Infected PC

Dell / Latitude d505
April 19, 2009 at 05:37:32
Specs: Windows XP
Please help!

I've had AVG advise that I am infected with various Trojan horse droppers and a rootkit.
Can someone hold my hand through the removal of this please?
Cheers,
Darren





#1
April 19, 2009 at 08:25:51
Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.


If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
April 19, 2009 at 13:56:12
Ok, here are the logs from Hijack This and Malwarebytes:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:00 AM, on 20/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\Administrator\Desktop\tools.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Shareaza MediaBar - {196C3A46-4758-433D-A600-802C804AF39C} - C:\Program Files\Shareaza Applications\Shareaza MediaBar\ShareazaMediaBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.bigwphotos.com.au/bigw/a...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/Div...
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID...
O16 - DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://mrmorbid.myphotoalbum.com/Im...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8331 bytes

Malwarebytes' Anti-Malware 1.36
Database version: 2011
Windows 5.1.2600 Service Pack 3

20/04/2009 6:08:12 AM
mbam-log-2009-04-20 (06-08-12).txt

Scan type: Quick Scan
Objects scanned: 75770
Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 7
Registry Keys Infected: 12
Registry Values Infected: 10
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\wusorevo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jisagoyi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wufewoga.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\petonuho.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\bejanapo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\msdpsols.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\jh9fgo4ksdgf.dll (Trojan.Ertfor) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b171c360-fa63-4ded-bbbc-011978216880} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b171c360-fa63-4ded-bbbc-011978216880} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b171c360-fa63-4ded-bbbc-011978216880} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\34af6c16 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lojajojope (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm379c5f8a (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows logon applicationedc (Rogue.Installer) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asexoj (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: msdpsols.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jisagoyi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\jisagoyi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\bejanapo.dll -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wusorevo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\overosuw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\petonuho.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\bejanapo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wufewoga.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\msdpsols.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jh9fgo4ksdgf.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\jisagoyi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Administrator\winlogon.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ak1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bapenuge.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ftp_non_crp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sjgh4kdg4rg4.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACe565.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\w4lni.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\WINDOWS\ofuroqaxac.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\4026295200.exe (Trojan.Downloader) -> Delete on reboot.


Cheers,
Darren
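The Malwarebytes log above is the kind of artifact an incident handler reads twice: once for what was removed, and once for what still needs a reboot or a manual check (the AppInit_DLLs, LSA Notification Packages, Run-key and BHO entries are all load points that re-launch the malware at the next logon). The script below is an added example, not Malwarebytes' own code; it assumes the MBAM 1.x log layout shown in the thread ("<Section> Infected:" headers followed by "<target> (<family>) -> [Data: ... ->] <outcome>." lines), and the post-reboot file listing it checks against is a constructed set, not a real disk scan.

```python
"""Triage a Malwarebytes' Anti-Malware scan log (added example, not MBAM code).

Assumes the MBAM 1.x log layout seen in the thread: "<Section> Infected:" headers,
then one detection per line as "<target> (<family>) -> [Data: <payload> ->] <outcome>."
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the log posted above (same format, fewer lines).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2011

Memory Modules Infected:
C:\WINDOWS\system32\wusorevo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\msdpsols.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b171c360-fa63-4ded-bbbc-011978216880} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lojajojope (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: msdpsols.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jisagoyi.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wusorevo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\Temp\UACe565.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\ofuroqaxac.dll (Trojan.Agent) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+?)\.?$")

# Registry locations that load code at boot or logon (lower-cased for matching).
# A detection under any of these is what gets re-checked by hand after the reboot.
PERSISTENCE_MARKERS = (
    "\\appinit_dlls", "\\lsa\\notification packages", "\\shellserviceobjectdelayload",
    "\\sharedtaskscheduler", "\\currentversion\\run\\", "\\browser helper objects\\",
    "\\currentcontrolset\\services\\",
)


@dataclass
class Detection:
    section: str
    target: str
    family: str
    outcome: str
    data: str = ""  # payload of a "Registry Data Items" entry, e.g. the injected DLL


def parse_mbam_log(text):
    """Return one Detection per reported item, tagged with its log section."""
    section, found = None, []
    for line in (ln.strip() for ln in text.splitlines()):
        head = SECTION_RE.match(line)
        if head:
            section = head.group("name")
            continue
        entry = ENTRY_RE.match(line)
        if section is None or entry is None:
            continue  # banner lines, blanks, "(No malicious items detected)"
        parts = [p.strip() for p in entry.group("rest").split("->")]
        data = next((p[6:] for p in parts[:-1] if p.startswith("Data: ")), "")
        found.append(Detection(section, entry.group("target"), entry.group("family"), parts[-1], data))
    return found


def summarize(detections):
    """Counts per section and family, plus the two lists worth acting on."""
    return {
        "by_section": Counter(d.section for d in detections),
        "by_family": Counter(d.family for d in detections),
        # Items MBAM could not remove while the system was live; they only go on reboot.
        "pending_reboot": sorted({d.target for d in detections if d.outcome == "Delete on reboot"}),
        # Registry hooks that would re-launch or re-inject the malware at next logon.
        "persistence": [d for d in detections if d.section.startswith("Registry")
                        and any(m in d.target.lower() for m in PERSISTENCE_MARKERS)],
    }


def remaining_after_reboot(detections, present_paths):
    """Files flagged 'Delete on reboot' that still exist afterwards.
    present_paths: paths found on disk post-reboot (constructed in the demo below)."""
    present = {p.lower() for p in present_paths}
    return sorted(d.target for d in detections
                  if d.section == "Files" and d.outcome == "Delete on reboot"
                  and d.target.lower() in present)


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    s = summarize(dets)
    print("per section:", dict(s["by_section"]))
    print("per family:", dict(s["by_family"]))
    print("pending reboot:", *s["pending_reboot"], sep="\n  ")
    print("persistence hooks:", *(f"{d.target} ({d.family})" for d in s["persistence"]), sep="\n  ")
    # Constructed post-reboot listing: one flagged DLL is still on disk, so the cleanup is not done.
    print("still present:", remaining_after_reboot(dets, {r"C:\WINDOWS\system32\wusorevo.dll"}))
```

The useful output is not the counts but the two short lists: anything under "pending reboot" is unconfirmed until the machine has restarted, and anything under "persistence hooks" is a place (AppInit_DLLs, LSA Notification Packages, Run keys, BHO CLSIDs, a driver service) where a leftover value would bring the infection back, which is why the helper asks for a fresh log after each tool runs.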



#3
April 19, 2009 at 14:49:43
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your AVG antivirus, Spyware Doctor and any other antispyware that you may have. Combofix will not operate properly with them running.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

To get AVG completely shut down, click the systray icon and click Exit. Then click the desktop icon > click Resident Shield > uncheck the box to the left of "Resident Shield Active" > then click Save.

To get AVG running again, restart the computer, then check the box you unchecked > click Save.




#4
April 20, 2009 at 01:36:27
Ok, here is the log:

ComboFix 09-04-20.02 - Administrator 20/04/2009 17:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1022.583 [GMT 9.5:30]
Running from: c:\documents and settings\Administrator\Desktop\toolb.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-20 06:06 . 2009-04-20 06:07 -------- d-----w C:\toolb
2009-04-19 20:29 . 2009-04-19 20:29 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-19 20:29 . 2009-04-06 06:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-19 20:29 . 2009-04-06 06:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-19 20:29 . 2009-04-19 20:29 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 10:44 . 2009-04-16 10:44 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-16 10:29 . 2009-04-20 08:01 109010 ----a-w c:\windows\system32\drivers\7d28fde9.sys
2009-04-15 10:39 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 10:39 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 10:39 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 10:39 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 10:39 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 10:39 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 10:39 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 10:39 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 10:39 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 10:38 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 10:38 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 10:38 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 07:53 . 2009-04-15 07:53 5376 ----a-w c:\windows\system32\drivers\MS1000.sys
2009-04-12 12:39 . 2009-04-12 12:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Sammsoft
2009-04-12 11:31 . 2009-04-12 11:33 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-04-11 11:16 . 2009-04-11 11:17 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-10 21:12 . 2009-04-10 21:12 -------- d-----w c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-04-10 21:10 . 2008-03-07 17:02 98304 -c----w c:\windows\system32\dllcache\nlhtml.dll
2009-04-10 21:10 . 2008-03-07 17:02 29696 -c----w c:\windows\system32\dllcache\mimefilt.dll
2009-04-10 21:10 . 2008-03-07 17:02 192000 -c----w c:\windows\system32\dllcache\offfilt.dll
2009-04-10 21:08 . 2009-04-10 21:08 -------- d-----w c:\windows\system32\URTTEMP
2009-04-08 12:18 . 2009-04-19 20:22 0 ----a-w c:\windows\Qlufij.bin
2009-04-08 12:18 . 2009-04-08 12:18 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\{DC478AF1-C38C-4C93-9179-353540375E28}
2009-04-08 12:18 . 2009-04-16 12:45 408 ----a-w c:\windows\Umomis.dat
2009-04-01 09:55 . 2009-01-09 19:19 1089593 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-03-31 20:22 . 2009-03-10 11:48 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-03-31 20:22 . 2009-02-09 08:21 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-03-31 20:22 . 2009-03-31 20:22 -------- d-----w c:\windows\system32\KB905474
2009-03-31 20:22 . 2009-03-10 11:56 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-03-31 20:13 . 2009-03-31 20:13 -------- d-----w c:\windows\system32\XPSViewer
2009-03-31 20:12 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-03-31 20:12 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-31 20:12 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-31 20:12 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-03-31 20:12 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-03-31 20:12 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-03-31 20:12 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-31 20:12 . 2009-03-31 20:12 -------- d-----w C:\597e665749074f67f4c1
2009-03-31 09:54 . 2009-03-31 09:54 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-03-28 08:42 . 2009-03-28 08:43 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-28 08:34 . 2009-03-05 13:29 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 05:57 . 2008-08-21 10:19 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-19 21:21 . 2007-11-12 10:56 -------- d--h--r c:\documents and settings\Administrator\Application Data\yahoo!
2009-04-19 21:21 . 2007-11-12 02:58 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-19 21:20 . 2007-11-12 02:39 -------- d-----w c:\program files\Yahoo!
2009-04-19 20:49 . 2008-12-10 10:20 -------- d-----w c:\program files\LimeWire
2009-04-19 20:29 . 2009-04-19 20:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-19 12:13 . 2009-04-19 12:13 2967800 ----a-w c:\program files\mbam-setup.exe
2009-04-19 12:01 . 2008-09-14 04:30 -------- d-----w c:\program files\Spyware Doctor
2009-04-15 07:53 . 2009-04-15 07:50 -------- d-----w c:\program files\The Cleaner Free
2009-04-15 07:52 . 2008-09-14 04:24 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-12 12:38 . 2009-04-12 12:38 -------- d-----w c:\program files\Advanced Registry Optimizer
2009-04-10 21:13 . 2009-04-10 21:13 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-10 21:13 . 2009-04-10 21:13 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-10 21:13 . 2009-04-10 21:13 -------- d-----w c:\program files\Microsoft
2009-04-10 21:12 . 2009-04-10 21:12 -------- d-----w c:\program files\Windows Desktop Search
2009-04-08 06:07 . 2007-12-08 10:27 -------- d-----w c:\program files\Java
2009-04-06 20:42 . 2008-12-10 10:20 -------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-04-06 11:35 . 2008-09-14 09:19 -------- d-----w c:\documents and settings\Administrator\Application Data\Shareaza
2009-04-06 10:07 . 2007-10-18 13:17 20216 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-31 20:13 . 2009-03-31 20:13 -------- d-----w c:\program files\MSBuild
2009-03-31 20:12 . 2009-03-31 20:12 -------- d-----w c:\program files\Reference Assemblies
2009-03-31 09:54 . 2009-03-31 09:46 -------- d-----w c:\program files\BrainWave Generator
2009-03-28 08:43 . 2008-10-22 10:48 -------- d-----w c:\program files\iTunes
2009-03-28 08:42 . 2009-03-28 08:42 -------- d-----w c:\program files\iPod
2009-03-28 08:42 . 2007-10-07 01:04 -------- d-----w c:\program files\Common Files\Apple
2009-03-28 08:39 . 2009-03-28 08:39 -------- d-----w c:\program files\Bonjour
2009-03-28 08:38 . 2009-03-28 08:37 -------- d-----w c:\program files\QuickTime
2009-03-08 19:49 . 2009-01-07 10:33 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 13:29 . 2007-10-07 01:05 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-22 05:59 . 2008-05-29 10:29 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-19 08:47 . 2009-02-19 08:47 -------- d-----w c:\documents and settings\All Users\Application Data\B40
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 09:32 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-28 05:28 . 2008-05-29 10:30 10520 ----a-w c:\windows\system32\avgrsstx.dll
2008-05-25 00:43 . 2008-05-25 00:42 47787248 ----a-w c:\program files\avg_free_stf_en_8_100a1295.exe
2007-11-19 04:01 . 2008-07-01 23:43 3686400 ----a-w c:\program files\Shortcut to IKEA Home Planner.lnk
2007-11-03 02:22 . 2007-11-03 02:22 4318165 ----a-w c:\program files\allok_ipodconverter.exe
2007-10-07 01:03 . 2007-10-07 00:57 51422520 ----a-w c:\program files\iTunes743Setup.exe
2008-11-06 10:51 . 2008-11-06 10:52 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008110620081107\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{196C3A46-4758-433D-A600-802C804AF39C}"= "c:\program files\Shareaza Applications\Shareaza MediaBar\ShareazaMediaBar.dll" [2008-09-02 529856]

[HKEY_CLASSES_ROOT\clsid\{196c3a46-4758-433d-a600-802c804af39c}]
[HKEY_CLASSES_ROOT\ShareazaMediaBar.StockBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{89807A16-AC31-4449-AB91-06A753813543}]
[HKEY_CLASSES_ROOT\ShareazaMediaBar.StockBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{196C3A46-4758-433D-A600-802C804AF39C}"= "c:\program files\Shareaza Applications\Shareaza MediaBar\ShareazaMediaBar.dll" [2008-09-02 529856]

[HKEY_CLASSES_ROOT\clsid\{196c3a46-4758-433d-a600-802c804af39c}]
[HKEY_CLASSES_ROOT\ShareazaMediaBar.StockBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{89807A16-AC31-4449-AB91-06A753813543}]
[HKEY_CLASSES_ROOT\ShareazaMediaBar.StockBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]
"AROReminder"="c:\program files\Advanced Registry Optimizer\aro.exe" [2008-04-01 2084480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-25 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-18 1347584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2003-08-29 188416]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2003-08-29 77824]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-28 1601304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-28 05:28 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Graboid\\GraboidVideo\\1.2.2.1\\GraboidClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2003-09-16 152576]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-01-28 325128]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-01-28 107272]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-28 903960]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-28 298264]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchinjdrv
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 03:04]

2009-04-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-13 20:17]

2009-04-19 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 06:34]

2009-04-19 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 06:34]

2009-04-19 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-31 11:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} - hxxp://mrmorbid.myphotoalbum.com/ImageUploader4.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 17:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxkvrjlqjo.sys 83456 bytes executable
c:\windows\system32\ovfsthxewqxmqsn.dll 60928 bytes executable
c:\windows\system32\ovfsthxoenbgrtd.dat 31045 bytes
c:\windows\system32\ovfsthxrrcpakal.dat 43 bytes
c:\windows\system32\ovfsthxtltdhtpm.dll 18432 bytes executable
c:\windows\system32\ovfsthxuiuiqait.dll 18432 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ovfsthxkyfvkipp]
"imagepath"="\systemroot\system32\drivers\ovfsthxkvrjlqjo.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\7d28fde9]
"ImagePath"="\SystemRoot\System32\drivers\7d28fde9.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ovfsthxkyfvkipp]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthxkvrjlqjo.sys"
"inst"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'explorer.exe'(2640)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-20 17:33
ComboFix-quarantined-files.txt 2009-04-20 08:03

Pre-Run: 19,829,379,072 bytes free
Post-Run: 20,338,724,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

250 --- E O F --- 2009-04-15 17:41



#5
April 20, 2009 at 02:30:18
Sorry, just a side note.
When I downloaded Malware I didn't rename it as instructed, I just saved the file as was onto my desktop. Will this have affected the process at all?
I do apologise for being such a drongo (Aussie for idiot!) and not reading the instructions properly.
Cheers,
Darren


#6
April 20, 2009 at 15:46:26
Some viruses will not let Malwarebytes run without renaming it, so you're OK.

Please go to Virus Total and upload the following file for analysis:

C:\Windows\System32\drivers\7d28fde9.sys

Use the browse button at the site to find the file. Once you find the file, double click it and it should appear in the empty space to the left of the browse button, then click "send file".

Post the results in your reply.



#7
April 21, 2009 at 01:39:08
This is what came back:

0 bytes size received / Se ha recibido un archivo vacio



#8
April 23, 2009 at 04:00:06
G'day jabuck,

Just re-posting to see if you got my last post regarding the results?

Cheers,
Darren



#9
April 25, 2009 at 05:33:04
Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#10
April 26, 2009 at 01:38:43
G'day jabuck,

Sorry, but the virus is preventing me from accessing the Kaspersky website. Can you advise any other way to access?

Cheers,
Darren



#11
April 26, 2009 at 07:45:06
Please then reboot your computer in Safe Mode with Networking by doing the following :
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select Safe Mode with Networking, then press "Enter".
Choose your usual account.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt



#12
April 26, 2009 at 14:16:28

SDFix: Version 1.240
Run by Administrator on Mon 27/04/2009 at 06:15 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\p2hhr.bat - Deleted

Removing Temp Files

ADS Check:


Final Check:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 06:31:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 1381
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 1381
disk error: C:\Documents and Settings\Administrator\ntuser.dat, 1381
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"
"C:\\Program Files\\Graboid\\GraboidVideo\\1.2.2.1\\GraboidClient.exe"="C:\\Program Files\\Graboid\\GraboidVideo\\1.2.2.1\\GraboidClient.exe:*:Enabled: "
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 16 Apr 2009 31,232 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1341.tmp"
Thu 16 Apr 2009 31,232 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2569.tmp"
Sat 9 Feb 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 19 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

Finished!


Cheers,
Darren



#13
April 26, 2009 at 14:47:47
Please go to Virus Total and upload the following files one at the time for analysis:

c:\windows\Qlufij.bin


c:\windows\Umomis.dat

Use the browse button at the site to find the file. Once you find the file, double click it and it should appear in the empty space to the left of the browse button, then click "send file".

Post the results in your reply.



#14
April 27, 2009 at 03:55:41
First file came up with 0 bytes received.

Second file as follows:

File Umomis.dat received on 04.27.2009 11:59:34 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.27 -
AhnLab-V3 5.0.0.2 2009.04.27 -
AntiVir 7.9.0.156 2009.04.27 -
Antiy-AVL 2.0.3.1 2009.04.27 -
Authentium 5.1.2.4 2009.04.26 -
Avast 4.8.1335.0 2009.04.26 -
AVG 8.5.0.287 2009.04.27 -
BitDefender 7.2 2009.04.27 -
CAT-QuickHeal 10.00 2009.04.27 -
ClamAV 0.94.1 2009.04.27 -
Comodo 1137 2009.04.27 -
DrWeb 4.44.0.09170 2009.04.27 -
eSafe 7.0.17.0 2009.04.23 -
eTrust-Vet 31.6.6475 2009.04.24 -
F-Prot 4.4.4.56 2009.04.26 -
F-Secure 8.0.14470.0 2009.04.27 -
Fortinet 3.117.0.0 2009.04.27 -
GData 19 2009.04.27 -
Ikarus T3.1.1.49.0 2009.04.27 -
K7AntiVirus 7.10.716 2009.04.25 -
Kaspersky 7.0.0.125 2009.04.27 -
McAfee 5597 2009.04.26 -
McAfee+Artemis 5597 2009.04.26 -
McAfee-GW-Edition 6.7.6 2009.04.27 -
Microsoft 1.4602 2009.04.27 -
NOD32 4036 2009.04.27 -
Norman 6.00.06 2009.04.24 -
nProtect 2009.1.8.0 2009.04.27 -
Panda 10.0.0.14 2009.04.26 -
PCTools 4.4.2.0 2009.04.26 -
Prevx1 3.0 2009.04.27 -
Rising 21.27.02.00 2009.04.27 -
Sophos 4.41.0 2009.04.27 -
Sunbelt 3.2.1858.2 2009.04.24 -
Symantec 1.4.4.12 2009.04.27 -
TheHacker 6.3.4.1.315 2009.04.27 -
TrendMicro 8.700.0.1004 2009.04.27 -
VBA32 3.12.10.3 2009.04.27 -
ViRobot 2009.4.27.1710 2009.04.27 -
VirusBuster 4.6.5.0 2009.04.26 -

Additional information
File size: 408 bytes
MD5...: 97992b41e6581cdcf5bc235d4e82d693
SHA1..: 5722bdd7bd3a8d0613147ae1404f9edee42c690a
SHA256: 26fc6199003002bc4ac428412edad5d48ff989c980d8a429e3540415d7d058cd
SHA512: 083a5944dd139104e22739212354592d3f9b5b89a46f0b2184a739208c93a360
2d201af32970480b999d781dfb05ea67bcc9b456b2a2a5f64b12190c3624c258
ssdeep: 12:ykW4WGvT1SwdXgm58RTqj9HT4pFRl+AEm6x:4EvT1SSwaATY9yFRnEm6x

PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set
-



#15
April 27, 2009 at 14:38:14
See if you can run the Kaspersky scan.

If not try this one:

Please run Esets online scanner from this link:

ESET

1. Note: You will need to use Internet explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.



#16
April 28, 2009 at 05:37:05
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 28, 2009 10:42:50
Records in database: 2086087
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 49578
Threat name: 3
Infected objects: 20
Suspicious objects: 0
Duration of the scan: 02:07:46


File name / Threat name / Threats count
C:\WINDOWS\TEMP\msb.dll/C:\WINDOWS\TEMP\msb.dll Infected: Trojan-Spy.Win32.Agent.amjg 11
C:\Documents and Settings\Administrator\protect.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ChkDisk.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Documents and Settings\LocalService\protect.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\WINDOWS\system32\autochk.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\WINDOWS\system32\config\systemprofile\protect.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\WINDOWS\system32\lmppcsetup.exe Infected: Trojan-Dropper.Win32.Agent.amnc 1
C:\WINDOWS\system32\winglsetup.exe Infected: Trojan-Dropper.Win32.Agent.anrj 1
C:\WINDOWS\Temp\msb.dll Infected: Trojan-Spy.Win32.Agent.amjg 1

The selected area was scanned.


Cheers,
Darren



#17
April 28, 2009 at 14:31:23
All of this looks like a totally new infection.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\WINDOWS\TEMP\msb.dll
C:\Documents and Settings\Administrator\protect.dll
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ChkDisk.dll
C:\Documents and Settings\LocalService\protect.dll
C:\WINDOWS\system32\autochk.dll
C:\WINDOWS\system32\config\systemprofile\protect.dll
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
C:\WINDOWS\system32\lmppcsetup.exe
C:\WINDOWS\system32\winglsetup.exe
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto start, click "run".

Please post the log that is produced.


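A helper added here as an example, not code from this thread, from ComboFix or from Kaspersky: it parses the "File name / Threat name / Threats count" section of the Kaspersky report posted in #16 and generates the KILLALL::/File:: CFScript that #17 builds by hand. The report excerpt is embedded inline; the script collapses Kaspersky's container/member entry (path/path) to the on-disk file, folds the TEMP and Temp spellings of msb.dll into one entry, and cross-checks the totals against the report's own "Scan statistics".

```python
import re
from collections import Counter

# Constructed input: the statistics block and the per-file findings copied
# from the Kaspersky Online Scanner report posted earlier in this thread.
KASPERSKY_REPORT = r"""
Scan statistics:
Files scanned: 49578
Threat name: 3
Infected objects: 20
Suspicious objects: 0

File name / Threat name / Threats count
C:\WINDOWS\TEMP\msb.dll/C:\WINDOWS\TEMP\msb.dll Infected: Trojan-Spy.Win32.Agent.amjg 11
C:\Documents and Settings\Administrator\protect.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ChkDisk.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Documents and Settings\LocalService\protect.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\WINDOWS\system32\autochk.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\WINDOWS\system32\config\systemprofile\protect.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\WINDOWS\system32\lmppcsetup.exe Infected: Trojan-Dropper.Win32.Agent.amnc 1
C:\WINDOWS\system32\winglsetup.exe Infected: Trojan-Dropper.Win32.Agent.anrj 1
C:\WINDOWS\Temp\msb.dll Infected: Trojan-Spy.Win32.Agent.amjg 1

The selected area was scanned.
"""

# One finding per line: "<object> Infected: <threat name> <count>"
FINDING_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
STAT_RE = re.compile(r"^(?P<key>Threat name|Infected objects|Suspicious objects): (?P<value>\d+)$")


def parse_findings(report):
    """Return a list of (on-disk path, threat name, count) tuples.

    Kaspersky writes an object found inside a container as "container/member".
    Only the container exists on disk, so everything after the first "/" is
    dropped (Windows paths never contain a forward slash).
    """
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        path = m.group("obj").split("/", 1)[0]
        findings.append((path, m.group("threat"), int(m.group("count"))))
    return findings


def parse_statistics(report):
    """Return the numeric 'Scan statistics' lines as a dict."""
    stats = {}
    for line in report.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            stats[m.group("key")] = int(m.group("value"))
    return stats


def unique_paths(findings):
    """Deduplicate paths case-insensitively (NTFS is case-insensitive, and the
    report lists msb.dll under both TEMP and Temp), keeping first-seen spelling."""
    seen, paths = set(), []
    for path, _threat, _count in findings:
        key = path.lower()
        if key not in seen:
            seen.add(key)
            paths.append(path)
    return paths


def threat_summary(findings):
    """Total detections per threat name."""
    totals = Counter()
    for _path, threat, count in findings:
        totals[threat] += count
    return totals


def statistics_consistent(report):
    """Cross-check parsed findings against the report's own statistics block."""
    summary = threat_summary(parse_findings(report))
    stats = parse_statistics(report)
    return (sum(summary.values()) == stats.get("Infected objects")
            and len(summary) == stats.get("Threat name"))


def build_cfscript(paths):
    """Render a ComboFix CFScript: KILLALL:: then a File:: block, one path per line."""
    return "KILLALL::\nFile::\n" + "\n".join(paths) + "\n"


FINDINGS = parse_findings(KASPERSKY_REPORT)
PATHS = unique_paths(FINDINGS)
CFSCRIPT = build_cfscript(PATHS)

if __name__ == "__main__":
    print(CFSCRIPT)
    print(dict(threat_summary(FINDINGS)))
    print("statistics consistent:", statistics_consistent(KASPERSKY_REPORT))
```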

#18
April 29, 2009 at 03:01:38
ComboFix 09-04-28.02 - Administrator 29/04/2009 18:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1022.574 [GMT 9.5:30]
Running from: c:\documents and settings\Administrator\Desktop\toolb.exe.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Administrator\protect.dll
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\LocalService\protect.dll
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\winglsetup.exe
c:\windows\TEMP\msb.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\protect.dll
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\protect.dll
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\winglsetup.exe
c:\windows\TEMP\msb.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-27 21:00 . 2009-04-27 21:00 29696 ----a-w c:\windows\system32\loader49.exe
2009-04-26 20:59 . 2009-04-26 20:59 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-26 20:45 . 2009-04-26 20:45 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-04-26 20:42 . 2009-04-26 20:43 -------- d-----w c:\windows\ERUNT
2009-04-26 20:41 . 2009-04-26 21:02 -------- d-----w C:\SDFix
2009-04-24 09:24 . 2009-04-24 09:24 -------- d-----w c:\program files\VirusTotalUploader
2009-04-23 12:20 . 2009-04-23 12:20 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\WMTools Downloaded Files
2009-04-23 12:09 . 2009-04-23 12:09 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-23 12:08 . 2009-04-23 12:09 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-23 11:38 . 2009-04-25 01:06 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Graboid
2009-04-20 06:06 . 2009-04-20 06:07 -------- d-----w C:\toolb
2009-04-19 20:29 . 2009-04-19 20:29 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-19 20:29 . 2009-04-06 06:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-19 20:29 . 2009-04-06 06:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-19 20:29 . 2009-04-19 20:29 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-19 20:29 . 2009-04-19 20:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-19 12:13 . 2009-04-19 12:13 2967800 ----a-w c:\program files\mbam-setup.exe
2009-04-16 10:44 . 2009-04-16 10:44 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-16 10:29 . 2009-04-29 09:43 109010 ----a-w c:\windows\system32\drivers\7d28fde9.sys
2009-04-15 10:39 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 10:39 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 10:39 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 10:39 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 10:39 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 10:39 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 10:39 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 10:39 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 10:39 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 10:38 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 10:38 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 07:53 . 2009-04-15 07:53 5376 ----a-w c:\windows\system32\drivers\MS1000.sys
2009-04-15 07:50 . 2009-04-15 07:53 -------- d-----w c:\program files\The Cleaner Free
2009-04-12 12:39 . 2009-04-12 12:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Sammsoft
2009-04-12 12:38 . 2009-04-12 12:38 -------- d-----w c:\program files\Advanced Registry Optimizer
2009-04-12 11:31 . 2009-04-12 11:33 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-04-11 11:16 . 2009-04-11 11:17 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-10 21:13 . 2009-04-10 21:13 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-10 21:13 . 2009-04-10 21:13 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-10 21:13 . 2009-04-10 21:13 -------- d-----w c:\program files\Microsoft
2009-04-10 21:12 . 2009-04-10 21:12 -------- d-----w c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-04-10 21:12 . 2009-04-10 21:12 -------- d-----w c:\program files\Windows Desktop Search
2009-04-10 21:10 . 2008-03-07 17:02 29696 -c----w c:\windows\system32\dllcache\mimefilt.dll
2009-04-10 21:10 . 2008-03-07 17:02 98304 -c----w c:\windows\system32\dllcache\nlhtml.dll
2009-04-10 21:10 . 2008-03-07 17:02 192000 -c----w c:\windows\system32\dllcache\offfilt.dll
2009-04-10 21:08 . 2009-04-10 21:08 -------- d-----w c:\windows\system32\URTTEMP
2009-04-08 12:18 . 2009-04-19 20:22 0 ----a-w c:\windows\Qlufij.bin
2009-04-08 12:18 . 2009-04-08 12:18 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\{DC478AF1-C38C-4C93-9179-353540375E28}
2009-04-08 12:18 . 2009-04-16 12:45 408 ----a-w c:\windows\Umomis.dat
2009-03-31 20:22 . 2009-03-10 11:48 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-03-31 20:22 . 2009-03-10 11:56 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-03-31 20:22 . 2009-03-31 20:22 -------- d-----w c:\windows\system32\KB905474
2009-03-31 20:13 . 2009-03-31 20:13 -------- d-----w c:\windows\system32\XPSViewer
2009-03-31 20:13 . 2009-03-31 20:13 -------- d-----w c:\program files\MSBuild
2009-03-31 20:12 . 2009-03-31 20:12 -------- d-----w c:\program files\Reference Assemblies
2009-03-31 20:12 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-03-31 20:12 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-31 20:12 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-31 20:12 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-31 20:12 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-03-31 20:12 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-03-31 20:12 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-03-31 20:12 . 2009-03-31 20:12 -------- d-----w C:\597e665749074f67f4c1
2009-03-31 09:54 . 2009-03-31 09:54 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-03-31 09:46 . 2009-03-31 09:54 -------- d-----w c:\program files\BrainWave Generator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 10:01 . 2008-09-14 04:30 -------- d-----w c:\program files\Spyware Doctor
2009-04-23 12:13 . 2008-05-13 11:14 -------- d-----w c:\program files\Google
2009-04-23 12:10 . 2007-09-15 09:03 -------- d-----w c:\program files\DivX
2009-04-23 11:38 . 2008-05-25 00:37 -------- d-----w c:\program files\Graboid
2009-04-19 21:20 . 2007-11-12 02:39 -------- d-----w c:\program files\Yahoo!
2009-04-19 20:49 . 2008-12-10 10:20 -------- d-----w c:\program files\LimeWire
2009-04-08 06:07 . 2007-12-08 10:27 -------- d-----w c:\program files\Java
2009-04-06 10:07 . 2007-10-18 13:17 20216 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-28 08:43 . 2008-10-22 10:48 -------- d-----w c:\program files\iTunes
2009-03-28 08:42 . 2009-03-28 08:42 -------- d-----w c:\program files\iPod
2009-03-28 08:42 . 2007-10-07 01:04 -------- d-----w c:\program files\Common Files\Apple
2009-03-28 08:39 . 2009-03-28 08:39 -------- d-----w c:\program files\Bonjour
2009-03-28 08:38 . 2009-03-28 08:37 -------- d-----w c:\program files\QuickTime
2009-03-08 19:49 . 2009-01-07 10:33 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 13:29 . 2009-03-28 08:34 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 13:29 . 2007-10-07 01:05 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 09:32 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-05-25 00:43 . 2008-05-25 00:42 47787248 ----a-w c:\program files\avg_free_stf_en_8_100a1295.exe
2007-11-19 04:01 . 2008-07-01 23:43 3686400 ----a-w c:\program files\Shortcut to IKEA Home Planner.lnk
2007-11-03 02:22 . 2007-11-03 02:22 4318165 ----a-w c:\program files\allok_ipodconverter.exe
2007-10-07 01:03 . 2007-10-07 00:57 51422520 ----a-w c:\program files\iTunes743Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{196C3A46-4758-433D-A600-802C804AF39C}"= "c:\program files\Shareaza Applications\Shareaza MediaBar\ShareazaMediaBar.dll" [2008-09-02 529856]

[HKEY_CLASSES_ROOT\clsid\{196c3a46-4758-433d-a600-802c804af39c}]
[HKEY_CLASSES_ROOT\ShareazaMediaBar.StockBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{89807A16-AC31-4449-AB91-06A753813543}]
[HKEY_CLASSES_ROOT\ShareazaMediaBar.StockBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{196C3A46-4758-433D-A600-802C804AF39C}"= "c:\program files\Shareaza Applications\Shareaza MediaBar\ShareazaMediaBar.dll" [2008-09-02 529856]

[HKEY_CLASSES_ROOT\clsid\{196c3a46-4758-433d-a600-802c804af39c}]
[HKEY_CLASSES_ROOT\ShareazaMediaBar.StockBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{89807A16-AC31-4449-AB91-06A753813543}]
[HKEY_CLASSES_ROOT\ShareazaMediaBar.StockBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]
"AROReminder"="c:\program files\Advanced Registry Optimizer\aro.exe" [2008-04-01 2084480]
"autochk"="c:\docume~1\ADMINI~1\protect.dll" [2009-04-29 24064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-25 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-18 1347584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2003-08-29 188416]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2003-08-29 77824]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-28 1601304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"autochk"="c:\windows\system32\autochk.dll" [2009-04-29 24064]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"autochk"="c:\windows\system32\config\SYSTEM~1\protect.dll" [2009-04-29 24064]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
ChkDisk.dll [2009-4-29 24064]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ChkDisk.dll [2009-4-29 24064]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2004-8-4 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-28 05:28 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 gupdate1c9c40c53cdd1e0;Google Update Service (gupdate1c9c40c53cdd1e0);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-23 133104]
R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2003-09-16 152576]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-01-28 325128]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-01-28 107272]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-28 903960]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-28 298264]

.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 03:04]

2009-04-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-13 20:17]

2009-04-29 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-23 12:08]

2009-04-28 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 06:34]

2009-04-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 06:34]

2009-04-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-31 11:48]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\3493784512.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} - hxxp://mrmorbid.myphotoalbum.com/ImageUploader4.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 19:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxkvrjlqjo.sys 83456 bytes executable
c:\windows\system32\ovfsthxewqxmqsn.dll 60928 bytes executable
c:\windows\system32\ovfsthxoenbgrtd.dat 674123 bytes
c:\windows\system32\ovfsthxrrcpakal.dat 43 bytes
c:\windows\system32\ovfsthxtltdhtpm.dll 18432 bytes executable
c:\windows\system32\ovfsthxuiuiqait.dll 18432 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3820)
c:\windows\TEMP\msb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\LVComS.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Apoint\hidfind.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-04-29 19:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 09:46
ComboFix2.txt 2009-04-20 08:03

Pre-Run: 22,080,212,992 bytes free
Post-Run: 22,328,111,104 bytes free

286 --- E O F --- 2009-04-15 17:41


Cheers,
Darren



#19
May 5, 2009 at 04:39:56
G'day jabuck,

I'm still having issues. I ran AVG and Malwarebytes and had a few more trojans. Now IE crashes quite a lot and when I do a Google search, it is redirecting me to other pages.
Hope you can help.
Cheers,
Darren

