UAC Virus/infection

[kwong]

Hi,
I've tried AVG, Malwarebytes, Adaware, and others.. most find stuff, but never get it all. I had to rename many tools to get them to install, and rename the executables to get them to run.. and then sometimes only in safe mode. This computer has always been terribly slow as well... perhaps some HP bloatware?

Attached is 'attached.zip' w/ attach.txt and ark.txt
and dds.txt is pasted below.
Thanks,
bobt


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Bob at 20:57:08.90 on Wed 06/24/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1.#QNAN.1471 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Bob\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/quicktime/download
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238454314531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bob\applic~1\mozilla\firefox\profiles\zz1yrgci.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-29 108552]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-29 325896]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-29 27784]
S1 d034e143;d034e143;c:\windows\system32\drivers\d034e143.sys --> c:\windows\system32\drivers\d034e143.sys [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-29 908568]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-29 298776]
S2 lich;lich;"c:\windows\system32\lich.exe" --> c:\windows\system32\lich.exe [?]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2009-6-23 200192]

=============== Created Last 30 ================

2009-06-24 20:02 <DIR> --d----- c:\program files\Trend Micro
2009-06-23 22:46 <DIR> --d----- c:\docume~1\bob\applic~1\Uniblue
2009-06-23 21:51 <DIR> --d----- c:\documents and settings\bob\.housecall6.6
2009-06-23 21:23 <DIR> --d----- c:\docume~1\bob\applic~1\Malwarebytes
2009-06-23 17:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-23 17:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-05 18:09 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-05 18:09 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-05 18:09 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2008-10-28 20:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat

============= FINISH: 20:58:33.09 ===============

[CatByte]

Hello and welcome to TSF

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.
To do this click Thread Tools, then click Subscribe to this Thread.
Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions and in which order they come, if you have any questions, please ask before proceeding.
Its important that you follow this through until I give you the all clear.

Please DO NOT Attach logs to your posts unless you are advised to do so.

=========


NOTE: It is very important that you temporarily disable AVG8 before running Combo-Fix.

Please allow the recovery console to install when requested.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt back into this thread.

[kwong]

Thank you for the fast reply. I sure appreciate your help CatByte. Combofix log pasted below and a attached.

ComboFix 09-06-25.01 - Bob 06/25/2009 17:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1604 [GMT -5:00]
Running from: c:\documents and settings\Bob\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\drivers\UACjwbpcbqevsiwemr.sys
c:\windows\system32\Install.txt
c:\windows\system32\UACdlllovrsgvxrpqm.dll
c:\windows\system32\UACfasfolwhostjett.dat
c:\windows\system32\UACfmurqbmonbmtbuy.dll
c:\windows\system32\UACfrqhioqvowyarri.db
c:\windows\system32\UACfwxmjftrcgmscny.dll
c:\windows\system32\UACgvyqdeepfdycujj.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACirxhvhpbfvkpdum.dll
c:\windows\system32\UACqmirxnxdbiggyyx.log
c:\windows\system32\UACrukprkddtmppxok.dll
c:\windows\system32\uactmp.db
c:\windows\system32\UACvxxownyxubangeq.dll
c:\windows\system32\UACymsrgeaxrqhobuj.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_6to4
-------\Legacy_dhcpsrv
-------\Legacy_isadisk
-------\Legacy_msncache
-------\Legacy_sopidkc
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-25 03:07 . 2009-06-25 03:10 -------- d-----w- c:\documents and settings\Bob\.SunDownloadManager
2009-06-25 03:00 . 2009-06-25 03:00 -------- d-----w- c:\documents and settings\Bob\Application Data\HP
2009-06-25 02:53 . 2009-06-25 02:53 -------- d-----w- C:\rsit
2009-06-25 02:03 . 2009-06-25 02:03 -------- d-----w- c:\program files\7-Zip
2009-06-25 01:02 . 2009-06-25 01:02 -------- d-----w- c:\program files\Trend Micro
2009-06-24 03:46 . 2009-06-24 03:46 -------- d-----w- c:\documents and settings\Bob\Application Data\Uniblue
2009-06-24 02:51 . 2009-06-25 00:07 -------- d-----w- c:\documents and settings\Bob\.housecall6.6
2009-06-24 02:23 . 2009-06-24 02:23 -------- d-----w- c:\documents and settings\Bob\Application Data\Malwarebytes
2009-06-23 22:17 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 22:17 . 2009-06-23 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 22:17 . 2009-06-23 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 22:17 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 00:24 . 2009-06-23 00:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-22 02:37 . 2009-06-22 04:57 -------- d-----w- c:\windows\DLL
2009-06-05 03:11 . 2009-06-05 03:11 -------- d-----w- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 22:45 . 2008-09-01 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-25 02:43 . 2005-08-26 09:40 -------- d-----w- c:\program files\Java
2009-06-24 04:05 . 2007-06-22 19:48 77504 ----a-w- c:\documents and settings\Bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-24 03:43 . 2005-08-26 10:07 -------- d-----w- c:\program files\Google
2009-06-09 01:22 . 2006-02-25 16:32 -------- d-----w- c:\program files\Common Files\Adobe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [6/23/2009 6:46 AM 200192]
S1 d034e143;d034e143;c:\windows\system32\drivers\d034e143.sys --> c:\windows\system32\drivers\d034e143.sys [?]
S2 lich;lich;"c:\windows\system32\lich.exe" --> c:\windows\system32\lich.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/quicktime/download
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 18:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?5?9?5??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-25 18:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-25 23:03

