Bad winupgro infection

Dell / Dimension 9100...
June 2, 2009 at 00:39:24
Specs: Microsoft Windows XP Home Edition, 2.992 GHz / 1022 MB
Please help. I am badly infected with Winupgro.

I'm on XP SP3.

I cannot boot to safe mode. Blue screen every time. None of Spybot, SuperAntiSpyware, Avast, CCleaner, ATFCleaner or Kaspersky's AVZ utility will run.

Malwarebytes runs but cannot get rid of the last instances of the virus. I even ran ComboFix on the advice of a different site but to no avail.

I have deleted all instances I found of the winupgro.exe file. I went through the registry to delete all references to winupgro. I have manually deleted all temp files and temporary internet files.

Malwarebytes' log is here, and ComboFix's log is below.

Please can you help me.


Malwarebytes' log:

Malwarebytes' Anti-Malware 1.37
Database version: 2211
Windows 5.1.2600 Service Pack 3

02/06/2009 08:28:58
mbam-log-2009-06-02 (08-28-58).txt

Scan type: Quick Scan
Objects scanned: 91084
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\german.exe (Rootkit.Bagle) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsyskit (Rootkit.Bagle) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Rootkit.Bagle) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix's log:

ComboFix 09-05-31.06 - iMagine 02/06/2009 8:02.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.353.1033.18.1022.676 [GMT 1:00]
Running from: c:\documents and settings\iMagine\Desktop\toolthat.exe
AV: avast! antivirus 4.8.1335 [VPS 090601-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\iMagine\Application Data\drivers\downld

.
((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-06-02 06:13 . 2009-06-02 06:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-02 06:13 . 2009-06-02 06:13 -------- d-----w- c:\documents and settings\iMagine\Application Data\SUPERAntiSpyware.com
2009-06-02 06:00 . 2009-06-02 06:00 6406688 ----a-w- C:\SUPAnSp.exe
2009-06-02 05:36 . 2009-06-02 05:36 -------- d-----w- C:\avz4
2009-06-02 05:35 . 2009-06-02 05:35 4626422 ----a-w- C:\avz4.zip
2009-06-02 05:19 . 2009-06-02 06:13 125461 ----a-w- c:\documents and settings\iMagine\Application Data\drivers\111wfs1intwq.sys
2009-06-02 05:19 . 2009-06-02 06:13 7168 ----a-w- c:\documents and settings\iMagine\Application Data\drivers\11s11ro1s1a2.sys
2009-06-02 05:18 . 2009-06-02 07:04 -------- d--h--w- c:\documents and settings\iMagine\Application Data\drivers
2009-06-02 04:14 . 2009-06-02 04:14 -------- d-----w- c:\documents and settings\iMagine\Application Data\Malwarebytes
2009-06-02 04:14 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 04:14 . 2009-06-02 04:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-02 04:14 . 2009-06-02 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-02 04:14 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-02 04:11 . 2009-06-02 04:13 106945 ----a-w- C:\MGlogs.zip
2009-06-02 04:11 . 2009-06-02 04:13 -------- d-----w- C:\MGtools
2009-06-02 04:01 . 2009-06-02 04:01 1342151 ----a-w- C:\MaGatools.exe
2009-06-02 03:59 . 2009-06-02 04:00 3371384 ----a-w- C:\mb-major.exe
2009-06-02 01:42 . 2009-06-02 01:45 -------- d-----w- c:\documents and settings\iMagine\.housecall6.6
2009-06-02 01:40 . 2009-06-02 01:40 407680 ----a-w- C:\aswclnr.exe
2009-06-02 01:03 . 2009-03-09 19:06 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-02 00:46 . 2009-06-02 00:46 299352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-02 00:46 . 2009-06-02 00:46 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-02 00:46 . 2009-06-02 00:46 165728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-02 00:46 . 2009-06-02 00:46 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-02 00:46 . 2009-06-02 00:46 343888 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-02 00:46 . 2009-06-02 00:46 289632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-02 00:46 . 2009-06-02 00:46 82784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-02 00:46 . 2009-06-02 00:46 1629024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-02 00:46 . 2009-06-02 00:46 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-02 00:46 . 2009-06-02 00:46 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-02 00:46 . 2009-06-02 00:46 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-02 00:46 . 2009-06-02 00:46 632680 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-02 00:45 . 2009-06-02 00:45 539512 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-02 00:45 . 2009-06-02 00:45 552808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-02 00:45 . 2009-06-02 00:45 2324808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-02 00:45 . 2009-06-02 00:45 626000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-02 00:45 . 2009-06-02 00:45 516440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-02 00:45 . 2009-06-02 04:37 953168 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-02 00:31 . 2009-06-02 00:31 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-02 00:31 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-01 23:21 . 2009-06-02 00:14 -------- d-----w- c:\program files\PFConfig
2009-05-21 04:49 . 2009-05-21 15:17 -------- d-----w- c:\documents and settings\iMagine\Local Settings\Application Data\Eraser
2009-05-21 04:49 . 2009-05-21 04:49 -------- d--h--w- c:\documents and settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2009-05-21 04:49 . 2007-12-31 09:46 2375336 ----a-w- c:\documents and settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}\EraserSetup32.exe
2009-05-21 04:49 . 2009-05-21 04:49 -------- d-----w- c:\program files\Eraser
2009-05-17 18:28 . 2009-05-17 18:28 -------- d-----w- c:\program files\GetData
2009-05-16 19:17 . 2009-05-16 19:17 -------- d-----w- c:\program files\Free M4a to MP3 Converter
2009-05-16 15:57 . 2009-05-16 15:57 -------- d-----w- c:\program files\Common Files\COWON
2009-05-14 06:42 . 2006-02-27 10:45 36864 ----a-w- c:\windows\system32\SDDEVMGR.dll
2009-05-14 06:42 . 2009-05-14 06:42 -------- d-----w- c:\program files\Panasonic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 07:02 . 2008-12-15 22:40 2873646 ----a-w- C:\ComboFix.exe
2009-06-02 06:25 . 2005-08-24 21:05 -------- d-----w- c:\documents and settings\iMagine\Application Data\Free Download Manager
2009-06-02 06:13 . 2006-03-03 04:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-02 03:47 . 2008-11-04 01:09 -------- d-----w- c:\documents and settings\iMagine\Application Data\U3
2009-06-02 03:09 . 2008-02-25 18:00 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-06-02 01:06 . 2008-06-18 20:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-02 01:02 . 2008-09-24 00:40 -------- d-----w- c:\program files\PeerGuardian2
2009-06-02 00:32 . 2006-05-27 01:59 -------- d-----w- c:\documents and settings\iMagine\Application Data\Skype
2009-06-02 00:31 . 2007-07-04 00:38 -------- d-----w- c:\program files\Lavasoft
2009-05-21 12:52 . 2008-02-13 05:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-19 16:03 . 2005-08-24 22:58 -------- d-----w- c:\documents and settings\iMagine\Application Data\Canon
2009-05-16 22:44 . 2008-02-18 20:21 -------- d-----w- c:\program files\Motorola Phone Tools
2009-05-16 16:06 . 2005-12-29 03:31 -------- d-----w- c:\documents and settings\iMagine\Application Data\vlc
2009-05-16 16:03 . 2005-12-29 03:29 -------- d-----w- c:\program files\VideoLAN
2009-05-16 15:59 . 2005-08-24 10:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-16 15:59 . 2005-12-29 02:43 -------- d-----w- c:\program files\JetAudio
2009-05-16 12:13 . 2005-09-29 17:05 -------- d-----w- c:\program files\ABC
2009-05-08 06:32 . 2006-06-06 18:18 -------- d-----w- c:\documents and settings\iMagine\Application Data\Vso
2009-04-26 02:39 . 2006-02-20 22:31 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-04-26 02:39 . 2008-12-29 02:24 -------- d-----w- c:\program files\Roxio
2009-03-10 22:21 . 2009-03-10 22:21 103744 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-03-06 14:22 . 2005-08-22 15:13 284160 ----a-w- c:\windows\system32\pdh.dll
2007-11-22 06:45 . 2007-11-22 06:44 560 ----a-w- c:\program files\Global.sw
2006-03-10 05:55 . 2006-03-10 05:55 604 ---ha-w- c:\program files\STLL Notifier
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
1998-02-10 18:34 . 2005-08-24 21:58 128000 ----a-w- c:\program files\UNWISE.EXE
2008-07-29 11:00 . 2007-11-05 20:37 96 --sh--w- c:\windows\S764F50FF.tmp
2006-10-02 06:12 . 2006-10-02 02:31 88 --sh--r- c:\windows\system32\7CD33AD795.sys
2008-11-17 15:06 . 2006-10-02 02:31 4960 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-05-12 03:20 . 2007-07-09 22:27 332285216 --sha-w- c:\windows\system32\drivers\fidbox.dat
2008-05-12 03:20 . 2007-07-09 22:27 5415200 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-06-02_06.35.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-02 06:59 . 2009-06-02 06:59 16384 c:\windows\temp\Perflib_Perfdata_5d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2006-03-02 860160]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2009-06-02 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-06-02 81000]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"=
"c:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [02/06/2009 02:03 64160]
R1 111111s1ro1s1a;111111s1ro1s1a;c:\documents and settings\iMagine\Application Data\drivers\111wfs1intwq.sys [02/06/2009 06:19 125461]
R2 SocketLock;Raw Socket Lock Driver;c:\windows\system32\socketlock.sys [24/08/2005 20:42 3712]
S0 vburner;vburner;c:\windows\system32\drivers\vburner.sys [25/11/2007 04:04 17408]
S1 aswSP;avast! Self Protection; [x]
S1 c2scsi;c2scsi; [x]
S2 AnyTrial;BugSoft AnyTrial;c:\windows\AnyTrial.exe --> c:\windows\AnyTrial.exe [?]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S2 Ca504av;Mega Camera, WDM Video Capture;c:\windows\system32\drivers\CA504AV.SYS [24/06/2008 01:01 516149]
S2 gupdate1c9aaa0fd7b5f20;Google Update Service (gupdate1c9aaa0fd7b5f20);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 951632]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [24/08/2007 16:53 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [24/08/2007 16:52 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [24/08/2007 16:52 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\iMagine\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\iMagine\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [25/08/2005 11:34 227200]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [26/05/2008 04:37 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/03/2008 02:23 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [26/05/2008 04:37 42112]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [24/08/2007 16:53 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [24/08/2007 16:52 1083888]
S3 USBCamera;Mega Camera Still Image Capture, Version 1.00;c:\windows\system32\drivers\Bulk504.sys [24/06/2008 01:01 10986]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2008-12-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-06-18 15:31]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys
SafeBoot-aawservice


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scroogle.org/cgi-bin/scraper.htm
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
TCP: {6827B580-85B4-4E0D-9F52-615D10A4DFBE} = 87.232.1.40,87.232.1.41
DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D}
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}
DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 08:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"="c:\\Documents and Settings\\iMagine\\Application Data\\drivers\\winupgro.exe"
"mule_st_key"="c:\\Documents and Settings\\iMagine\\Application Data\\m\\flec006.exe"
"german.exe"="c:\\WINDOWS\\system32\\wintems.exe"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-1788223648-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C232F793-C979-A9BD-D434-13C34F2BA8FE}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abmbcfkefphmcpjjgonpgojkmjebagmhjo"=hex:61,62,67,61,62,6a,6c,69,6d,6d,6a,65,
62,6a,67,67,61,6a,68,69,6e,65,6d,65,6b,69,6b,6c,66,6d,6f,69,6c,61,00,77
"bbmbcfkefphmcpjjgogpfkoljjiodpjennma"=hex:61,62,6c,61,62,6a,65,6f,6a,6b,6e,66,
61,6e,61,6c,6a,6a,69,6c,64,68,65,62,69,62,69,64,62,69,61,6b,6f,63,00,77
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2988)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-02 8:07
ComboFix-quarantined-files.txt 2009-06-02 07:07

Pre-Run: 6,275,842,048 bytes free
Post-Run: 6,257,029,120 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
229 --- E O F --- 2009-04-30 04:53

Please can you help me?

Thank you,

Larkapal.
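An added example, not part of the original post and not code from ComboFix, Malwarebytes or AVZ: a small Python script that reads the REGEDIT4-style Run-key dump and the hex: values exactly as ComboFix prints them in the log above, flags autorun entries whose target lives in a user profile (where the winupgro.exe and flec006.exe entries sit), and decodes the hex blobs from the locked key so you can see what they hold. The sample lines are copied from the log; the function names and the "user-writable location" rule are this example's own assumptions, not something the tools define.

```python
"""Triage of the ComboFix registry dump shown above (added example, not
ComboFix/Malwarebytes/AVZ code). Parses REGEDIT4-style lines, flags Run-key
entries that execute from a user profile, and decodes hex: values."""
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[str, bytes]

# Constructed sample: Run-key and locked-key lines copied from the log above.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"="c:\\Documents and Settings\\iMagine\\Application Data\\drivers\\winupgro.exe"
"mule_st_key"="c:\\Documents and Settings\\iMagine\\Application Data\\m\\flec006.exe"
"german.exe"="c:\\WINDOWS\\system32\\wintems.exe"
"PeerGuardian"="c:\\program files\\PeerGuardian2\\pg2.exe"

[HKEY_USERS\S-1-5-21-1708537768-1788223648-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C232F793-C979-A9BD-D434-13C34F2BA8FE}*]
"abmbcfkefphmcpjjgonpgojkmjebagmhjo"=hex:61,62,67,61,62,6a,6c,69,6d,6d,6a,65,
62,6a,67,67,61,6a,68,69,6e,65,6d,65,6b,69,6b,6c,66,6d,6f,69,6c,61,00,77
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                     # [HKEY_...\Run]
STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')             # "name"="string"
HEX_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')           # "name"=hex:61,62,...
HEX_CONT_RE = re.compile(r'^[0-9a-fA-F]{2}(,[0-9a-fA-F]{2})*,?$')  # wrapped hex
RUN_KEY_SUFFIX = r'\software\microsoft\windows\currentversion\run'


def parse_reg_dump(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Return {key: {value_name: str | bytes}} for a REGEDIT4-style dump.
    Multi-line hex: values are joined; "\\\\" in strings is unescaped."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    hex_name = None
    hex_bytes: List[str] = []

    def flush() -> None:
        nonlocal hex_name, hex_bytes
        if hex_name is not None:
            keys[current][hex_name] = bytes(int(h, 16) for h in hex_bytes)
            hex_name, hex_bytes = None, []

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if hex_name is not None and HEX_CONT_RE.match(line):
            hex_bytes.extend(h for h in line.split(',') if h)
            continue
        flush()  # any pending hex value ends at the first non-hex line
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = HEX_RE.match(line)
        if m:
            hex_name = m.group(1)
            hex_bytes = [h for h in m.group(2).split(',') if h]
            continue
        m = STR_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\')
    flush()
    return keys


def suspicious_reason(path: str) -> Union[str, None]:
    """Heuristic (this example's assumption): autoruns that execute from a
    user profile or a temp directory were written without admin rights and
    deserve a look. It deliberately says nothing about system32."""
    p = path.lower()
    if '\\documents and settings\\' in p:
        return 'executes from a user profile directory'
    if '\\temp\\' in p:
        return 'executes from a temp directory'
    return None


def triage_autoruns(text: str) -> List[Tuple[str, str, str]]:
    """(value name, target path, reason) for every flagged Run-key entry."""
    findings = []
    for key, values in parse_reg_dump(text).items():
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        for name, value in values.items():
            if isinstance(value, str):
                reason = suspicious_reason(value)
                if reason:
                    findings.append((name, value, reason))
    return findings


def decode_hex_values(text: str) -> Dict[str, str]:
    """Decode every hex: value as Latin-1 so its bytes are visible as text."""
    return {name: value.decode('latin-1')
            for values in parse_reg_dump(text).values()
            for name, value in values.items() if isinstance(value, bytes)}


if __name__ == '__main__':
    for name, path, reason in triage_autoruns(SAMPLE_LOG):
        print(f'FLAG {name!r} -> {path} ({reason})')
    for name, decoded in decode_hex_values(SAMPLE_LOG).items():
        print(f'{name} = {decoded!r} ({len(decoded)} bytes)')
```

Run against the sample it flags drvsyskit and mule_st_key but not german.exe, because wintems.exe sits in system32; a location rule alone cannot catch that one, which is why the scanner's own verdict (Rootkit.Bagle on all three values in the Malwarebytes log) still matters. The locked-key value decodes to 36 bytes of lowercase letters followed by a NUL and a "w"; the example makes no claim about what that string encodes.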




#1
June 2, 2009 at 07:31:02
Have you read ComboFix's disclaimer? What does it say?


#2
June 2, 2009 at 09:01:44
ComboFix's disclaimer?

That's merely a disclaimer of warranty on software. I don't understand how your reply helps me in the slightest.

Unless, of course, you are trying to be sarcastic, in which case I will politely decline this particular help.

Please clarify.

Thank you.



#3
June 2, 2009 at 09:12:08
Yes, that was a sarcastic comment. Please don't run things on your own before you ask for help, as it creates more mess to clean up. Anyway, if you still need help, then follow these:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, rename avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right-clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window using the CTRL+V keyboard shortcut, or the "paste" option in the right-click menu. Click Run to run the script; the PC will reboot. After the reboot, a LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Can you also make a new HijackThis log and upload it to rapidshare.com? HijackThis: Here
