Severe Virus Attack, was blue-screening, fixed that but problems remain

batook · 03-Nov-2010, 06:58 PM #1

My computer (Win XP SP3 32-bit with all latest security updates) was recently infected by several viruses. I first noticed that it came to a crawl and then started popping off error messages. I closed down my programs and opened task manager to find over 100 running processes, and over 50 with suspicious names involving a combination of random letters and numbers. I used SUPERAntiSpyware in safe mode which found over 100 trojans. I deleted everything in the local settings/temp folder and windows/temp folders since this stuff often hides out in there. When I rebooted, I got (and still get) 5 "Error loading" messages from rundll32.exe trying to run DLLs I deleted (they *were* all in windows/system32: hjpqq6gxr.dll, oh8qijo.dll, zb3uia6zyl.dll, g58ifw.dll, and vcaezkz66f.dll).

After about 30 seconds from booting into windows, I would get a blue screen of death involving uhwkjbhbm.sys. I googled this file and got zero hits. I tried deleting it in safe mode and safe mode command prompt, but just got the "windows cannot access the specified device, path, or file" error. I went into the Recovery Console via Win XP setup CD and was able to delete it. Boot back into windows and now it's stable, but still very infected. HiJackThis and GMER worked, but dds.com gives the "windows cannot access the specified device, path, or file" error. I booted into safe mode command prompt and was able to run it as administrator and save the logs, but just know that those dds.com logs might not be ideal since they were run in safe mode.

AVG is still seeing 2 instances of svchost.exe as "Trojan horse SpamTool.FYS" and one instance of services.exe as "Trojan horse Generic17.BKCS" running in memory, but reports "object is inaccessible" when removal is attempted. If I delete everything in "docs and settings/user/local settings/temp" and "windows/temp", and then run AVG, it is able to terminate these memory threats, and then things seem pretty good (I had 5 days of uptime with no problems after doing this), but everything reappears when rebooted.

I see a lot of stuff in the HiJackThis log that was running in task manager after the initial attack, but I havn't messed with anything further and will await instructions before moving forward. Thanks in advance for any help. OK, log time:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:07:03 PM, on 11/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\!INTER~1\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\!Internet\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\!Internet\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\!Internet\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\!Internet\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\!Internet\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\!Internet\AVG10\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\!INTER~1\AVG10\avgrsx.exe
C:\Program Files\!Internet\AVG10\avgcsrvx.exe
C:\Program Files\!Internet\Malware Removal Tools\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\!Internet\AVG10\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HNUnOXRrcrc] C:\DOCUME~1\User\LOCALS~1\Temp\s1ngkajtm.exe
O4 - HKLM\..\Run: [HNUnOXRsrqf] C:\DOCUME~1\User\LOCALS~1\Temp\ybizhbxjer.exe
O4 - HKLM\..\Run: [HNUnOXRoc_] C:\DOCUME~1\User\LOCALS~1\Temp\gm5dl54.exe
O4 - HKLM\..\Run: [HNUnOXRqDW] C:\DOCUME~1\User\LOCALS~1\Temp\q5t31ae.exe
O4 - HKLM\..\Run: [Djofateb] rundll32.exe "C:\WINDOWS\iqibotax.dll",Startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\!Internet\AVG10\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uPc+MV0NlxAaXms] rundll32.exe C:\WINDOWS\system32\vcaezkz66f.dll, SystemServer
O4 - HKCU\..\Run: [uPc+MV0NMdaXms] rundll32.exe C:\WINDOWS\system32\g58ifw.dll, SystemServer
O4 - HKCU\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
O4 - HKCU\..\Run: [HNUnOXRspe] C:\DOCUME~1\User\LOCALS~1\Temp\winamp.exe
O4 - HKCU\..\Run: [HNUnOXRota] C:\DOCUME~1\User\LOCALS~1\Temp\install.exe
O4 - HKCU\..\Run: [MKeta] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [HNUnOXRrxe] C:\DOCUME~1\User\LOCALS~1\Temp\system.exe
O4 - HKCU\..\Run: [MKeuf] C:\WINDOWS\spoolsv.exe
O4 - HKCU\..\Run: [MKayc] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [MKcrc] C:\WINDOWS\login.exe
O4 - HKCU\..\Run: [MKcuc] C:\WINDOWS\lsass.exe
O4 - HKCU\..\Run: [HNUnOXRrcrc] C:\DOCUME~1\User\LOCALS~1\Temp\s1ngkajtm.exe
O4 - HKCU\..\Run: [HNUnOXRsa] C:\DOCUME~1\User\LOCALS~1\Temp\win.exe
O4 - HKCU\..\Run: [MKeg] C:\WINDOWS\smss.exe
O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [HNUnOXRruf] C:\DOCUME~1\User\LOCALS~1\Temp\spoolsv.exe
O4 - HKCU\..\Run: [uPc+MV0NadjaXms] rundll32.exe C:\WINDOWS\system32\zb3uia6zyl.dll, SystemServer
O4 - HKCU\..\Run: [HNUnOXRsrqf] C:\DOCUME~1\User\LOCALS~1\Temp\ybizhbxjer.exe
O4 - HKCU\..\Run: [HNUnOXRsPc] C:\DOCUME~1\User\LOCALS~1\Temp\win16.exe
O4 - HKCU\..\Run: [uPc+MV0NasaGuo] rundll32.exe C:\WINDOWS\system32\oh8qijo.dll, SystemServer
O4 - HKCU\..\Run: [HNUnOXRoMc] C:\DOCUME~1\User\LOCALS~1\Temp\gdi32.exe
O4 - HKCU\..\Run: [HNUnOXRnZ] C:\DOCUME~1\User\LOCALS~1\Temp\cmd.exe
O4 - HKCU\..\Run: [MKee] C:\WINDOWS\user.exe
O4 - HKCU\..\Run: [HNUnOXRrta] C:\DOCUME~1\User\LOCALS~1\Temp\services.exe
O4 - HKCU\..\Run: [MKbMc] C:\WINDOWS\gdi32.exe
O4 - HKCU\..\Run: [HNUnOXRre] C:\DOCUME~1\User\LOCALS~1\Temp\user.exe
O4 - HKCU\..\Run: [IJKUK66HMN] C:\WINDOWS\TEMP\Pm2.exe
O4 - HKCU\..\Run: [HNUnOXRoc_] C:\DOCUME~1\User\LOCALS~1\Temp\gm5dl54.exe
O4 - HKCU\..\Run: [HNUnOXRprc] C:\DOCUME~1\User\LOCALS~1\Temp\login.exe
O4 - HKCU\..\Run: [HNUnOXRrg] C:\DOCUME~1\User\LOCALS~1\Temp\smss.exe
O4 - HKCU\..\Run: [HNUnOXRpw+] C:\DOCUME~1\User\LOCALS~1\Temp\nvsvc32.exe
O4 - HKCU\..\Run: [HNUnOXRqDW] C:\DOCUME~1\User\LOCALS~1\Temp\q5t31ae.exe
O4 - HKCU\..\Run: [uPc+MV0NnffJsiv] rundll32.exe C:\WINDOWS\system32\hjpqq6gxr.dll, SystemServer
O4 - HKCU\..\Run: [HNUnOXRnsc] C:\DOCUME~1\User\LOCALS~1\Temp\drweb.exe
O4 - HKCU\..\Run: [HNUnOXRnoc] C:\DOCUME~1\User\LOCALS~1\Temp\debug.exe
O4 - HKCU\..\Run: [HNUnOXRpuc] C:\DOCUME~1\User\LOCALS~1\Temp\lsass.exe
O4 - HKCU\..\Run: [MKaoc] C:\WINDOWS\debug.exe
O4 - HKCU\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKCU\..\Run: [HNUnOXRmSc] C:\DOCUME~1\User\LOCALS~1\Temp\avp32.exe
O4 - HKCU\..\Run: [NtWqIVLZEWZU] C:\WINDOWS\TEMP\Pnd.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\!Internet\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [nwa569] C:\WINDOWS\TEMP\frggn0.exe
O4 - Startup: WinUpdate.lnk = C:\Documents and Settings\User\Application Data\Adobe\windllupl0\msftstp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\!Internet\AVG10\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\!Internet\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\!Internet\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\!Internet\AVG10\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 9653 bytes
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_09-09-29.01) - NTFSx86 MINIMAL
Run by Administrator at 15:41:48.20 on Wed 11/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.862 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\dds.com