Pre-Run: 42,477,158,400 bytes free
Post-Run: 42,435,473,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

132

[CatByte]

Hi,

Please do the following:

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
• They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/388822-uac-virus-infection.html#post2208349

Collect::
c:\windows\system32\lich.exe
c:\windows\system32\drivers\d034e143.sys

KillAll::

Driver::
d034e143
lich

DirLook::
c:\windows\DLL

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you.
• Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

[kwong]

ComboFix 09-06-25.01 - Bob 06/25/2009 19:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1537 [GMT -5:00]
Running from: c:\documents and settings\Bob\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LICH
-------\Service_d034e143
-------\Service_lich


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.

2009-06-25 23:02 . 2009-06-25 23:02 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-25 03:07 . 2009-06-25 03:10 -------- d-----w- c:\documents and settings\Bob\.SunDownloadManager
2009-06-25 03:00 . 2009-06-25 03:00 -------- d-----w- c:\documents and settings\Bob\Application Data\HP
2009-06-25 02:53 . 2009-06-25 02:53 -------- d-----w- C:\rsit
2009-06-25 02:03 . 2009-06-25 02:03 -------- d-----w- c:\program files\7-Zip
2009-06-25 01:02 . 2009-06-25 01:02 -------- d-----w- c:\program files\Trend Micro
2009-06-24 03:46 . 2009-06-24 03:46 -------- d-----w- c:\documents and settings\Bob\Application Data\Uniblue
2009-06-24 02:51 . 2009-06-25 00:07 -------- d-----w- c:\documents and settings\Bob\.housecall6.6
2009-06-24 02:23 . 2009-06-24 02:23 -------- d-----w- c:\documents and settings\Bob\Application Data\Malwarebytes
2009-06-23 22:17 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 22:17 . 2009-06-23 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 22:17 . 2009-06-23 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 22:17 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 00:24 . 2009-06-23 00:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-22 02:37 . 2009-06-22 04:57 -------- d-----w- c:\windows\DLL
2009-06-05 03:11 . 2009-06-05 03:11 -------- d-----w- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 22:45 . 2008-09-01 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-25 02:43 . 2005-08-26 09:40 -------- d-----w- c:\program files\Java
2009-06-24 04:05 . 2007-06-22 19:48 77504 ----a-w- c:\documents and settings\Bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-24 03:43 . 2005-08-26 10:07 -------- d-----w- c:\program files\Google
2009-06-09 01:22 . 2006-02-25 16:32 -------- d-----w- c:\program files\Common Files\Adobe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\DLL ----



