Malware Simply Called "Antivirus Software"

OvenMaster

VIP Member
@mustardgas: I am so sorry my info didn't work for you. :( That's how this stupid virus works: disabling one .exe file after another until the whole computer's useless. I've seen that you have to do what I said as soon as you recognize what's going on... the fact you'd done it once already shows this would work otherwise. Again, I'm sorry.
 

mustardgas

New Member
No need to apologize OvenMaster. I hadn't mentioned that I tried that approach last time. If this were my first such malware episode, your reply would've been exactly what I needed. In fact, even before you replied, I too was considering that approach again. Your reply gave me a convenient means to try what I might've ended up trying anyway. So thanks.
 

mustardgas

New Member
HijackThis Log #2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:44 AM, on 4/3/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18444)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

--
End of file - 3532 bytes

As for the ethernet cord, there's one that goes from my roommate's router (the one where I normally connect via wifi) into her computer. I tried connecting the cord into my computer, but didn't get any results. Perhaps this was stupid of me to begin with? If so, how should I go about establishing a connection?
 

deanj20

New Member
No - that should work - take the Ethernet cord from the back of her computer and plug it in to yours. If you're in Safe Mode with Networking, then you should be able to get online. Try it out - it will save you a lot of headache.

C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe

I do not know why these would be running in safe mode. Suspicious if you ask me. Other than that, your log looks fine. Moving on to step 2 - I'm going to copy and paste the Combofix "Rant" that johnb35 and others often use. Please follow the directions:

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.


* Download this file here :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* Then double click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply please post:

* The ComboFix log
* A fresh HiJackThis log
* An update on how your computer is running
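A quick triage pass over the HijackThis log posted above, written as an added example and not code from this thread or from the HijackThis tool: it parses the R/O entries and the Safe Mode process list and flags what a helper would check first (the browser proxy pointing at 127.0.0.1:5555, the orphaned BHO with no file, the AppInit_DLLs entry, and any Safe Mode process outside a known-good list). The log lines are copied from the post; the baseline set, the reason strings and the process path used in the test are the example's own assumptions.

```python
"""Triage pass over a HijackThis log (added example; not code from the thread)."""
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted above, trimmed to those the checks use.
SAMPLE_LOG = r"""
Boot mode: Safe mode with network support

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O20 - AppInit_DLLs: avgrsstx.dll
"""

# Assumed known-good process list for Safe Mode with Networking on this machine.
# WISPTIS.EXE and TabTip.exe are Microsoft's Tablet PC input components; at these
# paths they are expected on a pen-input laptop. A same-named file anywhere else
# does not match the baseline and is flagged, which is the check that matters.
SAFE_MODE_BASELINE = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\wisptis.exe",
    r"c:\program files\common files\microsoft shared\ink\tabtip.exe",
    r"c:\program files\trend micro\hijackthis\hijackthis.exe",
}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
LOOPBACK_RE = re.compile(r"(?:127\.0\.0\.1|localhost)(?::\d+)?", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code ("R1", "O2", ...) or "PROC" for a running process
    item: str    # the entry body or the process path
    reason: str  # what a helper would check


def parse_log(text):
    """Return (boot_mode, running_processes, [(code, body), ...]) from a HijackThis log."""
    boot_mode, processes, entries = "", [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
        elif line.startswith("Boot mode:"):
            boot_mode = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group("code"), m.group("body")))
    return boot_mode, processes, entries


def triage(text):
    """Flag the entries worth a closer look, in the order a helper would read the log."""
    boot_mode, processes, entries = parse_log(text)
    findings = []
    if boot_mode.lower().startswith("safe mode"):
        for proc in processes:
            if proc.lower() not in SAFE_MODE_BASELINE:
                findings.append(Finding("PROC", proc,
                    "runs in Safe Mode but is not in the known-good list; verify the path "
                    "and publisher before renaming or deleting anything"))
    for code, body in entries:
        if "ProxyServer" in body and LOOPBACK_RE.search(body):
            findings.append(Finding(code, body,
                "browser proxy points at loopback; unless the user installed a local proxy, "
                "something on the host was relaying web traffic, and the setting must be "
                "cleared or the browser will fail to connect once that process is gone"))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append(Finding(code, body,
                "BHO still registered but its DLL is gone; an orphan to clean up"))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(Finding(code, body,
                "AppInit_DLLs is loaded into every user-mode process; confirm the DLL "
                "belongs to installed security software"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.item}\n       -> {f.reason}")
```

Run against the posted log it reports the loopback proxy, the orphaned BHO and the AppInit_DLLs entry, and nothing for the four Safe Mode processes, all of which sit at their expected paths.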
 

deanj20

New Member
Well it's way past my bedtime (5:30AM :eek:). I hope Combofix is able to remove whatever is plaguing you. I'm fairly certain that these files
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe

are actually the virus(es) disguised as legitimate looking processes, unless your PC is a Tablet PC. If Combofix doesn't find anything, I would just go to their respective folders and rename them to WISPTIS.EXE.BAD and TabTip.exe.BAD, then reboot into Safe Mode, run HijackThis! again and check the log for running processes. If they're gone, then boot into normal mode and see if your PC behaves normally.

Someone else will be along to help soon I'm sure. Good night and good luck. :D
 

mustardgas

New Member
ComboFix log:

ComboFix 10-04-03.01 - filmmaker 04/03/2010 16:33:47.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.3083 [GMT -5:00]
Running from: H:\ComboFix2.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))
.

2010-04-03 21:40 . 2010-04-03 21:40 -------- d-----w- c:\users\filmmaker\AppData\Local\temp
2010-04-03 21:40 . 2010-04-03 21:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-03 21:40 . 2010-04-03 21:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-03 21:31 . 2010-04-03 21:32 -------- d-----w- C:\32788R22FWJFW
2010-04-03 02:37 . 2010-04-03 02:37 -------- d-----w- c:\program files\Trend Micro
2010-04-02 11:38 . 2010-04-02 11:38 -------- d-----w- c:\users\filmmaker\AppData\Local\vwhnyiffe
2010-04-02 02:55 . 2010-04-02 02:59 -------- d-----w- c:\users\filmmaker\AppData\Local\nos
2010-04-02 02:55 . 2010-04-02 02:55 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-04-02 02:55 . 2010-04-02 03:18 -------- d-----w- c:\programdata\NOS
2010-04-01 19:09 . 2010-04-01 19:09 4076824 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-04-01 19:09 . 2010-04-01 19:09 2059544 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-04-01 19:09 . 2010-04-01 19:09 1598744 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-04-01 19:09 . 2010-04-01 19:09 1274136 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-04-01 19:09 . 2010-04-01 19:09 598296 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-04-01 19:09 . 2010-04-01 19:09 556824 ----a-w- c:\programdata\avg9\update\backup\avgchjwx.dll
2010-04-01 19:09 . 2010-04-01 19:09 459544 ----a-w- c:\programdata\avg9\update\backup\avgcclix.dll
2010-04-01 19:09 . 2010-04-01 19:09 4250976 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-04-01 19:09 . 2010-04-01 19:09 313112 ----a-w- c:\programdata\avg9\update\backup\avglogx.dll
2010-04-01 19:09 . 2010-04-01 19:09 1515224 ----a-w- c:\programdata\avg9\update\backup\avgwd.dll
2010-04-01 19:09 . 2010-04-01 19:09 1086744 ----a-w- c:\programdata\avg9\update\backup\avgchsvx.exe
2010-04-01 19:09 . 2010-04-01 19:09 301336 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-04-01 19:08 . 2010-04-01 19:08 1685784 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-01 19:08 . 2010-04-01 19:08 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-03-31 03:09 . 2010-03-31 03:09 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-03-29 07:15 . 2010-03-29 07:15 -------- d-----w- c:\program files\Gabest
2010-03-26 05:25 . 2010-03-26 05:25 -------- d-----w- c:\program files\iPod
2010-03-26 05:25 . 2010-03-26 05:26 -------- d-----w- c:\program files\iTunes
2010-03-26 05:19 . 2010-03-26 05:19 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-22 23:58 . 2010-03-22 23:58 -------- d-----w- c:\programdata\Comodo Downloader
2010-03-22 23:56 . 2010-04-02 03:43 -------- d-----w- c:\programdata\COMODO
2010-03-22 23:52 . 2010-03-22 23:52 -------- d-----w- c:\program files\COMODO
2010-03-19 08:52 . 2010-03-19 08:52 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-18 10:30 . 2010-03-18 10:30 -------- d-----w- c:\users\filmmaker\AppData\Roaming\Malwarebytes
2010-03-18 10:30 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-18 10:30 . 2010-03-19 08:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-18 10:30 . 2010-03-18 10:30 -------- d-----w- c:\programdata\Malwarebytes
2010-03-18 10:30 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 19:26 . 2010-03-13 19:26 360584 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-03-05 03:14 . 2010-04-01 23:12 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-05 03:14 . 2010-03-05 03:14 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-03-05 03:14 . 2010-03-05 03:14 -------- d-----w- c:\program files\AVG
2010-03-05 03:14 . 2010-03-05 03:14 -------- d-----w- c:\programdata\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-03 06:44 . 2009-04-19 18:08 -------- d-----w- c:\users\filmmaker\AppData\Roaming\WTablet
2010-04-02 11:45 . 2009-04-14 22:47 -------- d-----w- c:\users\filmmaker\AppData\Roaming\uTorrent
2010-04-02 11:24 . 2009-03-07 01:56 7342 ----a-w- c:\users\filmmaker\AppData\Roaming\wklnhst.dat
2010-04-02 04:06 . 2009-03-04 00:39 70488 ----a-w- c:\users\filmmaker\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-02 02:59 . 2009-02-17 07:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-02 02:57 . 2009-09-14 22:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-01 01:51 . 2009-04-16 23:06 2828 --sha-w- c:\programdata\KGyGaAvL.sys
2010-04-01 01:51 . 2009-04-16 23:06 2828 --sha-w- c:\programdata\KGyGaAvL.sys
2010-04-01 00:03 . 2009-03-08 14:53 55857 ----a-w- c:\programdata\nvModes.dat
2010-03-26 05:25 . 2009-10-25 02:05 -------- d-----w- c:\program files\Common Files\Apple
2010-03-26 05:23 . 2009-03-20 01:06 -------- d-----w- c:\program files\QuickTime
2010-03-18 09:34 . 2009-03-17 02:15 8268 ----a-w- c:\users\filmmaker\AppData\Local\d3d9caps.dat
2010-03-13 19:26 . 2010-03-13 19:26 333192 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
2010-03-13 19:26 . 2010-03-13 19:26 28424 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-03-13 19:26 . 2010-03-05 03:14 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 19:26 . 2010-03-13 19:26 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 19:26 . 2010-03-05 03:14 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 19:25 . 2010-03-05 03:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 09:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-09 16:28 . 2010-03-30 20:24 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-30 20:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-30 20:24 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-05 03:14 . 2010-03-05 16:49 3777280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-03-05 03:14 . 2010-03-13 19:24 800536 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-03-05 03:14 . 2010-03-13 19:24 613656 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-02-24 15:16 . 2009-10-03 23:20 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:39 . 2010-03-11 09:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-11 09:00 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-11 09:00 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-01 01:45 . 2009-09-14 22:26 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-01 01:45 . 2009-09-14 22:22 38784 ----a-w- c:\users\filmmaker\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-25 12:48 . 2010-02-23 21:33 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:48 . 2010-02-23 21:33 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48 . 2010-02-23 21:33 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48 . 2010-02-23 21:33 472064 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 12:45 . 2010-02-23 21:33 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:35 . 2010-02-23 21:33 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35 . 2010-02-23 21:33 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34 . 2010-02-23 21:33 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:34 . 2010-02-23 21:33 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44 . 2010-02-23 21:33 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-22 01:01 . 2010-01-22 01:01 1 ----a-w- c:\users\filmmaker\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-22 00:16 . 2010-01-22 00:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-16 19:33 . 2010-01-16 19:33 1956072 ----a-w- c:\users\filmmaker\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-01-08 19:38 . 2010-01-08 19:38 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2010-01-08 19:37 . 2010-01-08 19:37 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-02-17 07:15 . 2009-02-17 07:15 75 --sh--r- c:\windows\CT4CET.bin
2009-02-17 08:34 . 2009-02-17 08:30 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 19:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-02-17 07:27 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Dell Remote Access.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Dell Remote Access.lnk
backup=c:\windows\pss\Dell Remote Access.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^filmmaker^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\filmmaker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2008-10-27 09:54 3563520 ----a-w- c:\windows\System32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2009-04-09 22:29 1762032 ----a-w- c:\program files\Dell DataSafe Online\DataSafeOnline.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-06-03 19:46 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-02-12 19:37 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-01-07 21:07 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2008-12-03 04:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-08-18 12:20 13548064 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2008-08-18 12:20 96800 ----a-w- c:\windows\System32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-08-18 12:20 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2008-04-18 10:08 36864 ----a-w- c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 16:57 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-22 00:16 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-24 06:09 1029416 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2008-12-04 09:05 442467 ----a-w- c:\program files\IDT\WDM\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-13 216200]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 15656]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe [2008-12-04 73728]
R4 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-13 916760]
R4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]
R4 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]
R4 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-05-01 3032360]
R4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-03-27 2789672]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-03-13 242696]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-03-24 183808]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-03 16:40
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-03 16:41:27
ComboFix-quarantined-files.txt 2010-04-03 21:41
ComboFix2.txt 2010-04-03 01:27

Pre-Run: 102,657,966,080 bytes free
Post-Run: 102,625,353,728 bytes free

- - End Of File - - A76EB3437F854D6EB31F06450A120FFA

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:43 PM, on 4/3/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18444)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

--
End of file - 3576 bytes

Malwarebytes Log

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

4/3/2010 5:02:13 PM
mbam-log-2010-04-03 (17-02-13).txt

Scan type: Quick scan
Objects scanned: 102057
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

My computer appears to be fully functional again. I can access the internet, update malwarebytes, and so forth. The virus no longer seems present. However, a quick scan by malwarebytes revealed no infections. Does that mean that the procedure I just went through (the above quoted instructions) eliminated the virus? Or is there more yet to be done?
 

mustardgas

New Member
Well, I guess the problem's resolved, then? Thanks to everyone who helped me out. I greatly appreciate it. Btw, how do I go about preventing this from happening again in the future? It's a firewall issue, right? I had Comodo for a while, but its popups became so obnoxious that I deleted it. Crazy thing is, the day I deleted it was the day I got this most recent virus. Is there a way of setting up my computer with freeware such that I can use the internet without feeling threatened, as well as be free of obnoxious popups coming from the freeware itself? Man, the internet has become a pain in the ass to use.
 

johnb35

Administrator
Staff member
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
DIRLOOK::
c:\users\filmmaker\AppData\Local\vwhnyiffe

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
 

mustardgas

New Member
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
DIRLOOK::
c:\users\filmmaker\AppData\Local\vwhnyiffe

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

LOG

ComboFix 10-04-03.01 - filmmaker 04/04/2010 3:58.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2205 [GMT -5:00]
Running from: H:\ComboFix2.exe
Command switches used :: c:\users\filmmaker\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-03-04 to 2010-04-04 )))))))))))))))))))))))))))))))
.

2010-04-04 09:06 . 2010-04-04 09:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-04 09:06 . 2010-04-04 09:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-03 21:41 . 2010-04-04 09:06 -------- d-----w- c:\users\filmmaker\AppData\Local\temp
2010-04-03 02:37 . 2010-04-03 02:37 -------- d-----w- c:\program files\Trend Micro
2010-04-02 11:38 . 2010-04-02 11:38 -------- d-----w- c:\users\filmmaker\AppData\Local\vwhnyiffe
2010-04-02 02:55 . 2010-04-02 02:59 -------- d-----w- c:\users\filmmaker\AppData\Local\nos
2010-04-02 02:55 . 2010-04-02 02:55 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-04-02 02:55 . 2010-04-02 03:18 -------- d-----w- c:\programdata\NOS
2010-04-01 19:09 . 2010-04-01 19:09 4076824 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-04-01 19:09 . 2010-04-01 19:09 2059544 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-04-01 19:09 . 2010-04-01 19:09 1598744 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-04-01 19:09 . 2010-04-01 19:09 1274136 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-04-01 19:09 . 2010-04-01 19:09 598296 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-04-01 19:09 . 2010-04-01 19:09 556824 ----a-w- c:\programdata\avg9\update\backup\avgchjwx.dll
2010-04-01 19:09 . 2010-04-01 19:09 459544 ----a-w- c:\programdata\avg9\update\backup\avgcclix.dll
2010-04-01 19:09 . 2010-04-01 19:09 4250976 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-04-01 19:09 . 2010-04-01 19:09 313112 ----a-w- c:\programdata\avg9\update\backup\avglogx.dll
2010-04-01 19:09 . 2010-04-01 19:09 1515224 ----a-w- c:\programdata\avg9\update\backup\avgwd.dll
2010-04-01 19:09 . 2010-04-01 19:09 1086744 ----a-w- c:\programdata\avg9\update\backup\avgchsvx.exe
2010-04-01 19:09 . 2010-04-01 19:09 301336 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-04-01 19:08 . 2010-04-01 19:08 1685784 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-01 19:08 . 2010-04-01 19:08 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-03-31 03:09 . 2010-03-31 03:09 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-03-29 07:15 . 2010-03-29 07:15 -------- d-----w- c:\program files\Gabest
2010-03-26 05:25 . 2010-03-26 05:25 -------- d-----w- c:\program files\iPod
2010-03-26 05:25 . 2010-03-26 05:26 -------- d-----w- c:\program files\iTunes
2010-03-26 05:19 . 2010-03-26 05:19 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-22 23:58 . 2010-03-22 23:58 -------- d-----w- c:\programdata\Comodo Downloader
2010-03-22 23:56 . 2010-04-02 03:43 -------- d-----w- c:\programdata\COMODO
2010-03-22 23:52 . 2010-03-22 23:52 -------- d-----w- c:\program files\COMODO
2010-03-19 08:52 . 2010-04-03 21:57 5918776 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-18 10:30 . 2010-03-18 10:30 -------- d-----w- c:\users\filmmaker\AppData\Roaming\Malwarebytes
2010-03-18 10:30 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-18 10:30 . 2010-04-03 21:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-18 10:30 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-18 10:30 . 2010-03-18 10:30 -------- d-----w- c:\programdata\Malwarebytes
2010-03-13 19:26 . 2010-03-13 19:26 360584 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-03-13 19:26 . 2010-03-13 19:26 333192 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
2010-03-13 19:26 . 2010-03-13 19:26 28424 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-03-13 19:26 . 2010-03-13 19:26 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 19:24 . 2010-03-05 03:14 800536 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-03-13 19:24 . 2010-03-05 03:14 613656 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-03-11 09:00 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-11 09:00 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-03-11 09:00 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-05 16:49 . 2010-03-05 03:14 3777280 ----a-w- c:\programdata\avg9\update\backup\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 08:59 . 2009-03-07 01:56 7456 ----a-w- c:\users\filmmaker\AppData\Roaming\wklnhst.dat
2010-04-04 01:16 . 2009-04-16 23:06 2828 --sha-w- c:\programdata\KGyGaAvL.sys
2010-04-04 01:16 . 2009-04-16 23:06 2828 --sha-w- c:\programdata\KGyGaAvL.sys
2010-04-03 06:44 . 2009-04-19 18:08 -------- d-----w- c:\users\filmmaker\AppData\Roaming\WTablet
2010-04-02 11:45 . 2009-04-14 22:47 -------- d-----w- c:\users\filmmaker\AppData\Roaming\uTorrent
2010-04-02 04:06 . 2009-03-04 00:39 70488 ----a-w- c:\users\filmmaker\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-02 02:59 . 2009-02-17 07:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-02 02:57 . 2009-09-14 22:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-01 00:03 . 2009-03-08 14:53 55857 ----a-w- c:\programdata\nvModes.dat
2010-03-26 05:25 . 2009-10-25 02:05 -------- d-----w- c:\program files\Common Files\Apple
2010-03-26 05:23 . 2009-03-20 01:06 -------- d-----w- c:\program files\QuickTime
2010-03-18 09:34 . 2009-03-17 02:15 8268 ----a-w- c:\users\filmmaker\AppData\Local\d3d9caps.dat
2010-03-13 19:26 . 2010-03-05 03:14 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 19:26 . 2010-03-05 03:14 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 19:25 . 2010-03-05 03:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 09:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-09 16:28 . 2010-03-30 20:24 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-30 20:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-30 20:24 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-05 03:14 . 2010-03-05 03:14 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-03-05 03:14 . 2010-03-05 03:14 -------- d-----w- c:\program files\AVG
2010-03-05 03:14 . 2010-03-05 03:14 -------- d-----w- c:\programdata\avg9
2010-02-24 15:16 . 2009-10-03 23:20 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-01 01:45 . 2009-09-14 22:26 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-01 01:45 . 2009-09-14 22:22 38784 ----a-w- c:\users\filmmaker\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-25 12:48 . 2010-02-23 21:33 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:48 . 2010-02-23 21:33 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48 . 2010-02-23 21:33 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48 . 2010-02-23 21:33 472064 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 12:45 . 2010-02-23 21:33 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:35 . 2010-02-23 21:33 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35 . 2010-02-23 21:33 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34 . 2010-02-23 21:33 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:34 . 2010-02-23 21:33 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44 . 2010-02-23 21:33 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-22 01:01 . 2010-01-22 01:01 1 ----a-w- c:\users\filmmaker\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-22 00:16 . 2010-01-22 00:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-16 19:33 . 2010-01-16 19:33 1956072 ----a-w- c:\users\filmmaker\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-01-08 19:38 . 2010-01-08 19:38 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2010-01-08 19:37 . 2010-01-08 19:37 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-02-17 07:15 . 2009-02-17 07:15 75 --sh--r- c:\windows\CT4CET.bin
2009-02-17 08:34 . 2009-02-17 08:30 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\filmmaker\AppData\Local\vwhnyiffe ----

2010-04-02 11:38 . 2010-04-02 11:37 270592 ----a-w- c:\users\filmmaker\AppData\Local\vwhnyiffe\vdqvidftssd.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 19:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-02-17 07:27 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Dell Remote Access.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Dell Remote Access.lnk
backup=c:\windows\pss\Dell Remote Access.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^filmmaker^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\filmmaker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2008-10-27 09:54 3563520 ----a-w- c:\windows\System32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2009-04-09 22:29 1762032 ----a-w- c:\program files\Dell DataSafe Online\DataSafeOnline.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-06-03 19:46 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-02-12 19:37 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 05:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2008-12-03 04:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-08-18 12:20 13548064 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2008-08-18 12:20 96800 ----a-w- c:\windows\System32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-08-18 12:20 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2008-04-18 10:08 36864 ----a-w- c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 16:57 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-22 00:16 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-24 06:09 1029416 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2008-12-04 09:05 442467 ----a-w- c:\program files\IDT\WDM\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 15656]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe [2008-12-04 73728]
R4 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-13 916760]
R4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]
R4 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]
R4 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-05-01 3032360]
R4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-03-27 2789672]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-13 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-03-13 242696]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-03-24 183808]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 04:06
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-04 04:09:03
ComboFix-quarantined-files.txt 2010-04-04 09:09
ComboFix2.txt 2010-04-03 21:41
ComboFix3.txt 2010-04-03 01:27

Pre-Run: 102,419,156,992 bytes free
Post-Run: 102,394,814,464 bytes free

- - End Of File - - 489A4CA07C2300DBFBB4FED6E2493416
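A way to triage a ComboFix log like the one above for the kinds of entries johnb35 acted on, as an added Python example (not code from this thread, from ComboFix or from johnb35). The sample lines are a constructed subset copied in the formats ComboFix prints in its "Files Created", "Find3M", "Look" and "Supplementary Scan" sections; the two heuristics, a random-looking directory name under AppData and a browser proxy pointing at loopback, are assumptions of this example and flag items for an analyst to review, not verdicts:

```python
"""Triage helper for ComboFix-style log lines.

Added example for this thread; it is not ComboFix's own code and not
johnb35's procedure.  The sample lines are a constructed subset in the
formats ComboFix prints, and the heuristics (random-looking names under
AppData, a browser proxy on loopback, hidden+system attributes) are
assumptions of this example.
"""
import re
from typing import Dict, List

# Constructed sample: lines in the shapes ComboFix uses in its "Files Created",
# "Find3M", "Look" and "Supplementary Scan" sections.
SAMPLE_LOG = r"""
2010-04-02 11:38 . 2010-04-02 11:38 -------- d-----w- c:\users\filmmaker\AppData\Local\vwhnyiffe
2010-04-02 02:55 . 2010-04-02 02:59 -------- d-----w- c:\users\filmmaker\AppData\Local\nos
2010-04-02 11:38 . 2010-04-02 11:37 270592 ----a-w- c:\users\filmmaker\AppData\Local\vwhnyiffe\vdqvidftssd.exe
2010-03-18 10:30 . 2010-03-18 10:30 -------- d-----w- c:\users\filmmaker\AppData\Roaming\Malwarebytes
2010-03-18 10:30 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 07:15 . 2009-02-17 07:15 75 --sh--r- c:\windows\CT4CET.bin
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

# "<created> . <modified> <size|--------> <attrs> <path>"; attrs is 8 chars,
# position 2 = system (s), position 3 = hidden (h).
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
APPDATA_RE = re.compile(r"\\AppData\\(?:Local|Roaming)\\(?P<name>[^\\]+)", re.IGNORECASE)
VOWELS = set("aeiou")


def longest_consonant_run(name: str) -> int:
    """Length of the longest run of consonant letters (y counts as a consonant)."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name: str) -> bool:
    """Heuristic (assumption of this example): a long, all-lowercase-letter name
    with a four-consonant run reads like a generated name, not a vendor's."""
    return (len(name) >= 8 and name.isalpha() and name.islower()
            and longest_consonant_run(name) >= 4)


def is_loopback(hostport: str) -> bool:
    """True for a proxy host of localhost or 127.x.x.x."""
    host = hostport.rsplit(":", 1)[0].strip().lower()
    return host == "localhost" or host.startswith("127.")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return findings as dicts with severity, reason and the offending item."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if entry:
            path, attrs = entry.group("path"), entry.group("attrs")
            hit = APPDATA_RE.search(path)
            if hit and looks_random(hit.group("name")):
                findings.append({"severity": "high",
                                 "reason": "random-looking name under AppData",
                                 "item": path})
            if attrs[2] == "s" and attrs[3] == "h":
                # Hidden+system is also used by legitimate licensing files, so
                # this is a review item rather than a verdict.
                findings.append({"severity": "review",
                                 "reason": "hidden+system attributes",
                                 "item": path})
            continue
        proxy = PROXY_RE.match(line)
        if proxy:
            # Value may be "host:port" or "http=host:port;https=host:port".
            for spec in proxy.group("value").split(";"):
                if is_loopback(spec.split("=", 1)[-1]):
                    findings.append({"severity": "high",
                                     "reason": "browser proxy points at loopback",
                                     "item": line})
                    break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}: {f['item']}")
```

On the sample, the three "high" findings are the vwhnyiffe folder, the executable inside it and the ProxyServer line; the hidden+system CT4CET.bin comes back as a "review" item, which is the file johnb35 later lists under File:: in the next CFScript. The proxy entry is worth noting because the thread never resets it: an Internet Explorer proxy pointing at 127.0.0.1 on a machine with no local proxy software installed is a setting to check after cleanup, since the browser will keep failing or routing through it once the process that listened on that port is gone.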
 

johnb35

Administrator
Staff member
Ok. Then we need to delete the whole folder.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
File::
c:\windows\CT4CET.bin

Folder::
c:\users\filmmaker\AppData\Local\vwhnyiffe


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Also post a fresh hijackthis log.
 

mustardgas

New Member
Ok. Then we need to delete the whole folder.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
File::
c:\windows\CT4CET.bin

Folder::
c:\users\filmmaker\AppData\Local\vwhnyiffe


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Also post a fresh hijackthis log.

Wait, what exactly is being deleted here? I have to ask as my computer has been acting differently following all these fixes. It's not that it's been acting entirely bad, but I did have to repair Corel Painter, for example. Thus I wonder what else has been and will be affected by the fixes.
 

johnb35

Administrator
Staff member
I'm only having you delete bad files and folders. Most likely the infections you have messed up some of your programs, it's very common.
 

mustardgas

New Member
Ok. Then we need to delete the whole folder.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
File::
c:\windows\CT4CET.bin

Folder::
c:\users\filmmaker\AppData\Local\vwhnyiffe


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Also post a fresh hijackthis log.

All I got was a message stating: "The drive or network connection that the shortcut " refers to is unavailable. Make sure that the disk is properly inserted or the network resource is available, and then try again." (the quotation mark after the word shortcut is not a typo or the end to the quote. The quotation mark was part of the message.)
 

johnb35

Administrator
Staff member
Try the procedure again making sure that when you save the cfscript file that you are saving directly to your desktop. Combofix should be placed on your desktop as well, if it's not already there.
 

johnb35

Administrator
Staff member
Seems like you are creating a shortcut somehow, which won't work. Is combofix on your desktop? If not please move it there and then retry the procedure. You last ran combofix from drive H, please move it to your desktop.
 

mustardgas

New Member
Seems like you are creating a shortcut somehow, which won't work. Is combofix on your desktop? If not please move it there and then retry the procedure. You last ran combofix from drive H, please move it to your desktop.


ComboFix is on my desktop. I did exactly as you said: went to Start > Run > Notepad.exe > OK, copied the code you provided, Edit > Paste (in Notepad), saved to Desktop, dragged the saved Notepad document into ComboFix, which is also on the desktop.

I can try it again, but there's actually some concerns I'm starting to have about these procedures anyway. For one, my Wacom tablet is not working properly anymore. Of course, I can't say for sure if that has anything to do with the cleansing procedures we've gone through. However, it seems odd to me that my tablet would only now start acting up after this whole virus episode, when I haven't done anything to it. Also, Corel Painter is acting kind of funny, too, which makes me think the tablet problem correlates to any adverse effect the cleansing process might've had on my computer.

I don't mean to sound unappreciative of your efforts. I'm very grateful to you and everyone else who helped remove (or disable?) that hideous virus. Still, I worry about side effects. My tablet, for instance, cost me $350 dollars. If its dysfunction is related to these cleansing procedures, then maybe it's a sign to stop...? I don't know.
 

johnb35

Administrator
Staff member
I've dealt with infections personally that have messed up a few programs and required reinstalling the program. I've seen infections mess with Windows Installer. What kind of problems are you having now with your software? You just said Corel Painter was acting funny.

You are still infected and I'm trying to get it all cleaned up. When you created the cfscript file, did you save it to your desktop? May I ask what drive you have labeled as drive H? Is it an external or flash drive or another hard drive?
 