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\!internet\avg10\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NWEReboot]
mRun: [<NO NAME>]
mRun: [HNUnOXRrcrc] c:\docume~1\user\locals~1\temp\s1ngkajtm.exe
mRun: [HNUnOXRsrqf] c:\docume~1\user\locals~1\temp\ybizhbxjer.exe
mRun: [HNUnOXRoc_] c:\docume~1\user\locals~1\temp\gm5dl54.exe
mRun: [HNUnOXRqDW] c:\docume~1\user\locals~1\temp\q5t31ae.exe
mRun: [Djofateb] rundll32.exe "c:\windows\iqibotax.dll",Startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG_TRAY] c:\program files\!internet\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mExplorerRun: [nwa569] c:\windows\temp\frggn0.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\!internet\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\!internet\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\!internet\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
S0 uhwkjbhbm;uhwkjbhbm; [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
S1 SASDIFSV;SASDIFSV;c:\program files\!internet\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\!internet\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\!internet\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-10-11 6104656]
S2 avgwd;AVG WatchDog;c:\program files\!internet\avg10\avgwdsvc.exe [2010-9-10 265400]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

=============== Created Last 30 ================

2010-11-03 13:28 472,808 a------- c:\windows\system32\deployJava1.dll
2010-11-03 13:28 73,728 a------- c:\windows\system32\javacpl.cpl
2010-10-26 17:29 306,688 a------- c:\windows\IsUninst.exe
2010-10-26 08:39 <DIR> --d-h--- C:\$AVG
2010-10-26 08:23 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\Common Files
2010-10-26 08:22 <DIR> --d----- c:\windows\system32\drivers\AVG
2010-10-26 08:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG10
2010-10-26 07:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-24 23:18 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE
2010-10-24 22:43 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-10-24 22:43 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache
2010-10-24 22:43 <DIR> --d----- c:\documents and settings\Administrator
2010-10-24 22:32 664 a------- c:\windows\system32\d3d9caps.dat
2010-10-24 22:11 54,784 a--shr-- c:\windows\system32\mtxclus.dll
2010-10-24 22:10 120 a------- c:\windows\Kjuxeqaluxoc.dat
2010-10-24 22:10 0 a------- c:\windows\Qduwoxewofes.bin
2010-10-19 07:32 <DIR> --d----- c:\program files\NCH Software
2010-10-16 12:46 721,904 a------- c:\windows\system32\drivers\sptd.sys
2010-10-10 12:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

==================== Find3M ====================

2010-10-24 22:11 210,816 a------- c:\windows\system32\drivers\ndis.sys
2010-09-18 12:23 974,848 a------- c:\windows\system32\mfc42u.dll
2010-09-18 00:53 974,848 a------- c:\windows\system32\mfc42.dll
2010-09-18 00:53 954,368 a------- c:\windows\system32\mfc40.dll
2010-09-18 00:53 953,856 a------- c:\windows\system32\mfc40u.dll
2010-09-13 16:27 25,680 a------- c:\windows\system32\drivers\AVGIDSEH.sys
2010-09-07 03:49 298,448 a------- c:\windows\system32\drivers\avgtdix.sys
2010-09-07 03:48 249,424 a------- c:\windows\system32\drivers\avgldx86.sys
2010-09-07 03:48 26,064 a------- c:\windows\system32\drivers\avgrkx86.sys
2010-09-01 05:51 285,824 a------- c:\windows\system32\atmfd.dll
2010-08-31 07:42 1,852,800 a------- c:\windows\system32\win32k.sys
2010-08-27 02:02 119,808 a------- c:\windows\system32\t2embed.dll
2010-08-26 19:04 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2010-08-26 07:37 21,640 a------- c:\windows\system32\emptyregdb.dat
2010-08-23 10:12 617,472 a------- c:\windows\system32\comctl32.dll
2010-08-17 07:17 58,880 a------- c:\windows\system32\spoolsv.exe

============= FINISH: 15:41:53.73 ===============
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-11-03 15:16:24
Windows 5.1.2600 Service Pack 3
Running: [GMER]741862uf.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kwriiuob.sys

---- System - GMER 1.0.15 ----

SSDT spvm.sys ZwCreateKey [0xF73DB0E0]
SSDT spvm.sys ZwEnumerateKey [0xF73F9CA4]
SSDT spvm.sys ZwEnumerateValueKey [0xF73FA032]
SSDT spvm.sys ZwOpenKey [0xF73DB0C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF4E6F6C0]
SSDT spvm.sys ZwQueryKey [0xF73FA10A]
SSDT spvm.sys ZwQueryValueKey [0xF73F9F8A]
SSDT spvm.sys ZwSetValueKey [0xF73FA19C]
SSDT \??\C:\Program Files\!Internet\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA6CA620]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF4E6F810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF4E6F8B0]

INT 0x62 ? 867D9BF8
INT 0x63 ? 867D9BF8
INT 0x73 ? 867D9BF8
INT 0x82 ? 867D9BF8
INT 0xA4 ? 860FAF00
INT 0xB4 ? 8676FBF8

Code 8639B0E0 pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? spvm.sys The system cannot find the file specified. !
.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x8636E200, 0x3252A, 0xE0000060]
.text USBPORT.SYS!DllUnload F22B68AC 5 Bytes JMP 860FA4E0
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF2189900]

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\svchost.exe[3964] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[3972] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8676A1F8

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Fastfat \FatCdrom 860D4500
Device \Driver\NDIS \Device\Ndis [86375984] NDIS.sys[.reloc]

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbohci \Device\USBPDO-0 86096500
Device \Driver\usbohci \Device\USBPDO-1 86096500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 867DA1F8
Device \Driver\dmio \Device\DmControl\DmConfig 867DA1F8
Device \Driver\dmio \Device\DmControl\DmPnP 867DA1F8
Device \Driver\dmio \Device\DmControl\DmInfo 867DA1F8
Device \Driver\usbehci \Device\USBPDO-2 861D11F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8676D1F8
Device \Driver\Cdrom \Device\CdRom0 860971F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8676D1F8
Device \Driver\Cdrom \Device\CdRom1 860971F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8676D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8676D1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{24068983-2B1F-4825-A8B1-2023502FB065} 8576C1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8576C1F8
Device \Driver\NetBT \Device\NetbiosSmb 8576C1F8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbohci \Device\USBFDO-0 86096500
Device \Driver\usbohci \Device\USBFDO-1 86096500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 857691F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D8812E02-A73D-4A25-A791-612F8CAE72BB} 8576C1F8
Device \Driver\usbehci \Device\USBFDO-2 861D11F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 857691F8
Device \Driver\Ftdisk \Device\FtControl 8676D1F8
Device \Driver\SI3112 \Device\Scsi\SI31121 8676B1F8
Device \FileSystem\Fastfat \Fat 860D4500

AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Cdfs \Cdfs 860C8500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C 90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C 90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C 90D04@ujdew 0x7D 0x77 0x3C 0x51 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\NdisWanIp@ LLInterface WANARP
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\NdisWanIp@ IpConfig Tcpip\Parameters\Interfaces\{3BFAABFD-2514-47B4-8AD6-7C0AC5AA0972}?Tcpip\Parameters\Interfaces\{8E587865-D26B-40E0-9B5E-17853AAF0FE6}?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\NdisWanIp@ NumInterfaces 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{24068983-2B1F-4825-A8B1-2023502FB065}@LLInterface
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{24068983-2B1F-4825-A8B1-2023502FB065}@IpConfig Tcpip\Parameters\Interfaces\{24068983-2B1F-4825-A8B1-2023502FB065}?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{7A33945E-5784-4996-9A2E-3EB9D9128548}@LLInterface ARP1394
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{7A33945E-5784-4996-9A2E-3EB9D9128548}@IpConfig Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{D8812E02-A73D-4A25-A791-612F8CAE72BB}@LLInterface
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{D8812E02-A73D-4A25-A791-612F8CAE72BB}@IpConfig Tcpip\Parameters\Interfaces\{D8812E02-A73D-4A25-A791-612F8CAE72BB}?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3BFAABF D-2514-47B4-8AD6-7C0AC5AA0972}@UseZeroBroadcast 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3BFAABF D-2514-47B4-8AD6-7C0AC5AA0972}@EnableDHCP 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3BFAABF D-2514-47B4-8AD6-7C0AC5AA0972}@IPAddress 0.0.0.0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3BFAABF D-2514-47B4-8AD6-7C0AC5AA0972}@SubnetMask 0.0.0.0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3BFAABF D-2514-47B4-8AD6-7C0AC5AA0972}@DefaultGateway
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3BFAABF D-2514-47B4-8AD6-7C0AC5AA0972}@EnableDeadGWDetect 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3BFAABF D-2514-47B4-8AD6-7C0AC5AA0972}@DontAddDefaultGateway 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A33945 E-5784-4996-9A2E-3EB9D9128548}@UseZeroBroadcast 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A33945 E-5784-4996-9A2E-3EB9D9128548}@EnableDHCP 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A33945 E-5784-4996-9A2E-3EB9D9128548}@IPAddress 0.0.0.0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A33945 E-5784-4996-9A2E-3EB9D9128548}@SubnetMask 0.0.0.0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A33945 E-5784-4996-9A2E-3EB9D9128548}@DefaultGateway
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A33945 E-5784-4996-9A2E-3EB9D9128548}@DefaultGatewayMetric
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A33945 E-5784-4996-9A2E-3EB9D9128548}@NameServer
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A33945 E-5784-4996-9A2E-3EB9D9128548}@Domain
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A33945 E-5784-4996-9A2E-3EB9D9128548}@RegistrationEnabled 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A33945 E-5784-4996-9A2E-3EB9D9128548}@RegisterAdapterName 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A33945 E-5784-4996-9A2E-3EB9D9128548}@TCPAllowedPorts 0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A33945 E-5784-4996-9A2E-3EB9D9128548}@UDPAllowedPorts 0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A33945 E-5784-4996-9A2E-3EB9D9128548}@RawIPAllowedProtocols 0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8E58786 5-D26B-40E0-9B5E-17853AAF0FE6}@UseZeroBroadcast 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8E58786 5-D26B-40E0-9B5E-17853AAF0FE6}@EnableDHCP 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8E58786 5-D26B-40E0-9B5E-17853AAF0FE6}@IPAddress 0.0.0.0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8E58786 5-D26B-40E0-9B5E-17853AAF0FE6}@SubnetMask 0.0.0.0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8E58786 5-D26B-40E0-9B5E-17853AAF0FE6}@DefaultGateway
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8E58786 5-D26B-40E0-9B5E-17853AAF0FE6}@EnableDeadGWDetect 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8E58786 5-D26B-40E0-9B5E-17853AAF0FE6}@DontAddDefaultGateway 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D0 4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D0 4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D0 4@ujdew 0x7D 0x77 0x3C 0x51 ...
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Adapters\NdisWanIp@LLIn terface WANARP
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Adapters\NdisWanIp@IpCo nfig Tcpip\Parameters\Interfaces\{3BFAABFD-2514-47B4-8AD6-7C0AC5AA0972}?Tcpip\Parameters\Interfaces\{8E587865-D26B-40E0-9B5E-17853AAF0FE6}?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Adapters\NdisWanIp@NumI nterfaces 2
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Adapters\{24068983-2B1F-4825-A8B1-2023502FB065}@LLInterface
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Adapters\{24068983-2B1F-4825-A8B1-2023502FB065}@IpConfig Tcpip\Parameters\Interfaces\{24068983-2B1F-4825-A8B1-2023502FB065}?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Adapters\{7A33945E-5784-4996-9A2E-3EB9D9128548}@LLInterface ARP1394
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Adapters\{7A33945E-5784-4996-9A2E-3EB9D9128548}@IpConfig Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Adapters\{D8812E02-A73D-4A25-A791-612F8CAE72BB}@LLInterface
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Adapters\{D8812E02-A73D-4A25-A791-612F8CAE72BB}@IpConfig Tcpip\Parameters\Interfaces\{D8812E02-A73D-4A25-A791-612F8CAE72BB}?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3BFAABFD-2514-47B4-8AD6-7C0AC5AA0972}@UseZeroBroadcast 0
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3BFAABFD-2514-47B4-8AD6-7C0AC5AA0972}@EnableDHCP 0
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3BFAABFD-2514-47B4-8AD6-7C0AC5AA0972}@IPAddress 0.0.0.0?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3BFAABFD-2514-47B4-8AD6-7C0AC5AA0972}@SubnetMask 0.0.0.0?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3BFAABFD-2514-47B4-8AD6-7C0AC5AA0972}@DefaultGateway
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3BFAABFD-2514-47B4-8AD6-7C0AC5AA0972}@EnableDeadGWDetect 1
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3BFAABFD-2514-47B4-8AD6-7C0AC5AA0972}@DontAddDefaultGateway 0
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}@UseZeroBroadcast 0
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}@EnableDHCP 1
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}@IPAddress 0.0.0.0?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}@SubnetMask 0.0.0.0?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}@DefaultGateway
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}@DefaultGatewayMetric
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}@NameServer
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}@Domain
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}@RegistrationEnabled 1
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}@RegisterAdapterName 0
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}@TCPAllowedPorts 0?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}@UDPAllowedPorts 0?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7A33945E-5784-4996-9A2E-3EB9D9128548}@RawIPAllowedProtocols 0?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8E587865-D26B-40E0-9B5E-17853AAF0FE6}@UseZeroBroadcast 0
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8E587865-D26B-40E0-9B5E-17853AAF0FE6}@EnableDHCP 0
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8E587865-D26B-40E0-9B5E-17853AAF0FE6}@IPAddress 0.0.0.0?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8E587865-D26B-40E0-9B5E-17853AAF0FE6}@SubnetMask 0.0.0.0?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8E587865-D26B-40E0-9B5E-17853AAF0FE6}@DefaultGateway
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8E587865-D26B-40E0-9B5E-17853AAF0FE6}@EnableDeadGWDetect 1
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8E587865-D26B-40E0-9B5E-17853AAF0FE6}@DontAddDefaultGateway 0

---- EOF - GMER 1.0.15 ----

kevinf80 · 04-Nov-2010, 08:14 AM #2

Hello batook,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.

Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc etc, please uninstall them before we begin.
If you are using Cracked or Illegal software your thread will be locked and all help will cease.

Please proceed as follows :-

Step 1

Please re-open HiJackThis and scan only.**Check the boxes next to all the entries listed below. <---- Make sure you only select listed items

O4 - HKLM\..\Run: [HNUnOXRrcrc] C:\DOCUME~1\User\LOCALS~1\Temp\s1ngkajtm.exe
O4 - HKLM\..\Run: [HNUnOXRsrqf] C:\DOCUME~1\User\LOCALS~1\Temp\ybizhbxjer.exe
O4 - HKLM\..\Run: [HNUnOXRoc_] C:\DOCUME~1\User\LOCALS~1\Temp\gm5dl54.exe
O4 - HKLM\..\Run: [HNUnOXRqDW] C:\DOCUME~1\User\LOCALS~1\Temp\q5t31ae.exe
O4 - HKLM\..\Run: [Djofateb] rundll32.exe "C:\WINDOWS\iqibotax.dll",Startup
O4 - HKCU\..\Run: [uPc+MV0NlxAaXms] rundll32.exe C:\WINDOWS\system32\vcaezkz66f.dll, SystemServer
O4 - HKCU\..\Run: [uPc+MV0NMdaXms] rundll32.exe C:\WINDOWS\system32\g58ifw.dll, SystemServer
O4 - HKCU\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
O4 - HKCU\..\Run: [HNUnOXRspe] C:\DOCUME~1\User\LOCALS~1\Temp\winamp.exe
O4 - HKCU\..\Run: [HNUnOXRota] C:\DOCUME~1\User\LOCALS~1\Temp\install.exe
O4 - HKCU\..\Run: [MKeta] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [HNUnOXRrxe] C:\DOCUME~1\User\LOCALS~1\Temp\system.exe
O4 - HKCU\..\Run: [MKeuf] C:\WINDOWS\spoolsv.exe
O4 - HKCU\..\Run: [MKayc] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [MKcrc] C:\WINDOWS\login.exe
O4 - HKCU\..\Run: [MKcuc] C:\WINDOWS\lsass.exe
O4 - HKCU\..\Run: [HNUnOXRrcrc] C:\DOCUME~1\User\LOCALS~1\Temp\s1ngkajtm.exe
O4 - HKCU\..\Run: [HNUnOXRsa] C:\DOCUME~1\User\LOCALS~1\Temp\win.exe
O4 - HKCU\..\Run: [MKeg] C:\WINDOWS\smss.exe
O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [HNUnOXRruf] C:\DOCUME~1\User\LOCALS~1\Temp\spoolsv.exe
O4 - HKCU\..\Run: [uPc+MV0NadjaXms] rundll32.exe C:\WINDOWS\system32\zb3uia6zyl.dll, SystemServer
O4 - HKCU\..\Run: [HNUnOXRsrqf] C:\DOCUME~1\User\LOCALS~1\Temp\ybizhbxjer.exe
O4 - HKCU\..\Run: [HNUnOXRsPc] C:\DOCUME~1\User\LOCALS~1\Temp\win16.exe
O4 - HKCU\..\Run: [uPc+MV0NasaGuo] rundll32.exe C:\WINDOWS\system32\oh8qijo.dll, SystemServer
O4 - HKCU\..\Run: [HNUnOXRoMc] C:\DOCUME~1\User\LOCALS~1\Temp\gdi32.exe
O4 - HKCU\..\Run: [HNUnOXRnZ] C:\DOCUME~1\User\LOCALS~1\Temp\cmd.exe
O4 - HKCU\..\Run: [MKee] C:\WINDOWS\user.exe
O4 - HKCU\..\Run: [HNUnOXRrta] C:\DOCUME~1\User\LOCALS~1\Temp\services.exe
O4 - HKCU\..\Run: [MKbMc] C:\WINDOWS\gdi32.exe
O4 - HKCU\..\Run: [HNUnOXRre] C:\DOCUME~1\User\LOCALS~1\Temp\user.exe
O4 - HKCU\..\Run: [IJKUK66HMN] C:\WINDOWS\TEMP\Pm2.exe
O4 - HKCU\..\Run: [HNUnOXRoc_] C:\DOCUME~1\User\LOCALS~1\Temp\gm5dl54.exe
O4 - HKCU\..\Run: [HNUnOXRprc] C:\DOCUME~1\User\LOCALS~1\Temp\login.exe
O4 - HKCU\..\Run: [HNUnOXRrg] C:\DOCUME~1\User\LOCALS~1\Temp\smss.exe
O4 - HKCU\..\Run: [HNUnOXRpw+] C:\DOCUME~1\User\LOCALS~1\Temp\nvsvc32.exe
O4 - HKCU\..\Run: [HNUnOXRqDW] C:\DOCUME~1\User\LOCALS~1\Temp\q5t31ae.exe
O4 - HKCU\..\Run: [uPc+MV0NnffJsiv] rundll32.exe C:\WINDOWS\system32\hjpqq6gxr.dll, SystemServer
O4 - HKCU\..\Run: [HNUnOXRnsc] C:\DOCUME~1\User\LOCALS~1\Temp\drweb.exe
O4 - HKCU\..\Run: [HNUnOXRnoc] C:\DOCUME~1\User\LOCALS~1\Temp\debug.exe
O4 - HKCU\..\Run: [HNUnOXRpuc] C:\DOCUME~1\User\LOCALS~1\Temp\lsass.exe
O4 - HKCU\..\Run: [MKaoc] C:\WINDOWS\debug.exe
O4 - HKCU\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKCU\..\Run: [HNUnOXRmSc] C:\DOCUME~1\User\LOCALS~1\Temp\avp32.exe
O4 - HKCU\..\Run: [NtWqIVLZEWZU] C:\WINDOWS\TEMP\Pnd.exe
O4 - HKLM\..\Policies\Explorer\Run: [nwa569] C:\WINDOWS\TEMP\frggn0.exe

