Inactive Malware / warnings of infection

Status
Not open for further replies.

DENNISEPT

Posts: 14   +0
I have a very poorly worded warning that persists on my desktop that says "Your computer is making unauthorized copies of youe system and Internet files. You should imideatly run a full scan your system to prevent any unauthorized access to your data."

This is the exact text; the spelling and grammatical errors are exact copies of the warning.

Log file to follow.


DAS: C:\Documents and Settings

D: C:\Documents and Settings\All Users\Desktop
D: C:\Documents and Settings\Default User\Desktop
D: C:\Documents and Settings\Dennis\Desktop
D: C:\WINDOWS\system32\config\systemprofile\Desktop

SM: C:\Documents and Settings\All Users\Start Menu
SM: C:\Documents and Settings\Default User\Start Menu
SM: C:\Documents and Settings\Dennis\Start Menu
SM: C:\Documents and Settings\LocalService\Start Menu
SM: C:\WINDOWS\system32\config\systemprofile\Start Menu

UR: C:\Documents and Settings\All Users
UR: C:\Documents and Settings\Default User
UR: C:\Documents and Settings\Dennis
UR: C:\Documents and Settings\LocalService
UR: C:\Documents and Settings\NetworkService
UR: C:\WINDOWS\system32\config\systemprofile

F: C:\Documents and Settings\All Users\Favorites
F: C:\Documents and Settings\Default User\Favorites
F: C:\Documents and Settings\Dennis\Favorites
F: C:\Documents and Settings\LocalService\Favorites
F: C:\WINDOWS\system32\config\systemprofile\Favorites

AD: C:\Documents and Settings\All Users\Application Data
AD: C:\Documents and Settings\Dennis\Application Data
AD: C:\Documents and Settings\Default User\Application Data
AD: C:\Documents and Settings\LocalService\Application Data
AD: C:\Documents and Settings\NetworkService\Application Data
AD: C:\WINDOWS\system32\config\systemprofile\Application Data

QL: C:\Documents and Settings\Dennis\Application Data\Microsoft\Internet Explorer\Quick Launch

TF: C:\Documents and Settings\Default User\Local Settings\Temp
TF: C:\Documents and Settings\Dennis\Local Settings\Temp
TF: C:\Documents and Settings\LocalService\Local Settings\Temp
TF: C:\Documents and Settings\NetworkService\Local Settings\Temp
TF: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp
TF: C:\WINDOWS\Temp

P: C:\Documents and Settings\All Users\Start Menu\Programs
P: C:\Documents and Settings\Default User\Start Menu\Programs
P: C:\Documents and Settings\Dennis\Start Menu\Programs
P: C:\Documents and Settings\LocalService\Start Menu\Programs
P: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs

S: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
S: C:\Documents and Settings\Default User\Start Menu\Programs\Startup
S: C:\Documents and Settings\Dennis\Start Menu\Programs\Startup
S: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup

D: C:\Documents and Settings\All Users\Documents
D: C:\Documents and Settings\Default User\My Documents
D: C:\Documents and Settings\Dennis\My Documents
D: C:\WINDOWS\system32\config\systemprofile\My Documents


DDS (Ver_10-10-21.02) - NTFSx86
Run by Dennis at 21:49:09.20 on 30/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.174 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\lexmark\drivers\3500-4500\Lexmark 3500-4500 Series\lxdimon.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\system32\SearchIndexer.exe
C:\lexmark\drivers\3500-4500\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nexus Radio\Nexus Radio.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dennis\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Nexus Radio] c:\program files\nexus radio\Nexus Radio.exe -0
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [lxdimon.exe] "c:\lexmark\drivers\3500-4500\lexmark 3500-4500 series\lxdimon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [lxdiamon] "c:\lexmark\drivers\3500-4500\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\office
Trusted Zone: msn.ca\sympatico
Trusted Zone: windowsupdate.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/a/f/b/afba1967-2025-49da-8356-bc4132038945/VirtualEarth3D.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://secure.learning.gov.ab.ca/edarts.internet/includes/smsx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://design-concept.ca/Core/Player/2020PlayerAX_Win32.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1287500169764
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://64.114.25.196/Vernon/cabfile/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188480287067
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188480276792
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-9 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-9 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-31 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2008-2-6 99248]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-3-21 114952]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-6-23 16512]
S3 cpuz132;cpuz132;\??\c:\docume~1\dennis\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\dennis\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 EuMusDesignVirtualAudioCableWdm_s2x;Sound2x Audio Cable (WDM);c:\windows\system32\drivers\vacs2xkd.sys [2008-6-23 42880]

=============== Created Last 30 ================

2010-10-31 04:14:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-31 04:14:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-31 03:34:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-30 20:34:19 78040 ----a-w- c:\windows\system32\drivers\klmd.sys
2010-10-30 19:43:46 -------- dc----w- C:\TDSSKiller_Quarantine
2010-10-29 14:15:44 -------- d-----w- c:\program files\iPod
2010-10-29 14:15:36 -------- d-----w- c:\program files\iTunes
2010-10-29 14:14:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-10-29 14:14:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-10-29 14:14:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-10-29 14:14:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-10-29 14:14:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2010-10-29 14:14:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2010-10-29 14:14:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2010-10-26 13:21:43 -------- dc----w- c:\docume~1\alluse~1\applic~1\{C3243856-7746-4A05-8837-51A28C1CDD82}
2010-10-17 17:55:31 -------- dc----w- c:\documents and settings\all users\Uniblue
2010-10-17 16:45:53 -------- dc----w- c:\docume~1\alluse~1\applic~1\ReviverSoft
2010-10-17 16:45:20 -------- d-----w- c:\docume~1\dennis\locals~1\applic~1\OpenCandy
2010-10-17 16:45:12 -------- d-----w- c:\docume~1\dennis\applic~1\OpenCandy
2010-10-17 16:13:37 -------- d-----w- c:\docume~1\dennis\applic~1\DriverCure
2010-10-17 16:13:15 -------- dc----w- c:\docume~1\alluse~1\applic~1\DriverCure
2010-10-17 16:05:40 -------- dc----w- c:\docume~1\alluse~1\applic~1\Driver Whiz
2010-10-17 15:51:13 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-10-17 15:51:12 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-10-17 15:47:39 -------- d-----w- c:\program files\Bonjour
2010-10-16 01:41:36 -------- dc----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-10-06 20:38:54 165376 ----a-w- c:\windows\system32\unrar.dll
2010-10-06 19:06:54 -------- d-----w- c:\docume~1\dennis\applic~1\WindSolutions
2010-10-06 19:06:43 -------- dc----w- c:\docume~1\alluse~1\applic~1\WindSolutions
2010-10-05 13:14:25 -------- d-----w- c:\program files\YouTube Downloader

==================== Find3M ====================

2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 18:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-13 12:53:02 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 21:51:05.55 ===============


GMER 1.0.15.15477 - http://www.gmer.net
Rootkit quick scan 2010-10-30 21:46:55
Windows 5.1.2600 Service Pack 3
Running: 8yf0d7gz.exe; Driver: C:\DOCUME~1\Dennis\LOCALS~1\Temp\pgpyypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHDS728040PLAT20_________________________PF1OA2AA#5&1e66e99f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Threads - GMER 1.0.15 ----

Thread System [4:564] F8939730
Thread System [4:576] F873A078
Thread System [4:584] F86CBE8A

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [MANUAL] vbma1edb <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
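The two logs above carry the indicators a malware-removal helper would key on: a process whose image path sits under `\\.\globalroot\Device\...` (a device-namespace path no legitimate Windows binary runs from), two `svchost.exe` entries listed with no path at all, a driver registered out of the user's `Temp` folder, and the GMER line reporting a hidden service. The script below is an added example, not part of the original post and not something the DDS or GMER authors ship: it parses a pasted DDS/GMER log section by section and returns those findings as a list. The sample text is copied from the log above (trimmed to the relevant sections); the rule names and HIGH/MEDIUM severities are this script's own assumed conventions.

```python
"""Triage a pasted DDS + GMER log for rootkit indicators (added example).

Rules applied, per log section:
  Running Processes  -> image under \\.\globalroot\ (HIGH), image listed with no path (MEDIUM)
  SERVICES / DRIVERS -> driver file registered under a \temp\ directory (MEDIUM)
  GMER Services      -> service GMER marks as *** hidden *** (HIGH)
Severity labels and rule names are assumptions of this script, not DDS/GMER output.
"""
import re

# Log lines copied from the DDS and GMER output in the post above (sample input for this example).
SAMPLE_LOG = r"""
============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Dennis\Desktop\dds.scr

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-9 216400]
S3 cpuz132;cpuz132;\??\c:\docume~1\dennis\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\dennis\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [MANUAL] vbma1edb <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

GLOBALROOT_RE = re.compile(r"^\\\\[.?]\\globalroot\\", re.IGNORECASE)   # \\.\globalroot\ or \\?\globalroot\
DRIVER_LINE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+)$")          # DDS "R1 name;desc;path [..]" rows
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)                          # any \temp\ path component


def _section_name(line):
    """Return the section title for a DDS '=== Title ===' or GMER '---- Title - GMER ...' header."""
    m = re.match(r"^=+\s*(.*?)\s*=+$", line)
    if m:
        return m.group(1)
    m = re.match(r"^---- (.*?) - GMER", line)
    if m:
        return m.group(1)
    return None


def check_process(line):
    """Flag a Running Processes entry whose image location is abnormal or unverifiable."""
    path = line.strip().strip('"')
    if GLOBALROOT_RE.match(path):
        return ("HIGH", "globalroot-path", path)
    # No directory component: the log does not tell us where this binary lives.
    if "\\" not in path and path.lower().endswith(".exe"):
        return ("MEDIUM", "no-path", path)
    return None


def check_driver(line):
    """Flag a SERVICES / DRIVERS row whose driver file is registered under a Temp directory."""
    m = DRIVER_LINE_RE.match(line)
    if not m:
        return None
    name = m.group(1)
    path = m.group(3).split(" -->")[0].split(" [")[0]   # drop DDS's ' --> resolved' and ' [date size]' suffixes
    if TEMP_RE.search(path):
        return ("MEDIUM", "driver-in-temp", f"{name}: {path}")
    return None


def check_gmer_service(line):
    """Flag a GMER Services row that GMER itself marks as hidden."""
    if "*** hidden ***" in line:
        m = re.search(r"\]\s+(\S+)", line)          # service name follows the [START TYPE] bracket
        return ("HIGH", "hidden-service", m.group(1) if m else line)
    return None


def triage(log_text):
    """Walk the log, dispatch each line to the rule set for its current section, collect findings."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        title = _section_name(line)
        if title is not None:
            section = title.lower()
            continue
        if section == "running processes":
            hit = check_process(line)
        elif section == "services / drivers":
            hit = check_driver(line)
        elif section == "services":          # GMER's "---- Services - GMER ... ----" block
            hit = check_gmer_service(line)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for severity, rule, evidence in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {rule:16} {evidence}")
```

Only the `SERVICES / DRIVERS` block is checked for Temp-folder drivers, so GMER's own randomly named scanner driver (the `Running: ...; Driver: C:\DOCUME~1\...\Temp\pgpyypog.sys` line) is not reported; it is expected. The bare `svchost.exe` entries are rated MEDIUM rather than HIGH because the log alone cannot say where they run from; the `globalroot` path and the hidden service are the lines that justify the rootkit tooling the helper asks for next.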
 
Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
 
I downloaded ComboFix and disabled antispyware and firewall, but when I tried to run ComboFix I didn't see any prompts. The center portion of my screen is covered by a large black box with a warning that says "YOUR SYSTEM IS INFECTED". This may well be covering any ComboFix prompts.
 
When you first start your PC, immediately after pressing the power button, start tapping the F8 key on the keyboard until you get a menu with Safe Mode on it :).
 