((((((((((((((((((((((((((((( SnapShot@2009-06-25_23.01.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-25 23:02 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-25 23:02 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-25 23:02 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-25 23:02 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-25 23:02 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-25 23:02 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-25 23:02 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-25 23:02 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-25 23:02 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-25 23:02 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-25 23:02 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-25 23:02 . 2008-12-20 23:15 826368 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-25 23:02 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-25 23:02 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-25 23:02 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-25 23:02 . 2008-04-14 00:12 108544 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-25 23:02 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-25 23:02 . 2008-04-14 00:11 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-25 23:02 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-25 23:02 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-25 23:02 . 2008-08-14 10:11 2189184 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-25 23:02 . 2008-08-14 09:33 2066048 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-25 23:02 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [6/23/2009 6:46 AM 200192]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/quicktime/download
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 19:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?5?9?5??P???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-26 20:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-26 01:00
ComboFix2.txt 2009-06-25 23:03

Pre-Run: 42,348,892,160 bytes free
Post-Run: 42,411,462,656 bytes free

135

[CatByte]

Hi,

Please do the following:

• Please open your MalwareBytes AntiMalware Program
• Click the Update Tab and search for updates
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- very important
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


NEXT


Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner



1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

NEXT

I would also like to see a list of installed programs, so please do this:

Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open.

Post the contents of that file in your next reply.

[kwong]

Hi, pasted below and attached: mban-log, kap.txt, and Add-remove..
--------------------
Malwarebytes' Anti-Malware 1.38
Database version: 2335
Windows 5.1.2600 Service Pack 3

6/25/2009 9:11:56 PM
mbam-log-2009-06-25 (21-11-56).txt

Scan type: Quick Scan
Objects scanned: 66171
Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, June 25, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, June 26, 2009 03:30:21
Records in database: 2389954
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 52981
Threat name: 7
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 01:27:14


File name / Threat name / Threats count
C:\Documents and Settings\KPT\Local Settings\Temp\UAC7835.tmp Infected: Trojan.Win32.Patched.ge 1
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACdlllovrsgvxrpqm.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfmurqbmonbmtbuy.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfwxmjftrcgmscny.dll.vir Infected: Trojan.Win32.TDSS.aekg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACirxhvhpbfvkpdum.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrukprkddtmppxok.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvxxownyxubangeq.dll.vir Infected: Trojan.Win32.TDSS.aegg 1
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP0\A0000002.dll Infected: Packed.Win32.Tdss.m 1
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP0\A0000003.dll Infected: Packed.Win32.Tdss.m 1
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP0\A0000004.dll Infected: Trojan.Win32.TDSS.adzx 1
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP0\A0000005.dll Infected: Trojan.Win32.TDSS.adzz 1
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP0\A0000006.dll Infected: Trojan.Win32.TDSS.aekg 1
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP0\A0000007.dll Infected: Trojan.Win32.TDSS.aegg 1

The selected area was scanned.
-------------------------------------------
Qoobox\Add-Remove Programs.txt:

7-Zip 4.65
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Brother HL-5250DN
BufferChm
Camera Window
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
Conexant AC-Link Audio
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
cp_PrintOnCDConfig
cp_UpdateProjectsConfig
CueTour
CustomerResearchQFolder
Data Fax SoftModem with SmartCP
DeLorme Street Atlas USA 2006
DeLorme Street Atlas USA 2006 Data
DeLorme Street Atlas USA 2008
DeviceManagementQFolder
eSupportQFolder
File Viewer Utility 1.2
FullDPAppQFolder
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 7.0
HP Help and Support
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Premier Software 6.5
HP Software Update
HP Solution Center 7.0
HP Wireless Assistant 1.01 A2
hph_readme
hph_software
hph_software_req
HPPhotoSmartExpress
HPProductAssistant
HpSdpAppCoreApp
InstantShareDevices
InstantShareDevicesMFC
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 2
LS_HSI
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
muvee autoProducer 4.0 - SE
Nikon Message Center
OLYMPUS CAMEDIA Master 4.1
OptionalContentQFolder
PanoStandAlone
PhotoGallery
PhotoStitch
PictureProject
PictureProject In Touch Downloader 1.0
Quick Launch Buttons 5.10 B2
QuickTime
RandMap
RemoteCapture 2.7.0
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SkinsHP1
SlideShow
SlideShowMusic
SolutionCenter
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sonic_PrimoSDK
Status
Street Atlas USA 2006
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21
Toolbox
TrayApp
Ultimate Puzzles 500
Unload
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
Zone Deluxe Games