Now close all windows other than HiJackThis, then click Fix Checked.**Close HiJackThis.**Reboot into Safe Mode with Networking.

Re-boot PC and continuously tap the F8 key until you see the Windows Advanced Menu screen. From the available options, choose - Safe Mode with Networking

When you have a stable Desktop proceed as follows :-

Step 1

Please download OTM by OldTimer.
Alternative Mirror
Save it to your desktop.
Double click OTM.exe to start the tool.

Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

-------------------------------------------------------------------

:Files
ipconfig /flushdns /c
C:\WINDOWS\iqibotax.dll
C:\WINDOWS\system32\vcaezkz66f.dll
C:\WINDOWS\system32\g58ifw.dll
C:\WINDOWS\avp.exe
C:\WINDOWS\taskmgr.exe
C:\WINDOWS\services.exe
C:\WINDOWS\spoolsv.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\login.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\win32.exe
C:\WINDOWS\system32\zb3uia6zyl.dll
C:\WINDOWS\system32\oh8qijo.dll
C:\WINDOWS\user.exe
C:\WINDOWS\gdi32.exe
C:\WINDOWS\debug.exe
C:\WINDOWS\setup.exe
:Services
uhwkjbhbm
:Commands
[EmptyFlash]
[EmptyTemp]
[Purity]
[ResetHosts]

---------------------------------------------------------------------
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Let PC re-boot to normal mode.

Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alernative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don`t forget Combofix must be saved to your desktop. <--Very important

Ensure you have disabledyour Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*

If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

What i`d like to see in your reply :-

Log frrom OTM
Log from Malwarebytes
Log from Combofix

Kevin

batook · 04-Nov-2010, 11:06 AM #3

Hi Kevin. Thanks for your help and the quick reply; I really appreciate it.

HiJackThis fixed the checked items fine, and OTM ran your script OK (it needed a reboot but the log was saved where you said it would be). However, after running OTM, I now get a new "Error loading C:\WINDOWS\iqibotax.dll The specified module could not be found." message (since OTM moved that file out of the windows directory). I installed and updated MBAM, but after the update I got an error message from "regsvr32.exe": "Windows cannot access the specific device, path or file. You may not have the appropriate permissions to access the item." MBAM opened fine though after that and I ran the quick scan and saved the log.

Combofix didn't work. I made sure to disable windows firewall, AVG resident protection, and SUPERAntiSpyware first. When running Combofix, I got several error messages. The first was "32788R22FWJFW\iexplore.exe: Windows cannot access the specific device, path or file..." I clicked "OK" and this popped up about 4 more times after repeatedly clicking OK. Then I got the same error from "32788R22FWJFW\n.pif" and "32788R22FWJFW\hidec.exe", and it would alternate between them after clicking "OK" for about 5 times each. Then I got a "Windows cannot open this file" error for "nircmd.cfxxe" and it asked which program I wanted to use to open it. I tried to point windows to C:\32788R22FWJFW\NirCmd.cfxxe" and it opened NirCmd, but then asked for its location again 2 more times. Then it finished and the system was idle. No log was created in C:\

Thanks for your help thus far. Here are the OTM and MBAM logs:
--------------------------------------------------------------------------------------------------------------------------------------------
All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\User\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\User\Desktop\cmd.txt deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\iqibotax.dll
C:\WINDOWS\iqibotax.dll moved successfully.
File/Folder C:\WINDOWS\system32\vcaezkz66f.dll not found.
File/Folder C:\WINDOWS\system32\g58ifw.dll not found.
File/Folder C:\WINDOWS\avp.exe not found.
File/Folder C:\WINDOWS\taskmgr.exe not found.
File/Folder C:\WINDOWS\services.exe not found.
File/Folder C:\WINDOWS\spoolsv.exe not found.
File/Folder C:\WINDOWS\csrss.exe not found.
File/Folder C:\WINDOWS\login.exe not found.
File/Folder C:\WINDOWS\lsass.exe not found.
File/Folder C:\WINDOWS\smss.exe not found.
File/Folder C:\WINDOWS\win32.exe not found.
File/Folder C:\WINDOWS\system32\zb3uia6zyl.dll not found.
File/Folder C:\WINDOWS\system32\oh8qijo.dll not found.
File/Folder C:\WINDOWS\user.exe not found.
File/Folder C:\WINDOWS\gdi32.exe not found.
File/Folder C:\WINDOWS\debug.exe not found.
File/Folder C:\WINDOWS\setup.exe not found.
========== SERVICES/DRIVERS ==========
Service uhwkjbhbm stopped successfully!
Service uhwkjbhbm deleted successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 204227 bytes
->Temporary Internet Files folder emptied: 222534 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 36425 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: User
->Temp folder emptied: 383582 bytes
->Temporary Internet Files folder emptied: 72999423 bytes
->Java cache emptied: 128094 bytes
->Flash cache emptied: 19516 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 255 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 66299914 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 136.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTM by OldTimer - Version 3.1.17.2 log created on 11042010_075103

--------------------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5043

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/4/2010 8:02:56 AM
mbam-log-2010-11-04 (08-02-56).txt

Scan type: Quick scan
Objects scanned: 138945
Time elapsed: 2 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b6ba 40c1-a501-59bd-f413-03b03a2c8952} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MSoftware (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SMH2B46TDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IJKUK66HMN (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Inter faces\{d8812e02-a73d-4a25-a791-612f8cae72bb}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.242,93.188.160.242 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Startup\WinUpdate.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------------------------------------------------------------------

kevinf80 · 04-Nov-2010, 01:01 PM #4

Hiya batook,

Proceed as follows please :-

Step 1

Please download Rkill by Grinler and save it to your desktop.

Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.

Step2

Delete Combofix from your Desktop and download a fresh copy from either of the following links:

Link 1
Link 2

This time before saving to your Desktop rename it to Gotcha.exe, as below:

How to use Combofix

Ensure you have disabledyour Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*

If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Kevin

batook · 04-Nov-2010, 01:39 PM #5

Hi Kevin,

No dice. rkill ran and terminated some processes, but none of them appear to be malware. I saved the new copy of ComboFix.exe as Gotcha.exe and ran it after disabling all resident protection and firewalls, but I had the same series of error messages I posted above. By the way, the first link to rkill.pif appears to be dead, so I ran the rkill.scr version. After that failed to work, I subsequently tried the .com and .exe versions, but they behaved the same as the .scr. Here's the rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as User on 11/04/2010 at 11:24:39.

