Solve : Virus removal?

Hi, I had posted at an earlier date about some viruses I had in my computer. I followed the steps given to me by patio for malware removal. I ran a scan and the viruses are gone, but HijackThis says I may need to remove some things, but not before I consult an expert. Here are the logs. Do I need to do anything more?


Here is the SUPERAntiSpyware log...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/23/2009 at 12:58 PM

Application Version : 4.26.1002

Core Rules Database Version : 3908
Trace Rules Database Version: 1853

Scan type : Complete Scan
Total Scan Time : 00:45:29

Memory items scanned : 553
Memory threats detected : 0
Registry items scanned : 4899
Registry threats detected : 0
File items scanned : 64111
File threats detected : 1

Adware.Casino Games (Golden Palace Casino)
C:\HOLDEMV6\CASINO.EXE




Here is the log for Malwarebytes' Anti-Malware:


Malwarebytes' Anti-Malware 1.36
Database version: 2170
Windows 5.1.2600 Service Pack 3

5/23/2009 1:26:08 PM
mbam-log-2009-05-23 (13-26-08).txt

Scan type: Quick Scan
Objects scanned: 75560
Time elapsed: 2 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\NetworkService32 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\NetworkService32\117.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\117.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\118.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\118.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\119.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\119.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\120.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\120.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\121.music.mp3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\121.music.mp3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\122.music.snd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\122.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\123.music.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\123.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\124.video.wmv (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\124.video.wmv.kwd (Worm.Archive) -> Quarantined and deleted successfully.


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:24 PM, on 5/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\INF\MSI\SlowDownCPU\SlowDownCPU.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Eastlink Internet Security\Common\FSM32.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Eastlink Internet Security\Anti-VIRUS\fsgk32st.exe
C:\Program Files\Eastlink Internet Security\Common\FSMA32.EXE
C:\Program Files\Eastlink Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\Eastlink Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eastlink Internet Security\Common\FCH32.EXE
C:\Program Files\Eastlink Internet Security\Common\FAMEH32.EXE
C:\Program Files\Eastlink Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\Eastlink Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Eastlink Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Eastlink Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\Eastlink Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\Eastlink Internet Security\FSAUA\program\fsus.exe
C:\Program Files\Eastlink Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myeastlink.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! TOOLBAR - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SlowDownCPU] C:\WINDOWS\INF\MSI\SlowDownCPU\SlowDownCPU.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Eastlink Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Eastlink Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Stacy Wessell\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Stacy Wessell\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\dmdlgs32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: c65d58d579 - C:\WINDOWS\System32\dmdlgs32.dll (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Eastlink Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Eastlink Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Eastlink Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Eastlink Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Eastlink Internet Security\ORSP Client\fsorsp.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9762 bytes
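The HijackThis log above is read by eye in the thread; as an added example (not part of the original thread and not HijackThis's own code), here is a small Python triage script that parses entry lines in that format and flags the persistence points a reviewer checks first: O20 AppInit_DLLs entries, Winlogon Notify handlers with generated-looking names, and registrations whose backing file is gone. The flagging rules are this example's own assumptions, and the sample input is a constructed handful of lines in the shape of the log above.

```python
"""Triage of HijackThis v2 log entries.

Added example for this thread, not HijackThis's own code.  It parses the
'Oxx - ...' entry lines and flags the persistence points a reviewer checks
first.  The severity rules below are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed sample in the shape of the log posted above, including the
# two O20 lines that the helper's reply singled out.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - AppInit_DLLs: C:\WINDOWS\System32\dmdlgs32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: c65d58d579 - C:\WINDOWS\System32\dmdlgs32.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[ORFN]\d+) - (?P<body>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<path>.+)$")
WINLOGON_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# Handler names such as "c65d58d579" look machine-generated; real vendors
# register readable names (assumption of this example).
HEX_NAME_RE = re.compile(r"[0-9a-fA-F]{8,}")

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    section: str
    target: str
    severity: str  # "high", "medium" or "low"
    reasons: List[str]
    line: str


def parse_entries(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, raw line) for every 'Oxx - ...' entry line."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body"), raw.strip()


def triage(log_text: str) -> List[Finding]:
    """Return the entries worth a second look, highest severity first."""
    findings: List[Finding] = []
    for section, body, raw in parse_entries(log_text):
        reasons: List[str] = []
        severity, target = "low", body
        if section == "O20":
            m = APPINIT_RE.match(body)
            if m:
                # user32.dll loads every AppInit_DLLs entry into each process
                # that links it, so this is a system-wide injection point.
                target = m.group("path")
                reasons.append("AppInit_DLLs entry: DLL loaded into every process that uses user32.dll")
                severity = "high"
            m = WINLOGON_RE.match(body)
            if m:
                target = m.group("path")
                if HEX_NAME_RE.fullmatch(m.group("name")):
                    reasons.append(f"Winlogon Notify handler with generated-looking name {m.group('name')!r}")
                    severity = "high"
        elif section == "O2":
            m = BHO_RE.match(body)
            if m:
                target = m.group("path")
                if m.group("name") == "(no name)" and target == "(no file)":
                    reasons.append("orphaned BHO registration: no name and no backing file")
        if "(file missing)" in body:
            reasons.append("registered component's file is gone; registration is a leftover to clean")
            severity = max(severity, "medium", key=SEVERITY_RANK.__getitem__)
        if reasons:
            findings.append(Finding(section, target, severity, reasons, raw))
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f.severity])


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.section} {f.target}")
        for r in f.reasons:
            print(f"         - {r}")
    print(summarize(triage(SAMPLE_LOG)))
```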



Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O20 - AppInit_DLLs: C:\WINDOWS\System32\dmdlgs32.dll

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

NOTE: It is important that it is saved directly to your Desktop.

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix.

Hello, I followed the last set of instructions and ran ComboFix. Here is the log for that.

Combofix Log:

ComboFix 09-05-26.05 - Stacy Wessell 05/28/2009 10:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.314 [GMT -3:00]
Running from: c:\documents and settings\Stacy Wessell\Desktop\PCRepair.exe
AV: Eastlink Internet Security Services 8.02 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Eastlink Internet Security Services 8.02 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Stacy Wessell\Application Data\02000000ac9a31c7579C.manifest
c:\documents and settings\Stacy Wessell\Application Data\02000000ac9a31c7579O.manifest
c:\documents and settings\Stacy Wessell\Application Data\02000000ac9a31c7579P.manifest
c:\documents and settings\Stacy Wessell\Application Data\02000000ac9a31c7579S.manifest
c:\windows\system32\EV02
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\ZblRPFPG3mLsS.vbs

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-25 19:07 . 2009-05-06 18:06  4784464  ----a-w  c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{7D42730E-E8A7-4BB8-B0E9-7DA8C36AB4D0}\mpengine.dll
2009-05-24 16:05 . 2009-05-24 16:05  57344  ----a-w  c:\documents and settings\Stacy Wessell\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-2172ceff-n\Decora-SSE.dll
2009-05-24 16:05 . 2009-05-24 16:05  24064  ----a-w  c:\documents and settings\Stacy Wessell\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-47437baa-n\Decora-D3D.dll
2009-05-24 16:05 . 2009-05-24 16:05  20480  ----a-w  c:\documents and settings\Stacy Wessell\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-496f5b54-n\jogl_awt.dll
2009-05-24 16:05 . 2009-05-24 16:05  114688  ----a-w  c:\documents and settings\Stacy Wessell\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-496f5b54-n\jogl_cg.dll
2009-05-24 16:05 . 2009-05-24 16:05  315392  ----a-w  c:\documents and settings\Stacy Wessell\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-496f5b54-n\jogl.dll
2009-05-24 16:05 . 2009-05-24 16:05  499712  ----a-w  c:\documents and settings\Stacy Wessell\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-25adae60-n\msvcp71.dll
2009-05-24 16:05 . 2009-05-24 16:05  348160  ----a-w  c:\documents and settings\Stacy Wessell\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-25adae60-n\msvcr71.dll
2009-05-24 16:05 . 2009-05-24 16:05  20480  ----a-w  c:\documents and settings\Stacy Wessell\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-16c72392-n\gluegen-rt.dll
2009-05-24 16:05 . 2009-05-24 16:05  499712  ----a-w  c:\documents and settings\Stacy Wessell\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-25adae60-n\jmc.dll
2009-05-23 19:37 . 2009-05-23 19:37  --------  d-----w  c:\program files\Trend Micro
2009-05-23 16:21 . 2009-05-23 16:21  --------  d-----w  c:\documents and settings\Stacy Wessell\Application Data\Malwarebytes
2009-05-23 16:21 . 2009-04-06 18:32  15504  ----a-w  c:\windows\system32\drivers\mbam.sys
2009-05-23 16:21 . 2009-04-06 18:32  38496  ----a-w  c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-23 16:21 . 2009-05-23 16:21  --------  d-----w  c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-23 16:21 . 2009-05-23 16:21  --------  d-----w  c:\program files\Malwarebytes' Anti-Malware
2009-05-23 15:08 . 2009-05-24 14:00  117760  ----a-w  c:\documents and settings\Stacy Wessell\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-23 15:07 . 2009-05-23 15:07  --------  d-----w  c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-23 15:07 . 2009-05-23 15:07  --------  d-----w  c:\program files\SUPERAntiSpyware
2009-05-23 15:07 . 2009-05-23 15:07  --------  d-----w  c:\documents and settings\Stacy Wessell\Application Data\SUPERAntiSpyware.com
2009-05-23 15:07 . 2009-05-23 15:07  --------  d-----w  c:\program files\Common Files\Wise Installation Wizard
2009-05-23 14:57 . 2009-05-23 14:58  --------  d-----w  c:\program files\CCleaner
2009-05-19 22:31 . 2009-05-06 18:06  4784464  ----a-w  c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2009-05-19 22:30 . 2009-05-19 22:30  --------  d-----w  c:\program files\Windows Defender
2009-05-19 22:26 . 2009-05-19 22:27  36  ---h--r  c:\windows\sued.dat
2009-05-19 21:14 . 2009-05-19 21:14  64160  ----a-w  c:\windows\system32\drivers\Lbd.sys
2009-05-19 21:14 . 2009-05-19 21:14  64160  ----a-w  c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-19 21:12 . 2009-05-19 21:12  --------  dc-h--w  c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-19 21:12 . 2009-03-12 08:17  2902048  -c--a-w  c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-28 05:12 . 2008-08-23 23:38  --------  d-----w  c:\program files\Eastlink Internet Security
2009-05-27 17:44 . 2008-08-29 14:01  --------  d-----w  c:\documents and settings\Stacy Wessell\Application Data\LimeWire
2009-05-26 13:33 . 2009-04-24 12:52  --------  d-----w  c:\program files\Full Tilt Poker
2009-05-24 22:16 . 2009-03-10 19:35  --------  d-----w  c:\program files\PacificPoker
2009-05-23 19:25 . 2008-08-29 14:00  --------  d-----w  c:\program files\Java
2009-05-23 19:24 . 2009-04-10 15:55  152576  ----a-w  c:\documents and settings\Stacy Wessell\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-19 21:14 . 2008-11-02 13:48  --------  d-----w  c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-19 21:01 . 2008-10-01 16:26  --------  d---a-w  c:\documents and settings\All Users\Application Data\TEMP
2009-05-19 12:32 . 2009-03-10 19:35  --------  d-----w  c:\documents and settings\Stacy Wessell\Application Data\PacificPoker
2009-05-15 15:15 . 2008-10-29 13:40  --------  d-----w  c:\program files\LivePix 2.0
2009-05-15 14:44 . 2008-08-26 17:38  1080  ----a-w  c:\windows\AUTOLNCH.REG
2009-05-14 18:46 . 2008-11-14 18:01  --------  d-----w  c:\program files\PKR
2009-04-27 15:54 . 2008-09-29 11:09  --------  d-----w  c:\program files\PokerStars
2009-04-24 12:52 . 2008-08-25 09:53  --------  d--h--w  c:\program files\InstallShield Installation Information
2009-03-12 10:26 . 2009-03-12 01:50  33408  ----a-w  c:\windows\system32\drivers\fsbts.sys
2009-03-09 08:19 . 2008-12-19 00:15  410984  ----a-w  c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00  284160  ----a-w  c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00  826368  ----a-w  c:\windows\system32\wininet.dll
2004-07-22 13:51 . 2004-07-22 13:51  3432656  ----a-w  c:\program files\ManagedDX.CAB
2004-07-20 01:58 . 2004-07-20 01:58  1156363  ----a-w  c:\program files\BDANT.cab
2004-07-20 01:53 . 2004-07-20 01:53  976020  ----a-w  c:\program files\BDAXP.cab
2004-07-09 17:17 . 2004-07-09 17:17  13265040  ----a-w  c:\program files\dxnt.cab
2004-07-09 12:13 . 2004-07-09 12:13  15493481  ----a-w  c:\program files\DirectX.cab
2004-07-09 12:13 . 2004-07-09 12:13  703080  ----a-w  c:\program files\BDA.cab
2004-07-09 07:08 . 2004-07-09 07:08  472576  ----a-w  c:\program files\dxsetup.exe
2004-07-09 07:08 . 2004-07-09 07:08  2242560  ----a-w  c:\program files\dsetup32.dll
2004-07-09 06:03 . 2004-07-09 06:03  62976  ----a-w  c:\program files\DSETUP.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-01 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SlowDownCPU"="c:\windows\INF\MSI\SlowDownCPU\SlowDownCPU.exe" [2005-06-09 212992]
"F-Secure Manager"="c:\program files\Eastlink Internet Security\Common\FSM32.EXE" [2009-02-19 182936]
"F-Secure TNB"="c:\program files\Eastlink Internet Security\FSGUI\TNBUtil.exe" [2009-02-19 957024]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 221184]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-08-20 483328]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2001-10-02 77887]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-08-07 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-26 518488]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2004-06-21 143360]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-01 53248]

c:\documents and settings\Stacy Wessell\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-8-21 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2008-8-25 200704]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05  356352  ----a-w  c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [3/11/2009 10:50 PM 33408]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [8/23/2008 8:39 PM 79872]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/19/2009 6:14 PM 64160]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\Eastlink Internet Security\HIPS\drivers\fshs.sys [3/11/2009 10:49 PM 67808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Eastlink Internet Security\Anti-Virus\minifilter\fsgk.sys [8/23/2008 8:38 PM 86648]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Eastlink Internet Security\ORSP Client\fsorsp.exe [3/11/2009 10:49 PM 55904]
R3 SlowDownCPU;SlowDownCPU;c:\windows\inf\MSI\SlowDownCPU\NTGLM7X.SYS [8/23/2008 7:36 PM 25088]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 4:06 PM 1005904]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Eastlink Internet Security\Anti-Virus\win2k\fsfilter.sys [8/23/2008 8:38 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Eastlink Internet Security\Anti-Virus\win2k\fsrec.sys [8/23/2008 8:38 PM 25184]
.
Contents of the 'Scheduled Tasks' folder

2009-05-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 21:14]

2009-05-24 c:\windows\Tasks\HP DArC Task 2003-08-20 09:23ewlett-Packard77002003-08-20 17:57Y37S1325MJE.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 17:57]

2009-05-28 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2008-08-24 21:23]

2009-05-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-c65d58d579 - c:\windows\System32\dmdlgs32.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myeastlink.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} - hxxp://www.nero.com/doc/NeroVersionCheckerControl.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 10:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan COMPLETED successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-28 10:09
ComboFix-quarantined-files.txt 2009-05-28 13:09

Pre-Run: 138,389,540,864 bytes free
Post-Run: 138,481,037,312 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

189 --- E O F --- 2009-05-25 19:07

    • Click START then RUN
    • Now type Combofix /u in the runbox
    • Make sure there's a space between Combofix and /u
    • Then hit Enter.

    The above procedure will:
    • Delete the following: ComboFix and its associated files and folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Set a new, clean Restore Point.

    ----------

    How is the computer running now?
All viruses removed and the computer is running normally, thanks evil fantasy. So if I run into this problem again, can I use the same steps to resolve it? What was the O20 - AppInit_DLLs: C:\WINDOWS\System32\dmdlgs32.dll that I removed when I ran HijackThis? Thanks again.

Dwayne Austin
I'm not sure what the dmdlgs32.dll was. I do know it wasn't supposed to be there.

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

