Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 - 07-31-2009, 09:34 PM - mjw282 (Registered User; OS: Windows XP)

Virus or something that keeps reappearing

Hi, this is my first time here, so I hope I can get down the necessary info. Thanks in advance for trying to help; I was stoked to find this forum.

I have some sort of virus. I have a PC with Windows XP and IE8 and use AVG 8.5 and Spyhunter 3.0, and after getting the virus I have used Malwarebytes Anti-Malware.

The original problem was AVG Resident Shield Alert telling me I had trojans and all sorts of junk coming onto my computer; trouble is, I had no idea Resident Alert was a part of AVG, and I have had fake Antispyware in the past, so I ignored it and exited out.

Not long later I got Windows Antispyware Pro, which I believe is the root of my problem. I was able to delete it from my Program Files and stop it from reappearing (I also cut off my internet connection as a preventive measure). I then got on another computer and looked into how to delete it, and they suggested Malwarebytes after stopping a process called svchast.exe (a fake of svchost.exe or something?) in my task manager's processes.

I got online and downloaded Malwarebytes, and in the time that took Resident Shield caught more trojans coming in, and sure enough Windows Antispyware Pro was back again. I repeated the initial steps to stop it and ran Malwarebytes, which caught a ton of stuff (58 files I believe); I deleted them and restarted my computer. Nothing happened on startup, but when I resumed my internet connection more trojans kept coming in, and when left to their own devices they will bring back Windows Antivirus Pro.

I have rerun full scans of Malwarebytes, AVG, and Spyhunter as well as looked at numerous sites (which all say there are slightly different files to remove to get rid of Windows Antispyware Pro) for advice, and my problem remains that after scanning with Malwarebytes my computer works fine on startup up until I connect to the internet. Then immediately I get alerts from Resident Shield and have new files in C:/...local settings/temp and temporary internet files/content.IE5, as well as sometimes in my registry (HKEY) and right in my C drive (ex. C:/wkdux.exe). The files always have different names that seem randomly generated, but they always lead to Windows Antivirus Pro.

To me it seems obvious there is something hiding somewhere just waiting for me to get on the internet. I cannot update my definitions (although I think they are pretty current) without getting reinfected. I have tried combing my files for things that look out of place, but I know little of what I am looking for. How can I root out this little bug?

P.S. All the sites saying how to remove Windows Antispyware Pro said different files were causing the problem, but they all ended by saying to use Malwarebytes to remove it. I get to that point and have Malwarebytes remove the files, and they come right back when I get online; that is my basic problem.

Sorry if this is hard to follow, I'm wading in over my head here a little. Any help is hugely appreciated and I can try to get as much more info as I can.
#2 - 08-01-2009, 09:46 PM - mjw282 (Registered User; OS: Windows XP)

Re: Virus or something that keeps reappearing

So I can get online for like 45 to 60 second periods before I find Resident Shield telling me about new trojans and things. I was able to update Malwarebytes and AVG, and after full system scans it still didn't help (nothing new found). What options are there when scanners can't find anything? Again, any help would be appreciated; I really don't know what else I can do.
#3 - 08-01-2009, 11:16 PM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; OS: WinXP and Vista)

Re: Virus or something that keeps reappearing

Hello mjw282 and welcome.

The other option is to come to us for help in removing this.

Use another computer if you have to for downloading the 2 tools we require scans from. Please follow the instructions in our sticky topic New Instructions - Read This Before Posting for Malware Removal Help and post the requested logs in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#4 - 08-02-2009, 12:41 AM - mjw282 (Registered User; OS: Windows XP)

Re: Virus or something that keeps reappearing

Here is my DDS and the .zip with Attach.txt and ark.txt. Some other important things to note:

1) When I used my jump drive to move from the infected computer to this current one, I got an alert from McAfee that it caught a trojan called Generic!atr. Was this really trying to jump from com to com, and does this illuminate what my real problem may be (instead of this Windows Antivirus thing)?

2) I am noticing some repeat files as I continuously delete them when I jump online to see if I've fixed the problem. I always get random #'ed files in my Temp folder, and I seem to have a problem folder called O2LMHJCG in my content.IE5 folder in Temporary Internet Files (ex. C:\...temporary internet files\content.IE5\O2LMHJCG\weird file name that Malwarebytes says is a trojan). Malwarebytes has deleted some things from this folder, and yet when I look in the content.IE5 folder it's always empty of any subfolders (so I feel like something's hiding from me).

3) Another file, xlhxx.exe, is sitting right in my C:\ (literally C:\xlhxx.exe) where other files from this virus have been going, but this one refused to be deleted (it's busy, my computer says when I try to delete it). I don't feel like it's been there the whole time I've had the virus; I think I have been able to delete it in the past, but now it won't go away.

There are other files I have seen continuously come back when I go on the internet, but I don't know if they are of any use. Thanks again for the help.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Mike at 22:44:07.20 on Sat 08/01/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.454 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=dwbrdg.wa&login=0172aa310acd194f6d389f43f5b59eed/dwbrdg.wa:netzero.net/1147624544/30/sss.8.34547/&ts=44675c60&A=0&B=1134460800000&C=1134460800000&D=1141977600000&I=7.NH4&N=PLHS&O=A&UT=
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: Taskman=c:\recycler\s-1-5-21-8613150334-8373142196-550387821-0063\wnzip32.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: X1IEHook Class: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\x1IEBHO.dll
BHO: DealioBHO Class: {6a87b991-a31f-4130-ae72-6d0c294bf082} - c:\program files\dealio\kb124\Dealio.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Dealio: {e67c74f4-a00a-4f2c-9fec-fd9dc004a67f} - c:\program files\dealio\kb124\Dealio.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
EB: Dealio: {5c4c24d0-28b6-4b6b-b70f-e09848367f10} - c:\program files\dealio\kb124\Dealio.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [WildTangent CDA] "c:\program files\wildtangent\apps\cda\gamedrvr.exe" /startup "c:\program files\wildtangent\apps\cda\cdaEngine0500.dll"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wincin~1.lnk - c:\program files\sandisk\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Compare Prices with &Dealio - c:\documents and settings\mike\application data\dealio\kb124\res\DealioSearch.html
IE: Display All Images with Full Quality - c:\program files\netzero\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\netzero\qsacc\appres.dll/227
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {E908B145-C847-4e85-B315-07E2E70DECF8} - {9F038672-0425-4792-BC9C-36DE3308E8AA} - c:\program files\dealio\kb124\Dealio.dll
DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - hxxp://echospin.com/wizard/files/esWizard.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2006-10-28 15172]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-10 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-10 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-10 108552]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-9-25 574808]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-29 298776]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-11-27 1174152]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S2 Ias;Microsoft Security Services Management;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

=============== Created Last 30 ================

2009-07-31 22:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-07-31 19:40 0 a------- C:\xlhxx.exe
2009-07-31 14:26 273 a------- C:\hpqp.ini
2009-07-31 14:26 39 a------- C:\XP_TV.ini
2009-07-31 12:16 <DIR> --d----- c:\docume~1\mike\applic~1\Malwarebytes
2009-07-31 12:16 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-31 12:16 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-31 12:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-31 12:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-31 11:48 4 a------- c:\windows\system32\bincd32.dat
2009-07-31 11:16 <DIR> a-d----- c:\windows\system32\images
2009-07-31 11:16 8,550 a------- c:\windows\system32\wispex.html
2009-07-18 20:14 <DIR> --d----- c:\docume~1\mike\applic~1\My Games
2009-07-18 20:04 266,088 a------- c:\windows\system32\xactengine2_8.dll
2009-07-18 20:04 18,280 a------- c:\windows\system32\x3daudio1_2.dll
2009-07-18 20:04 1,124,720 a------- c:\windows\system32\D3DCompiler_34.dll
2009-07-18 20:04 443,752 a------- c:\windows\system32\d3dx10_34.dll
2009-07-18 20:04 3,497,832 a------- c:\windows\system32\d3dx9_34.dll
2009-07-18 18:50 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-07-15 21:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-07-15 21:59 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-07-15 21:59 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-07-15 21:52 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-07-15 21:52 <DIR> --d----- c:\docume~1\mike\applic~1\DAEMON Tools Lite
2009-07-15 21:39 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-07-15 21:33 197,120 a------- c:\windows\patchw32.dll
2009-07-15 21:33 <DIR> --d----- c:\program files\common files\PocketSoft
2009-07-15 21:27 <DIR> --d----- c:\program files\Atari
2009-07-15 21:23 <DIR> --d----- c:\docume~1\mike\applic~1\Atari

==================== Find3M ====================

2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 06:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-04 11:27 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 10:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 10:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 10:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 10:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 10:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 10:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 10:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 10:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 10:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 10:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 10:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 04:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 09:56 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-17 10:12 86,939 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-10 13:29 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-25 19:24 299,008 a------- c:\windows\system32\TubeFinder.exe
2009-05-11 22:11 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 08:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2008-11-22 00:16 1,890 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-10-20 23:12 88 ---shr-- c:\docume~1\alluse~1\applic~1\4784BAC703.sys
2008-02-23 22:20 73,416 a------- c:\docume~1\mike\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 22:44:56.56 ===============
Attached Files
File Type: zip Attach.zip (6.4 KB, 4 views)
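The checks an analyst makes by eye on a log like the one above can be written down. The script below is an added example, not part of this thread or of the DDS tool: it scans "Pseudo HJT Report" and "Created Last 30" lines for a Winlogon value that should not exist or points into a RECYCLER/temp directory, orphaned "No File" registrations, and executables dropped in the drive root. The sample lines are copied from the posted log, and the stock-XP Winlogon defaults in EXPECTED_WINLOGON are this example's own assumption.

```python
"""Heuristic triage of DDS 'Pseudo HJT Report' and 'Created Last 30' lines.

Added example; not part of the thread or of the DDS tool. The Winlogon
defaults below are an assumption about a stock Windows XP install.
"""
import re
from typing import Dict, List

# Constructed sample: lines taken from the DDS log posted in this thread, plus
# a clean Run entry and a plain .ini file as negative controls (must not flag).
SAMPLE_DDS = [
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe",
    r"mWinlogon: Taskman=c:\recycler\s-1-5-21-8613150334-8373142196-550387821-0063\wnzip32.exe",
    r"BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll",
    r"TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"2009-07-31 19:40 0 a------- C:\xlhxx.exe",
    r"2009-07-31 14:26 273 a------- C:\hpqp.ini",
]

# Winlogon values present on a default XP install (assumption). 'Taskman' is
# deliberately absent: Windows does not set it, so any value at all is suspect.
EXPECTED_WINLOGON = {
    "userinit": r"c:\windows\system32\userinit.exe",
    "shell": "explorer.exe",
}

# Directories from which nothing legitimate is auto-started at logon.
SUSPICIOUS_DIRS = ("\\recycler\\", "\\temp\\", "\\temporary internet files\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")

WINLOGON_RE = re.compile(r"^[um]Winlogon:\s*(\w+)=(.*)$", re.IGNORECASE)
# '<date> <time> <size> <attrs> <path>' as printed in the Created Last 30 block.
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+([\d,]+)\s+\S+\s+(.*)$")
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per heuristic hit: severity, offending line, reason."""
    findings: List[Dict[str, str]] = []

    def flag(severity: str, line: str, reason: str) -> None:
        findings.append({"severity": severity, "line": line, "reason": reason})

    for raw in lines:
        line = raw.strip()

        m = WINLOGON_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip().lower()
            if key not in EXPECTED_WINLOGON:
                flag("high", line, f"Winlogon value '{key}' is not set on a default install")
            elif value != EXPECTED_WINLOGON[key]:
                flag("high", line, f"Winlogon '{key}' redirected away from its default")
            if any(d in value for d in SUSPICIOUS_DIRS):
                flag("high", line, "autostart binary lives under recycler/temp")
            continue

        if line.lower().endswith("- no file"):
            # Orphaned COM registration: harmless by itself, but worth cleaning.
            flag("low", line, "registered component whose file is missing")
            continue

        m = CREATED_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            path = m.group(2).strip()
            if path.lower().endswith(EXEC_EXT):
                if DRIVE_ROOT_RE.match(path):
                    flag("high", line, "executable created directly in the drive root")
                if size == 0:
                    flag("medium", line, "zero-byte executable (stub or locked placeholder)")

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

Run against the sample, it flags the Taskman entry twice (unexpected value, RECYCLER path), the orphaned toolbar once, and C:\xlhxx.exe twice (drive root, zero bytes), while the clean Userinit, ctfmon and .ini lines pass.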
#5 - 08-02-2009, 12:45 AM - mjw282 (Registered User; OS: Windows XP)

Re: Virus or something that keeps reappearing

I also noticed that I wrote Windows Antispyware Pro in bold, and the name of the program that popped up was actually Windows Antivirus Pro, which is how I referred to it later on. Antivirus Pro is what keeps bugging my computer.
#6 - 08-02-2009, 09:26 AM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; OS: WinXP and Vista)

Re: Virus or something that keeps reappearing

Hi mjw282,

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.


***************************************************

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Insert your flash drive so it may be involved in the scanning process as well.

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
#7 - 08-02-2009, 06:01 PM - mjw282 (Registered User; OS: Windows XP)

Re: Virus or something that keeps reappearing

So now there's a real mess. For some reason I listened to those instructions too carefully and took off all my security programs and let ComboFix get online to download Windows Recovery Console; this of course let the virus jump in further than it's ever gotten before, and now I cannot open Malwarebytes to get rid of it. To make matters worse, supposedly I cut my connection too soon and I still don't have Windows Recovery Console.

1) Is there any way to download Windows Recovery Console on this computer and use a flash drive to move it over (I have googled it and searched download.microsoft.com to no avail)? Also, how risky is it to run ComboFix without Recovery?

2) How do I start using my computer again? ComboFix seemed to work, but now all programs seem to be impaired; before, the only trouble came from internet access.

3) ComboFix asks to keep your flash drive in for the scan. Does this mean my flash drive is infected (I think it may already have been with the Generic!atr I mentioned earlier) after being online without any protection and the virus taking over? This is my parents' computer and it's using McAfee. Is it safe to continue moving programs between the infected computer and this one with a flash drive?

Let me know what you think my next action should be.
#8 - 08-02-2009, 06:59 PM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; OS: WinXP and Vista)

Re: Virus or something that keeps reappearing

Quote:
Combofix seemed to work but now all programs seem to be impaired,
Did it complete the scan? If so, post the C:\ComboFix.txt

Yes, we can install the Recovery Console another way, but first I need to see the results of the ComboFix.txt or tell me if it did not complete.
#9 - 08-02-2009, 07:10 PM - mjw282 (Registered User; OS: Windows XP)

Re: Virus or something that keeps reappearing

The scan did not complete. I didn't let it start because I didn't have Recovery. I just mean that when I clicked it again it reloaded and reminded me that AVG was going. Every other program has an error message or something, so I can't use it; I just assume it will get through the scan, it's not for sure. How can I get Recovery so I can safely do the scan (or is it not as big a deal as they make it seem)? Also, do you think my flash drive is dangerous to use in my computer? I will have to use it to get the results of ComboFix when I do the scan.
#10 - 08-02-2009, 07:32 PM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; OS: WinXP and Vista)

Re: Virus or something that keeps reappearing

Good, I am glad you stopped it from running.


Download the XP Home SP2 package from Microsoft => http://www.microsoft.com/downloads/d...displaylang=en (it will work for SP3)


Download the file & save it as it's originally named.

---------------------------------------------------------------------

Transfer the file you just downloaded to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal.

Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
  • Click on Open AVG Interface.
  • Double click on Resident Shield
  • Deselect the option to "Enable Resident Shield."
  • Save changes, and exit the application.
  • To re-enable AVG 8.5, please select "Enable Resident Shield" again.

**If you are unable to access the Control Center, then click your way through ComboFix when alerted

===================================
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
#11 - 08-02-2009, 09:02 PM - mjw282 (Registered User; OS: Windows XP)

Re: Virus or something that keeps reappearing

When I run ComboFix it seems to work fine until it gets to "Rebooting Windows...Please Wait". The computer seems to quit doing anything, and I let it sit for as long as 15-20 minutes on three different occasions. I have to use the start menu to reboot at that point, and there is nothing called ComboFix.txt in my C:. All that comes up is a "catchme.txt" on my desktop at reboot that says C:\combofix\netlogon.dll successful or something like that. What should I do?
08-02-2009, 09:15 PM   #12
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,059
OS: WinXP and Vista


Re: Virus or something that keeps reappearing

Quote:
This is my parents' computer and it's using McAfee.
I do not see McAfee running or installed. I see AVG 8.5. Were you able to completely disable AVG as described?
08-03-2009, 12:27 PM   #13
Registered User
Join Date: Jul 2009
Posts: 18
OS: Windows XP


Re: Virus or something that keeps reappearing

Sorry, I am talking about the computer I am using to get on these forums. The infected computer is my laptop that uses AVG. I was mentioning this computer with McAfee because I have been worried the virus on my laptop can get onto this (my parents' computer) while I am using my flash drive to get the necessary files from here to my infected computer (combofix, etc.).

I was able to stop AVG with the method you showed. Again everything went fine with Combofix until it got hung up when it tried to restart windows. I get no messages about needing to turn off any security or anything like I did when I first used it, so it seems to be working properly. I've tried four times, no luck. What should I do now?
08-03-2009, 12:34 PM   #14
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,059
OS: WinXP and Vista


Re: Virus or something that keeps reappearing

I'd like to see where we stand at this point.

Download RootRepeal
  • Extract RootRepeal.exe from the zip archive.
  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all boxes
  • Click Ok
  • Check the box for your main system drive (Usually C:), and click Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

=====================

Also, run a new scan with dds.scr and post the dds.txt

We can check to see if your parents' machine has been compromised. Run both of the tools I just mentioned on your parents' computer. Begin a new thread so we can keep the machines straight. Entitle it PC2 or Parent's PC or something similar to that so it is not mistaken as a duplicate thread by others. Once you've begun that new thread for that machine, give me the link so I can grab it up.
08-03-2009, 01:23 PM   #15
Registered User
Join Date: Jul 2009
Posts: 18
OS: Windows XP


Re: Virus or something that keeps reappearing

I'm pretty sure the virus just stopped the rootrepeal scan. The scan was going and it highlighted two files C:\hiberfil.sys and C:\windows\system32\netlogon.dll and said both were "Locked to the Windows API!" When I tried to rerun Rootrepeal it gave the same error that stopped MalwareBytes from working. In the rootrepeal folder there also was a new file called settings (a DAT file of 0KB).

The one weird thing was that after running combofix the one thing that does happen is a file is created called catchme.txt after I've restarted the computer and inside it simply says C:\combofix\MT_netlogon.dll.tmp added successfully. I just mention it because this netlogon.dll file has reappeared.

As for running DDS, I open the file and it just sits there, it doesn't start to scan.
08-03-2009, 01:39 PM   #16
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,059
OS: WinXP and Vista


Re: Virus or something that keeps reappearing

Try these tools.

Download rsit.exe and save it to your desktop.
  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
If you do not see the info.txt you can find it in the C:\rsit folder. Please attach that .txt

==========================

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select SSDT and Hidden Files.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive only. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
08-03-2009, 02:05 PM   #17
Registered User
Join Date: Jul 2009
Posts: 18
OS: Windows XP


Re: Virus or something that keeps reappearing

So RSIT didn't work. It opened and started doing some things but after about 5 seconds it disappeared and when I tried to run it again I got the usual error, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

SysProt on the other hand worked fine. Hooray! Here's the log it made:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateEvent
Address: F768B5AD
Driver Base: F7682000
Driver End: F7691000
Driver Name: \SystemRoot\System32\drivers\7df39e62.sys

Function Name: ZwCreateKey
Address: F7689685
Driver Base: F7682000
Driver End: F7691000
Driver Name: \SystemRoot\System32\drivers\7df39e62.sys

Function Name: ZwEnumerateKey
Address: F72AFCA4
Driver Base: F7290000
Driver End: F7391000
Driver Name: sphq.sys

Function Name: ZwEnumerateValueKey
Address: F72B0032
Driver Base: F7290000
Driver End: F7391000
Driver Name: sphq.sys

Function Name: ZwOpenKey
Address: F7689745
Driver Base: F7682000
Driver End: F7691000
Driver Name: \SystemRoot\System32\drivers\7df39e62.sys

Function Name: ZwQueryKey
Address: F72B010A
Driver Base: F7290000
Driver End: F7391000
Driver Name: sphq.sys

Function Name: ZwQueryValueKey
Address: F72AFF8A
Driver Base: F7290000
Driver End: F7391000
Driver Name: sphq.sys

Function Name: ZwSetValueKey
Address: F72B019C
Driver Base: F7290000
Driver End: F7391000
Driver Name: sphq.sys

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Mike\Local Settings\Temp\WPDNSE\A.W.K.
Status: Hidden

Object: C:\Documents and Settings\Mike\Local Settings\Temp\WPDNSE\Misc.
Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}
Status: Access denied
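The SSDT section of the SysProt log above is the part worth reading closely: each record is a kernel service whose table entry now resolves to a driver (sphq.sys or 7df39e62.sys) instead of the kernel image, and most of the hooked services are registry calls. Below is an added Python example, not code from the thread and not part of SysProt, that parses those "Key: Value" records, groups the hooks by driver, and checks that every hook address really lies inside the driver range the tool printed. SAMPLE_LOG is a constructed excerpt in the log's layout; its last record (ZwOpenProcess) is made up and deliberately inconsistent so the range check has something to catch.

```python
"""Summarise the SSDT section of a SysProt AntiRootkit log.

Added example: not SysProt's code and not posted in the thread. Parsing follows
the "Key: Value" record layout of the log as posted. SAMPLE_LOG is a constructed
excerpt in that layout; its last record (ZwOpenProcess) is made up and
deliberately inconsistent so the range check has something to catch.
"""
from collections import defaultdict

SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
SSDT:
Function Name: ZwCreateEvent
Address: F768B5AD
Driver Base: F7682000
Driver End: F7691000
Driver Name: \SystemRoot\System32\drivers\7df39e62.sys

Function Name: ZwEnumerateKey
Address: F72AFCA4
Driver Base: F7290000
Driver End: F7391000
Driver Name: sphq.sys

Function Name: ZwSetValueKey
Address: F72B019C
Driver Base: F7290000
Driver End: F7391000
Driver Name: sphq.sys

Function Name: ZwOpenProcess
Address: 805A1234
Driver Base: F7290000
Driver End: F7391000
Driver Name: sphq.sys

******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Mike\Local Settings\Temp\WPDNSE\A.W.K.
Status: Hidden
"""

FIELDS = ("Function Name", "Address", "Driver Base", "Driver End", "Driver Name")


def parse_ssdt(log_text):
    """One dict per record between the 'SSDT:' line and the next '*****' rule."""
    lines = log_text.splitlines()
    if "SSDT:" not in lines:
        return []
    raw_records, current = [], {}
    for line in lines[lines.index("SSDT:") + 1:]:
        if line.startswith("*****"):      # rule that closes the SSDT section
            break
        if not line.strip():              # blank line separates records
            if current:
                raw_records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        raw_records.append(current)
    return [
        {
            "function": r["Function Name"],
            "address": int(r["Address"], 16),
            "base": int(r["Driver Base"], 16),
            "end": int(r["Driver End"], 16),
            "driver": r["Driver Name"],
        }
        for r in raw_records
        if all(f in r for f in FIELDS)     # skip records cut off by a truncated log
    ]


def hooks_by_driver(entries):
    """Map each driver to the sorted services whose SSDT slot points into it."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["driver"]].append(e["function"])
    return {drv: sorted(fns) for drv, fns in grouped.items()}


def misattributed(entries):
    """Records whose hook address lies outside the [base, end) range printed for the driver."""
    return [e for e in entries if not (e["base"] <= e["address"] < e["end"])]


def registry_services(entries):
    """Hooked services that act on registry keys; hooking these is how entries get hidden."""
    return sorted(e["function"] for e in entries if "Key" in e["function"])


if __name__ == "__main__":
    entries = parse_ssdt(SAMPLE_LOG)
    for driver, fns in hooks_by_driver(entries).items():
        print(f"{driver}: {', '.join(fns)}")
    print("registry services hooked:", ", ".join(registry_services(entries)))
    for e in misattributed(entries):
        print(f"check: {e['function']} at {e['address']:08X} is outside {e['driver']}")
```

Attribution is a starting point, not a verdict: some legitimate drivers (the SCSI pass-through layer shipped with disc-emulation software, for instance) hook the same registry services to protect themselves, so the next step is to check each driver file, its signature and which installed program it belongs to.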
08-03-2009, 02:07 PM   #18
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,059
OS: WinXP and Vista


Re: Virus or something that keeps reappearing

Will this machine boot into Safe Mode? If so, try to run rsit from there.
08-03-2009, 02:36 PM   #19
Registered User
Join Date: Jul 2009
Posts: 18
OS: Windows XP


Re: Virus or something that keeps reappearing

So maybe RSIT did work originally, it opened and only lasted for about 5 to 10 seconds but when I looked there was a logfile under C:\rsit. There was no info file that I could find however. Is it worth trying to run combofix or rootrepeal in safe mode?

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-08-03 13:31:21
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 17 GB (24%) free of 69 GB
Total RAM: 894 MB (78% free)

HijackThis download failed

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bd56a320-23f2-42ad-f4e4-00aac39caa53}]
C:\WINDOWS\system32\hs7f3uhduhfukde.dll - C:\WINDOWS\system32\hs7f3uhduhfukde.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - Dealio - C:\Program Files\Dealio\kb124\Dealio.dll [2007-10-09 2663264]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-14 259696]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-06-26 1008896]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-11-10 344064]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-06-19 729178]
"QPService"=C:\Program Files\HP\QuickPlay\QPService.exe [2005-12-12 94208]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2005-12-07 409600]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-08-01 233534]
"RecGuard"=C:\Windows\SMINST\RecGuard.exe [2005-10-11 1187840]
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2005-12-13 507904]
"WildTangent CDA"=C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe /startup C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll []
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]
"Symantec PIF AlertEng"=C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-03-12 517768]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-01-31 385024]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-02-19 267048]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-06-29 1948440]
"CloneCDTray"=C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [2009-01-29 57344]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NeroHomeFirstStart"=C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe [2005-10-28 10752]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\15362814]
C:\Documents and Settings\All Users\Application Data\15362814\15362814.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\95372806]
C:\Documents and Settings\All Users\Application Data\95372806\95372806.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au]
C:\Program Files\Dealio\DealioAU.exe [2007-10-09 492896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe [2005-01-12 2953216]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [2009-01-29 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
C:\Program Files\NetZero\exec.exe regrun []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
C:\Program Files\NZSearch\nzspc.exe -w []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTTray.exe [2005-07-07 577597]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe [2005-09-24 73728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
WinCinema Manager.lnk - C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-11-10 47616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-06-29 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
LKMSFOIVAMFOMSFVIOSVJASIUENFJNDJV - {BD56A320-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\hs7f3uhduhfukde.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\utorrent\utorrent.exe"="C:\Program Files\utorrent\utorrent.exe:*:Enabled:µTorrent"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Documents and Settings\Mike\Desktop\utorrent.exe"="C:\Documents and Settings\Mike\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Cyberlink\PowerDirector\PDR.exe"="C:\Program Files\Cyberlink\PowerDirector\PDR.exe:*:Enabled:CyberLink PowerDirector"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\WINDOWS\system32\bndmss.exe"="C:\WINDOWS\system32\bndmss.exe:*:Enabled:BNDMSS"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
shell\AutoRun\command - G:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-08-03 13:27:16 ----ASH---- C:\Documents and Settings\Administrator\Application Data\desktop.ini
2009-08-03 13:26:53 ----D---- C:\Documents and Settings\Administrator\Application Data\Intuit
2009-08-03 13:26:53 ----D---- C:\Documents and Settings\Administrator\Application Data\Identities
2009-08-03 13:26:52 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2009-08-03 13:25:19 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-03 12:56:35 ----D---- C:\rsit
2009-08-03 12:56:35 ----D---- C:\Program Files\trend micro
2009-08-03 11:10:49 ----D---- C:\WINDOWS\temp
2009-08-03 11:04:31 ----SD---- C:\ComboFix
2009-08-03 11:04:30 ----A---- C:\WINDOWS\system32\CF15105.exe
2009-08-02 19:23:35 ----A---- C:\WINDOWS\system32\CF27354.exe
2009-08-02 19:05:26 ----A---- C:\WINDOWS\system32\CF23801.exe
2009-08-02 18:37:17 ----A---- C:\WINDOWS\system32\CF18273.exe
2009-08-02 17:41:24 ----A---- C:\XP_TV.ini
2009-08-02 17:36:37 ----ASH---- C:\hpqp.ini
2009-08-02 13:00:16 ----A---- C:\WINDOWS\system32\CF17736.exe
2009-08-02 12:43:36 ----D---- C:\cmdcons
2009-08-02 12:40:40 ----A---- C:\WINDOWS\zip.exe
2009-08-02 12:40:40 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-02 12:40:40 ----A---- C:\WINDOWS\SWSC.exe
2009-08-02 12:40:40 ----A---- C:\WINDOWS\SWREG.exe
2009-08-02 12:40:40 ----A---- C:\WINDOWS\sed.exe
2009-08-02 12:40:40 ----A---- C:\WINDOWS\PEV.exe
2009-08-02 12:40:40 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-02 12:40:40 ----A---- C:\WINDOWS\grep.exe
2009-08-02 12:39:56 ----D---- C:\WINDOWS\ERDNT
2009-08-02 12:39:54 ----A---- C:\WINDOWS\system32\CF12802.exe
2009-08-02 12:39:53 ----A---- C:\WINDOWS\system32\swsc.exe
2009-08-02 12:34:50 ----D---- C:\Qoobox
2009-07-31 22:01:02 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-07-31 12:16:15 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-31 12:16:15 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-31 11:16:40 ----AD---- C:\WINDOWS\system32\images
2009-07-18 20:04:26 ----A---- C:\WINDOWS\system32\xactengine2_8.dll
2009-07-18 20:04:26 ----A---- C:\WINDOWS\system32\x3daudio1_2.dll
2009-07-18 20:04:24 ----A---- C:\WINDOWS\system32\d3dx10_34.dll
2009-07-18 20:04:24 ----A---- C:\WINDOWS\system32\D3DCompiler_34.dll
2009-07-18 20:04:22 ----A---- C:\WINDOWS\system32\d3dx9_34.dll
2009-07-18 19:20:57 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2009-07-18 19:20:54 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2009-07-18 19:20:48 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2009-07-18 19:20:48 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2009-07-18 19:20:44 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2009-07-18 19:20:42 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2009-07-18 19:20:41 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2009-07-18 19:20:39 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2009-07-18 19:20:37 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2009-07-18 19:20:37 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2009-07-18 19:20:35 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2009-07-18 19:20:34 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2009-07-18 19:20:33 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2009-07-18 19:20:32 ----A---- C:\WINDOWS\system32\xactengine2_2
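The RSIT log above is long, and a quick way to triage it is to look at the trailing bracket RSIT prints after each launch entry: "[2009-06-26 1008896]" is the date and size of the file it found, while an empty "[]" means it recorded nothing for that path. Below is an added Python example, not RSIT's code and not posted in the thread, that parses the Registry dump section into records and lists the argument-free entries with no file metadata, which in this log are the randomly named .dll registered both as a BHO and as a SharedTaskScheduler object and the numeric-named .exe entry. It assumes the "[date size]" convention just described, and it treats an empty bracket on an entry that also carries command-line arguments as possibly just unresolved arguments rather than a missing file, so those are parsed but not flagged. SAMPLE_RSIT is a constructed excerpt built from lines of the posted log.

```python
"""Triage the "Registry dump" section of an RSIT log.txt.

Added example: not RSIT's code and not posted in the thread. Assumption: RSIT
ends each launch entry with "[date size]" for the file it resolved and "[]"
where it recorded no file metadata, as the posted log reads. SAMPLE_RSIT is a
constructed excerpt built from lines of that log.
"""
import re

SAMPLE_RSIT = r"""Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-08-03 13:31:21

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bd56a320-23f2-42ad-f4e4-00aac39caa53}]
C:\WINDOWS\system32\hs7f3uhduhfukde.dll - C:\WINDOWS\system32\hs7f3uhduhfukde.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-06-26 1008896]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-11-10 344064]
"WildTangent CDA"=C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe /startup C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\15362814]
C:\Documents and Settings\All Users\Application Data\15362814\15362814.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
LKMSFOIVAMFOMSFVIOSVJASIUENFJNDJV - {BD56A320-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\hs7f3uhduhfukde.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0

======List of files/folders created in the last 1 months======

2009-08-03 12:56:35 ----D---- C:\rsit
"""

# "<anything> [<metadata>]": the trailing bracket RSIT appends to launch entries
ENTRY_RE = re.compile(r"^(?P<body>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$")
# leading '"ValueName"=' on Run/RunOnce values
NAME_PREFIX_RE = re.compile(r'^"[^"]*"=')
# executable path, optionally followed by whitespace and arguments
PATH_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|cpl|sys|ocx))(?P<args>\s.*)?$", re.IGNORECASE)


def parse_registry_dump(log_text):
    """Return one record per launch entry in the Registry dump section."""
    records, key, in_section = [], None, False
    for line in log_text.splitlines():
        if line.startswith("======"):                 # section header
            in_section = line.strip("= ").lower() == "registry dump"
            continue
        if not in_section or not line.strip():
            continue
        if line.startswith("[HKEY"):                 # key that owns the entries below it
            key = line.strip("[]")
            continue
        m = ENTRY_RE.match(line)
        if m is None or key is None:
            continue                                  # policy values, .lnk lines, etc.
        # Drop the value-name prefix, then keep the last " - " segment
        # (BHO/toolbar lines read "CLSID - Name - path" or "path - path").
        command = NAME_PREFIX_RE.sub("", m.group("body")).split(" - ")[-1]
        pm = PATH_RE.match(command)
        if pm is None:
            continue
        records.append({
            "key": key,
            "path": pm.group("path"),
            "args": (pm.group("args") or "").strip(),
            "meta": m.group("meta").strip(),
            # entries under msconfig\startupreg were disabled via msconfig; not live autostarts
            "disabled": "msconfig\\startupreg" in key.lower(),
        })
    return records


def unresolved_plain_paths(records):
    """Argument-free entries for which RSIT recorded no date/size: look at these first."""
    return [r for r in records if r["meta"] == "" and r["args"] == ""]


def filename(record):
    """Just the file name part of a record's path."""
    return record["path"].rsplit("\\", 1)[-1]


if __name__ == "__main__":
    recs = parse_registry_dump(SAMPLE_RSIT)
    print(f"{len(recs)} launch entries parsed")
    for r in unresolved_plain_paths(recs):
        state = "disabled" if r["disabled"] else "active"
        print(f"no file metadata ({state}): {r['path']}")
```

An entry flagged this way still needs a look at the file itself (whether it exists, is hidden, and where it came from); a missing bracket can also mean the tool simply could not read the file at the time of the scan.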
08-03-2009, 02:44 PM   #20
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,059
OS: WinXP and Vista


Re: Virus or something that keeps reappearing

Yes, make sure AVG is still set to not start upon reboot. Run ComboFix again and post the C:\Combofix.txt

Try to be patient with the reboot. Understand that removals, etc., are being performed during that time and this system has some real nasties on it. Give it time to reboot - 20 minutes. If it still gives you trouble upon reboot, navigate to C:\Qoobox and see if there is a ComboFix-quarantined-files.txt. If so, attach that in your next reply.
 


Copyright 2001 - 2009, Tech Support Forum