[CatByte]

Hi,

I do not see an antivirus program installed.

Having an antivirus is essential.

Please do the following:

Install this FREE AntiVirus program, update the virus definitions, and run a full system scan.

Avira AntiVir Personal

There is an installation guide here

When the scan is complete, click on the Report button.
A log file will open. Please post that in your next reply.

NOTE: Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.


NEXT


Download TFC to your desktop

• Close any open windows.
• Double click the TFC icon to run the program
• TFC will close all open programs itself in order to run,
• Click the Start button to begin the process.
• Allow TFC to run uninterrupted.
• The program should not take long to finish it's job
• Once its finished it should automatically reboot your machine,
• if it doesn't, manually reboot to ensure a complete clean

It's normal after running TFC cleaner that the PC will be slower to boot the first time.



NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  
• Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 14. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the "Download" button to the right.
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop.
• Close any programs you may have running - especially your web browser.

• Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and AppletsTrace and Log Files
  • Click OK on Delete Temporary Files Window
    
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

NEXT

Visit ADOBEand download the latest version of Acrobat Reader (version 9.1)
Having the latest updates ensures there are no security vulnerabilities in your system.


Please describe how your computre is running now and if there are any out standing issues:

[kwong]

Thank you thank you!! I will have to do these things after work. I have a few questions though if you have time.

1) I had been running AVG-free, but could not figure out how to 'disable' it enough for Combofix to be happy, so I uninstalled it. Do you think Avira is better (Seems like it used to pester me for upgrade?).

2) I'd love to understand what the 4 commands you put in the combofix script did? Can you tell me or point me at where I can learn more about parsing Combofix logs and preparing scripts?

3) This laptop has always felt terribly slow. Can you recommend a reference to help me disable unneeded processes, if that could be the cause?

Thanks again, Bob

[CatByte]

Hi

1. Yes Avira asks you to upgrade once a day after it autodownloads the updated virus definitions, a simple click of the mouse closes the request screen. In my personal opinion it is the superior free antivirus out there, but there are others you can try that don't ask you to buy their upgrade.


2. Learning how to use ComboFix correctly and safely takes months and months of training under the guidance of experts. If you wish to learn more you should consider applying to the academy here at TSF.
It is a very worthwhile and enjoyable vocation, but it is not easy and takes a great deal of time and commitment to learn, so it is not for everyone.


3. Reading through the information HERE, may assist in tweaking the performance of your computer.

You might also want to try this program - AUSLOGICS and do a thorough disk defragmentation.

Regards

CB

[kwong]

Hi,
I'm currently doing all the other things you suggested, but here is the Avira log:


Avira AntiVir Personal
Report file date: Friday, June 26, 2009 17:58

Scanning for 1429418 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : KELLY

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 15:14:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 22:46:31
ANTIVIR2.VDF : 7.1.4.133 2048 Bytes 6/24/2009 22:46:32
ANTIVIR3.VDF : 7.1.4.144 82944 Bytes 6/26/2009 22:46:34
Engineversion : 8.2.0.199
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 17:52:04
AESCRIPT.DLL : 8.1.2.10 418171 Bytes 6/26/2009 22:47:39
AESCN.DLL : 8.1.2.3 127347 Bytes 5/14/2009 17:02:01
AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 00:24:41
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 22:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 6/26/2009 22:47:33
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 6/26/2009 22:47:28
AEHELP.DLL : 8.1.3.6 205174 Bytes 6/26/2009 22:46:49
AEGEN.DLL : 8.1.1.46 348533 Bytes 6/26/2009 22:46:42
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 20:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 5/27/2009 22:07:20
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 16:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 16:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: repair
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, June 26, 2009 17:58

