Author Topic: [Resolved] dr. guard virus  (Read 4447 times)


Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] dr. guard virus
« Reply #15 on: March 21, 2010, 08:51:42 AM »
In your reply #12, you imply that the issue resolved after running mbam. May I please see THAT log? Thanks!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline phillip 245

  • Bronze Member
  • Posts: 31
Re: [Resolved] dr. guard virus
« Reply #16 on: March 21, 2010, 09:42:57 AM »
Hi: hope this is the log you want from mbam. I do not have the log from HijackThis for the 17th, only the one I posted today. Thanks, Phillip.

Malwarebytes' Anti-Malware 1.44
Database version: 3878
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/17/2010 8:28:07 PM
mbam-log-2010-03-17 (20-28-07).txt

Scan type: Quick Scan
Objects scanned: 123641
Time elapsed: 9 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] dr. guard virus
« Reply #17 on: March 21, 2010, 10:21:59 AM »
Ok, great! You can run hijackthis now and check/fix these:
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0028311268695257) (0028311268695257mcinstcleanup) - Unknown owner - C:\DOCUME~1\Phillip\LOCALS~1\Temp\002831~1.EXE (file missing)

...close all windows before clicking Fix Checked.

Post back a fresh HijackThis log...please advise what you intend to do for your on-board antivirus protection. TM and McAfee both appear to be damaged. One should be removed and the other re-installed.
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
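The entries 1972vet lists above all share one pattern: HijackThis marks them "(no file)" or "(file missing)", meaning the registry still references a BHO, toolbar, protocol handler or service whose file is no longer on disk. The Python below is an added example, not part of this thread and not HijackThis code, that parses lines in that format and flags orphaned entries, O23 services with an unknown owner, and services registered from a Temp directory (the McAfee cleanup entry is exactly that). The sample lines are copied from the log posted in this thread; the function names (parse_log, suspicious) and the flag labels are my own.

```python
"""Triage HijackThis-style log lines (added example; not HijackThis' own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0028311268695257) (0028311268695257mcinstcleanup) - Unknown owner - C:\DOCUME~1\Phillip\LOCALS~1\Temp\002831~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (file missing)
"""

# Every HijackThis entry starts with a section code such as O2, O3, O18, O23.
LINE_RE = re.compile(r"^(O\d+) - (.+)$")


@dataclass
class Entry:
    section: str                 # e.g. "O23"
    kind: str                    # e.g. "Service", "BHO", "Toolbar", "Protocol"
    name: str                    # display name; HijackThis prints "(no name)" when absent
    owner: str                   # O23 only: the vendor string, else ""
    target: str                  # final field: a file path or "(no file)"
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into its fields; returns None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    # Fields are separated by " - "; the last one is always the target.
    parts = rest.split(" - ")
    kind, _, name = parts[0].partition(": ")
    owner = parts[1] if section == "O23" and len(parts) >= 3 else ""
    return Entry(section, kind, name, owner, parts[-1])


def triage(entry: Entry) -> Entry:
    """Attach defender-side flags to an entry based on what HijackThis reported."""
    target = entry.target.lower()
    if target == "(no file)" or target.endswith("(file missing)"):
        entry.flags.append("orphaned")        # registry points at a file that is gone
    if entry.name == "(no name)":
        entry.flags.append("unnamed")         # component registered without a display name
    if entry.section == "O23" and entry.owner.lower() == "unknown owner":
        entry.flags.append("unknown-owner")   # service binary carries no recognised vendor
    if re.search(r"\\temp\\", target):
        entry.flags.append("temp-path")       # a service that runs out of a Temp directory
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse and triage every entry line in a HijackThis-style log."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e is not None]


def suspicious(text: str) -> List[Entry]:
    """Return only the entries that carry at least one flag, in log order."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.section:<4} {e.kind:<9} {', '.join(e.flags):<32} {e.name}")
```

Run against the sample, the report lists the four entries 1972vet asked to have fixed plus the Trend Micro proxy service, while the Adobe BHO and the ATI service, whose files exist and whose vendors are known, pass without flags. An orphaned entry is harmless by itself (the file is gone), but it shows what was installed and whether a removal completed cleanly, which is why the helper asks for it to be cleaned up rather than treated as an active infection.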

Offline phillip 245

  • Bronze Member
  • Posts: 31
Re: [Resolved] dr. guard virus
« Reply #18 on: March 22, 2010, 04:04:23 AM »
HI: 1972
I have tried to delete the O23 entry in the registry but it will not come out. What or how do I do to delete the Trend Micro or McAfee files? I did a search for them and not much luck finding them; there is nothing in Control Panel. Thanks, Phillip

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 6:56:12 AM, on 3/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196655279875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: intu-qt2009 - {03947252-2355-4E9B-B446-8CCC75C43370} - C:\Program Files\QuickTax 2009\ic2009pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: McAfee Application Installer Cleanup (0028311268695257) (0028311268695257mcinstcleanup) - Unknown owner - C:\DOCUME~1\Phillip\LOCALS~1\Temp\002831~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: The Cleaner 2011 Helper Service (moohelp) - MooSoft Development LLC - C:\Program Files\The Cleaner\mhelper.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (file missing)
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (file missing)

--
End of file - 6392 bytes

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] dr. guard virus
« Reply #19 on: March 22, 2010, 06:01:28 AM »
Use the McAfee Removal Tool to completely uninstall their products.

Please select and install One of these free antivirus applications:
AVG Free for Windows
AntiVir Personal Edition Classic
Avast! 4 Home Edition
After successful installation, please reboot the computer.

When the system comes up, run a manual update to the antivirus product you just installed. Download and install everything that it finds. When that completes, run another manual update and d/l once again everything it finds and install them. Continue in that manner until the update finds nothing else to install. When that completes, boot to safe mode and run a complete system scan. Post back THAT log. Thanks!

Offline phillip 245

  • Bronze Member
  • Posts: 31
Re: [Resolved] dr. guard virus
« Reply #20 on: March 22, 2010, 07:18:43 PM »
HI: 1972
I have d/l AVG 9.0, did the updates and did a scan from safe mode, and hopefully this is the log you requested. Question: I do have a McAfee Anti-Virus Plus that I subscribe to; do you think that may be as good as AVG? Thanks, Phillip

AVG 9.0 Anti-Virus command line scanner
Copyright (c) 1992 - 2009 AVG Technologies
Program version 9.0.782, engine 9.0.788
Virus Database: Version 271.1.1/2764  2010-03-22

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\Phillip\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\Phillip\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\config\default Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\software Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\system Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.

------------------------------------------------------------
Objects scanned     : 209182
Found infections    :    0
Found PUPs          :    0
Healed infections   :    0
Healed PUPs         :    0
Warnings            :    0
------------------------------------------------------------

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] dr. guard virus
« Reply #21 on: March 22, 2010, 08:02:51 PM »
McAfee is fine, as is AVG...probably not as good as Avira Antivir would be, though. The log shows that your system is clean.

If your McAfee subscription is current and does not expire for quite some time, you might go ahead now if you like, and uninstall the AVG to try a reinstall of McAfee. Since the installation you had was flawed, as was the TM install...and since you asked how to delete the McAfee entries, I recommended their removal tool to remove them properly. Now that you have cleared the failed install, you should be able to reinstall it if you prefer that to any one of the free versions listed.

Are you having any other issues?

Offline phillip 245

  • Bronze Member
  • Posts: 31
Re: [Resolved] dr. guard virus
« Reply #22 on: March 23, 2010, 05:03:24 PM »
HI: 1972
The only other issue I have at times is a redirect when doing Google searches; it is a pain in the butt at times. It is a lot better since all the work you told me to do. Other than that, I want to thank you and your team of moderators for the very helpful assistance you supplied. Thanks, Phillip

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] dr. guard virus
« Reply #23 on: March 24, 2010, 03:22:58 AM »
OK...hmmm. Well, you should NEVER have to endure ANY browser redirections. I didn't see anything in your logs that would account for any more problems so let's carry on here.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.  It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running...that may cause the scan to stall.


Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] dr. guard virus
« Reply #24 on: March 25, 2010, 09:09:54 AM »
Still with us phillip 245?

Offline phillip 245

  • Bronze Member
  • Posts: 31
Re: [Resolved] dr. guard virus
« Reply #25 on: March 25, 2010, 01:51:54 PM »
HI: 1972 I have run ComboFix twice; it has not made a log at C:\combofix.txt that I see. I will post a txt document from the folder that it is in, if this is any good. I watched it run; it said it was deleting C:\windows\temp\logishrd\LVPrc after it went through stage 50? All of my antivirus and firewall were shut down, no programs were running. It said it made the ComboFix recovery console. Thanks, Phillip

ComboFix 10-03-25.02 - Phillip 03/25/2010  16:30:14.3.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1535.1017 [GMT -3:00]
Running from: C:\Documents and Settings\Phillip\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.


Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] dr. guard virus
« Reply #26 on: March 25, 2010, 04:09:35 PM »
Please open the combofix.txt document once more and compare it to what you posted. Does that look like the entire log to you?

Offline phillip 245

  • Bronze Member
  • Posts: 31
Re: [Resolved] dr. guard virus
« Reply #27 on: March 25, 2010, 05:52:28 PM »
Hi: 1972 I ran ComboFix again at 8:12. It did a backup; at 8:18 it completed stage 50. "Deleting files" came up: C:\windows\temp\logishrd\lvprc\injoi.dll. Then it said "rebooting Windows"; at 8:20 Windows rebooted.

A blue "DOS" window appeared for a couple of seconds and stated "preparing log", "do not ?"; that is all I had time to see before the box disappeared. I waited 10 minutes, then went to C:\combofix on my computer. I looked to see if any combofix.txt was in the C:\ drive; none to be seen. I then opened the folder C:\combofix; in the directory there is a combofix text document of size 1K. I will post that again. Am I looking in the wrong spot? I did print the instructions from Bleeping Computer and followed them to a T. The only thing I see in the log is that it is running from C:\Documents and Settings\Phillip\Desktop\ComboFix.exe. Thanks, Phillip

ComboFix 10-03-25.02 - Phillip 03/25/2010  20:13:36.4.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1535.905 [GMT -3:00]
Running from: C:\Documents and Settings\Phillip\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.


Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] dr. guard virus
« Reply #28 on: March 25, 2010, 06:00:32 PM »
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • When the utility opens click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until the instruction is given.

Next, please do the following:

Step 1
Please download the free utility DDS

Disable any script blocker you may have running, then double click dds.scr to run the tool.
  • When it completes, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Step 2
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to your desktop
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please agree to do so
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that, by default, have already been checked. Please uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <--don't miss this one
  • Then click the Scan button & wait for it to finish
  • Once the scan completes, click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop
**Caution**
Rootkit scans often produce false positives.
Do NOT take any action on any of these "<--- ROOTKIT" entries without proper guidance from an expert user.

Please include the following logs in your next reply, Thanks!:
  • DDS.txt
  • Attach.txt
  • ark.txt
***Note***
Although the document itself may instruct you to zip and attach when posting, please ignore that and copy/paste instead...unless of course, your log is so large that the forum software tells you that it is too large for posting. Only in that case would you need to zip it and attach it. Thanks!

Offline phillip 245

  • Bronze Member
  • Posts: 31
Re: [Resolved] dr. guard virus
« Reply #29 on: March 25, 2010, 07:37:51 PM »
HI 1972, getting into some trouble trying to run some of the programs. All I got is the DDS; the Attach.txt did not materialize when it finished. D/L GMER, tried running, got maybe 2/3 of the way done, got this warning: "GMER has found system modification caused by rootkit activity". The system crashed after saying OK. My drivers are still disabled. Thanks, Phillip

DDS (Ver_10-03-17.01) - NTFSx86 
Run by Phillip at 21:51:44.03 on Thu 03/25/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1535.911 [GMT -3:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Online Armor Firewall *enabled*   {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Phillip\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\sort.exe
C:\Documents and Settings\Phillip\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sympatico.msn.ca/
mStart Page = hxxp://sympatico.msn.ca/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196655279875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\phillip\applic~1\mozilla\firefox\profiles\a1bz1aag.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/
FF - component: c:\documents and settings\phillip\application data\mozilla\firefox\profiles\a1bz1aag.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\javasoft\jre\1.3.1_10\bin\NPJava11.dll
FF - plugin: c:\program files\javasoft\jre\1.3.1_10\bin\NPJava12.dll
FF - plugin: c:\program files\javasoft\jre\1.3.1_10\bin\NPJava131_10.dll
FF - plugin: c:\program files\javasoft\jre\1.3.1_10\bin\NPJava32.dll
FF - plugin: c:\program files\javasoft\jre\1.3.1_10\bin\NPOJI600.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-22 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-22 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-22 242696]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-3-23 226680]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-3-23 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2010-3-23 29560]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-22 308064]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2003-5-7 236368]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2010-3-23 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2010-3-23 3360760]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2003-5-7 19160]
S2 0028311268695257mcinstcleanup;McAfee Application Installer Cleanup (0028311268695257);c:\docume~1\phillip\locals~1\temp\002831~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\phillip\locals~1\temp\002831~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 moohelp;The Cleaner 2011 Helper Service;c:\program files\the cleaner\mhelper.exe [2010-3-15 813056]
S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys --> c:\windows\system32\drivers\tmpreflt.sys [?]
S3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\drivers\inidvd.sys --> c:\windows\system32\drivers\inidvd.sys [?]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\tm_cfw.sys --> c:\windows\system32\drivers\TM_CFW.sys [?]
S3 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys --> c:\windows\system32\drivers\tmevtmgr.sys [?]
S3 TmPfw;Trend Micro Personal Firewall;"c:\program files\trend micro\internet security\tmpfw.exe" --> c:\program files\trend micro\internet security\TmPfw.exe [?]
S3 TmProxy;Trend Micro Proxy Service;"c:\program files\trend micro\internet security\tmproxy.exe" --> c:\program files\trend micro\internet security\TmProxy.exe [?]

=============== Created Last 30 ================

2010-03-26 00:26:20   0   ----a-w-   c:\documents and settings\phillip\defogger_reenable
2010-03-26 00:08:59   0   d-----w-   c:\docume~1\phillip\applic~1\AVG9
2010-03-25 23:12:23   0   d-s---w-   C:\ComboFix
2010-03-25 18:57:20   0   d-sha-r-   C:\cmdcons
2010-03-25 00:41:39   0   d-----w-   c:\docume~1\phillip\applic~1\OnlineArmor
2010-03-25 00:41:39   0   d-----w-   c:\docume~1\alluse~1\applic~1\OnlineArmor
2010-03-24 00:10:04   29560   ----a-w-   c:\windows\system32\drivers\OAnet.sys
2010-03-24 00:10:04   24440   ----a-w-   c:\windows\system32\drivers\OAmon.sys
2010-03-24 00:10:04   226680   ----a-w-   c:\windows\system32\drivers\OADriver.sys
2010-03-24 00:10:02   0   d-----w-   c:\program files\Tall Emu
2010-03-22 22:53:36   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-03-22 22:53:27   216200   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-03-22 22:53:20   0   d-----w-   c:\windows\system32\drivers\Avg
2010-03-22 22:52:36   242696   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-03-22 22:49:01   0   d-----w-   c:\program files\AVG
2010-03-22 22:48:35   0   d-----w-   c:\docume~1\alluse~1\applic~1\avg9
2010-03-22 22:48:18   0   d-----w-   c:\windows\SxsCaPendDel
2010-03-22 22:00:46   61224   ----a-w-   c:\documents and settings\phillip\GoToAssistDownloadHelper.exe
2010-03-16 13:07:44   98816   ----a-w-   c:\windows\sed.exe
2010-03-16 13:07:44   77312   ----a-w-   c:\windows\MBR.exe
2010-03-16 13:07:44   261632   ----a-w-   c:\windows\PEV.exe
2010-03-16 13:07:44   161792   ----a-w-   c:\windows\SWREG.exe
2010-03-16 12:59:50   1264   ----a-w-   c:\windows\system32\drivers\kgpcpy.cfg
2010-03-16 00:27:54   0   d-----w-   C:\32788R22FWJFW.3.tmp
2010-03-15 23:19:41   661808   ----a-w-   c:\windows\system32\UfWSC.cpl
2010-03-15 22:52:34   0   d-----w-   c:\program files\CleanMyPC
2010-03-15 21:55:32   0   d-----w-   c:\docume~1\alluse~1\applic~1\SITEguard
2010-03-15 21:52:56   0   d-----w-   c:\program files\common files\iS3
2010-03-15 21:52:55   0   d-----w-   c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-03-15 21:02:08   0   d-----w-   c:\docume~1\phillip\applic~1\thecleaner
2010-03-15 21:01:47   0   d-----w-   c:\program files\The Cleaner
2010-03-14 15:09:51   0   d-----w-   C:\Temp
2010-03-14 15:06:03   0   d-----w-   C:\MyWorks
2010-03-12 21:27:56   0   d-----w-   c:\docume~1\alluse~1\applic~1\PC Tools
2010-03-12 00:00:38   0   d-----w-   c:\docume~1\phillip\applic~1\Auslogics
2010-03-12 00:00:32   0   d-----w-   c:\program files\Auslogics
2010-03-11 23:52:14   0   d-----w-   c:\program files\AskBarDis
2010-03-09 20:58:14   0   d-----w-   c:\docume~1\phillip\applic~1\Uniblue
2010-03-09 11:01:26   622   ----a-w-   c:\windows\RegGenie.ini
2010-03-09 00:26:59   0   d-----w-   c:\docume~1\alluse~1\applic~1\Citrix
2010-03-09 00:20:19   0   d-----w-   c:\program files\Citrix
2010-03-07 18:31:16   0   d-----w-   c:\docume~1\alluse~1\applic~1\RegCure
2010-03-07 17:28:21   8212   ----a-w-   c:\windows\mfebcdata
2010-03-06 19:05:05   0   d-----w-   c:\docume~1\phillip\applic~1\Intuit Canada
2010-03-06 19:04:33   0   d-----w-   c:\program files\common files\AnswerWorks 4.0
2010-03-06 19:04:20   0   d-----w-   c:\program files\common files\Intuit
2010-03-06 19:04:01   0   d-----w-   c:\program files\QuickTax 2009
2010-03-06 19:03:32   0   d-----w-   c:\docume~1\alluse~1\applic~1\Intuit Canada
2010-02-26 11:03:44   352   ----a-w-   c:\windows\system32\inui09.dat

==================== Find3M  ====================

2010-03-25 01:58:43   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2010-03-25 01:58:43   96512   ----a-w-   c:\windows\system32\drivers\atapi.svs
2010-03-24 23:50:19   2272   -c--a-w-   c:\windows\system32\winui08.dat
2010-01-06 20:32:30   1712201   ----a-w-   c:\windows\system32\InetClnt.dll
2010-01-05 10:00:29   832512   ------w-   c:\windows\system32\wininet.dll
2010-01-05 10:00:21   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-01-05 10:00:20   17408   ------w-   c:\windows\system32\corpol.dll
2009-02-15 15:25:45   32768   -csha-w-   c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021520090216\index.dat

============= FINISH: 21:53:56.70 ===============