Services Stopped:

Processes terminated by Rkill or while it was running:

C:\PROGRA~1\!INTER~1\AVG10\avgchsvx.exe
C:\PROGRA~1\!INTER~1\AVG10\avgrsx.exe
C:\Program Files\!Internet\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\!Internet\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\!Internet\AVG10\avgnsx.exe
C:\Documents and Settings\User\Desktop\rkill.scr

Rkill completed on 11/04/2010 at 11:24:43.

kevinf80 · 04-Nov-2010, 02:02 PM #6

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Then try running CF again if successful......

batook · 04-Nov-2010, 02:14 PM #7

Ran exeHelper.com and then tried downloading ComboFix.exe again and this time named it CF.exe, but I still have the same errors when I try to run it.

exeHelper by Raktor
Build 20100414
Run at 12:10:40 on 11/04/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

kevinf80 · 04-Nov-2010, 07:28 PM #8

Hiya batook,

Please proceed as follows :-

Step 1

Download

TFC to your desktop, from either of the following links
Link 1
Link 2

Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Step 2

Download

OTL from any of the following links and save to your Desktop:

Link 1
Link 2
Link 3

Double click on the icon to run it. Vista and Windows 7 users right click and select Run as Administrator. Make sure all other windows are closed and to let it run uninterrupted.
In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".

Under the Custom Scan box paste this in

Code:

      netsvcs
      drivers32
      %SYSTEMDRIVE%\*.*
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\System32\config\*.sav
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your reply

Copy and paste OTL Txt and ExtrasTxt in your reply.

Kevin

batook · 04-Nov-2010, 08:40 PM #9

Thank you Kevin. Both TFC and OTL ran smoothly. Here are the OTL logs:

OTL logfile created on: 11/4/2010 6:08:37 PM - Run 1
OTL by OldTimer - Version 3.2.17.2 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 614.00 Mb Available Physical Memory | 60.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 5120 5120 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 59.61 Gb Total Space | 32.88 Gb Free Space | 55.16% Space Free | Partition Type: NTFS
Drive D: | 698.64 Gb Total Space | 494.09 Gb Free Space | 70.72% Space Free | Partition Type: NTFS
Drive X: | 931.51 Gb Total Space | 351.52 Gb Free Space | 37.74% Space Free | Partition Type: NTFS
Drive Z: | 931.51 Gb Total Space | 422.05 Gb Free Space | 45.31% Space Free | Partition Type: NTFS

Computer Name: HAIR-DRYER | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/04 17:59:57 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2010/10/11 12:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\!Internet\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2010/10/11 12:58:12 | 000,725,072 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\!Internet\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2010/10/06 17:24:38 | 000,652,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\!Internet\AVG10\avgrsx.exe
PRC - [2010/10/06 17:24:36 | 001,065,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\!Internet\AVG10\avgnsx.exe
PRC - [2010/10/06 17:24:08 | 000,647,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\!Internet\AVG10\avgchsvx.exe
PRC - [2010/09/15 05:29:10 | 002,745,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\!Internet\AVG10\avgtray.exe
PRC - [2010/09/10 01:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\!Internet\AVG10\avgwdsvc.exe
PRC - [2008/04/14 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010/11/04 17:59:57 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2010/10/11 12:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\!Internet\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2010/09/10 01:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\!Internet\AVG10\avgwdsvc.exe -- (avgwd)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | On_Demand | Stopped] -- G:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - [2010/10/24 22:11:18 | 000,210,816 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\ndis.sys -- (NDIS)
DRV - [2010/10/16 12:46:58 | 000,721,904 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/09/13 16:27:24 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/09/07 03:49:00 | 000,298,448 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010/09/07 03:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/09/07 03:48:54 | 000,249,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/09/07 03:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2010/08/19 21:42:38 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010/08/19 21:42:36 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/19 21:42:34 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010/05/10 12:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\!Internet\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 12:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\!Internet\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/01 11:20:34 | 000,026,024 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2008/04/13 14:04:16 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/01/25 23:55:32 | 000,017,328 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys -- (SiFilter)
DRV - [2007/01/25 23:55:26 | 000,012,464 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiRemFil.sys -- (SiRemFil)
DRV - [2007/01/25 23:55:08 | 000,069,168 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SI3112.sys -- (SI3112)
DRV - [2004/06/21 02:53:20 | 000,626,204 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/06/02 20:40:46 | 000,079,360 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2004/05/17 00:00:54 | 000,012,928 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2004/05/17 00:00:52 | 000,033,280 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2004/04/13 06:14:12 | 000,070,144 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/02/23 21:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/11/06 22:00:00 | 000,035,328 | R--- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2003/10/28 23:02:00 | 000,021,120 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{D7059923-9107-433B-9EED-EDFE7C5AACE3}: C:\Documents and Settings\User\Local Settings\Application Data\{D7059923-9107-433B-9EED-EDFE7C5AACE3} [2010/10/24 22:10:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\!Internet\AVG10\Firefox\ [2010/10/26 08:22:39 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/11/04 07:51:27 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\!Internet\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\!Internet\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Djofateb] C:\WINDOWS\iqibotax.DLL File not found
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\!Internet\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\!Internet\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\!Internet\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\!Internet\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/08/26 07:39:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{7d93e175-b0e3-11df-aaee-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{7d93e175-b0e3-11df-aaee-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7d93e175-b0e3-11df-aaee-806d6172696f}\Shell\AutoRun\command - "" = G:\Setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (autocheck C:\PROGRA~1\!INTER~1\AVG10\avgchsvx.exe /sync) - File not found
O34 - HKLM BootExecute: (autocheck C:\PROGRA~1\!INTER~1\AVG10\avgrsx.exe /sync /restart) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.ac3filter - C:\WINDOWS\System32\ac3filter.acm ()
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.ffds - C:\WINDOWS\System32\ffdshow.ax ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Unable to start service SrService!

========== Files/Folders - Created Within 30 Days ==========

[2010/11/04 18:00:32 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/11/04 18:00:32 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\TFC.exe
[2010/11/04 14:14:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\malware logs - 3rd round
[2010/11/04 12:11:41 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/11/04 11:19:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\rkill
[2010/11/04 08:40:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\malware logs - 2nd round
[2010/11/04 07:57:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Malwarebytes
[2010/11/04 07:57:11 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/04 07:57:11 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/04 07:57:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/11/04 07:51:03 | 000,000,000 | ---D | C] -- C:\_OTM
[2010/11/04 07:22:42 | 000,519,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTM.exe
[2010/11/03 20:41:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\malware logs - 1st round
[2010/11/03 13:29:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/11/03 13:29:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/11/03 13:29:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/11/03 13:28:58 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/11/03 13:28:58 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/11/03 13:28:58 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/11/03 13:28:58 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/11/03 13:28:58 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/11/03 13:28:52 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/11/03 13:26:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Sun
[2010/10/26 17:29:55 | 000,306,688 | ---- | C] (InstallShield Software Corporation) -- C:\WINDOWS\IsUninst.exe
[2010/10/26 08:39:52 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/10/26 08:30:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\AVG10
[2010/10/26 08:23:02 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/10/26 08:22:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2010/10/26 08:22:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\AVG
[2010/10/26 07:55:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/10/26 07:12:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/10/24 23:23:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/10/24 23:13:03 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/10/24 22:10:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\{D7059923-9107-433B-9EED-EDFE7C5AACE3}
[2010/10/10 12:36:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
[2010/10/10 12:36:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2004/11/24 12:25:52 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\drvc.dll

========== Files - Modified Within 30 Days ==========

[2010/11/04 18:05:55 | 000,000,298 | -HS- | M] () -- C:\WINDOWS\tasks\Rbitd.job
[2010/11/04 18:05:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/04 18:05:51 | 1073,270,784 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/04 17:59:57 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/11/04 17:58:55 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\TFC.exe
[2010/11/04 16:34:24 | 098,428,925 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2010/11/04 14:16:06 | 000,002,729 | ---- | M] () -- C:\Documents and Settings\User\Desktop\HiJackThis.lnk
[2010/11/04 12:10:17 | 000,294,400 | ---- | M] () -- C:\Documents and Settings\User\Desktop\exeHelper.com
[2010/11/04 11:26:36 | 003,902,849 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Gotcha.exe
[2010/11/04 11:24:23 | 000,364,032 | ---- | M] () -- C:\Documents and Settings\User\Desktop\rkill.scr
[2010/11/04 07:57:14 | 000,000,948 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/04 07:00:06 | 000,519,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTM.exe
[2010/11/04 06:25:05 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Kjuxeqaluxoc.dat
[2010/11/04 06:25:05 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Qduwoxewofes.bin
[2010/11/03 13:39:28 | 000,294,912 | ---- | M] () -- C:\Documents and Settings\User\Desktop\[GMER]741862uf.exe
[2010/11/03 13:28:53 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/11/03 13:28:53 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/11/03 13:28:53 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/11/03 13:28:53 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/11/03 13:28:53 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/11/03 12:41:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/01 21:11:19 | 000,000,426 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2010/10/28 18:12:45 | 000,000,726 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk
[2010/10/26 09:50:54 | 000,094,272 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/26 09:06:55 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/10/24 22:32:30 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/24 22:11:28 | 000,054,784 | RHS- | M] () -- C:\WINDOWS\System32\mtxclus.dll
[2010/10/24 22:11:18 | 000,210,816 | ---- | M] () -- C:\WINDOWS\System32\drivers\ndis.sys
[2010/10/24 22:11:18 | 000,210,816 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ndis.sys
[2010/10/16 12:46:58 | 000,721,904 | ---- | M] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2010/10/10 12:36:22 | 000,001,814 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

