Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 07-09-2009, 04:10 AM   #1 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Swansea
Posts: 34
OS: Windows XP SP3


Trojan

Hi. My PC has been infected with Trojans/viruses and I don't know how I can get rid of them. A program named "AntiVirus System Pro" has been installed on my machine without me knowing, and it's stopping me from running any programs by saying they are all infected, directing me to random internet sites and giving me pop-up alerts that my computer is under attack and that I need to "Upgrade" "AntiVirus System Pro" to get rid of them.



DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by David at 1914.79 on 08/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1198 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
svchost
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Google Update] "c:\documents and settings\david\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [LowRiskFileTypes] c:\windows\sysguard.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [EPSON Stylus Photo RX420 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-4 108552]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-4 335752]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-4 27784]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-4 907032]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-4 298776]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-4-4 1684736]
S3 pnicml;pnicml;c:\docume~1\david\locals~1\temp\pnicml.sys [2004-9-3 29696]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-4-20 23096]

=============== Created Last 30 ================

2009-07-08 17:45 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-08 17:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-08 17:39 222,208 a------- c:\windows\syssvc.exe
2009-07-08 14:11 12,544 a------- c:\windows\system32\iehelper.dll
2009-07-08 14:01 275,712 a------- c:\windows\sysguard.exe
2009-07-03 19:30 <DIR> --d----- c:\program files\CONEXANT
2009-07-03 16:36 <DIR> --d----- c:\program files\AutoUnpack
2009-07-03 16:33 <DIR> --d----- c:\program files\Free RAR Extract Frog
2009-06-17 21:59 <DIR> --d----- c:\docume~1\david\applic~1\BitTorrent
2009-06-17 21:59 <DIR> --d----- c:\program files\BitTorrent
2009-06-17 21:59 <DIR> --d----- c:\program files\AskBarDis
2009-06-17 19:35 45,056 a------- c:\windows\system32\WNASPI32.DLL
2009-06-17 19:35 25,244 a------- c:\windows\system32\drivers\ASPI32.SYS
2009-06-17 19:35 5,600 a------- c:\windows\system\WINASPI.DLL
2009-06-17 19:35 4,672 a------- c:\windows\system\WOWPOST.EXE
2009-06-17 19:35 <DIR> --d----- c:\program files\EasyDVDRip
2009-06-17 19:19 <DIR> --d----- c:\program files\YouTube Downloader
2009-06-12 10:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-06-10 09:47 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 09:47 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll

==================== Find3M ====================

2009-07-02 08:36 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-18 17:11 138,464 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-05-18 17:11 111,928 a------- c:\windows\system32\PnkBstrB.exe
2009-05-17 10:00 22,328 a------- c:\docume~1\david\applic~1\PnkBstrK.sys
2009-05-17 10:00 682,280 a------- c:\windows\system32\pbsvc.exe
2009-05-17 10:00 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-02 09:17 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-29 22:20 41,808 a------- c:\windows\system32\xfcodec.dll
2009-04-20 20:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-14 12:13 43,520 a------- c:\windows\system32\CmdLineExt03.dll

============= FINISH: 1938.10 ===============
Attached Files
File Type: zip Attach.zip (5.0 KB, 1 views)
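As an added example (not from the thread, the DDS tool or either poster), a small Python triage script over the DDS log format posted above: it parses the Run, driver and "Created Last 30" lines, scores each loading point by where it loads from and whether the file was dropped recently, and surfaces the same entries a helper reading this log would react to. The sample lines are copied from the log in the post; the weights and the Windows-root / temp-directory rules are my own assumptions.

```python
"""Triage heuristics for a DDS-style log (the format posted in this thread).

Parses the 'Pseudo HJT Report' Run lines, the SERVICES / DRIVERS lines and
the 'Created Last 30' file lines, then scores each loading point the way a
helper reading the log would: where does it load from, and was the file
dropped recently?  Weights and location rules are assumptions for this example.
"""
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of lines copied from the DDS log in post #1.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [LowRiskFileTypes] c:\windows\sysguard.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-4 108552]
S3 pnicml;pnicml;c:\docume~1\david\locals~1\temp\pnicml.sys [2004-9-3 29696]
2009-07-08 17:45 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-08 17:39 222,208 a------- c:\windows\syssvc.exe
2009-07-08 14:11 12,544 a------- c:\windows\system32\iehelper.dll
2009-07-08 14:01 275,712 a------- c:\windows\sysguard.exe
2009-06-10 09:47 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
"""

RUN_RE = re.compile(r'^[umd]Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$')
DRIVER_RE = re.compile(r'^[RS]\d\s+(?P<svc>[^;]+);[^;]*;(?P<path>.+?)(?:\s+\[.*\])?$')
CREATED_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+\S+\s+(?P<path>.+)$')
PE_EXT = {'.exe', '.dll', '.sys', '.scr'}


def target_path(cmd: str) -> str:
    """Pull the executable path out of a Run value (quoted or bare; arguments ignored)."""
    m = (re.match(r'^"([^"]+)"', cmd)
         or re.match(r'^(.+?\.(?:exe|dll|sys|scr))(?:\s|$)', cmd, re.I))
    return (m.group(1) if m else cmd).lower()


def location_flags(path: str) -> list[tuple[int, str]]:
    """Score a load path by where it lives; returns (weight, reason) pairs."""
    p = PureWindowsPath(path.lower())
    flags = []
    if str(p.parent) == r'c:\windows':
        flags.append((2, 'loads from the Windows folder root rather than a subfolder'))
    if any(part in ('temp', 'tmp') for part in p.parts):
        flags.append((3, 'loads from a temp directory'))
    return flags


def triage(log: str) -> dict[str, dict]:
    """Walk the log once; return {path: {'label', 'score', 'reasons'}} for flagged entries."""
    created: dict[str, str] = {}          # lowercased path -> size, from 'Created Last 30'
    loaders: list[tuple[str, str]] = []   # (label, path) for every Run / driver entry
    for line in log.splitlines():
        line = line.strip()
        if (m := RUN_RE.match(line)):
            loaders.append((f'Run [{m["name"]}]', target_path(m['cmd'])))
        elif (m := DRIVER_RE.match(line)):
            loaders.append((f'driver {m["svc"]}', m['path'].strip().lower()))
        elif (m := CREATED_RE.match(line)) and m['size'] != '<DIR>':
            created[m['path'].strip().lower()] = m['size']

    findings: dict[str, dict] = {}

    def add(path: str, label: str, weight: int, reason: str) -> None:
        f = findings.setdefault(path, {'label': label, 'score': 0, 'reasons': []})
        f['score'] += weight
        f['reasons'].append(reason)

    for label, path in loaders:
        for weight, reason in location_flags(path):
            add(path, label, weight, reason)
        if path in created:
            add(path, label, 2, 'target file was created within the last 30 days')
    # Recently dropped PE files sitting directly in the Windows or system32 root
    # that no autostart entry references still deserve a look (syssvc.exe here).
    for path in created:
        p = PureWindowsPath(path)
        if (p.suffix in PE_EXT and path not in findings
                and str(p.parent) in (r'c:\windows', r'c:\windows\system32')):
            add(path, 'recent file', 1, f'new PE file dropped directly in {p.parent}')
    return findings


if __name__ == '__main__':
    for path, f in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]['score']):
        print(f"[{f['score']}] {f['label']}: {path}")
        for reason in f['reasons']:
            print('    -', reason)
```

Run on the sample, sysguard.exe scores highest because it is both a user Run entry loading from the Windows root and a file created in the last 30 days; the temp-directory driver pnicml.sys comes next.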
Old 07-09-2009, 08:18 AM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Trojan

Hi.

Can you boot to normal mode? I can see you are in safe mode right now.

Let me know in your next reply.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Old 07-09-2009, 08:42 AM   #3 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Swansea
Posts: 34
OS: Windows XP SP3


Re: Trojan

Yes, I can boot in normal mode, and I managed to disable Antivirus System PRO from starting when I boot my machine up.
Old 07-09-2009, 09:55 AM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Trojan

Hi

Welcome to TSF

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

--------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not do any fixing on your own or run any scanners unless requested by a helper.

--------------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------

At Safemode with networking

-------------------------------------------------------------------------
While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy at START > ALL PROGRAMS > Spybot Search and Destroy
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
------------------------------------------------------

Download ResetTeaTimer
  • Save it to your Desktop.
  • Double-click ResetTeaTimer.zip
  • Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.
  • A DOS window will open and close again, this is normal.

-------------------------------------------------------------------------

At Safemode with networking

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.

    AVG 8.5
    Please open the AVG 8.5 Control Center by going to START > ALL PROGRAMS > AVG 8.5
    • Click on Open AVG Interface.
    • Double click on Resident Shield
    • Deselect the option to "Enable Resident Shield."
    • Save changes, and exit the application.
    • To re-enable AVG 8.5 later, please select "Enable Resident Shield" again.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Very important*
When it reboots, please select Normal mode, and let ComboFix finish the whole process.


Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Old 07-09-2009, 10:48 AM   #5 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Swansea
Posts: 34
OS: Windows XP SP3


Re: Trojan

ComboFix 09-07-08.A0 - David 09/07/2009 17:38.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1267 [GMT 1:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\WMEncoder.msi
c:\windows\sysguard.exe
c:\windows\syssvc.exe
c:\windows\system32\iehelper.dll
c:\windows\system32\wbem\proquota.exe
H:\Autorun.inf

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-09 16:42 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-09 10:20 . 2009-07-02 07:35 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-08 16:45 . 2009-07-09 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-08 16:45 . 2009-07-08 16:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-03 18:30 . 2009-07-03 18:30 -------- d-----w- c:\program files\CONEXANT
2009-07-03 15:36 . 2009-07-03 15:38 -------- d-----w- c:\program files\AutoUnpack
2009-07-03 15:33 . 2009-07-03 15:33 -------- d-----w- c:\program files\Free RAR Extract Frog
2009-07-02 07:36 . 2009-06-12 09:31 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-02 07:36 . 2009-06-19 09:14 906520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-07-02 07:36 . 2009-06-12 09:31 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-02 07:36 . 2009-06-12 09:31 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-02 07:35 . 2009-06-12 09:30 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-06-24 11:02 . 2009-06-24 11:02 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\CCP
2009-06-24 10:40 . 2009-06-24 10:41 -------- d-----w- c:\documents and settings\David\Application Data\SecondLife
2009-06-24 10:40 . 2009-06-24 10:46 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\SecondLife
2009-06-24 08:14 . 2009-07-02 07:36 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-22 06:24 . 2009-06-22 06:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-06-19 09:15 . 2009-06-19 09:13 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-19 09:15 . 2009-06-19 09:13 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-19 09:15 . 2009-06-12 09:31 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-19 09:13 . 2009-06-19 09:13 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-17 20:59 . 2009-06-25 21:46 -------- d-----w- c:\documents and settings\David\Application Data\BitTorrent
2009-06-17 20:59 . 2009-06-17 20:59 -------- d-----w- c:\program files\BitTorrent
2009-06-17 20:59 . 2009-06-17 21:05 -------- d-----w- c:\program files\AskBarDis
2009-06-17 18:35 . 2009-06-17 18:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-17 18:35 . 1999-09-10 11:06 5600 ----a-w- c:\windows\system\WINASPI.DLL
2009-06-17 18:35 . 1999-09-10 11:06 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2009-06-17 18:35 . 1999-09-10 11:06 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-06-17 18:35 . 1999-09-10 11:06 25244 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-06-17 18:35 . 2009-06-17 18:35 -------- d-----w- c:\program files\EasyDVDRip
2009-06-17 18:19 . 2009-06-17 18:19 -------- d-----w- c:\program files\YouTube Downloader
2009-06-12 09:59 . 2009-06-02 12:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 09:32 . 2009-06-12 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-12 09:32 . 2009-06-12 09:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-10 08:47 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 08:47 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 17:27 . 2009-04-21 19:24 -------- d-----w- c:\documents and settings\David\Application Data\DNA
2009-07-08 16:35 . 2009-04-21 19:24 -------- d-----w- c:\program files\DNA
2009-07-08 12:52 . 2009-05-17 10:05 -------- d-----w- c:\program files\Steam
2009-07-04 17:09 . 2009-04-05 08:08 -------- d-----w- c:\documents and settings\David\Application Data\TeraCopy
2009-07-02 07:36 . 2009-04-04 12:44 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 17:25 . 2009-04-04 14:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-01 12:02 . 2009-05-24 11:05 -------- d-----w- c:\documents and settings\David\Application Data\Xfire
2009-06-28 21:24 . 2009-06-06 10:48 -------- d-----w- c:\program files\Windows Live
2009-06-24 14:30 . 2009-05-12 07:59 -------- d-----w- c:\program files\World of Warcraft
2009-06-19 09:14 . 2009-04-04 12:44 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-17 18:51 . 2009-04-24 17:03 -------- d-----w- c:\documents and settings\David\Application Data\LimeWire
2009-06-10 19:19 . 2009-04-04 12:44 -------- d-----w- c:\documents and settings\David\Application Data\AVGTOOLBAR
2009-06-06 10:50 . 2009-04-02 23:27 81560 ----a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 10:49 . 2009-06-06 10:49 -------- d-----w- c:\program files\Microsoft
2009-06-06 10:49 . 2009-06-06 10:49 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-06 10:47 . 2009-06-06 10:46 -------- d-----w- c:\program files\MessengerPlus! 3
2009-05-30 11:39 . 2009-05-30 11:38 -------- d-----w- c:\documents and settings\David\Application Data\Crayon Physics Deluxe
2009-05-24 11:14 . 2009-05-24 11:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xfire
2009-05-24 11:07 . 2009-05-24 11:05 -------- d-----w- c:\program files\Xfire
2009-05-24 11:05 . 2009-05-24 11:05 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-05-18 16:11 . 2009-05-17 09:00 138464 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-05-18 16:11 . 2009-05-17 09:00 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-05-17 09:00 . 2009-05-17 09:00 22328 ----a-w- c:\documents and settings\David\Application Data\PnkBstrK.sys
2009-05-17 09:00 . 2009-05-17 09:00 22328 ----a-w- c:\documents and settings\David\Application Data\PnkBstrK.sys
2009-05-17 09:00 . 2009-05-17 09:00 682280 ----a-w- c:\windows\system32\pbsvc.exe
2009-05-17 09:00 . 2009-05-17 09:00 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-05-13 17:47 . 2009-05-13 17:47 -------- d-----w- c:\program files\Curse
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 14:47 . 2009-04-06 17:18 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-05-11 10:37 . 2009-05-11 10:37 -------- d-----w- c:\program files\CCP
2009-05-11 10:37 . 2009-05-11 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\CCP
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 14:55 . 2009-05-03 14:46 527 ----a-w- c:\windows\eReg.dat
2009-05-02 09:41 . 2009-05-02 09:41 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-05-02 08:17 . 2009-04-04 12:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-02 08:17 . 2009-04-04 12:44 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 21:20 . 2009-04-29 21:20 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-04-22 17:04 . 2009-04-22 17:04 34 ---ha-w- c:\windows\system32\Converter_sysquict.dat
2009-04-20 19:17 . 2009-04-20 19:18 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-20 19:17 . 2009-04-20 19:17 152576 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 12:27 . 2009-04-16 12:27 16 ----a-w- c:\windows\popcinfot.dat
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 11:13 . 2009-04-07 17:26 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-04-12 16:58 . 2009-04-12 16:58 223128 ----a-w- c:\windows\system32\drivers\vaxscsi.sys
2009-04-12 15:38 . 2009-04-12 15:38 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-29 16:24 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 12:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX420 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 08:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\David\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enGB-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"H:2\\STEAM\\steamapps\\common\\call of duty world at war\\CoDWaW.exe"=
"H:2\\STEAM\\steamapps\\common\\call of duty world at war\\CoDWaWmp.exe"=
"H:2\\STEAM\\steamapps\\clover56653\\team fortress 2\\hl2.exe"=
"H:4\\STEAM\\steamapps\\clover56653\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty world at war\\CoDWaW.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty world at war\\CoDWaWmp.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\clover56653\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\crayon physics deluxe demo\\launcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"j:\\Games\\Eve Online\\bin\\ExeFile.exe"=
"j:\\Games\\BattleForge\\Bootstrapper.exe"=
"j:\\Games\\BattleForge\\BattleForge.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [04/04/2009 13:44 108552]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [04/04/2009 13:44 335752]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [04/04/2009 13:44 907032]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/04/2009 13:44 298776]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [04/04/2009 15:09 1684736]
S3 pnicml;pnicml;\??\c:\docume~1\David\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\David\LOCALS~1\Temp\pnicml.sys [?]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [20/04/2009 18:14 23096]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-861567501-725345543-1004Core.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-03 09:10]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-861567501-725345543-1004UA.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-03 09:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 17:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-09 17:45
ComboFix-quarantined-files.txt 2009-07-09 16:44

Pre-Run: 4,849,090,560 bytes free
Post-Run: 6,240,804,864 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

223 --- E O F --- 2009-06-24 03:23
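Editor's note: the driver list in the ComboFix report above contains one entry that stands out, `pnicml`, whose image loads from the user's Temp folder and whose file ComboFix marks `[?]` (not found). The script below is an added example, not part of the original thread or of ComboFix, that parses the service/driver lines and the firewall `GloballyOpenPorts` values in that report format and flags the things an analyst looks for: drivers loading from user-writable directories and dangling service entries. The sample lines are copied from the report; the line format is assumed to be the one ComboFix always uses for those two sections.

```python
import re

# Constructed sample input: driver/service and firewall lines copied from the
# ComboFix report posted in this thread (assumption: every ComboFix report
# prints these two sections in this format).
SAMPLE_SERVICES = r"""
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [04/04/2009 13:44 108552]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [04/04/2009 13:44 335752]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [04/04/2009 13:44 907032]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [04/04/2009 15:09 1684736]
S3 pnicml;pnicml;\??\c:\docume~1\David\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\David\LOCALS~1\Temp\pnicml.sys [?]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [20/04/2009 18:14 23096]
"""

SAMPLE_PORTS = r"""
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"""

# <R|S><start type> <name>;<display name>;<image path> [<date> <time> <size>]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# "<port>:<proto>"= <port>:<proto>:<description>
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<value>.+)$')

# Locations a legitimate kernel driver should never load from: user-writable
# temp and profile directories (8.3 short names included, as ComboFix prints them).
USER_WRITABLE_DIRS = ("\\temp\\", "\\tmp\\", "\\local settings\\", "\\locals~1\\",
                      "\\application data\\", "\\appdata\\", "\\desktop\\")


def parse_service_line(line):
    """Return a dict for one service/driver line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if "-->" in rest:                       # "\??\path --> resolved path [?]"
        rest = rest.split("-->", 1)[1].strip()
    path, _, meta = rest.rpartition(" [")
    meta = meta.rstrip("]")
    return {
        "state": m.group("state"),          # R = running, S = stopped
        "start": int(m.group("start")),     # 0 boot, 1 system, 2 auto, 3 manual
        "name": m.group("name"),
        "display": m.group("display"),
        "path": path,
        "file_missing": meta == "?",        # ComboFix prints [?] when the image is gone
    }


def flag_service(entry):
    """Reasons an analyst would want to inspect this entry; empty list if none."""
    reasons = []
    lowered = entry["path"].lower()
    if any(d in lowered for d in USER_WRITABLE_DIRS):
        reasons.append("image loads from a user-writable temp/profile directory")
    if entry["file_missing"]:
        reasons.append("image file no longer present on disk (dangling service entry)")
    return reasons


def parse_open_port_line(line):
    """Parse one GloballyOpenPorts value; the description may itself contain ':'."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    port, proto, desc = m.group("value").split(":", 2)
    return {"port": int(port), "proto": proto, "description": desc.strip()}


def triage(services_text, ports_text):
    """Return (flagged services, open-port list) for the two report sections."""
    flagged = []
    for line in services_text.splitlines():
        entry = parse_service_line(line)
        if entry:
            reasons = flag_service(entry)
            if reasons:
                flagged.append((entry["name"], entry["path"], reasons))
    ports = [p for p in (parse_open_port_line(l) for l in ports_text.splitlines()) if p]
    return flagged, ports


if __name__ == "__main__":
    flagged, ports = triage(SAMPLE_SERVICES, SAMPLE_PORTS)
    for name, path, reasons in flagged:
        print(f"{name}: {path}\n  - " + "\n  - ".join(reasons))
    for p in ports:
        print(f"firewall exception {p['port']}/{p['proto']}: {p['description']}")
```

Run against the sample, only `pnicml` is flagged, for both reasons; the AVG, Ambfilt and SndTAudio drivers live under `system32\drivers` or `Program Files` and pass. The port list is worth printing too, since a firewall exception a user did not knowingly add is another thing to review after an infection.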
Old 07-09-2009, 11:32 AM   #6 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Trojan

hi.

Reboot your computer in Normal mode.


Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case BitTorrent and LimeWire 5.1.2). These programmes allow you to share files between users, as the name(s) suggest. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

Please uninstall them via add/remove program at the CONTROL PANEL:
BitTorrent
LimeWire 5.1.2
DNA <-- part of BitTorrent

--------------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
DRIVER::
pnicml

FILE::
c:\docume~1\David\LOCALS~1\Temp\pnicml.sys
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

------------------------------------------------------------------------

Your Java is out of date.

Java(TM) 6 Update 11 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

-------------------------------------------------------------------------

Kaspersky scan

*Close any open programs
*Turn off the real time scanner of any existing antivirus program while performing the online scan. You can find instructions HERE.


Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

--------------------------------------------------------------------------

How's your computer now?


In your reply, please post

C:\combofix.txt
Kaspersky scan result
Answer to my questions


Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Old 07-09-2009, 05:36 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Swansea
Posts: 34
OS: Windows XP SP3


Re: Trojan

Here are the two reports you asked for.
And in answer to your question, my PC seems a lot faster now.
Attached Files
File Type: txt Kaspersky report.txt (2.4 KB, 2 views)
File Type: txt ComboFix.txt (16.8 KB, 2 views)
Old 07-10-2009, 06:04 AM   #8 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Trojan

hi.

Your last log was good, though Kaspersky found some malware. The ones in Qoobox are inactive malware that was quarantined by our tools. They are inactive now. We will also flush your System Restore; instructions will be included in the ComboFix uninstallation.

The rest will be deleted. Please follow the instructions below:

Open Notepad and copy/paste the contents in the code box below, into Notepad.
Code:
@echo off
REM Start with a fresh failure log in the user's Temp folder.
if exist "%temp%\log.txt" del "%temp%\log.txt"

REM Each quoted path below is deleted in turn. /a clears attributes such as
REM read-only or hidden, /f forces deletion and /q suppresses prompts.
REM Any file that still exists afterwards is written to the log.
for %%g in ( 
"J:\Documents and Settings\Lawra and the pie\Local Settings\Temporary Internet Files\Content.IE5\6X8ZEDE5\popup[2].htm"
"J:\Documents and Settings\Lawra and the pie\Local Settings\Temporary Internet Files\Content.IE5\8LIVKTAZ\popup[1].htm"
"J:\Documents and Settings\Lawra and the pie\Local Settings\Temporary Internet Files\Content.IE5\D1Z42CM2\popup[1].htm"
"J:\Documents and Settings\Lawra and the pie\Local Settings\Temporary Internet Files\Content.IE5\KXORC78F\popup[1].htm"
"J:\Documents and Settings\Lawra and the pie\Local Settings\Temporary Internet Files\Content.IE5\MPX2F2XG\popup[1].htm"
"J:\Old documents\Documents and Settings\Administrator\My Documents\My Music\Incomplete\Preview-T-328472-~~ southpark movie-la resistance 29.wma"
"J:\Old documents\Documents and Settings\Administrator\My Documents\My Music\Incomplete\Preview-T-384247-released southpark-la resistance 12.wma"
) do (
del /a/f/q %%g 
if exist %%g echo.%%g >>"%temp%\log.txt" 
)>nul 2>&1 

REM Show the log in Notepad if anything survived, otherwise report success.
if exist "%temp%\log.txt" (start notepad "%temp%\log.txt"
) else echo.Deleted Successfully! 
echo. 
pause 
REM The batch file removes itself once it has finished.
del %0
Save this as ariel.bat. Choose "Save type as - All Files".

It should look like this:

Double click clover.bat to launch it.

Tell me what it says in your next reply.

-------------------------------------------------------------------------

Congratulations! You now appear clean!

We Need to Clean Up Our Mess
  1. Uninstall ComboFix
    Remove Combofix now that we're done with it.
    • Click on your Start Menu, then Run....
    • Now copy and paste this one in the runbox. Then HIT enter.

      Code:
      ComboFix /u


    Uninstalling ComboFix will do the following:
    1. Delete ComboFix and its components from your computer.
    2. Delete other tools commonly used during the malware removal process.
    3. Reset clock settings to standard format.
    4. Re-hide file extensions and hidden/system files.
    5. Clear the System Restore cache and create a new restore point.

  2. Please also delete the DDS.scr located at your desktop.
  3. Please also delete the clover.bat located at your desktop.
-----------------------------------------------
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.

  2. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file

  3. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident scanner and do not nag if you purchase the paid versions.

  4. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  5. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  6. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Please respond to this thread one more time so we can mark this thread as resolved.

Maraming salamat.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
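Editor's note: the batch script in the post above deletes a fixed list of files, clears their attributes first (`del /a /f`), and logs whatever is still present afterwards. The Python below is an added example (not the analyst's script and not a project tool) that does the same job with the two behaviours worth being explicit about: a path that never existed counts as success, just as in the batch file, and a directory is refused rather than emptied, because `DEL` on a folder deletes its contents. The files it works on are constructed in a scratch directory so it runs anywhere; the names are made up.

```python
import os
import stat
import tempfile


def remove_files(paths, log_path=None):
    """Delete each listed file; return [(path, reason)] for anything not removed.

    Mirrors the batch script: a path that was never there counts as success,
    read-only attributes are cleared first (the /a /f switches), and every
    survivor is written to log_path. Unlike DEL, a directory is refused.
    """
    survivors = []
    for path in paths:
        if os.path.isdir(path):
            survivors.append((path, "is a directory; refusing (DEL on a folder would empty it)"))
            continue
        if not os.path.lexists(path):
            continue                        # already gone: nothing to log
        try:
            os.chmod(path, stat.S_IWRITE)   # clear read-only so the unlink is not refused
            os.remove(path)
        except OSError as exc:              # locked by a process, permission denied, ...
            survivors.append((path, str(exc)))
            continue
        if os.path.lexists(path):           # belt and braces, like "if exist" after del
            survivors.append((path, "still present after delete"))
    if log_path and survivors:
        with open(log_path, "w") as log:
            for path, reason in survivors:
                log.write(f"{path}\t{reason}\n")
    return survivors


def demo():
    """Constructed scenario: two ordinary files, one read-only file, a missing path, a folder."""
    base = tempfile.mkdtemp(prefix="cleanup_demo_")
    targets = []
    for name in ("popup[1].htm", "popup[2].htm"):        # constructed sample files
        target = os.path.join(base, name)
        with open(target, "w") as fh:
            fh.write("<html>constructed sample</html>\n")
        targets.append(target)
    read_only = os.path.join(base, "Preview-constructed.wma")
    open(read_only, "w").close()
    os.chmod(read_only, stat.S_IREAD)                     # the case /a /f exists for
    targets.append(read_only)
    targets.append(os.path.join(base, "never-existed.tmp"))  # counts as success
    folder = os.path.join(base, "subdir")
    os.mkdir(folder)
    targets.append(folder)                                # must be refused, not emptied

    log_path = os.path.join(base, "log.txt")
    survivors = remove_files(targets, log_path)
    remaining = sorted(os.listdir(base))

    # tidy up the scratch directory
    if os.path.exists(log_path):
        os.remove(log_path)
    os.rmdir(folder)
    os.rmdir(base)
    return survivors, remaining


if __name__ == "__main__":
    survivors, remaining = demo()
    if survivors:
        for path, reason in survivors:
            print(f"NOT deleted: {path} ({reason})")
    else:
        print("Deleted Successfully!")
```

In the demo the three real files go, including the read-only one, the missing path is silently treated as done, and the only survivor is the folder, which ends up in the log exactly as the batch version would report a file it could not remove.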
Old 07-10-2009, 06:37 AM   #9 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Swansea
Posts: 34
OS: Windows XP SP3


Re: Trojan

Ok. I've done everything on the list and everything seems to be running fine. Thanks a lot for helping me, I appreciate it. = ]
Old 07-10-2009, 06:39 AM   #10 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Trojan

hi.

Quote:
Double click clover.bat to launch it.

Tell me what it says in your next reply.
What was the result?

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Old 07-10-2009, 07:10 AM   #11 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Swansea
Posts: 34
OS: Windows XP SP3


Re: Trojan

Deleted Successfully
Old 07-10-2009, 07:12 AM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Trojan

hi.

You are good to go.

Surf safely

mak
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Old 07-10-2009, 12:00 PM   #13 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Trojan

Since the problem appears to be resolved, it will now be archived.
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Copyright 2001 - 2009, Tech Support Forum