGaAvL.sys
2010-04-01 00:03 . 2009-03-08 14:53	55857	----a-w-	c:\programdata\nvModes.dat
2010-03-26 05:25 . 2009-10-25 02:05	--------	d-----w-	c:\program files\Common Files\Apple
2010-03-26 05:23 . 2009-03-20 01:06	--------	d-----w-	c:\program files\QuickTime
2010-03-18 09:34 . 2009-03-17 02:15	8268	----a-w-	c:\users\filmmaker\AppData\Local\d3d9caps.dat
2010-03-13 19:26 . 2010-03-13 19:26	333192	----a-w-	c:\programdata\avg9\update\backup\avgldx86.sys
2010-03-13 19:26 . 2010-03-13 19:26	28424	----a-w-	c:\programdata\avg9\update\backup\avgmfx86.sys
2010-03-13 19:26 . 2010-03-05 03:14	242696	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2010-03-13 19:26 . 2010-03-13 19:26	12464	----a-w-	c:\windows\system32\avgrsstx.dll
2010-03-13 19:26 . 2010-03-05 03:14	29512	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 19:25 . 2010-03-05 03:14	216200	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2010-03-11 09:17 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2010-03-09 16:28 . 2010-03-30 20:24	833024	----a-w-	c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-30 20:24	78336	----a-w-	c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-30 20:24	26624	----a-w-	c:\windows\system32\ieUnatt.exe
2010-03-05 03:14 . 2010-03-05 16:49	3777280	----a-w-	c:\programdata\avg9\update\backup\setup.exe
2010-03-05 03:14 . 2010-03-13 19:24	800536	----a-w-	c:\programdata\avg9\update\backup\avginet.dll
2010-03-05 03:14 . 2010-03-13 19:24	613656	----a-w-	c:\programdata\avg9\update\backup\avgiproxy.exe
2010-02-24 15:16 . 2009-10-03 23:20	181632	------w-	c:\windows\system32\MpSigStub.exe
2010-02-20 23:39 . 2010-03-11 09:00	24064	----a-w-	c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-11 09:00	31232	----a-w-	c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-11 09:00	411136	----a-w-	c:\windows\system32\drivers\http.sys
2010-02-01 01:45 . 2009-09-14 22:26	38784	----a-w-	c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-01 01:45 . 2009-09-14 22:22	38784	----a-w-	c:\users\filmmaker\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-25 12:48 . 2010-02-23 21:33	472576	----a-w-	c:\windows\system32\secproc_isv.dll
2010-01-25 12:48 . 2010-02-23 21:33	151040	----a-w-	c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48 . 2010-02-23 21:33	151040	----a-w-	c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48 . 2010-02-23 21:33	472064	----a-w-	c:\windows\system32\secproc.dll
2010-01-25 12:45 . 2010-02-23 21:33	329216	----a-w-	c:\windows\system32\msdrm.dll
2010-01-25 08:35 . 2010-02-23 21:33	346624	----a-w-	c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35 . 2010-02-23 21:33	523776	----a-w-	c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34 . 2010-02-23 21:33	511488	----a-w-	c:\windows\system32\RMActivate.exe
2010-01-25 08:34 . 2010-02-23 21:33	347136	----a-w-	c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44 . 2010-02-23 21:33	2048	----a-w-	c:\windows\system32\tzres.dll
2010-01-22 01:01 . 2010-01-22 01:01	1	----a-w-	c:\users\filmmaker\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-22 00:16 . 2010-01-22 00:16	411368	----a-w-	c:\windows\system32\deploytk.dll
2010-01-16 19:33 . 2010-01-16 19:33	1956072	----a-w-	c:\users\filmmaker\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-01-08 19:38 . 2010-01-08 19:38	652296	----a-w-	c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2010-01-08 19:37 . 2010-01-08 19:37	416128	----a-w-	c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-02-17 07:15 . 2009-02-17 07:15	75	--sh--r-	c:\windows\CT4CET.bin
2009-02-17 08:34 . 2009-02-17 08:30	8192	--sha-w-	c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 19:04	1664256	----a-w-	c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"edmpcdub"="c:\users\filmmaker\AppData\Local\vwhnyiffe\vdqvidftssd.exe" [2010-04-02 270592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-24 1029416]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-04-18 36864]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-12-04 442467]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-18 13548064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-18 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-08-18 96800]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-27 3563520]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-04-09 1762032]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-22 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\filmmaker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Remote Access.lnk - c:\windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut10_F66A31D978314FBABA02C411C0047CC5.exe [2009-2-17 53248]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-3-13 1207376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-02-17 07:27	10536	----a-w-	c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-13 216200]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe [2008-12-04 73728]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-13 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-05-01 3032360]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-03-27 2789672]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 15656]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-03-13 242696]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-03-24 183808]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE
*NewlyCreated* - PXHELP20
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-02 20:25
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-02  20:27:23
ComboFix-quarantined-files.txt  2010-04-03 01:27

Pre-Run: 102,235,049,984 bytes free
Post-Run: 102,692,622,336 bytes free

- - End Of File - - A344EA3ADEB1E895DB5C4EBD585340CE
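
The ComboFix log above (and the HijackThis log posted further down) is read by hand by the helpers in this thread. As an added example that is not part of the thread and is not code from ComboFix, HijackThis or Malwarebytes, here is a small Python triage script that applies two reviewer heuristics to lines in either log format: an autorun (Run key) entry whose target sits in a user-writable profile directory such as `AppData\Local`, optionally with random-looking names on the entry, executable or folder, and a browser `ProxyServer` setting that points at the loopback address, as the `http=127.0.0.1:5555` entry in the log does. A loopback proxy means a local process sits between the browser and the network; rogue "antivirus" products commonly use this to intercept browsing, but legitimate local filtering proxies exist too, so the script reports a lead, not a verdict. The sample lines are constructed, modelled on entries that appear in the posted logs; the heuristics, the directory list and the consonant-run threshold are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Profile directories that any process running as the logged-in user can write to.
# Treating an autorun entry that points into one of them as suspicious is an
# assumed heuristic for this example, not a rule from the thread or from the tools.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\appdata\\locallow\\", "\\temp\\")
VOWELS = set("aeiou")

# HijackThis "O4" autorun line and ComboFix "Reg Loading Points" value line.
RUN_HJT = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
RUN_CBF = re.compile(r'^"([^"]+)"="([^"]*)"(?: \[[^\]]*\])?$')
# ProxyServer appears as "R1 - ...,ProxyServer = ..." in HJT and
# "uInternet Settings,ProxyServer = ..." in ComboFix; one pattern covers both.
PROXY = re.compile(r'ProxyServer\s*=\s*(.+)$', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def longest_consonant_run(word: str) -> int:
    """Longest run of letters with no vowel (y counts as a consonant); anything non-alphabetic breaks the run."""
    best = cur = 0
    for ch in word.lower():
        if ch.isalpha() and ch not in VOWELS:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def looks_random(name: str, threshold: int = 5) -> bool:
    """Crude pronounceability test: product names rarely string five consonants together (assumed threshold)."""
    stem = name.rsplit(".", 1)[0]
    return longest_consonant_run(stem) >= threshold


def check_autorun(name: str, cmd: str, line: str) -> Optional[Finding]:
    """Flag a Run entry whose target lives in a user-writable profile directory."""
    low = cmd.replace('"', "").replace("/", "\\").lower()
    if not any(d in low for d in USER_WRITABLE):
        return None
    reasons = ["autorun target lives in a user-writable profile directory"]
    # Secondary signal: random-looking names on the value, the executable and its parent folder.
    comps = [c for c in re.split(r"[\\/]", cmd.replace('"', "")) if c.strip()]
    exe_idx = next((i for i, c in enumerate(comps) if c.split()[0].lower().endswith(".exe")), None)
    names = [name]
    if exe_idx is not None:
        names.append(comps[exe_idx].split()[0])
        if exe_idx > 0:
            names.append(comps[exe_idx - 1])
    if any(looks_random(n) for n in names):
        reasons.append("random-looking name on the entry, executable or its folder")
    return Finding(line, reasons)


def check_proxy(line: str) -> Optional[Finding]:
    """Flag a browser proxy that points at the local machine."""
    m = PROXY.search(line)
    if not m:
        return None
    if re.search(r"127\.0\.0\.1|localhost", m.group(1), re.IGNORECASE):
        return Finding(line, ["browser proxy points at loopback: a local process sits between browser and network"])
    return None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Run both checks over ComboFix- or HijackThis-style lines and collect findings in order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip("\n")
        hit = check_proxy(line)
        if hit is None:
            m = RUN_HJT.match(line) or RUN_CBF.match(line)
            if m:
                name, cmd = m.groups()[-2:]
                hit = check_autorun(name, cmd, line)
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed sample lines, modelled on entries in the posted logs (HJT style first, then ComboFix style).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [edmpcdub] C:\Users\filmmaker\AppData\Local\vwhnyiffe\vdqvidftssd.exe
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"edmpcdub"="c:\users\filmmaker\AppData\Local\vwhnyiffe\vdqvidftssd.exe" [2010-04-02 270592]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Feed it a saved log with `scan_log(open("ComboFix.txt"))`; the location check is the one that carries weight, the name check only adds a second reason so that one odd-looking but legitimately placed program is not flagged on its own.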


----------



## johnb35 (Apr 3, 2010)

Now, can you post a hijackthis log?


----------



## mustardgas (Apr 3, 2010)

deanj20 said:


> You should be able to access the internet in Safe Mode *with Networking*. Not just regular safe mode.
> 
> 
> 
> ...



I did do safe mode with networking.  I did a search on my roommate's computer and found that you can't connect to the internet wirelessly during safe mode.  My connection is wireless.


----------



## deanj20 (Apr 3, 2010)

Ah. That explains it.  Don't I feel helpful. 

Just do what johnb35 suggests. He'll get you fixed right up.


----------



## mustardgas (Apr 3, 2010)

johnb35 said:


> Now, can you post a hijackthis log?



I saved the HJT download to my flash, uploaded it onto my computer in safe mode, then tried opening it for the install process only to get the following message:  "Illegal operation attempted on a registry key that has been marked for deletion."


----------



## mustardgas (Apr 3, 2010)

johnb35 said:


> Download the file rkill to see if it will kill it temporarily.  The link is in my previous post.  Do you have another computer that you can slave this drive in and scan it using a fully updated antivirus and malwarebytes?



I'm not sure what you mean.


----------



## johnb35 (Apr 3, 2010)

mustardgas said:


> I'm not sure what you mean.



Never mind about that now...  Try running malwarebytes now, I'm sure it will catch more infections.  Then post its log and a hijackthis log.


----------



## mustardgas (Apr 3, 2010)

johnb35 said:


> Never mind about that now...  Try running malwarebytes now, I'm sure it will catch more infections.  Then post its log and a hijackthis log.



I can't open malwarebytes in either safe mode or regular mode.  The virus is still fully present.


----------



## mustardgas (Apr 3, 2010)

As for opening malwarebytes in safe mode, the message is the same as the one shown when I tried to open the HJT install: "...marked for deletion."


----------



## johnb35 (Apr 3, 2010)

Go here and download rkill, click on the rkill.com or rkill.scr link and see if it will run.  This should temporarily disable the active infection to where you can run malwarebytes.

http://www.technibble.com/rkill-repair-tool-of-the-week/


----------



## mustardgas (Apr 3, 2010)

johnb35 said:


> Go here and download rkill, click on the rkill.com or rkill.scr link and see if it will run.  This should temporarily disable the active infection to where you can run malwarebytes.
> 
> http://www.technibble.com/rkill-repair-tool-of-the-week/



Do I upload the file during safe mode?


----------



## mustardgas (Apr 3, 2010)

Wait, will rkill.exe also suffice?  I happened to just download that version before reading your response.


----------



## johnb35 (Apr 3, 2010)

Well, I'm thinking the infection will stop any exe from running, that's why I told you to download the .com or .scr file.


----------



## mustardgas (Apr 3, 2010)

I was able to run rkill in safe mode, which allowed me to open malwarebytes.  However, when I tried to update malwarebytes, I got an error message.  I assume this is because I can't connect to the internet during safe mode.  Is there any way I could get around this?

Here's the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:50 PM, on 4/2/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18444)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\helppane.exe
C:\Windows\Explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [edmpcdub] C:\Users\filmmaker\AppData\Local\vwhnyiffe\vdqvidftssd.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Dell Remote Access.lnk = ?
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll 
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Advanced Networking Service (hnmsvc) - Dell Inc. - c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\Windows\system32\Wacom_Tablet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 8158 bytes


----------



## johnb35 (Apr 3, 2010)

For now just run malwarebytes not updated and lets see if it kills the process that is stopping it from getting updated.  Post the log from malwarebytes after running it.  You have one infection here and most likely many hidden still.

O4 - HKCU\..\Run: [edmpcdub] C:\Users\filmmaker\AppData\Local\vwhnyiffe\vdqvidftssd.exe


----------
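How the entry johnb35 singled out can be picked out mechanically: the following is an added example, not code from the thread, that parses HijackThis O4 and R1 lines and flags autostart binaries living in user-writable profile folders, plus a WinINET proxy pointing at loopback. The sample lines are constructed from the kind of entries in this thread's logs, and the name-randomness check is a heuristic of the example's own, not a HijackThis feature.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format, using entries of the kind
# posted in this thread (a legitimate HKLM/HKCU mix, the flagged O4 line, and
# a loopback proxy setting of the sort seen in the second log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [edmpcdub] C:\Users\filmmaker\AppData\Local\vwhnyiffe\vdqvidftssd.exe
O20 - AppInit_DLLs: avgrsstx.dll
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
PROXY_RE = re.compile(r"^R1 - HKCU\\.*ProxyServer = (?P<proxy>\S+)", re.IGNORECASE)
# Locations a non-admin user can write to; legitimate vendors rarely autostart from here.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Application Data|Local Settings|Temp)\\", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list


def executable_from_command(cmd):
    """Return the file a Run-key command really loads: handles quoted paths,
    unquoted paths with spaces, and rundll32 <dll>,<entrypoint> launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    if cmd.lower().startswith("rundll32") and " " in cmd:
        return cmd.split(None, 1)[1].split(",", 1)[0]
    match = re.match(r".+?\.(?:exe|dll|scr|com|bat|cmd)(?=\s|$)", cmd, re.IGNORECASE)
    return match.group(0) if match else (cmd.split() or [cmd])[0]


def looks_random(name):
    """Crude check for generated names: no vowels at all, or a run of four or
    more consonants. Only used to strengthen a location-based finding, since
    some real products (msnmsgr, for one) trip it too."""
    stem = re.sub(r"\.[a-z0-9]{2,4}$", "", name.lower())
    stem = re.sub(r"[^a-z]", "", stem)
    if not stem:
        return False
    if not any(ch in "aeiou" for ch in stem):
        return len(stem) >= 5
    return re.search(r"[^aeiou]{4,}", stem) is not None


def triage(log_text):
    """Return the log lines worth a closer look, each with its reasons."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        run = RUN_RE.match(line)
        if run:
            exe = executable_from_command(run.group("cmd"))
            reasons = []
            if USER_WRITABLE_RE.search(exe):
                reasons.append("autostart binary lives in a user-writable profile folder")
                if looks_random(run.group("name")) or looks_random(exe.rsplit("\\", 1)[-1]):
                    reasons.append("value name or file name looks machine-generated")
            if reasons:
                findings.append(Finding(line, reasons))
            continue
        proxy = PROXY_RE.match(line)
        if proxy and re.search(r"127\.\d+\.\d+\.\d+|localhost", proxy.group("proxy"), re.IGNORECASE):
            findings.append(Finding(line, ["WinINET proxy points at loopback, so a local process "
                                           "sits between the browser (and HTTP-based updaters) "
                                           "and the network"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```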



## johnb35 (Apr 3, 2010)

Just an offer here, if you are willing, I could remote into your system and help you that way.


----------



## deanj20 (Apr 3, 2010)

How would you go about that johnb35? RealVNC?


----------



## johnb35 (Apr 3, 2010)

log me in, team viewer, remote assistance via windows live messenger are just a few different ways.


----------



## mustardgas (Apr 3, 2010)

johnb35 said:


> Just an offer here, if you are willing, I could remote into your system and help you that way.



Although you and the others who've responded have been EXTREMELY helpful, I'm not exactly comfortable letting you have direct access to my computer.  To be honest, I feel a little strange having given you all the log information earlier, as I don't quite understand that stuff, and therefore don't know exactly what you or others could do with that info if you had malicious intent.  I probably sound pretty paranoid and ignorant (I certainly am when it comes to computers), but it's hard for me to be too trusting of others online, especially after these crazy virus episodes I've been experiencing.  

I tried a malwarebytes scan.  Nothing was detected.  But it was a quick scan.  Should I try the full scan?


----------



## mustardgas (Apr 3, 2010)

johnb35 said:


> For now just run malwarebytes not updated and lets see if it kills the process that is stopping it from getting updated.  Post the log from malwarebytes after running it.  You have one infection here and most likely many hidden still.
> 
> O4 - HKCU\..\Run: [edmpcdub] C:\Users\filmmaker\AppData\Local\vwhnyiffe\vdqvidftssd.exe



How can I update it without an internet connection?


----------



## deanj20 (Apr 3, 2010)

> I'm not exactly comfortable letting you have direct access to my computer.



Don't blame you there. He's just trying to help out, but you don't know that... 



> To be honest, I feel a little strange having given you all the log information earlier, as I don't quite understand that stuff, and therefore don't know exactly what you or others could do with that info if you had malicious intent.



Once again, I don't blame you. Better safe than sorry, right? But fear not - those logs are useless to anyone who has malicious intent - they simply show what processes, etc are running on your machine and browser variables. At best, someone could see that you're running a program that _could_ be exploited (I don't see any), but they would have to know your IP address (which they would have to have server access to get), then get around what security (if any) your ISP has in place, past your router security _and_ your firewall _and_ actually know how to exploit said software. So... pretty harmless information there. 



> I tried a malwarebytes scan. Nothing was detected. But it was a quick scan. Should I try the full scan?


Definitely run a full scan.



> How can I update it without an internet connection?


He's hoping that after Malwarebyte's Antimalware runs, you post your new HJT log and we tell you what else you need to do, you _will_ be able to get internet access. johnb35 will probably be back on in a bit. I'd be happy to guide you until then. Just run a _full_ scan with Malwarebytes, then post your HJT log here and we'll go from there.


----------



## mustardgas (Apr 3, 2010)

deanj20 said:


> Don't blame you there. He's just trying to help out, but you don't know that...
> 
> 
> 
> ...



I accept and appreciate any guidance you can give.


----------



## OvenMaster (Apr 3, 2010)

I had this POS virus hit my Vista laptop a few days ago.

1. http://www.myantispyware.com/2010/0...are-2010-vista-antivirus-2010-vista-guardian/

2. cut and paste all of this following text in Notepad and save it as a .reg file called "fix.reg" on your desktop.

```reg
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
```

3. Double-click that .reg file. It will look like nothing has happened. Not true. Reboot and run Malwarebytes and do a FULL scan on your computer.

4. After you are done, search for av.exe or ave.exe and delete it in case Malwarebytes does not erase it for you. It should.

5. You should be just fine after this. A full virus scan would not hurt. 

This worked perfectly for me. Good luck!


----------
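Why the fix.reg above works: Windows consults HKCU\Software\Classes before HKEY_CLASSES_ROOT, so a per-user .exe-to-secfile mapping whose open command points at the rogue program makes it run on every .exe launch. The following is an added example, not OvenMaster's or the forum's code: it parses that .reg file, replays it against a constructed snapshot of the hijacked keys, and audits the .exe association before and after. The rogue's path in the snapshot is a placeholder, not taken from the thread.

```python
import re

# What a healthy exefile open command looks like (what fix.reg restores).
EXPECTED_OPEN_COMMAND = '"%1" %*'

# The fix from the post above, reproduced as the input to parse.
FIX_REG = r'''Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
'''

# Constructed snapshot of a hijacked machine: key path -> {value name: data},
# where "" is the (Default) value. The per-user ".exe -> secfile" mapping is
# consulted before HKEY_CLASSES_ROOT, so every .exe launch runs the rogue
# first. The rogue's path below is a placeholder.
HIJACKED_SNAPSHOT = {
    r"HKEY_CURRENT_USER\Software\Classes\.exe": {"": "secfile"},
    r"HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command": {
        "": r'"C:\Users\filmmaker\AppData\Local\av.exe" /START "%1" %*'},
    r"HKEY_CLASSES_ROOT\.exe": {"": "exefile", "Content Type": "application/x-msdownload"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"": '"%1" %*'},
}


def decode_reg_string(data):
    """Turn a quoted REG_SZ literal from a .reg file into its plain value."""
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return re.sub(r'\\(["\\])', r'\1', data)   # \" -> "  and  \\ -> \


def parse_reg(text):
    """Minimal .reg parser: returns (keys to delete, {key: {name: data}})."""
    deletions, settings, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[-") and line.endswith("]"):
            deletions.append(line[2:-1])
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            settings.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "" if name == "@" else name.strip('"')
            settings[current][name] = decode_reg_string(data)
    return deletions, settings


def apply_reg(snapshot, reg_text):
    """Simulate importing the .reg file into a copy of the snapshot."""
    deletions, settings = parse_reg(reg_text)
    result = {key: dict(values) for key, values in snapshot.items()}
    for key in deletions:
        # regedit deletes the key together with every subkey under it
        for present in list(result):
            if present == key or present.startswith(key + "\\"):
                del result[present]
    for key, values in settings.items():
        result.setdefault(key, {}).update(values)
    return result


def audit_exe_association(snapshot):
    """List what is wrong with how .exe files are launched in this snapshot."""
    problems = []
    user_exe = snapshot.get(r"HKEY_CURRENT_USER\Software\Classes\.exe")
    if user_exe is not None:
        problems.append("HKCU\\Software\\Classes\\.exe exists and shadows HKCR "
                        f"(maps .exe to {user_exe.get('', '')!r})")
    progid = (snapshot.get(r"HKEY_CLASSES_ROOT\.exe") or {}).get("", "")
    if progid != "exefile":
        problems.append(f"HKCR\\.exe maps to {progid!r} instead of 'exefile'")
    if r"HKEY_CLASSES_ROOT\.exe\shell\open\command" in snapshot:
        problems.append("HKCR\\.exe carries its own shell\\open\\command")
    for root in (r"HKEY_CURRENT_USER\Software\Classes", "HKEY_CLASSES_ROOT"):
        for prog in ("exefile", "secfile"):
            key = root + "\\" + prog + r"\shell\open\command"
            command = (snapshot.get(key) or {}).get("")
            if command is not None and command != EXPECTED_OPEN_COMMAND:
                problems.append(f"{key} runs {command!r} instead of {EXPECTED_OPEN_COMMAND!r}")
    return problems


if __name__ == "__main__":
    print("before fix:", *audit_exe_association(HIJACKED_SNAPSHOT), sep="\n  ")
    print("after fix:", audit_exe_association(apply_reg(HIJACKED_SNAPSHOT, FIX_REG)))
```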



## mustardgas (Apr 3, 2010)

mustardgas said:


> He's hoping that after Malwarebyte's Antimalware runs, you post your new HJT log and we tell you what else you need to do, you _will_ be able to get internet access. johnb35 will probably be back on in a bit. I'd be happy to guide you until then. Just run a _full_ scan with Malwarebytes, then post your HJT log here and we'll go from there.



Full scan revealed no infections.


----------



## mustardgas (Apr 3, 2010)

OvenMaster said:


> I had this POS virus hit my Vista laptop a few days ago.
> 
> 1. http://www.myantispyware.com/2010/0...are-2010-vista-antivirus-2010-vista-guardian/
> 
> ...



So I perform steps 1-3 in safe mode, then perform steps 4 and 5 in normal mode?


----------



## mustardgas (Apr 3, 2010)

OvenMaster said:


> I had this POS virus hit my Vista laptop a few days ago.
> 
> 1. http://www.myantispyware.com/2010/0...are-2010-vista-antivirus-2010-vista-guardian/
> 
> ...



Ok, I gave special attention to the reply containing the above quote, because I tried the exact same thing during my last malware episode, and the problem was resolved.  However, this instance is different; I tried the above steps while my computer was in safe mode, then rebooted into normal mode so I could run a malwarebytes scan. Whoops, malwarebytes is still blocked.  The above steps had no effect.  My computer is the same.  Additionally, I thought I might be able to try the above steps while in normal mode.  Turns out I CAN'T EVEN OPEN NOTEPAD!  It's as if I have access to nothing now.  And during safe mode, I can't even access the internet because my computer is a wifi laptop.  

Is this completely hopeless?


----------



## deanj20 (Apr 3, 2010)

> Is this completely hopeless?



No. 

Run HijackThis! in Safe Mode - do a System Scan and put a check next to this entry:

O4 - HKCU\..\Run: [edmpcdub] C:\Users\filmmaker\AppData\Local\vwhnyiffe\vdqvidftssd.exe

and click "Fix Selected".

Then go to Start-->Run-->type 'msconfig' and hit <enter>

In the Startup tab, click 'Disable All'
then, in the Services tab, *check 'Hide All Microsoft Services'* and click 'Disable All'

Click 'OK' and restart the computer *in Safe Mode*.

Run HijackThis! again, and post the log here. Also - is there any way you can plug your computer into the router with an ethernet cable? I'm sure you're tired of running back and forth between computers?


----------



## OvenMaster (Apr 3, 2010)

@mustardgas: I am so sorry my info didn't work for you.  That's how this stupid virus works: disabling one .exe file after another until the whole computer's useless. I've seen that you have to do what I said as soon as you recognize what's going on... the fact you'd done it once already shows this would work otherwise. Again, I'm sorry.


----------



## mustardgas (Apr 3, 2010)

OvenMaster said:


> @mustardgas: I am so sorry my info didn't work for you.  That's how this stupid virus works: disabling one .exe file after another until the whole computer's useless.. I've seen that you have to do what I said as soon as you recognize what's going on... the fact you'd done it once already shows this would work otherwise. Again, I'm sorry.



No need to apologize OvenMaster.  I hadn't mentioned that I tried that approach last time.  If this were my first such malware episode, your reply would've been exactly what I needed.  In fact, even before you replied, I too was considering that approach again.  Your reply gave me a convenient means to try what I might've ended up trying anyway.  So thanks.


----------



## deanj20 (Apr 3, 2010)

Did you try the suggestions in my last post? Or are you sick of messing with it for now?


----------



## mustardgas (Apr 3, 2010)

*HijackThis Log #2*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:44 AM, on 4/3/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18444)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll 
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

--
End of file - 3532 bytes

As for the ethernet cord, there's one that goes from my roommate's router (the one where I normally connect via wifi) into her computer.  I tried connecting the cord into my computer, but didn't get any results.  Perhaps this was stupid of me to begin with?  If so, how should I go about establishing a connection?


----------



## deanj20 (Apr 3, 2010)

No - that should work - take the Ethernet cord from the back of her computer and plug it in to yours. If you're in Safe Mode with Networking, then you _should_ be able to get online. Try it out - it will save you a lot of headache.



> C:\Windows\SYSTEM32\WISPTIS.EXE
> C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe



I do not know why these would be running in safe mode. Suspicious if you ask me. Other than that, your log looks fine. Moving on to step 2 - I'm going to copy and paste the Combofix "Rant" that johnb35 and others often use. Please follow the directions:

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

* *Download this file* here:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    * Then double click *combofix.exe* & follow the prompts.
    * When finished, it shall produce *a log* for you. *Post that log* in your next reply.

*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.*

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply please post:

    * The ComboFix log
    * A fresh HiJackThis log
    * An update on how your computer is running


----------



## deanj20 (Apr 3, 2010)

Well it's _way_ past my bedtime (5:30AM). I hope Combofix is able to remove whatever is plaguing you. I'm fairly certain that these files


> C:\Windows\SYSTEM32\WISPTIS.EXE
> C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe



are actually the virus(es) disguised as legitimate looking processes, *unless your PC is a Tablet PC*. If Combofix doesn't find anything, I would just go to their respective folders and rename them to WISPTIS.EXE.BAD and TabTip.exe.BAD, then reboot into Safe Mode, run HijackThis! again and check the log for running processes. If they're gone, then boot into normal mode and see if your PC behaves normally. 

Someone else will be along to help soon I'm sure. Good night and good luck.


----------



## johnb35 (Apr 3, 2010)

Try downloading and running superantispyware as I usually run that when malwarebytes won't catch the infection.

http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html


----------



## mustardgas (Apr 3, 2010)

deanj20 said:


> No - that should work - take the Ethernet cord from the back of her computer and plug it in to yours. If you're in Safe Mode with Networking, then you _should_ be able to get online. Try it out - it will save you a lot of headache.
> 
> 
> 
> ...



*ComboFix log*:

ComboFix 10-04-03.01 - filmmaker 04/03/2010  16:33:47.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.3581.3083 [GMT -5:00]
Running from: H:\ComboFix2.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((   Files Created from 2010-03-03 to 2010-04-03  )))))))))))))))))))))))))))))))
.

2010-04-03 21:40 . 2010-04-03 21:40	--------	d-----w-	c:\users\filmmaker\AppData\Local\temp
2010-04-03 21:40 . 2010-04-03 21:40	--------	d-----w-	c:\users\Public\AppData\Local\temp
2010-04-03 21:40 . 2010-04-03 21:40	--------	d-----w-	c:\users\Default\AppData\Local\temp
2010-04-03 21:31 . 2010-04-03 21:32	--------	d-----w-	C:\32788R22FWJFW
2010-04-03 02:37 . 2010-04-03 02:37	--------	d-----w-	c:\program files\Trend Micro
2010-04-02 11:38 . 2010-04-02 11:38	--------	d-----w-	c:\users\filmmaker\AppData\Local\vwhnyiffe
2010-04-02 02:55 . 2010-04-02 02:59	--------	d-----w-	c:\users\filmmaker\AppData\Local\nos
2010-04-02 02:55 . 2010-04-02 02:55	86016	----a-w-	c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-04-02 02:55 . 2010-04-02 03:18	--------	d-----w-	c:\programdata\NOS
2010-04-01 19:09 . 2010-04-01 19:09	4076824	----a-w-	c:\programdata\avg9\update\backup\avgui.exe
2010-04-01 19:09 . 2010-04-01 19:09	2059544	----a-w-	c:\programdata\avg9\update\backup\avgtray.exe
2010-04-01 19:09 . 2010-04-01 19:09	1598744	----a-w-	c:\programdata\avg9\update\backup\avgssie.dll
2010-04-01 19:09 . 2010-04-01 19:09	1274136	----a-w-	c:\programdata\avg9\update\backup\avgfrw.exe
2010-04-01 19:09 . 2010-04-01 19:09	598296	----a-w-	c:\programdata\avg9\update\backup\avgsrmx.dll
2010-04-01 19:09 . 2010-04-01 19:09	556824	----a-w-	c:\programdata\avg9\update\backup\avgchjwx.dll
2010-04-01 19:09 . 2010-04-01 19:09	459544	----a-w-	c:\programdata\avg9\update\backup\avgcclix.dll
2010-04-01 19:09 . 2010-04-01 19:09	4250976	----a-w-	c:\programdata\avg9\update\backup\avgcorex.dll
2010-04-01 19:09 . 2010-04-01 19:09	313112	----a-w-	c:\programdata\avg9\update\backup\avglogx.dll
2010-04-01 19:09 . 2010-04-01 19:09	1515224	----a-w-	c:\programdata\avg9\update\backup\avgwd.dll
2010-04-01 19:09 . 2010-04-01 19:09	1086744	----a-w-	c:\programdata\avg9\update\backup\avgchsvx.exe
2010-04-01 19:09 . 2010-04-01 19:09	301336	----a-w-	c:\programdata\avg9\update\backup\avgchclx.dll
2010-04-01 19:08 . 2010-04-01 19:08	1685784	----a-w-	c:\programdata\avg9\update\backup\avgupd.dll
2010-04-01 19:08 . 2010-04-01 19:08	1035032	----a-w-	c:\programdata\avg9\update\backup\avgupd.exe
2010-03-31 03:09 . 2010-03-31 03:09	690952	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-03-29 07:15 . 2010-03-29 07:15	--------	d-----w-	c:\program files\Gabest
2010-03-26 05:25 . 2010-03-26 05:25	--------	d-----w-	c:\program files\iPod
2010-03-26 05:25 . 2010-03-26 05:26	--------	d-----w-	c:\program files\iTunes
2010-03-26 05:19 . 2010-03-26 05:19	72488	----a-w-	c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-22 23:58 . 2010-03-22 23:58	--------	d-----w-	c:\programdata\Comodo Downloader
2010-03-22 23:56 . 2010-04-02 03:43	--------	d-----w-	c:\programdata\COMODO
2010-03-22 23:52 . 2010-03-22 23:52	--------	d-----w-	c:\program files\COMODO
2010-03-19 08:52 . 2010-03-19 08:52	5115824	----a-w-	c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-18 10:30 . 2010-03-18 10:30	--------	d-----w-	c:\users\filmmaker\AppData\Roaming\Malwarebytes
2010-03-18 10:30 . 2010-01-07 21:07	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-18 10:30 . 2010-03-19 08:52	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-03-18 10:30 . 2010-03-18 10:30	--------	d-----w-	c:\programdata\Malwarebytes
2010-03-18 10:30 . 2010-01-07 21:07	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-03-13 19:26 . 2010-03-13 19:26	360584	----a-w-	c:\programdata\avg9\update\backup\avgtdix.sys
2010-03-05 03:14 . 2010-04-01 23:12	--------	d-----w-	c:\windows\system32\drivers\Avg
2010-03-05 03:14 . 2010-03-05 03:14	--------	d-----w-	c:\programdata\AVG Security Toolbar
2010-03-05 03:14 . 2010-03-05 03:14	--------	d-----w-	c:\program files\AVG
2010-03-05 03:14 . 2010-03-05 03:14	--------	d-----w-	c:\programdata\avg9

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-03 06:44 . 2009-04-19 18:08	--------	d-----w-	c:\users\filmmaker\AppData\Roaming\WTablet
2010-04-02 11:45 . 2009-04-14 22:47	--------	d-----w-	c:\users\filmmaker\AppData\Roaming\uTorrent
2010-04-02 11:24 . 2009-03-07 01:56	7342	----a-w-	c:\users\filmmaker\AppData\Roaming\wklnhst.dat
2010-04-02 04:06 . 2009-03-04 00:39	70488	----a-w-	c:\users\filmmaker\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-02 02:59 . 2009-02-17 07:20	--------	d-----w-	c:\program files\Common Files\Adobe
2010-04-02 02:57 . 2009-09-14 22:26	--------	d-----w-	c:\program files\Common Files\Adobe AIR
2010-04-01 01:51 . 2009-04-16 23:06	2828	--sha-w-	c:\programdata\KGyGaAvL.sys
2010-04-01 01:51 . 2009-04-16 23:06	2828	--sha-w-	c:\programdata\KGyGaAvL.sys
2010-04-01 00:03 . 2009-03-08 14:53	55857	----a-w-	c:\programdata\nvModes.dat
2010-03-26 05:25 . 2009-10-25 02:05	--------	d-----w-	c:\program files\Common Files\Apple
2010-03-26 05:23 . 2009-03-20 01:06	--------	d-----w-	c:\program files\QuickTime
2010-03-18 09:34 . 2009-03-17 02:15	8268	----a-w-	c:\users\filmmaker\AppData\Local\d3d9caps.dat
2010-03-13 19:26 . 2010-03-13 19:26	333192	----a-w-	c:\programdata\avg9\update\backup\avgldx86.sys
2010-03-13 19:26 . 2010-03-13 19:26	28424	----a-w-	c:\programdata\avg9\update\backup\avgmfx86.sys
2010-03-13 19:26 . 2010-03-05 03:14	242696	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2010-03-13 19:26 . 2010-03-13 19:26	12464	----a-w-	c:\windows\system32\avgrsstx.dll
2010-03-13 19:26 . 2010-03-05 03:14	29512	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 19:25 . 2010-03-05 03:14	216200	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2010-03-11 09:17 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2010-03-09 16:28 . 2010-03-30 20:24	833024	----a-w-	c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-30 20:24	78336	----a-w-	c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-30 20:24	26624	----a-w-	c:\windows\system32\ieUnatt.exe
2010-03-05 03:14 . 2010-03-05 16:49	3777280	----a-w-	c:\programdata\avg9\update\backup\setup.exe
2010-03-05 03:14 . 2010-03-13 19:24	800536	----a-w-	c:\programdata\avg9\update\backup\avginet.dll
2010-03-05 03:14 . 2010-03-13 19:24	613656	----a-w-	c:\programdata\avg9\update\backup\avgiproxy.exe
2010-02-24 15:16 . 2009-10-03 23:20	181632	------w-	c:\windows\system32\MpSigStub.exe
2010-02-20 23:39 . 2010-03-11 09:00	24064	----a-w-	c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-11 09:00	31232	----a-w-	c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-11 09:00	411136	----a-w-	c:\windows\system32\drivers\http.sys
2010-02-01 01:45 . 2009-09-14 22:26	38784	----a-w-	c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-01 01:45 . 2009-09-14 22:22	38784	----a-w-	c:\users\filmmaker\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-25 12:48 . 2010-02-23 21:33	472576	----a-w-	c:\windows\system32\secproc_isv.dll
2010-01-25 12:48 . 2010-02-23 21:33	151040	----a-w-	c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48 . 2010-02-23 21:33	151040	----a-w-	c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48 . 2010-02-23 21:33	472064	----a-w-	c:\windows\system32\secproc.dll
2010-01-25 12:45 . 2010-02-23 21:33	329216	----a-w-	c:\windows\system32\msdrm.dll
2010-01-25 08:35 . 2010-02-23 21:33	346624	----a-w-	c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35 . 2010-02-23 21:33	523776	----a-w-	c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34 . 2010-02-23 21:33	511488	----a-w-	c:\windows\system32\RMActivate.exe
2010-01-25 08:34 . 2010-02-23 21:33	347136	----a-w-	c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44 . 2010-02-23 21:33	2048	----a-w-	c:\windows\system32\tzres.dll
2010-01-22 01:01 . 2010-01-22 01:01	1	----a-w-	c:\users\filmmaker\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-22 00:16 . 2010-01-22 00:16	411368	----a-w-	c:\windows\system32\deploytk.dll
2010-01-16 19:33 . 2010-01-16 19:33	1956072	----a-w-	c:\users\filmmaker\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-01-08 19:38 . 2010-01-08 19:38	652296	----a-w-	c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2010-01-08 19:37 . 2010-01-08 19:37	416128	----a-w-	c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-02-17 07:15 . 2009-02-17 07:15	75	--sh--r-	c:\windows\CT4CET.bin
2009-02-17 08:34 . 2009-02-17 08:30	8192	--sha-w-	c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 19:04	1664256	----a-w-	c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-02-17 07:27	10536	----a-w-	c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Dell Remote Access.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Dell Remote Access.lnk
backup=c:\windows\pss\Dell Remote Access.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^filmmaker^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\filmmaker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57	948672	----a-r-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57	35760	----a-w-	c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2008-10-27 09:54	3563520	----a-w-	c:\windows\System32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2009-04-09 22:29	1762032	----a-w-	c:\program files\Dell DataSafe Online\DataSafeOnline.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-06-03 19:46	206064	----a-w-	c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25	125952	----a-w-	c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-02-12 19:37	174872	----a-w-	c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07	141608	----a-w-	c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-01-07 21:07	1394000	----a-w-	c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2008-12-03 04:41	3882312	----a-w-	c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-08-18 12:20	13548064	----a-w-	c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2008-08-18 12:20	96800	----a-w-	c:\windows\System32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-08-18 12:20	92704	----a-w-	c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2008-04-18 10:08	36864	----a-w-	c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 16:57	128296	------w-	c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08	417792	----a-w-	c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23	1233920	----a-w-	c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-22 00:16	149280	----a-w-	c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-24 06:09	1029416	----a-w-	c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2008-12-04 09:05	442467	----a-w-	c:\program files\IDT\WDM\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23	1008184	----a-w-	c:\program files\Windows Defender\MSASCui.exe

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-13 216200]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 15656]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe [2008-12-04 73728]
R4 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-13 916760]
R4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]
R4 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]
R4 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-05-01 3032360]
R4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-03-27 2789672]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-03-13 242696]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-03-24 183808]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-03 16:40
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-03  16:41:27
ComboFix-quarantined-files.txt  2010-04-03 21:41
ComboFix2.txt  2010-04-03 01:27

Pre-Run: 102,657,966,080 bytes free
Post-Run: 102,625,353,728 bytes free

- - End Of File - - A76EB3437F854D6EB31F06450A120FFA

*HijackThis Log*:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:43 PM, on 4/3/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18444)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll 
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

--
End of file - 3576 bytes

*Malwarebytes Log*

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

4/3/2010 5:02:13 PM
mbam-log-2010-04-03 (17-02-13).txt

Scan type: Quick scan
Objects scanned: 102057
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

My computer appears to be fully functional again.  I can access the internet, update malwarebytes, and so forth.  The virus no longer seems present.  However, a quick scan by malwarebytes revealed no infections.  Does that mean that the procedure I just went through (the above quoted instructions) eliminated the virus?  Or is there more yet to be done?


----------



## mustardgas (Apr 4, 2010)

Well, I guess the problem's resolved, then?  Thanks to everyone who helped me out.  I greatly appreciate it.  Btw, how do I go about preventing this from happening again in the future?  It's a firewall issue, right?  I had Comodo for a while, but its popups became so obnoxious that I deleted it.  Crazy thing is, the day I deleted it was the day I got this most recent virus.  Is there a way of setting up my computer with freeware such that I can use the internet without feeling threatened, as well as be free of obnoxious popups coming from the freeware itself?  Man, the internet has become a pain in the ass to use.


----------



## johnb35 (Apr 4, 2010)

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box


```
DIRLOOK::
c:\users\filmmaker\AppData\Local\vwhnyiffe
```

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


----------



## mustardgas (Apr 4, 2010)

johnb35 said:


> 1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
> It must be Notepad, not Wordpad.
> 2. Copy the text in the below code box
> 
> ...



*LOG*

ComboFix 10-04-03.01 - filmmaker 04/04/2010   3:58.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.3581.2205 [GMT -5:00]
Running from: H:\ComboFix2.exe
Command switches used :: c:\users\filmmaker\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((   Files Created from 2010-03-04 to 2010-04-04  )))))))))))))))))))))))))))))))
.

2010-04-04 09:06 . 2010-04-04 09:06	--------	d-----w-	c:\users\Public\AppData\Local\temp
2010-04-04 09:06 . 2010-04-04 09:06	--------	d-----w-	c:\users\Default\AppData\Local\temp
2010-04-03 21:41 . 2010-04-04 09:06	--------	d-----w-	c:\users\filmmaker\AppData\Local\temp
2010-04-03 02:37 . 2010-04-03 02:37	--------	d-----w-	c:\program files\Trend Micro
2010-04-02 11:38 . 2010-04-02 11:38	--------	d-----w-	c:\users\filmmaker\AppData\Local\vwhnyiffe
2010-04-02 02:55 . 2010-04-02 02:59	--------	d-----w-	c:\users\filmmaker\AppData\Local\nos
2010-04-02 02:55 . 2010-04-02 02:55	86016	----a-w-	c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-04-02 02:55 . 2010-04-02 03:18	--------	d-----w-	c:\programdata\NOS
2010-04-01 19:09 . 2010-04-01 19:09	4076824	----a-w-	c:\programdata\avg9\update\backup\avgui.exe
2010-04-01 19:09 . 2010-04-01 19:09	2059544	----a-w-	c:\programdata\avg9\update\backup\avgtray.exe
2010-04-01 19:09 . 2010-04-01 19:09	1598744	----a-w-	c:\programdata\avg9\update\backup\avgssie.dll
2010-04-01 19:09 . 2010-04-01 19:09	1274136	----a-w-	c:\programdata\avg9\update\backup\avgfrw.exe
2010-04-01 19:09 . 2010-04-01 19:09	598296	----a-w-	c:\programdata\avg9\update\backup\avgsrmx.dll
2010-04-01 19:09 . 2010-04-01 19:09	556824	----a-w-	c:\programdata\avg9\update\backup\avgchjwx.dll
2010-04-01 19:09 . 2010-04-01 19:09	459544	----a-w-	c:\programdata\avg9\update\backup\avgcclix.dll
2010-04-01 19:09 . 2010-04-01 19:09	4250976	----a-w-	c:\programdata\avg9\update\backup\avgcorex.dll
2010-04-01 19:09 . 2010-04-01 19:09	313112	----a-w-	c:\programdata\avg9\update\backup\avglogx.dll
2010-04-01 19:09 . 2010-04-01 19:09	1515224	----a-w-	c:\programdata\avg9\update\backup\avgwd.dll
2010-04-01 19:09 . 2010-04-01 19:09	1086744	----a-w-	c:\programdata\avg9\update\backup\avgchsvx.exe
2010-04-01 19:09 . 2010-04-01 19:09	301336	----a-w-	c:\programdata\avg9\update\backup\avgchclx.dll
2010-04-01 19:08 . 2010-04-01 19:08	1685784	----a-w-	c:\programdata\avg9\update\backup\avgupd.dll
2010-04-01 19:08 . 2010-04-01 19:08	1035032	----a-w-	c:\programdata\avg9\update\backup\avgupd.exe
2010-03-31 03:09 . 2010-03-31 03:09	690952	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-03-29 07:15 . 2010-03-29 07:15	--------	d-----w-	c:\program files\Gabest
2010-03-26 05:25 . 2010-03-26 05:25	--------	d-----w-	c:\program files\iPod
2010-03-26 05:25 . 2010-03-26 05:26	--------	d-----w-	c:\program files\iTunes
2010-03-26 05:19 . 2010-03-26 05:19	72488	----a-w-	c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-22 23:58 . 2010-03-22 23:58	--------	d-----w-	c:\programdata\Comodo Downloader
2010-03-22 23:56 . 2010-04-02 03:43	--------	d-----w-	c:\programdata\COMODO
2010-03-22 23:52 . 2010-03-22 23:52	--------	d-----w-	c:\program files\COMODO
2010-03-19 08:52 . 2010-04-03 21:57	5918776	----a-w-	c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-18 10:30 . 2010-03-18 10:30	--------	d-----w-	c:\users\filmmaker\AppData\Roaming\Malwarebytes
2010-03-18 10:30 . 2010-03-30 05:46	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-18 10:30 . 2010-04-03 21:57	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-03-18 10:30 . 2010-03-30 05:45	20824	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-03-18 10:30 . 2010-03-18 10:30	--------	d-----w-	c:\programdata\Malwarebytes
2010-03-13 19:26 . 2010-03-13 19:26	360584	----a-w-	c:\programdata\avg9\update\backup\avgtdix.sys
2010-03-13 19:26 . 2010-03-13 19:26	333192	----a-w-	c:\programdata\avg9\update\backup\avgldx86.sys
2010-03-13 19:26 . 2010-03-13 19:26	28424	----a-w-	c:\programdata\avg9\update\backup\avgmfx86.sys
2010-03-13 19:26 . 2010-03-13 19:26	12464	----a-w-	c:\windows\system32\avgrsstx.dll
2010-03-13 19:24 . 2010-03-05 03:14	800536	----a-w-	c:\programdata\avg9\update\backup\avginet.dll
2010-03-13 19:24 . 2010-03-05 03:14	613656	----a-w-	c:\programdata\avg9\update\backup\avgiproxy.exe
2010-03-11 09:00 . 2010-02-20 23:39	24064	----a-w-	c:\windows\system32\nshhttp.dll
2010-03-11 09:00 . 2010-02-20 23:37	31232	----a-w-	c:\windows\system32\httpapi.dll
2010-03-11 09:00 . 2010-02-20 21:18	411136	----a-w-	c:\windows\system32\drivers\http.sys
2010-03-05 16:49 . 2010-03-05 03:14	3777280	----a-w-	c:\programdata\avg9\update\backup\setup.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 08:59 . 2009-03-07 01:56	7456	----a-w-	c:\users\filmmaker\AppData\Roaming\wklnhst.dat
2010-04-04 01:16 . 2009-04-16 23:06	2828	--sha-w-	c:\programdata\KGyGaAvL.sys
2010-04-04 01:16 . 2009-04-16 23:06	2828	--sha-w-	c:\programdata\KGyGaAvL.sys
2010-04-03 06:44 . 2009-04-19 18:08	--------	d-----w-	c:\users\filmmaker\AppData\Roaming\WTablet
2010-04-02 11:45 . 2009-04-14 22:47	--------	d-----w-	c:\users\filmmaker\AppData\Roaming\uTorrent
2010-04-02 04:06 . 2009-03-04 00:39	70488	----a-w-	c:\users\filmmaker\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-02 02:59 . 2009-02-17 07:20	--------	d-----w-	c:\program files\Common Files\Adobe
2010-04-02 02:57 . 2009-09-14 22:26	--------	d-----w-	c:\program files\Common Files\Adobe AIR
2010-04-01 00:03 . 2009-03-08 14:53	55857	----a-w-	c:\programdata\nvModes.dat
2010-03-26 05:25 . 2009-10-25 02:05	--------	d-----w-	c:\program files\Common Files\Apple
2010-03-26 05:23 . 2009-03-20 01:06	--------	d-----w-	c:\program files\QuickTime
2010-03-18 09:34 . 2009-03-17 02:15	8268	----a-w-	c:\users\filmmaker\AppData\Local\d3d9caps.dat
2010-03-13 19:26 . 2010-03-05 03:14	242696	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2010-03-13 19:26 . 2010-03-05 03:14	29512	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 19:25 . 2010-03-05 03:14	216200	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2010-03-11 09:17 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2010-03-09 16:28 . 2010-03-30 20:24	833024	----a-w-	c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-30 20:24	78336	----a-w-	c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-30 20:24	26624	----a-w-	c:\windows\system32\ieUnatt.exe
2010-03-05 03:14 . 2010-03-05 03:14	--------	d-----w-	c:\programdata\AVG Security Toolbar
2010-03-05 03:14 . 2010-03-05 03:14	--------	d-----w-	c:\program files\AVG
2010-03-05 03:14 . 2010-03-05 03:14	--------	d-----w-	c:\programdata\avg9
2010-02-24 15:16 . 2009-10-03 23:20	181632	------w-	c:\windows\system32\MpSigStub.exe
2010-02-01 01:45 . 2009-09-14 22:26	38784	----a-w-	c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-01 01:45 . 2009-09-14 22:22	38784	----a-w-	c:\users\filmmaker\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-25 12:48 . 2010-02-23 21:33	472576	----a-w-	c:\windows\system32\secproc_isv.dll
2010-01-25 12:48 . 2010-02-23 21:33	151040	----a-w-	c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48 . 2010-02-23 21:33	151040	----a-w-	c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48 . 2010-02-23 21:33	472064	----a-w-	c:\windows\system32\secproc.dll
2010-01-25 12:45 . 2010-02-23 21:33	329216	----a-w-	c:\windows\system32\msdrm.dll
2010-01-25 08:35 . 2010-02-23 21:33	346624	----a-w-	c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35 . 2010-02-23 21:33	523776	----a-w-	c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34 . 2010-02-23 21:33	511488	----a-w-	c:\windows\system32\RMActivate.exe
2010-01-25 08:34 . 2010-02-23 21:33	347136	----a-w-	c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44 . 2010-02-23 21:33	2048	----a-w-	c:\windows\system32\tzres.dll
2010-01-22 01:01 . 2010-01-22 01:01	1	----a-w-	c:\users\filmmaker\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-22 00:16 . 2010-01-22 00:16	411368	----a-w-	c:\windows\system32\deploytk.dll
2010-01-16 19:33 . 2010-01-16 19:33	1956072	----a-w-	c:\users\filmmaker\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-01-08 19:38 . 2010-01-08 19:38	652296	----a-w-	c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2010-01-08 19:37 . 2010-01-08 19:37	416128	----a-w-	c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-02-17 07:15 . 2009-02-17 07:15	75	--sh--r-	c:\windows\CT4CET.bin
2009-02-17 08:34 . 2009-02-17 08:30	8192	--sha-w-	c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\filmmaker\AppData\Local\vwhnyiffe ----

2010-04-02 11:38 . 2010-04-02 11:37	270592	----a-w-	c:\users\filmmaker\AppData\Local\vwhnyiffe\vdqvidftssd.exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 19:04	1664256	----a-w-	c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-02-17 07:27	10536	----a-w-	c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Dell Remote Access.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Dell Remote Access.lnk
backup=c:\windows\pss\Dell Remote Access.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^filmmaker^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\filmmaker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57	948672	----a-r-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57	35760	----a-w-	c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2008-10-27 09:54	3563520	----a-w-	c:\windows\System32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2009-04-09 22:29	1762032	----a-w-	c:\program files\Dell DataSafe Online\DataSafeOnline.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-06-03 19:46	206064	----a-w-	c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25	125952	----a-w-	c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-02-12 19:37	174872	----a-w-	c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07	141608	----a-w-	c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 05:46	1086856	----a-w-	c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2008-12-03 04:41	3882312	----a-w-	c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-08-18 12:20	13548064	----a-w-	c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2008-08-18 12:20	96800	----a-w-	c:\windows\System32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-08-18 12:20	92704	----a-w-	c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2008-04-18 10:08	36864	----a-w-	c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 16:57	128296	------w-	c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08	417792	----a-w-	c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23	1233920	----a-w-	c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-22 00:16	149280	----a-w-	c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-24 06:09	1029416	----a-w-	c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2008-12-04 09:05	442467	----a-w-	c:\program files\IDT\WDM\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23	1008184	----a-w-	c:\program files\Windows Defender\MSASCui.exe

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 15656]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe [2008-12-04 73728]
R4 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-13 916760]
R4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]
R4 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]
R4 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-05-01 3032360]
R4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-03-27 2789672]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-13 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-03-13 242696]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-03-24 183808]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 04:06
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-04  04:09:03
ComboFix-quarantined-files.txt  2010-04-04 09:09
ComboFix2.txt  2010-04-03 21:41
ComboFix3.txt  2010-04-03 01:27

Pre-Run: 102,419,156,992 bytes free
Post-Run: 102,394,814,464 bytes free

- - End Of File - - 489A4CA07C2300DBFBB4FED6E2493416


----------



## johnb35 (Apr 4, 2010)

Ok. Then we need to delete the whole folder.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box


```
File::
c:\windows\CT4CET.bin

Folder::
c:\users\filmmaker\AppData\Local\vwhnyiffe
```


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Also post a fresh hijackthis log.


----------
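The two logs above carry the indicators that a responder would pull out of a rogue-antivirus case by hand: a browser proxy redirected to the local machine (`ProxyServer = http=127.0.0.1:5555` in both the HijackThis and ComboFix output) and an executable living in a randomly named directory under `AppData\Local` (the `vwhnyiffe` folder that the CFScript above targets). The following triage helper is an added example for this page, not part of ComboFix, HijackThis or any post in the thread; it re-reads sample lines copied from the logs above and flags those indicators, plus hidden+system files such as `c:\windows\CT4CET.bin`. The consonant-run heuristic and the reading of ComboFix's attribute column are this example's own assumptions.

```python
"""Triage helper for ComboFix / HijackThis log lines (added example, not
part of either tool). Flags: a proxy on the loopback interface, executables
in random-looking directories under AppData\\Local, and hidden+system files."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the logs posted in this thread, with
# ComboFix's tab separators written as runs of spaces (the regex accepts both).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
2010-04-02 11:38 . 2010-04-02 11:37    270592    ----a-w-    c:\users\filmmaker\AppData\Local\vwhnyiffe\vdqvidftssd.exe
2010-03-26 05:19 . 2010-03-26 05:19    72488    ----a-w-    c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2009-02-17 07:15 . 2009-02-17 07:15    75    --sh--r-    c:\windows\CT4CET.bin
"""


@dataclass
class Finding:
    kind: str    # one of: loopback-proxy, random-appdata-exe, hidden-system-file
    detail: str  # the host or path that triggered it


# "ProxyServer = http=127.0.0.1:5555" or "ProxyServer = host:port"
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([^\s;]+)")
# ComboFix file line: "<created> . <modified>  <size>  <attrs>  <path>"
COMBOFIX_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+([-a-z]{8})\s+([a-zA-Z]:\\.*)$"
)
# ...\appdata\local\<dir>\<file>.exe (matched against the lower-cased path)
APPDATA_EXE_RE = re.compile(r"\\appdata\\local\\([a-z0-9]+)\\([^\\]+)\.exe$")
# Heuristic (assumption): four or more consonants in a row rarely occurs in a
# vendor-chosen directory name but is common in generated ones.
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")


def proxy_points_to_loopback(line):
    """Return the proxy host if the line configures a proxy on this machine
    (127.0.0.0/8 or localhost), which means a local process sits between the
    browser and the network; otherwise None."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    host = m.group(1).rsplit(":", 1)[0]
    if host.lower() == "localhost":
        return host
    try:
        return host if ipaddress.ip_address(host).is_loopback else None
    except ValueError:
        return None


def looks_random(name):
    """All-lowercase letters only, with a run of four or more consonants."""
    return name.isalpha() and name.islower() and bool(CONSONANT_RUN_RE.search(name))


def random_named_appdata_exe(path):
    """(dir, file) if path is an .exe directly under a random-looking
    AppData\\Local directory, else None."""
    m = APPDATA_EXE_RE.search(path.lower())
    if m and looks_random(m.group(1)):
        return m.group(1), m.group(2)
    return None


def hidden_system_file(attrs):
    """Assumed ComboFix attribute layout from the values in the log:
    d=directory, then s=system, h=hidden, a=archive, w/r=writable/read-only."""
    return not attrs.startswith("d") and attrs[2:4] == "sh"


def triage(log_text):
    """Run every check over every line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        host = proxy_points_to_loopback(line)
        if host:
            findings.append(Finding("loopback-proxy", host))
        m = COMBOFIX_RE.match(line)
        if m:
            attrs, path = m.groups()
            if random_named_appdata_exe(path):
                findings.append(Finding("random-appdata-exe", path))
            if hidden_system_file(attrs):
                findings.append(Finding("hidden-system-file", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.detail}")
```

Each hit is a prompt for review, not a verdict: a hidden+system file or a consonant-heavy folder name can be legitimate. The loopback-proxy finding is the one to act on regardless of what else is removed, since the entry is still present in the final ComboFix log posted in this thread, and a browser left pointing at a proxy that no longer exists will simply fail to connect until the setting is cleared (Internet Options > Connections > LAN settings).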



## mustardgas (Apr 5, 2010)

johnb35 said:


> Ok. Then we need to delete the whole folder.
> 
> 1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
> It must be Notepad, not Wordpad.
> ...



Wait, what exactly is being deleted here?  I have to ask as my computer has been acting differently following all these fixes.  It's not that it's been acting entirely bad, but I did have to repair Corel Painter, for example.  Thus I wonder what else has been and will be affected by the fixes.


----------



## johnb35 (Apr 5, 2010)

I'm only having you delete bad files and folders.  Most likely the infections you have messed up some of your programs; it's very common.


----------



## mustardgas (Apr 6, 2010)

johnb35 said:


> Ok. Then we need to delete the whole folder.
> 
> 1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
> It must be Notepad, not Wordpad.
> ...



All I got was a message stating:  "The drive or network connection that the shortcut " refers to is unavailable.  Make sure that the disk is properly inserted or the network resource is available, and then try again."  (the quotation mark after the word shortcut is not a typo or the end to the quote.  The quotation mark was part of the message.)


----------



## johnb35 (Apr 6, 2010)

Try the procedure again making sure that when you save the cfscript file that you are saving directly to your desktop.  Combofix should be placed on your desktop as well, if it's not already there.


----------



## mustardgas (Apr 7, 2010)

I got the same message.  I'm positive I followed your instructions correctly on both attempts.


----------



## johnb35 (Apr 7, 2010)

Seems like you are creating a shortcut somehow, which won't work.  Is combofix on your desktop?  If not please move it there and then retry the procedure.  You last ran combofix from drive H, please move it to your desktop.


----------



## mustardgas (Apr 8, 2010)

johnb35 said:


> Seems like you are creating a shortcut somehow, which won't work.  Is combofix on your desktop?  If not please move it there and then retry the procedure.  You last ran combofix from drive H, please move it to your desktop.




ComboFix is on my desktop.  I did exactly as you said- went to start- run- Notepad.exe- ok- copied the code you provided- edit> paste (in notepad)- saved to desktop- dragged the saved notepad document into ComboFix, which is also on the desktop.  

I can try it again, but there's actually some concerns I'm starting to have about these procedures anyway.  For one, my Wacom tablet is not working properly anymore.  Of course, I can't say for sure if that has anything to do with the cleansing procedures we've gone through.  However, it seems odd to me that my tablet would only now start acting up after this whole virus episode, when I haven't done anything to it.  Also, Corel Painter is acting kind of funny, too, which makes me think the tablet problem correlates to any adverse effect the cleansing process might've had on my computer.  

I don't mean to sound unappreciative of your efforts.  I'm very grateful to you and everyone else who helped remove (or disable?) that hideous virus.  Still, I worry about side effects.  My tablet, for instance, cost me $350.  If its dysfunction is related to these cleansing procedures, then maybe it's a sign to stop...?  I don't know.


----------



## johnb35 (Apr 8, 2010)

I've dealt with infections personally that have messed up a few programs and required reinstalling the program.   I've seen infections mess with Windows Installer.  What kind of problems are you having now with your software?  You just said Corel Painter was acting funny. 

You are still infected and I'm trying to get it all cleaned up.  When you created the cfscript file, did you save it to your desktop?  May I ask what drive you have labeled as drive H?  Is it an external or flash drive or another hard drive?


----------



## mustardgas (Apr 10, 2010)

johnb35 said:


> I've dealt with infections personally that have messed up a few programs and required reinstalling the program.   I've seen infections mess with Windows Installer.  What kind of problems are you having now with your software?  You just said Corel Painter was acting funny.
> 
> You are still infected and I'm trying to get it all cleaned up.  When you created the cfscript file, did you save it to your desktop?  May I ask what drive you have labeled as drive H?  Is it an external or flash drive or another hard drive?



Corel wasn't working at all at one point, so I had to repair it.  Now, although it's up and running again, it's simply behaving a bit differently.  For instance, when I opened a document in there the other day, the zoom bar which once resided in the lower left corner was no longer there, nor were the buttons for minimizing or closing the specific document.  Not a big deal- but still.  Also, maybe the problem with my tablet has to do with corel rather than the tablet itself.  But I can't say for sure.  

Another problem is that iTunes is no longer recognizing my iPod.  But this can probably be fixed pretty easily.  

I did save the cfscript file to my desktop.  And the drive labeled as H is a flash drive.


----------



## AhmedFaraz (Apr 14, 2010)

mustardgas said:


> I can't download any of this onto my own computer, because my computer is completely hijacked.  Right now I'm using my roommate's computer, which is clean.  Should I download the programs you suggested onto my roommate's computer, then transfer them onto mine via flash drive?  And if I do that, won't the virus still block the new programs?  Should I save the programs to my flash drive, then wait until uploading them onto my own computer before installing them?



An internet security program such as the one you have will cover all 3 of them. But no one program will catch everything.


----------