========== Files Created - No Company Name ==========

[2010/11/04 16:34:24 | 098,428,925 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2010/11/04 12:10:16 | 000,294,400 | ---- | C] () -- C:\Documents and Settings\User\Desktop\exeHelper.com
[2010/11/04 11:26:36 | 003,902,849 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Gotcha.exe
[2010/11/04 11:24:23 | 000,364,032 | ---- | C] () -- C:\Documents and Settings\User\Desktop\rkill.scr
[2010/11/04 07:57:14 | 000,000,948 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/04 07:54:30 | 1073,270,784 | -HS- | C] () -- C:\hiberfil.sys
[2010/11/03 20:51:44 | 000,421,888 | ---- | C] () -- C:\WINDOWS\System32\ac3filter.acm
[2010/11/03 14:28:03 | 000,294,912 | ---- | C] () -- C:\Documents and Settings\User\Desktop\[GMER]741862uf.exe
[2010/11/03 14:05:45 | 000,002,729 | ---- | C] () -- C:\Documents and Settings\User\Desktop\HiJackThis.lnk
[2010/10/26 08:22:58 | 000,000,726 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk
[2010/10/24 22:32:30 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/24 22:11:30 | 000,000,298 | -HS- | C] () -- C:\WINDOWS\tasks\Rbitd.job
[2010/10/24 22:11:28 | 000,054,784 | RHS- | C] () -- C:\WINDOWS\System32\mtxclus.dll
[2010/10/24 22:10:53 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Kjuxeqaluxoc.dat
[2010/10/24 22:10:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Qduwoxewofes.bin
[2010/10/16 12:46:58 | 000,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2010/10/10 12:36:22 | 000,001,814 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/08/28 18:00:28 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2010/08/26 08:01:56 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2010/08/26 01:33:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/12/19 08:15:58 | 004,338,246 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/12/17 10:41:18 | 000,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008/12/17 10:22:58 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008/12/17 10:22:48 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/17 10:17:34 | 000,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008/12/17 09:59:54 | 000,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/04/14 06:00:00 | 000,210,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\ndis.sys
[2004/10/03 10:50:54 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ff_mpeg2enc.dll

========== LOP Check ==========

[2010/10/28 12:45:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2010/10/26 08:23:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/09/19 09:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FlashFXP
[2010/10/26 08:22:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/10/18 21:48:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/02 13:01:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/10/26 08:30:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\AVG10
[2010/11/04 18:05:55 | 000,000,298 | -HS- | M] () -- C:\WINDOWS\Tasks\Rbitd.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2010/08/26 07:39:12 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/08/26 07:36:00 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/11/04 18:05:51 | 1073,270,784 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/26 07:39:12 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/08/26 07:39:12 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 06:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/11/04 18:05:51 | 1073,741,823 | -HS- | M] () -- C:\pagefile.sys
[2010/11/04 12:10:27 | 000,000,597 | ---- | M] () -- C:\rkill.log

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2010/08/26 01:31:30 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/08/26 01:31:30 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/08/26 01:31:30 | 000,917,504 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install\\LastSuccessTime: 2010-10-26 15:06:59

========== Alternate Data Streams ==========

@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C8B8CEBD

< End of report >
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
OTL Extras logfile created on: 11/4/2010 6:08:37 PM - Run 1
OTL by OldTimer - Version 3.2.17.2 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 614.00 Mb Available Physical Memory | 60.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 5120 5120 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 59.61 Gb Total Space | 32.88 Gb Free Space | 55.16% Space Free | Partition Type: NTFS
Drive D: | 698.64 Gb Total Space | 494.09 Gb Free Space | 70.72% Space Free | Partition Type: NTFS
Drive X: | 931.51 Gb Total Space | 351.52 Gb Free Space | 37.74% Space Free | Partition Type: NTFS
Drive Z: | 931.51 Gb Total Space | 422.05 Gb Free Space | 45.31% Space Free | Partition Type: NTFS

Computer Name: HAIR-DRYER | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\!Audio\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\!Audio\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\!Audio\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet

isabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet

isabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\!Internet\FlashFXP\FlashFXP.exe" = C:\Program Files\!Internet\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3 -- (IniCom Networks, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)
"C:\Program Files\!Internet\FlashFXP\FlashFXP.exe" = C:\Program Files\!Internet\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3 -- (IniCom Networks, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0323CB96-221A-4042-84A3-93EDE47099FC}" = AVG 2011
"{1A258E63-8DF5-4ADB-9832-38A0121D65EB}" = AVG 2011
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 22
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{96E3AED5-3D0B-4BB0-84C2-1EDADB204487}" = FlashFXP v3
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AVG" = AVG 2011
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NVIDIA Drivers" = NVIDIA Drivers
"Winamp" = Winamp
"XP Codec Pack" = XP Codec Pack

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/25/2010 12:42:06 AM | Computer Name = HAIR-DRYER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 10/25/2010 1:04:17 AM | Computer Name = HAIR-DRYER | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module w4zeo8ra9a.dll, version 0.0.0.0, fault address 0x00001bbe.

Error - 10/25/2010 3:09:48 AM | Computer Name = HAIR-DRYER | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BF from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 10/25/2010 3:09:48 AM | Computer Name = HAIR-DRYER | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 10/26/2010 12:22:43 PM | Computer Name = HAIR-DRYER | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070005 from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 11/4/2010 1:30:18 PM | Computer Name = HAIR-DRYER | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 11/4/2010 1:30:18 PM | Computer Name = HAIR-DRYER | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

[ System Events ]
Error - 11/3/2010 2:50:21 PM | Computer Name = HAIR-DRYER | Source = Service Control Manager | ID = 7034
Description = The WebClient service terminated unexpectedly. It has done this 1
time(s).

Error - 11/3/2010 2:50:29 PM | Computer Name = HAIR-DRYER | Source = Service Control Manager | ID = 7034
Description = The Windows Image Acquisition (WIA) service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/3/2010 2:50:57 PM | Computer Name = HAIR-DRYER | Source = Service Control Manager | ID = 7034
Description = The TCP/IP NetBIOS Helper service terminated unexpectedly. It has
done this 1 time(s).

Error - 11/3/2010 2:50:57 PM | Computer Name = HAIR-DRYER | Source = Service Control Manager | ID = 7031
Description = The Remote Registry service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
Restart the service.

Error - 11/3/2010 2:50:57 PM | Computer Name = HAIR-DRYER | Source = Service Control Manager | ID = 7034
Description = The SSDP Discovery Service service terminated unexpectedly. It has
done this 1 time(s).

Error - 11/3/2010 2:51:14 PM | Computer Name = HAIR-DRYER | Source = Service Control Manager | ID = 7031
Description = The Remote Registry service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
Restart the service.

Error - 11/3/2010 2:53:08 PM | Computer Name = HAIR-DRYER | Source = Service Control Manager | ID = 7031
Description = The Remote Registry service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
Restart the service.

Error - 11/3/2010 2:53:44 PM | Computer Name = HAIR-DRYER | Source = Service Control Manager | ID = 7034
Description = The DNS Client service terminated unexpectedly. It has done this
1 time(s).

Error - 11/3/2010 2:53:48 PM | Computer Name = HAIR-DRYER | Source = Service Control Manager | ID = 7031
Description = The Remote Registry service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
Restart the service.

< End of report >

kevinf80 · 05-Nov-2010, 04:36 AM **#10**

Hiya batook,

Combofix will not run because of AVG, this is OK for now. Let us see how we progress. As follows please :-

Step 1

Re-Run OTL by double left click, Vista and Widows 7 users right click and select Run as Administrator.

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:

:OTL
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Djofateb] C:\WINDOWS\iqibotax.DLL File not found
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NWEReboot] File not found

:Services

:Reg

:Files
C:\WINDOWS\Kjuxeqaluxoc.dat
C:\WINDOWS\Qduwoxewofes.bin
:Commands
[emptytemp]
[CREATERESTOREPOINT]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Post the log it produces in your next reply.

Step 2

Run ESET Online Scan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.

Check
Click the button.
Accept any security warnings from your browser.
Check
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push

You can refer to this animation by neomage if needed.

Frequently asked questions available Here Please read them before running the scan.