Starting search for hidden objects.
'32251' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ScanningProcess.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
34 processes with 34 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '55' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACdlllovrsgvxrpqm.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4a88569a.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfmurqbmonbmtbuy.dll.vir
[DETECTION] Is the TR/TDss.adzx.1 Trojan
[NOTE] The file was moved to '4be08853.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfwxmjftrcgmscny.dll.vir
[DETECTION] Is the TR/TDss.aebu Trojan
[NOTE] The file was moved to '4a88569b.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACirxhvhpbfvkpdum.dll.vir
[DETECTION] Is the TR/PCK.Tdss.M.246 Trojan
[NOTE] The file was moved to '4be08854.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrukprkddtmppxok.dll.vir
[DETECTION] Is the TR/TDss.adzz Trojan
[NOTE] The file was moved to '4a88569d.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\uactmp.db.vir
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4aa856bb.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvxxownyxubangeq.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4be08856.qua'!
C:\RECYCLER\S-1-5-21-1927322460-2688159580-2584884165-1007\Dc1.tmp
[DETECTION] Is the TR/Patched.GE Trojan
[NOTE] The file was moved to '4a7656bd.qua'!
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP0\A0000002.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4a7557d1.qua'!
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP0\A0000003.dll
[DETECTION] Is the TR/PCK.Tdss.M.246 Trojan
[NOTE] The file was moved to '4a7557d2.qua'!
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP0\A0000004.dll
[DETECTION] Is the TR/TDss.adzx.1 Trojan
[NOTE] The file was moved to '4b1cb143.qua'!
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP0\A0000005.dll
[DETECTION] Is the TR/TDss.adzz Trojan
[NOTE] The file was moved to '4a7557d4.qua'!
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP0\A0000006.dll
[DETECTION] Is the TR/TDss.aebu Trojan
[NOTE] The file was moved to '4b1cb145.qua'!
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP0\A0000007.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4a7557d6.qua'!


End of the scan: Friday, June 26, 2009 18:27
Used time: 29:50 Minute(s)

The scan has been done completely.

4952 Scanned directories
351003 Files were scanned
13 Viruses and/or unwanted programs were found
1 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
14 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
350987 Files not concerned
7505 Archives were scanned
2 Warnings
16 Notes
32251 Objects were scanned with rootkit scan
0 Hidden objects were found

[CatByte]

Hi,

Good, everything found was either in quarantine or old system restore points which we will clean up now.

Please do the following:

You can delete the DDS and GMER folders from your desktop.

NEXT

Follow these steps to uninstall Combofix

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

• Keep Windows updated by regularly checking their website at :
  http://windowsupdate.microsoft.com/
  This will ensure your computer has always the latest security updates available installed on your computer.
  
  
• SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
  
  
• SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
  
  
• Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
• ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
  
  WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
  WOT has an addon available for both Firefox and IE
  
  
• For Firefox, I highly recommend this add-on to keep your PC even more secure.
  • NoScript - for blocking ads and other potential website attacks
• Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  
• ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  
• In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
  Think Prevention.
  PC Safety and Security--What Do I Need?.

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

[kwong]

Hi, you are my hero, thanks so much for your help and doing what you are doing. One question though, about your comment:

"SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict."

I'm not sure which programs are providing 'real time scanning'. Does SuperAntiSpyware do realtime? If so, Is spywareguard better?


Thanks!!!!
-bob

[CatByte]

Hi,

Only the Pro version has the real time scanning.

Try the different programs out - see what works best with your system's configuration.

They are easily uninstalled if you don't like them.

You are more than welcome.

stay safe

CB

[kwong]

T h a n k s !

[amateur]

Since this issue appears resolved, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html

Surf Safely, and Think Prevention!