Step 3

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What i`d like in your reply :-

Log from OTL Fix
Log from ESET
Log from Security Checks

Kevin

batook · 11:31 AM

Thanks Kevin. OTL and Eset went OK, but I get the following error when trying to run SecurityCheck.exe:
"Windows cannot find '"SecurityCheck\SecurityCheck.bat."' Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

FWIW, I have no problem uninstalling AVG to run some tools that it's blocking (like ComboFix) and then reinstalling AVG. Here are the logs from OTL and the Eset scan:

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Djofateb deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFau ltCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NWEReboot deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\Kjuxeqaluxoc.dat moved successfully.
C:\WINDOWS\Qduwoxewofes.bin moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: User
->Temp folder emptied: 359128 bytes
->Temporary Internet Files folder emptied: 632609 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 255 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1.00 mb

Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

OTL by OldTimer - Version 3.2.17.2 log created on 11052010_061441

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

--------------------------------------------------------------------------------------------------------------------------------------
Eset Scan Results:
--------------------------------------------------------------------------------------------------------------------------------------
C:\_OTM\MovedFiles\11042010_075103\C_WINDOWS\iqibotax.dll a variant of Win32/Cimag.DV trojan cleaned by deleting - quarantined

kevinf80 · 05-Nov-2010, 12:53 PM **#12**

Hiya batook,

How is your system responding, what specific issues do you have? Run the following scan please and post both logs.

We need to see some additional information about what is happening in your machine.*
Please perform the following scan:

Download DDS by sUBs from one of the following links.* Save it to your desktop.
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool.* *
When done, DDS will open two (2) logs
* * * * *1. DDS.txt
* * * * *2. Attach.txt
Save both reports to your desktop.
The instructions here ask you to attach the Attach.txt.

*
Instead of attaching, please copy/past both logs into your next reply.
Close the program window, and delete the program from your desktop.

Please note:* You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.*
Information on A/V control HERE

What i`d like in your reply :-

Both logs from DDS
How your system is responding, any specific issues

Kevin

batook · 05-Nov-2010, 10:47 PM **#13**

Hi Kevin. There are still lots of problems. Let me try to summarize.

1) As per my OP, AVG is still detecting 2 instances of svchost.exe as "Trojan horse SpamTool.FYS" and one instance of services.exe as "Trojan horse Generic17.BKCS" running in memory, but reports "object is inaccessible" when removal is attempted.

2) Today my ISP cut off my internet access and redirected me to their Virus Help page. The page reported that my connection had been flagged for sending spam, and required that I confirm that I had removed the virus before they would restore my internet access. This might be related to the "Trojan horse SpamTool.FYS" that AVG is seeing. I confirmed that I had removed the virus in order to restore my service. I disconnected the infected computer we are working on and I am using a different computer now.

3) The System Restore tab is not showing up under the "System Properties" window. I didn't have system restore turned on, so I have no restore points, but I would like to enable it once we successfully clean my computer so I can hopefully avoid all of this work again in case of a future attack and just roll back to an old restore point. I'm kicking myself for disabling it in the first place.

4) Running services.msc gives the following error when it opens on the "Extended" tab:
"One or more ActiveX controls could not be displayed because either: 1) Your current security settings prohibit running ActiveX controls on this page, or 2) You have blocked a publisher of one of the controls. As a result, the page might not display correctly."
No services are shown under the "Extended" tab after I click "OK". If I then switch to the "Standard" tab, I get no error, and the services are displayed. System Restore is set to Automatic, but is not started. When I try to start it, I get the following error message:
"Could not start the System Restore Service on Local Computer. Error 2: The system cannot find the file specified."

5) It takes about 2-3 minutes to shut down the computer, much longer than it should.

That's all I can think of at the moment, but there are probably other things going on that I havn't discovered yet. Thanks again for helping me out with this. Here are the logs from running dds:

DDS (Ver_10-11-05.01) - NTFSx86
Run by User at 20:08:46.37 on Fri 11/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.568 [GMT -6:00]

============== Running Processes ===============

C:\PROGRA~1\!INTER~1\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\!Internet\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\!Internet\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\Program Files\!Internet\AVG10\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\!Internet\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\!Internet\AVG10\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\!INTER~1\AVG10\avgrsx.exe
C:\Program Files\!Internet\AVG10\avgcsrvx.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\!internet\avg10\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG_TRAY] c:\program files\!internet\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\!internet\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\!internet\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\!internet\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
R1 SASDIFSV;SASDIFSV;c:\program files\!internet\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\!internet\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\!internet\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-10-11 6104656]
R2 avgwd;AVG WatchDog;c:\program files\!internet\avg10\avgwdsvc.exe [2010-9-10 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

=============== Created Last 30 ================

2010-11-05 12:14:41 -------- d-----w- C:\_OTL
2010-11-04 13:57:23 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-11-04 13:57:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-04 13:57:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-04 13:57:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-04 13:51:03 -------- d-----w- C:\_OTM
2010-11-04 02:51:44 421888 ----a-w- c:\windows\system32\ac3filter.acm
2010-11-03 20:05:45 388096 ----a-r- c:\docume~1\user\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-11-03 19:28:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-03 19:28:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-26 23:29:55 306688 ----a-w- c:\windows\IsUninst.exe
2010-10-26 14:39:52 -------- d--h--w- C:\$AVG
2010-10-26 14:30:05 -------- d-----w- c:\docume~1\user\applic~1\AVG10
2010-10-26 14:23:02 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-10-26 14:22:36 -------- d-----w- c:\windows\system32\drivers\AVG
2010-10-26 14:22:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-10-26 13:55:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-25 04:11:28 54784 --sha-r- c:\windows\system32\mtxclus.dll
2010-10-25 04:10:43 -------- d-----w- c:\docume~1\user\locals~1\applic~1\{D7059923-9107-433B-9EED-EDFE7C5AACE3}
2010-10-16 18:46:58 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-10-10 18:36:25 -------- d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2010-10-10 18:36:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

==================== Find3M ====================

2010-09-18 18:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

============= FINISH: 20:09:05.12 ===============

----------------------------------------------------------------------------------------------------------------------------------
Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-05.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/26/2010 7:40:57 AM
System Uptime: 11/5/2010 7:34:26 PM (1 hours ago)

Motherboard: | | MS-7025
Processor: AMD Athlon(tm) 64 Processor 3500+ | Socket 939 | 2210/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 60 GiB total, 40.267 GiB free.
D: is FIXED (NTFS) - 699 GiB total, 496.232 GiB free.
E: is CDROM ()
F: is CDROM ()
X: is FIXED (NTFS) - 932 GiB total, 351.517 GiB free.
Z: is FIXED (NTFS) - 932 GiB total, 413.436 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8169&SUBSYS_025C1462&REV_10\4&3191A3E6&0&6870
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8169/8110 Family Gigabit Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8169&SUBSYS_025C1462&REV_10\4&3191A3E6&0&6870
Service: RTL8023xp

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Terminal Server Keyboard Driver
Device ID: ROOT\RDP_KBD\0000
Manufacturer: (Standard system devices)
Name: Terminal Server Keyboard Driver
PNP Device ID: ROOT\RDP_KBD\0000
Service: TermDD

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Terminal Server Mouse Driver
Device ID: ROOT\RDP_MOU\0000
Manufacturer: (Standard system devices)
Name: Terminal Server Mouse Driver
PNP Device ID: ROOT\RDP_MOU\0000
Service: TermDD

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
AVG 2011
FlashFXP v3
GTK+ Runtime 2.14.7 rev a (remove only)
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB981793)
Java Auto Updater
Java(TM) 6 Update 22
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
NVIDIA Drivers
Realtek AC'97 Audio
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SUPERAntiSpyware
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982664)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
WebFldrs XP
Winamp
Windows Internet Explorer 8
WinRAR archiver
XP Codec Pack

==== Event Viewer Messages From Past Week ========

11/4/2010 8:08:07 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atapi PCIIde
11/4/2010 7:42:14 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 Avgldx86 Avgmfx86 ElbyCDIO Fips SASDIFSV SASKUTIL
11/4/2010 7:41:13 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/4/2010 6:08:45 PM, error: SRService [104] - The System Restore initialization process failed.
11/4/2010 6:08:45 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
11/4/2010 11:29:12 AM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
11/4/2010 11:29:12 AM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
11/3/2010 8:36:46 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
11/3/2010 5:02:02 PM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
11/3/2010 3:42:25 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Avgldx86 Avgmfx86 Avgtdix ElbyCDIO Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
11/3/2010 3:42:25 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/3/2010 3:42:25 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/3/2010 3:42:25 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/3/2010 3:42:25 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/3/2010 3:42:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
11/3/2010 12:53:48 PM, error: Service Control Manager [7031] - The Remote Registry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
11/3/2010 12:53:44 PM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
11/3/2010 12:50:57 PM, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
11/3/2010 12:50:57 PM, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
11/3/2010 12:50:21 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

kevinf80 · 06-Nov-2010, 06:51 AM **#14**

Hello batook,

Please proceed as follows :-

Step 1

Download the installer for Microsoft Security Essentials from Here Save it to your Desktop.

Step 2

Download AppRemover from Here and save it to your Desktop.

Instructions for running the tool are available Here Please read them before running the tool.

Stop AVG from running through the tray icon, Next run AppRemover and remove AVG, follow prompts.

Step 3

Delete Combofix from your Desktop and download a fresh copy from either of the following links :-

Link 1
Link 2

Rename to EXPLORER before saving to your Desktop, then run as per instructions below

Combofix

Don`t forget Combofix must be saved to your desktop. <--Very important

Ensure you have disabledyour Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*

If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log from Combofix in your reply please, if you have any difficulty running CF boot into safemode and try from there. Be aware if you run from safemode and CF re-boots for a fix you must force back to safemode again to generate a log.

Install MSSE when finished for protection, do not re-install AVG.

Kevin

batook · 06-Nov-2010, 11:04 AM **#15**

Thanks Kevin -- we are making some progress! Here's what happened:

AppRemover failed to run. It said "Windows cannot find 'AppRemoverCore.exe'. Make sure you type the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

I went ahead and uninstalled AVG via the regular Add/Remove programs option, which worked fine.

I then downloaded a fresh copy of ComboFix, renamed to explorer.exe, and this time it worked with no errors. Before it ran, it noted that the MS Recovery Console was not installed on my computer, which it needed for complete removal of malware, so I let it download and install the MS Recovery Console. ComboFix then ran fine and did not reboot. The log is pasted below.

Prior to running ComboFix, I had downloaded a tool called "Emsa Port Blocker" to try to detect and block the outgoing connections related to the Spambot. It showed several connections being rapidly created and torn down to remote ports 25, 25616, 34526, and 33745. I manually blocked these remote ports and then my network traffic was idle and quiet. After running ComboFix, I removed the blocked ports from the list and my network traffic remained idle, so ComboFix appeared to have fixed this issue. While ComboFix was running, it detected a problem with ndis.sys, the MS network drivers, and attempted to repair it. It looks like this virus embedded itself in the Windows ndis.sys network driver in order to take full control of TCP packet transfers required for the spambot.

Nasty.

I then downloaded and installed MSSE and let it update and run a scan. It found an instance of "VirTool:WinNT/Cutwail.L" on my system in ndis.sys, which I cleaned and removed:

Items:
file:C:\WINDOWS\system32\dllcache\ndis.sys

It then had me reboot the system, and when it came back up, the resident protection detected more issues with Cutwail.L and ndis, which I let it clean and remove as well:

Items:
driver:NDIS
file:C:\WINDOWS\system32\drivers\NDIS.sys
regkey:HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
safeboot:HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
service:NDIS

After the requisite reboot, it appears MSSE has wiped out my networking by completely removing ndis.sys. When I right-click on "My Network Places" and select "Properties" to view the "Network Connections" window, nothing is displayed in the window whatsoever. I obviously have no connection to the Internet or my network as well (I'm posting this on a different computer; I copied the CF log over on a flash drive).

I am inclined to either copy ndis.sys from a known clean computer (that I'm working on ATM), or attempt to repair the Windows installation using my Windows XP Setup CD. Which would you recommend?

PROBLEMS FIXED SINCE MY LAST POST:
The "System Restore" tab has been restored to the "System Properties" window, and is now running and active in services.msc

REMAINING PROBLEMS:
1) I still get the ActiveX error I described above when running services.msc and it opens on the default "Extended" tab.

2) That "SecurityCheck.exe" program you gave me to run a few posts back still gives the error: "Windows cannot find '"SecurityCheck\SecurityCheck.bat."' Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

3) As stated above, I am also getting the "Windows cannot find 'AppRemoverCore.exe'. when trying to run AppRemover.

Not sure if any or all of these are related to remaining malware or a corrupted Windows installation at this point but in any event this is not the behavior of a clean and fully functional system.

BTW, in your last post you say to not reinstall AVG but use MSSE instead. In your opinion is MSSE a better antivirus application than AVG? (I'm assuming so based on your instructions). I hadn't heard of MSSE before, or that MS was providing their own free AntiVirus scanner with resident protection (it's about time!!)

Just wondering if you would also recommend that I remove AVG from my other computers and replace it with MSSE for better protection on those systems? Thank you SO MUCH for helping me with this severe infection that exceeded the limits of my knowledge and abilities!

ComboFix log:
---------------------------------------------------------------------------------------------------------------------------
ComboFix 10-11-05.06 - User 11/06/2010 7:34.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.764 [GMT -6:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\User\Local Settings\Application Data\{D7059923-9107-433B-9EED-EDFE7C5AACE3}
c:\documents and settings\User\Local Settings\Application Data\{D7059923-9107-433B-9EED-EDFE7C5AACE3}\chrome.manifest
c:\documents and settings\User\Local Settings\Application Data\{D7059923-9107-433B-9EED-EDFE7C5AACE3}\chrome\content\_cfg.js
c:\documents and settings\User\Local Settings\Application Data\{D7059923-9107-433B-9EED-EDFE7C5AACE3}\chrome\content\overlay.xul
c:\documents and settings\User\Local Settings\Application Data\{D7059923-9107-433B-9EED-EDFE7C5AACE3}\install.rdf

----- BITS: Possible infected sites -----

hxxp://dnusax.com
c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-10-06 to 2010-11-06 )))))))))))))))))))))))))))))))
.

2010-11-05 12:14 . 2010-11-05 12:14 -------- d-----w- C:\_OTL
2010-11-04 13:57 . 2010-11-04 13:57 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-11-04 13:57 . 2010-11-04 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-04 13:57 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-04 13:57 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-04 13:51 . 2010-11-04 13:51 -------- d-----w- C:\_OTM
2010-11-04 02:51 . 2008-07-09 08:05 421888 ----a-w- c:\windows\system32\ac3filter.acm
2010-11-03 20:05 . 2010-11-03 20:05 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-03 19:29 . 2010-11-03 19:29 -------- d-----w- c:\windows\Sun
2010-11-03 19:29 . 2010-11-03 19:29 -------- d-----w- c:\program files\Common Files\Java
2010-11-03 19:28 . 2010-11-03 19:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-03 19:28 . 2010-11-03 19:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-03 19:28 . 2010-11-03 19:28 -------- d-----w- c:\program files\Java
2010-10-26 23:29 . 1998-10-29 22:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-10-26 14:30 . 2010-10-26 14:30 -------- d-----w- c:\documents and settings\User\Application Data\AVG10
2010-10-26 14:23 . 2010-10-26 14:23 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-26 14:22 . 2010-11-06 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-26 13:55 . 2010-10-26 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-26 13:12 . 2010-10-26 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-10-25 04:43 . 2010-10-25 05:18 -------- d-----w- c:\documents and settings\Administrator
2010-10-25 04:11 . 2010-10-25 04:11 54784 --sha-r- c:\windows\system32\mtxclus.dll
2010-10-16 18:46 . 2010-10-16 18:46 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-10-10 18:36 . 2010-10-10 18:36 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2010-10-10 18:36 . 2010-10-10 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-25 04:11 . 2008-04-14 12:00 210816 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-09-18 18:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-01 11:51 . 2008-04-14 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2009-09-08 19:22 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2009-09-08 19:22 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-23 16:12 . 2008-04-14 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
.

------- Sigcheck -------

[-] 2010-10-25 04:11 . A90E4B414FC11F2E219151BBEE11185E . 210816 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[-] 2010-10-25 04:11 . A90E4B414FC11F2E219151BBEE11185E . 210816 . . [------] . . c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\!Internet\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\!Internet\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\!Internet\\FlashFXP\\FlashFXP.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/16/2010 12:46 PM 721904]
R1 SASDIFSV;SASDIFSV;c:\program files\!Internet\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\!Internet\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-06 07:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_Ac tiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\program files\!Internet\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-11-06 07:37:06
ComboFix-quarantined-files.txt 2010-11-06 13:37

Pre-Run: 40,331,743,232 bytes free
Post-Run: 41,525,583,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 90E3F06A75DD8E0BA93B4374D7589202

Similar Threads
Title	Thread Starter	Forum	Replies	Last Post
Blue Screen Of Death with ftdisk.sys error	VirtualNewbee	Windows XP	7	15-Apr-2010 12:38 PM
Blue Screen of Death at Shutdown	noobboob	Virus & Other Malware Removal	0	11-Feb-2010 09:10 AM
Blue Screen, smiling at me... nothing but Blue Screen, do I see	MKJag	Windows XP	3	09-Jul-2009 10:34 AM
Solved: Blue screen problem?	Gorilla546	Windows Vista	7	07-Jun-2009 10:06 AM
Solved: Blue screen of death with stop code(?): 0x000000F4, what's the problem with t	kusama	Windows XP	41	19-Apr-2009 12:56 AM

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Search
Search for:

Severe Virus Attack, was blue-screening, fixed that but problems remain

Find the solution to your computer problem!

Find the solution to your
computer problem!