Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 - 10-22-2009, 02:30 AM - LooRoll (Registered User; Join Date: Aug 2007; Location: N, Ireland; Posts: 25; OS: Win Xp Pro)
[SOLVED] Antivirus_Pro 2010 Infection

Sys Information:

HP Compaq dc5100 - Pentium 2.80GHz - 1.49GB Ram
Windows XP Pro SP3
AVG Free Anti Virus.


I received an email from the Belfast Housing Executive which I opened.
Ever since, AVG has been giving alerts that the PC is infected with

-"Antivirus_Pro 2010"

For the first few hours I was getting warnings from the program "Antivirus_Pro 2010" saying my computer was at risk from infection and that I should download the full version. After AVG ran its daily scan these alerts stopped, but every day AVG still tells me the computer is infected with

-"Antivirus_Pro 2010"
AVG warns of-
Trojan Horse Downloader.Generic8.CBMN

"c:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP878\A0066452.exe"

This is the listing in the "msconfig - Startup tab":
"c:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide"

I also had Spybot Search & Destroy installed but have since removed it, as the computer was running slow with the constant spyware alerts it was giving me.

Attached in compressed format as requested are Attach.txt & ARK.txt

Below is the DDS log:-


DDS (Ver_09-10-13.01) - NTFSx86
Run by Mark at 16:22:09.35 on 20/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1063 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Mark\Desktop\New Folder\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.orange.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Page_URL = hxxp://www.orange.co.uk/
uSearch Bar = hxxp://www.orange.co.uk/iesearch/
uInternet Settings,ProxyServer = http=hxxp://www-cache.orangehome.co.uk:8080;ftp=http://www-cache.orangehome.co.uk:8080
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LyraHD2TrayApp] "c:\program files\thomson\lyra jukebox\lyrahdtrayapp\LYRAHD2TrayApp.exe"
mRun: [Emowoz] rundll32.exe "c:\windows\aduwofeseduzuv.dll",Startup
mRun: [Antivirus Pro 2010] "c:\program files\antiviruspro_2010\AntivirusPro_2010.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147962769593
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {710449A8-DFA8-4BE8-B928-2B5E83B523FF} = 192.168.1.1,0.0.0.0
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli WMSVShap.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\ujdtr1nv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.orange.co.uk/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {A17A6CD4-2636-4694-ABD5-6F7B38100086} - c:\documents and settings\mark\local settings\application data\{A17A6CD4-2636-4694-ABD5-6F7B38100086}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-22 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-22 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-22 297752]
R2 DS-Message Level Restore;DS-Message Level Restore;c:\program files\data storage\ds-recovery tools\dsmlr.exe [2009-3-5 1331200]
R2 MSSQL$MSDE_ARXCIS;MSSQL$MSDE_ARXCIS;c:\program files\microsoft sql server\mssql$msde_arxcis\binn\sqlservr.exe -smsde_arxcis --> c:\program files\microsoft sql server\mssql$msde_arxcis\binn\sqlservr.exe -sMSDE_ARXCIS [?]
S2 usbctl;Microsoft USB Bus Controller;c:\windows\system32\usbctl.exe --> c:\windows\system32\usbctl.exe [?]
S3 SQLAgent$MSDE_ARXCIS;SQLAgent$MSDE_ARXCIS;c:\program files\microsoft sql server\mssql$msde_arxcis\binn\sqlagent.exe -i msde_arxcis --> c:\program files\microsoft sql server\mssql$msde_arxcis\binn\sqlagent.EXE -i MSDE_ARXCIS [?]

=============== Created Last 30 ================

2009-10-14 10:09 197 a------- c:\windows\system32\MRT.INI
2009-10-07 16:11 37 a------- c:\windows\ipixActivex.ini
2009-10-06 14:22 <DIR> --d----- c:\docume~1\mark\applic~1\uTorrent
2009-10-06 10:19 19,042 a------- c:\docume~1\alluse~1\applic~1\ibulepiva.exe
2009-10-06 10:19 18,996 a------- c:\windows\system32\wiquhipyq.dll
2009-10-06 10:19 16,635 a------- c:\windows\orole.exe
2009-10-06 10:19 15,629 a------- c:\windows\asijiqy.vbs
2009-10-06 10:19 15,530 a------- c:\windows\ujemuq.com
2009-10-06 10:19 14,828 a------- c:\windows\system32\yfyqymuli.sys
2009-10-06 10:19 14,827 a------- c:\windows\wibuze.scr
2009-10-06 10:19 14,203 a------- c:\windows\system32\zugym.pif
2009-10-06 10:19 13,968 a------- c:\windows\xibyl.bin
2009-10-06 10:19 10,133 a------- c:\docume~1\alluse~1\applic~1\wotuf.dat
2009-10-06 10:17 157,808 a------- c:\docume~1\mark\applic~1\lizkavd.exe
2009-10-01 09:40 119 a------- c:\windows\wininit.ini
2009-09-30 08:45 0 a------- c:\windows\Djaqam.bin
2009-09-30 08:45 120 a------- c:\windows\Fquliyiyimevoc.dat
2009-09-30 08:42 19,635 a------- c:\windows\idudajew.inf
2009-09-30 08:42 19,528 a------- c:\windows\olizak.scr
2009-09-30 08:42 17,351 a------- c:\windows\system32\omiq.db
2009-09-30 08:42 15,647 a------- c:\windows\ybitac.sys
2009-09-30 08:42 14,456 a------- c:\windows\sepetovad.bat
2009-09-30 08:42 14,221 a------- c:\windows\system32\imytoxume.vbs
2009-09-30 08:42 13,658 a------- c:\program files\common files\pikupekoz.bin
2009-09-30 08:42 12,150 a------- c:\docume~1\alluse~1\applic~1\ococuve.sys
2009-09-30 08:42 11,219 a------- c:\windows\xevuj.dat
2009-09-30 08:42 10,658 a------- c:\windows\system32\ebisa.dl
2009-09-30 08:42 19,542 a------- c:\docume~1\mark\applic~1\ipyqag.bat
2009-09-30 08:42 17,186 a------- c:\windows\system32\orutimavox.com
2009-09-30 08:42 16,069 a------- c:\program files\common files\vokapu.bin
2009-09-30 08:42 15,743 a------- c:\windows\system32\wetyput.ban
2009-09-30 08:42 13,312 a------- c:\windows\igaceme.dat
2009-09-30 08:42 10,470 a------- c:\windows\umek.inf
2009-09-30 08:37 19,019 a------- c:\program files\common files\yhanyz.pif
2009-09-30 08:37 15,746 a------- c:\docume~1\mark\applic~1\yjoxir.vbs

==================== Find3M ====================

2009-09-30 08:37 19,967 a------- c:\windows\system32\pilenij.dat
2009-09-30 08:37 15,638 a------- c:\windows\system32\ytemumyd.sys
2009-09-30 08:37 12,721 a------- c:\windows\cujefarit.bin
2009-09-30 08:37 11,487 a------- c:\windows\odux.dat
2009-09-30 08:37 11,392 a------- c:\windows\orijejalo.vbs
2009-09-11 15:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 15:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 22:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 22:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 11:35 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 09:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 09:00 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2009-08-20 09:56 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 10:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 16:13 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 16:13 2,145,280 a------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 15:20 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 15:20 2,023,936 a------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 15:20 2,066,048 a------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2008-07-14 16:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071420080715\index.dat

============= FINISH: 16:23:02.67 ===============


Many thanks in advance

Liam
Attached Files
File Type: zip Attach.zip (4.2 KB, 4 views)
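The "Created Last 30" section of the DDS log above shows the dropper signature that matters here: dozens of randomly named files with script and executable extensions (.exe, .vbs, .scr, .pif, .com, .sys, .bat) written into c:\windows, system32 and Application Data within the same minute, on two separate dates. The Python script below is an added example, not part of the original post or of the DDS tool; it parses those lines (embedded from the log above), groups files by creation minute and reports bursts together with the share of code/script extensions in each burst. The five-files-per-minute threshold, the CODE_EXTS set and the function names are this example's own assumptions, not anything DDS defines.

```python
import re
from collections import defaultdict

# Sample input: the "Created Last 30" lines of the DDS log posted above,
# embedded here so the script runs offline.
SAMPLE_DDS = r"""
2009-10-14 10:09 197 a------- c:\windows\system32\MRT.INI
2009-10-07 16:11 37 a------- c:\windows\ipixActivex.ini
2009-10-06 14:22 <DIR> --d----- c:\docume~1\mark\applic~1\uTorrent
2009-10-06 10:19 19,042 a------- c:\docume~1\alluse~1\applic~1\ibulepiva.exe
2009-10-06 10:19 18,996 a------- c:\windows\system32\wiquhipyq.dll
2009-10-06 10:19 16,635 a------- c:\windows\orole.exe
2009-10-06 10:19 15,629 a------- c:\windows\asijiqy.vbs
2009-10-06 10:19 15,530 a------- c:\windows\ujemuq.com
2009-10-06 10:19 14,828 a------- c:\windows\system32\yfyqymuli.sys
2009-10-06 10:19 14,827 a------- c:\windows\wibuze.scr
2009-10-06 10:19 14,203 a------- c:\windows\system32\zugym.pif
2009-10-06 10:19 13,968 a------- c:\windows\xibyl.bin
2009-10-06 10:19 10,133 a------- c:\docume~1\alluse~1\applic~1\wotuf.dat
2009-10-06 10:17 157,808 a------- c:\docume~1\mark\applic~1\lizkavd.exe
2009-10-01 09:40 119 a------- c:\windows\wininit.ini
2009-09-30 08:45 0 a------- c:\windows\Djaqam.bin
2009-09-30 08:45 120 a------- c:\windows\Fquliyiyimevoc.dat
2009-09-30 08:42 19,635 a------- c:\windows\idudajew.inf
2009-09-30 08:42 19,528 a------- c:\windows\olizak.scr
2009-09-30 08:42 17,351 a------- c:\windows\system32\omiq.db
2009-09-30 08:42 15,647 a------- c:\windows\ybitac.sys
2009-09-30 08:42 14,456 a------- c:\windows\sepetovad.bat
2009-09-30 08:42 14,221 a------- c:\windows\system32\imytoxume.vbs
2009-09-30 08:42 13,658 a------- c:\program files\common files\pikupekoz.bin
2009-09-30 08:42 12,150 a------- c:\docume~1\alluse~1\applic~1\ococuve.sys
2009-09-30 08:42 11,219 a------- c:\windows\xevuj.dat
2009-09-30 08:42 10,658 a------- c:\windows\system32\ebisa.dl
2009-09-30 08:42 19,542 a------- c:\docume~1\mark\applic~1\ipyqag.bat
2009-09-30 08:42 17,186 a------- c:\windows\system32\orutimavox.com
2009-09-30 08:42 16,069 a------- c:\program files\common files\vokapu.bin
2009-09-30 08:42 15,743 a------- c:\windows\system32\wetyput.ban
2009-09-30 08:42 13,312 a------- c:\windows\igaceme.dat
2009-09-30 08:42 10,470 a------- c:\windows\umek.inf
2009-09-30 08:37 19,019 a------- c:\program files\common files\yhanyz.pif
2009-09-30 08:37 15,746 a------- c:\docume~1\mark\applic~1\yjoxir.vbs
"""

# One DDS line: date, HH:MM, size (or <DIR>), 8-char attribute field, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)

# Extensions that run or are loaded as code (example's own list). A dropper
# writing many of these into system directories in one minute is the signal.
CODE_EXTS = {".exe", ".dll", ".sys", ".vbs", ".bat", ".scr", ".pif", ".com", ".inf", ".dl"}


def parse_created(text):
    """Parse DDS 'Created Last 30' lines into dicts; directory entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        entries.append(m.groupdict())
    return entries


def extension(path):
    """Lower-cased extension of a Windows path, '' if the file name has no dot."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def find_bursts(entries, min_files=5):
    """Group files by creation minute; keep minutes with at least min_files files."""
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[f"{e['date']} {e['time']}"].append(e["path"])
    return {k: v for k, v in by_minute.items() if len(v) >= min_files}


def code_share(paths):
    """Fraction of paths whose extension is in CODE_EXTS."""
    if not paths:
        return 0.0
    return sum(extension(p) in CODE_EXTS for p in paths) / len(paths)


def report(text, min_files=5):
    """Return [(minute, file_count, code_share)] per burst, newest minute first."""
    bursts = find_bursts(parse_created(text), min_files)
    return sorted(
        ((minute, len(paths), code_share(paths)) for minute, paths in bursts.items()),
        reverse=True,
    )


if __name__ == "__main__":
    for minute, count, share in report(SAMPLE_DDS):
        print(f"{minute}: {count} files created, {share:.0%} code/script extensions")
```

On the log above this reports two bursts: 2009-10-06 10:19 (10 files, 80% code/script extensions) and 2009-09-30 08:42 (16 files, 62%). Legitimate installers also create many files in one minute, so the extension share and the spread across c:\windows, system32 and Application Data are what separate a dropper from a software update; tune min_files and CODE_EXTS to the environment.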

#2 - 10-22-2009, 11:03 AM - CatByte (Analyst, Security Team; Join Date: Jan 2009; Location: Canada; Posts: 2,204; OS: XP sp3)
Re: Antivirus_Pro 2010 Infection

Hi,

Please do the following:

Download ComboFix from either of these locations:
Link 1
Link 2


VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
__________________
ASAP & UNITE Member
#3 - 10-27-2009, 09:17 AM - LooRoll (Registered User; Join Date: Aug 2007; Location: N, Ireland; Posts: 25; OS: Win Xp Pro)
Re: Antivirus_Pro 2010 Infection

Hi CatByte,

Thanks for getting back to me. Sorry about the delay in my reply.

I downloaded and ran ComboFix following the instructions as requested, with no issues. I have attached the log produced by ComboFix.

Each time I start the computer it gives a message in Windows saying that there is a fault with the "CapabilityManager":

Error Sign - capabilitymanager.exe app ver 12.0.161
offset 3019340c0
(I have attached the error log produced by Windows.)
It is called "ed50_appcompat.txt"


AVG is no longer detecting "Antivirus_Pro 2010".
It is, however, failing to update. I tried to uninstall AVG Free 8.5 to upgrade to the new version, but I get a message saying there is an error creating a reg key for AVG and the uninstall halts.

I also tried to install the new version on top of the old one to see if it would remove it for me, but again I get the same message stating that it can't create a reg key for it.

Hope this helps

Liam



ComboFix 09-10-22.01 - Mark 23/10/2009 12:14.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.989 [GMT 1:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ahupagice.ban
c:\documents and settings\All Users\Application Data\asuxe._dl
c:\documents and settings\All Users\Application Data\ibulepiva.exe
c:\documents and settings\All Users\Application Data\ococuve.sys
c:\documents and settings\All Users\Application Data\taqi.dl
c:\documents and settings\All Users\Documents\gine.pif
c:\documents and settings\All Users\Documents\miqam._sy
c:\documents and settings\All Users\Documents\ypetugozik.vbs
c:\documents and settings\All Users\Documents\ypyjyve.inf
c:\documents and settings\Mark\Application Data\acuku._dl
c:\documents and settings\Mark\Application Data\ahogujyl._dl
c:\documents and settings\Mark\Application Data\cedukypise._dl
c:\documents and settings\Mark\Application Data\hajalol.lib
c:\documents and settings\Mark\Application Data\ipyqag.bat
c:\documents and settings\Mark\Application Data\ixuqi.dl
c:\documents and settings\Mark\Application Data\lizkavd.exe
c:\documents and settings\Mark\Application Data\yjoxir.vbs
c:\documents and settings\Mark\Cookies\agyzac.dl
c:\documents and settings\Mark\Cookies\ilaqamil.vbs
c:\documents and settings\Mark\Cookies\lude.pif
c:\documents and settings\Mark\Cookies\muzycoqu.exe
c:\documents and settings\Mark\Cookies\zozalawy.db
c:\documents and settings\Mark\Local Settings\Application Data\kovetoki.dl
c:\documents and settings\Mark\Local Settings\Application Data\ymidyxuro.bin
c:\documents and settings\Mark\Local Settings\Application Data\zevefatof.inf
c:\documents and settings\Mark\Local Settings\Temporary Internet Files\doxuruli.lib
c:\documents and settings\Mark\Local Settings\Temporary Internet Files\gyly.inf
c:\documents and settings\Mark\Local Settings\Temporary Internet Files\jiseladysu.dat
c:\documents and settings\Mark\Local Settings\Temporary Internet Files\mikihun.sys
c:\documents and settings\Mark\Local Settings\Temporary Internet Files\tenagudo.vbs
c:\documents and settings\Mark\Local Settings\Temporary Internet Files\ugefimyh.exe
c:\documents and settings\Mark\Local Settings\Temporary Internet Files\ugodolax.dll
c:\documents and settings\Mark\Local Settings\Temporary Internet Files\uhifalajid.reg
c:\documents and settings\Mark\Local Settings\Temporary Internet Files\wusaw.bin
c:\documents and settings\Mark\Local Settings\Temporary Internet Files\xadinuciwa.ban
c:\documents and settings\Mark\Local Settings\Temporary Internet Files\yfez.reg
c:\program files\Common Files\pikupekoz.bin
c:\program files\Common Files\vokapu.bin
c:\program files\Common Files\yhanyz.pif
c:\recycler\S-1-5-21-2195482598-3943315531-955737941-500
c:\windows\aduwofeseduzuv.dll
c:\windows\asijiqy.vbs
c:\windows\cujefarit.bin
c:\windows\edeciv.inf
c:\windows\idudajew.inf
c:\windows\lasutubyn._sy
c:\windows\olizak.scr
c:\windows\orijejalo.vbs
c:\windows\orole.exe
c:\windows\osilyh.dl
c:\windows\owim.dl
c:\windows\sepetovad.bat
c:\windows\system32\ebisa.dl
c:\windows\system32\ilycysafad.dl
c:\windows\system32\imytoxume.vbs
c:\windows\system32\ogeguwyq.dl
c:\windows\system32\wetyput.ban
c:\windows\system32\wiquhipyq.dll
c:\windows\system32\yfyqymuli.sys
c:\windows\system32\ytemumyd.sys
c:\windows\system32\zugym.pif
c:\windows\umek.inf
c:\windows\wibuze.scr
c:\windows\xibyl.bin
c:\windows\ybitac.sys

.
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-15 08:03 . 2009-10-15 08:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-09 07:53 . 2009-10-09 07:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\program files\Common Files\Apple
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\Apple
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\program files\Apple Software Update
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-06 16:13 . 2009-10-06 16:13 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\Apple Computer
2009-10-06 13:22 . 2009-10-13 13:44 -------- d-----w- c:\documents and settings\Mark\Application Data\uTorrent
2009-10-06 09:19 . 2009-10-06 09:19 18271 ----a-w- c:\documents and settings\Mark\Local Settings\Application Data\kasiki.dat
2009-10-06 09:19 . 2009-10-06 09:19 15530 ----a-w- c:\windows\ujemuq.com
2009-09-30 07:45 . 2009-10-23 10:15 0 ----a-w- c:\windows\Djaqam.bin
2009-09-30 07:45 . 2009-10-23 10:15 120 ----a-w- c:\windows\Fquliyiyimevoc.dat
2009-09-30 07:45 . 2009-09-30 07:45 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\{A17A6CD4-2636-4694-ABD5-6F7B38100086}
2009-09-30 07:42 . 2009-09-30 07:42 11219 ----a-w- c:\windows\xevuj.dat
2009-09-30 07:42 . 2009-09-30 07:42 17186 ----a-w- c:\windows\system32\orutimavox.com
2009-09-30 07:42 . 2009-09-30 07:42 13312 ----a-w- c:\windows\igaceme.dat
2009-09-30 07:37 . 2009-09-30 07:37 19967 ----a-w- c:\windows\system32\pilenij.dat
2009-09-30 07:37 . 2009-09-30 07:37 11487 ----a-w- c:\windows\odux.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 11:02 . 2009-05-22 17:19 -------- d-----w- c:\program files\AVG
2009-10-23 10:59 . 2009-05-22 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-13 13:49 . 2008-07-12 15:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-13 13:45 . 2008-07-12 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-06 16:15 . 2006-05-23 10:03 -------- d-----w- c:\program files\QuickTime
2009-10-06 09:19 . 2009-10-06 09:19 10133 ----a-w- c:\documents and settings\All Users\Application Data\wotuf.dat
2009-10-01 11:21 . 2008-08-14 10:25 -------- d-----w- c:\documents and settings\Mark\Application Data\U3
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 09:09 . 2008-07-14 15:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 08:56 . 2009-05-22 17:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 08:56 . 2009-05-22 17:20 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 08:56 . 2009-05-22 17:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 06:58 . 2006-06-01 08:28 64368 ----a-w- c:\documents and settings\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 18:24 . 2004-08-04 08:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 18:24 . 2004-08-04 08:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 18:24 . 2006-05-18 14:33 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 18:24 . 2004-08-04 08:00 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 18:24 . 2004-08-04 08:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 18:24 . 2004-08-04 08:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 18:23 . 2004-08-04 08:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 18:23 . 2007-12-17 09:00 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 18:23 . 2007-12-17 09:00 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 18:23 . 2004-08-04 08:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 18:52 . 2009-08-04 18:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13 . 2004-08-04 08:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 08:00 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 14:07 . 2009-08-03 14:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 14:07 . 2009-08-03 14:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 14:07 . 2009-08-03 14:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-09-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-09-30 126976]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 528384]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 08:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli WMSVShap.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Data Storage\\DS-Recovery Tools\\dsmlr.exe"=
"c:\\WINDOWS\\system32\\freecell.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/05/2009 18:20 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [22/05/2009 18:20 108552]
R2 DS-Message Level Restore;DS-Message Level Restore;c:\program files\Data Storage\DS-Recovery Tools\dsmlr.exe [05/03/2009 16:40 1331200]
R2 MSSQL$MSDE_ARXCIS;MSSQL$MSDE_ARXCIS;c:\program files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlservr.exe -sMSDE_ARXCIS --> c:\program files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlservr.exe -sMSDE_ARXCIS [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [22/05/2009 18:19 297752]
S2 usbctl;Microsoft USB Bus Controller;c:\windows\system32\usbctl.exe --> c:\windows\system32\usbctl.exe [?]
S3 SQLAgent$MSDE_ARXCIS;SQLAgent$MSDE_ARXCIS;c:\program files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlagent.EXE -i MSDE_ARXCIS --> c:\program files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlagent.EXE -i MSDE_ARXCIS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=hxxp://www-cache.orangehome.co.uk:8080;ftp=http://www-cache.orangehome.co.uk:8080
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {710449A8-DFA8-4BE8-B928-2B5E83B523FF} = 192.168.1.1,0.0.0.0
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\ujdtr1nv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.orange.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {A17A6CD4-2636-4694-ABD5-6F7B38100086} - c:\documents and settings\Mark\Local Settings\Application Data\{A17A6CD4-2636-4694-ABD5-6F7B38100086}
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-LyraHD2TrayApp - c:\program files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
HKLM-Run-Emowoz - c:\windows\aduwofeseduzuv.dll
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 12:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(804)
c:\windows\WMSVShap.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-10-23 12:23
ComboFix-quarantined-files.txt 2009-10-23 11:23

Pre-Run: 15,990,366,208 bytes free
Post-Run: 16,328,945,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - B28FED3CB176BA14ADB2118CC38106C2
Attached Files
File Type: zip ComboFix.zip (8.5 KB, 1 views)
#4 - 10-27-2009, 12:01 PM - CatByte (Analyst, Security Team; Join Date: Jan 2009; Location: Canada; Posts: 2,204; OS: XP sp3)
Re: Antivirus_Pro 2010 Infection

Hi,

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/424548-antivirus_pro-2010-infection.html#post2412646

Collect::
c:\windows\ujemuq.com
c:\windows\Djaqam.bin
c:\windows\Fquliyiyimevoc.dat
c:\windows\xevuj.dat
c:\windows\system32\orutimavox.com
c:\windows\igaceme.dat
c:\windows\system32\pilenij.dat
c:\windows\odux.dat
c:\windows\WMSVShap.dll
c:\documents and settings\Mark\Local Settings\Application Data\kasiki.dat
c:\documents and settings\All Users\Application Data\wotuf.dat

Folder::
c:\documents and settings\Mark\Local Settings\Application Data\{A17A6CD4-2636-4694-ABD5-6F7B38100086}

Registry:: 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] 
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

FireFox::
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\ujdtr1nv.default\
FF - HiddenExtension: XULRunner: {A17A6CD4-2636-4694-ABD5-6F7B38100086} - c:\documents and settings\Mark\Local Settings\Application Data\{A17A6CD4-2636-4694-ABD5-6F7B38100086}
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NEXT

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so.

NEXT


Using Internet Explorer or Firefox, visit Kaspersky Online Scanner:
1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
__________________


ASAP & UNITE Member
CatByte is offline  
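The Registry:: section of the script above resets the LSA "Notification Packages" value to a single entry. The value is written as hex(7), which is how a .reg file encodes a REG_MULTI_SZ, and every DLL named in that value is loaded into lsass.exe, the same process in which the earlier ComboFix log showed an unfamiliar DLL loaded. The following is an added example, not ComboFix's code or anything posted in this thread: a small Python decoder for such a .reg line that lists the registered packages and flags any that is not a Windows default. The sample export, the extra entry "examplepkg" and the known-good set {scecli, rassfm} are my assumptions; the page's own byte list "73,63,65,63,6c,69,00,00" decodes to just "scecli".

```python
import re
from typing import List, Optional

# Constructed sample in REGEDIT4 (single-byte) form, the dialect ComboFix's own
# log uses. "examplepkg" is a made-up extra entry, not a name from the thread.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,65,78,61,6d,70,6c,65,70,6b,67,00,00
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

# Assumption: the DLLs Windows itself registers here are scecli (all editions)
# and rassfm (domain controllers). Anything else deserves a look, because every
# listed DLL is loaded into lsass.exe and is told about password changes.
KNOWN_GOOD_PACKAGES = {"scecli", "rassfm"}

# One "name"=hex(7):... value; regedit may wrap the byte list with "\" continuations.
HEX7_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=hex\(7\):(?P<data>[0-9A-Fa-f,\\\s]+)$', re.MULTILINE)


def decode_reg_multi_sz(data: str, encoding: Optional[str] = None) -> List[str]:
    """Turn the comma-separated bytes of a hex(7) value into a list of strings.

    REG_MULTI_SZ is a run of NUL-terminated strings closed by an extra NUL.
    REGEDIT4 exports write single-byte text; "Version 5.00" exports write
    UTF-16LE. If no encoding is given, UTF-16LE is assumed when every second
    byte is zero, which holds for any ASCII-only UTF-16LE string.
    """
    cleaned = re.sub(r"[\\\s]", "", data)
    raw = bytes(int(b, 16) for b in cleaned.split(",") if b)
    if encoding is None:
        utf16 = len(raw) >= 4 and len(raw) % 2 == 0 and all(
            raw[i] == 0 for i in range(1, len(raw), 2))
        encoding = "utf-16-le" if utf16 else "latin-1"
    return [s for s in raw.decode(encoding).split("\x00") if s]


def notification_packages(reg_text: str) -> List[str]:
    """Return the decoded Notification Packages list from a .reg export, or []."""
    for m in HEX7_VALUE_RE.finditer(reg_text):
        if m.group("name").lower() == "notification packages":
            return decode_reg_multi_sz(m.group("data"))
    return []


def unexpected_packages(packages: List[str]) -> List[str]:
    """Entries that are not in the known-good set (case-insensitive)."""
    return [p for p in packages if p.lower() not in KNOWN_GOOD_PACKAGES]


if __name__ == "__main__":
    pkgs = notification_packages(SAMPLE_REG)
    print("Notification Packages:", pkgs)
    for p in unexpected_packages(pkgs):
        print("review:", p, "(not a Windows default; loaded into lsass.exe)")
    # The CFScript's own value decodes to the Windows default alone.
    print(decode_reg_multi_sz("73,63,65,63,6c,69,00,00"))
```

On a live machine the same check can be run against an export made with `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg`, which writes the Version 5.00 (UTF-16LE) form; the decoder detects that form from the zero high bytes rather than requiring the caller to know which dialect it was given.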
Old 10-28-2009, 04:29 AM   #5 (permalink)
Registered User
 
Join Date: Aug 2007
Location: N, Ireland
Posts: 25
OS: Win Xp Pro


Re: Antivirus_Pro 2010 Infection

Hi CatByte.

I followed the instructions you provided.
Here's what happened.
------------------------------------------------------------------------
ComboFix ran grand with the script. It restarted the machine before producing the log. Upon restart a DLL error was displayed: "C:\windows\iqadobuv.dll" Module not found. Other than that, no issues. Here's the new ComboFix log.

ComboFix 09-10-26.06 - Mark 27/10/2009 19:08.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1012 [GMT 0:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\documents and settings\All Users\Application Data\wotuf.dat
file zipped: c:\documents and settings\Mark\Local Settings\Application Data\kasiki.dat
file zipped: c:\windows\Djaqam.bin
file zipped: c:\windows\Fquliyiyimevoc.dat
file zipped: c:\windows\igaceme.dat
file zipped: c:\windows\odux.dat
file zipped: c:\windows\system32\orutimavox.com
file zipped: c:\windows\system32\pilenij.dat
file zipped: c:\windows\ujemuq.com
file zipped: c:\windows\WMSVShap.dll
file zipped: c:\windows\xevuj.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\wotuf.dat
c:\documents and settings\Mark\Local Settings\Application Data\{A17A6CD4-2636-4694-ABD5-6F7B38100086}
c:\documents and settings\Mark\Local Settings\Application Data\{A17A6CD4-2636-4694-ABD5-6F7B38100086}\chrome.manifest
c:\documents and settings\Mark\Local Settings\Application Data\{A17A6CD4-2636-4694-ABD5-6F7B38100086}\chrome\content\_cfg.js
c:\documents and settings\Mark\Local Settings\Application Data\{A17A6CD4-2636-4694-ABD5-6F7B38100086}\chrome\content\overlay.xul
c:\documents and settings\Mark\Local Settings\Application Data\{A17A6CD4-2636-4694-ABD5-6F7B38100086}\install.rdf
c:\documents and settings\Mark\Local Settings\Application Data\kasiki.dat
c:\windows\Djaqam.bin
c:\windows\Fquliyiyimevoc.dat
c:\windows\igaceme.dat
c:\windows\iqadobuv.dll
c:\windows\odux.dat
c:\windows\system32\orutimavox.com
c:\windows\system32\pilenij.dat
c:\windows\ujemuq.com
c:\windows\WMSVShap.dll
c:\windows\xevuj.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.

2009-10-15 08:03 . 2009-10-15 08:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-09 07:53 . 2009-10-09 07:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\program files\Common Files\Apple
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\Apple
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\program files\Apple Software Update
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-06 16:13 . 2009-10-06 16:13 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\Apple Computer
2009-10-06 13:22 . 2009-10-13 13:44 -------- d-----w- c:\documents and settings\Mark\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 15:03 . 2009-05-22 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-23 11:02 . 2009-05-22 17:19 -------- d-----w- c:\program files\AVG
2009-10-13 13:49 . 2008-07-12 15:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-13 13:45 . 2008-07-12 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-06 16:15 . 2006-05-23 10:03 -------- d-----w- c:\program files\QuickTime
2009-10-01 11:21 . 2008-08-14 10:25 -------- d-----w- c:\documents and settings\Mark\Application Data\U3
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 09:09 . 2008-07-14 15:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 08:56 . 2009-05-22 17:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 08:56 . 2009-05-22 17:20 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 08:56 . 2009-05-22 17:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 06:58 . 2006-06-01 08:28 64368 ----a-w- c:\documents and settings\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 18:24 . 2004-08-04 08:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 18:24 . 2004-08-04 08:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 18:24 . 2006-05-18 14:33 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 18:24 . 2004-08-04 08:00 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 18:24 . 2004-08-04 08:00 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 18:24 . 2004-08-04 08:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 18:23 . 2004-08-04 08:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 18:23 . 2007-12-17 09:00 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 18:23 . 2007-12-17 09:00 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 18:23 . 2004-08-04 08:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 18:52 . 2009-08-04 18:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13 . 2004-08-04 08:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 08:00 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 14:07 . 2009-08-03 14:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 14:07 . 2009-08-03 14:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 14:07 . 2009-08-03 14:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-23_11.20.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-27 19:14 . 2009-10-27 19:14 16384 c:\windows\Temp\Perflib_Perfdata_164.dat
+ 2004-08-09 13:44 . 2009-10-27 15:03 79520 c:\windows\system32\perfc009.dat
- 2004-08-09 13:44 . 2009-10-23 11:09 79520 c:\windows\system32\perfc009.dat
+ 2006-05-18 10:45 . 2009-10-23 11:23 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-05-18 10:45 . 2009-10-23 11:07 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-05-18 10:45 . 2009-10-23 11:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-18 10:45 . 2009-10-23 11:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-09 07:53 . 2009-10-23 11:07 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-10-09 07:53 . 2009-10-23 11:23 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2006-05-18 10:45 . 2009-10-23 11:07 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-23 11:23 . 2009-10-23 11:23 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-09 13:44 . 2009-10-27 15:03 461858 c:\windows\system32\perfh009.dat
- 2004-08-09 13:44 . 2009-10-23 11:09 461858 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-09-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-09-30 126976]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 528384]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"Emowoz"="c:\windows\iqadobuv.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 08:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Data Storage\\DS-Recovery Tools\\dsmlr.exe"=
"c:\\WINDOWS\\system32\\freecell.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/05/2009 17:20 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [22/05/2009 17:20 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [22/05/2009 17:19 297752]
R2 DS-Message Level Restore;DS-Message Level Restore;c:\program files\Data Storage\DS-Recovery Tools\dsmlr.exe [05/03/2009 15:40 1355776]
R2 MSSQL$MSDE_ARXCIS;MSSQL$MSDE_ARXCIS;c:\program files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlservr.exe -sMSDE_ARXCIS --> c:\program files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlservr.exe -sMSDE_ARXCIS [?]
S2 usbctl;Microsoft USB Bus Controller;c:\windows\system32\usbctl.exe --> c:\windows\system32\usbctl.exe [?]
S3 SQLAgent$MSDE_ARXCIS;SQLAgent$MSDE_ARXCIS;c:\program files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlagent.EXE -i MSDE_ARXCIS --> c:\program files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlagent.EXE -i MSDE_ARXCIS [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=hxxp://www-cache.orangehome.co.uk:8080;ftp=http://www-cache.orangehome.co.uk:8080
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {710449A8-DFA8-4BE8-B928-2B5E83B523FF} = 192.168.1.1,0.0.0.0
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\ujdtr1nv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.orange.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 19:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1716)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlservr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF32320.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-27 19:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-27 19:22
ComboFix2.txt 2009-10-23 11:23

Pre-Run: 16,868,765,696 bytes free
Post-Run: 16,848,703,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 13852B54A2622E866C75FE5DB7BF0AD0

----------------------------------------------------------------------------------------------------------------------

I then downloaded the Malwarebytes' Anti-Malware software. During the install a message was displayed: "Setup detected current SA password is set to blank please use SP_password to set a strong SA password setup will now quit". When I hit OK, setup continued, as did the update for the program.
The same message was displayed a few more times, but setup never quit; it just continued with the installation.
I ran the scan and here is the log it produced.

Malwarebytes' Anti-Malware 1.41
Database version: 3043
Windows 5.1.2600 Service Pack 3

27/10/2009 19:33:05
mbam-log-2009-10-27 (19-33-05).txt

Scan type: Quick Scan
Objects scanned: 104571
Time elapsed: 4 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usbctl (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\lizkavd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\nod_x32.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\sos_x32.txt (Backdoor.Bot) -> Quarantined and deleted successfully.


-----------------------

Lastly I ran the Kaspersky Online Scanner. No issues here. I downloaded all updates and ran the scan; here is the report it produced.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, October 28, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, October 27, 2009 19:29:52
Records in database: 3090303
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 84214
Threats found: 7
Infected objects found: 8
Suspicious objects found: 2
Scan duration: 01:36:36


File name / Threat / Threats count
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail (mo 883\Inbox\7BAE0155-000001E9.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail (mo 883\Sent items\0E6D352F-00000073.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\lizkavd.exe.vir Infected: Trojan-Dropper.Win32.FrauDrop.age 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-27_19.08.21.zip Infected: Trojan-Downloader.Win32.Mufanom.dly 1
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP830\A0062055.exe Infected: Trojan-Downloader.Win32.Lipler.fhm 1
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP864\A0065086.dll Infected: Trojan.Win32.FraudPack.uof 1
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP864\A0065087.dll Infected: Packed.Win32.Krap.ad 1
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP868\A0065766.exe Infected: Net-Worm.Win32.Aspxor.fs 1
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP888\A0066740.exe Infected: Trojan-Dropper.Win32.FrauDrop.age 1
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP892\A0067153.dll Infected: Trojan-Downloader.Win32.Mufanom.dly 1

Selected area has been scanned.


Thanks Again for the help

Liam
LooRoll is offline  
Old 10-28-2009, 05:28 AM   #6 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,204
OS: XP sp3


Re: Antivirus_Pro 2010 Infection

Hi,

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/424548-antivirus_pro-2010-infection.html#post2414191

Collect::
c:\windows\iqadobuv.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Emowoz"=-
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT


Code:
"Setup detected current SA password is set to blank please use SP_password to set a strong SA password setup will now quit" when i hit ok setup continued as did the update for the program.

http://support.microsoft.com/kb/904652


That Microsoft article addresses that issue; give it a read and see if it applies to you, but don't change anything until we have finished completely cleaning this machine. Just a couple of things to do, then we will be done.




NEXT:


Kaspersky found a couple of items in your Hotmail inbox. Unfortunately it cannot identify which particular message it is, so delete anything from anyone you don't know, or messages with attachments or anything remotely suspicious; you will have to use your best judgement.

The rest of the items are in quarantine or old restore points which we will be cleaning up shortly.


NEXT:

The items I had scripted to submit for analysis didn't send automatically, so I need you to upload it manually.

please do the following:

Please open this link HERE in a new window.

In the box marked Link to topic where this file was requested: please paste in the following text
Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/424548-antivirus_pro-2010-infection.html#post2414191
Click the Browse button and navigate to C:\Qoobox\Quarantine

There should be a zip file there called [4]-Submit_****-**-**_**.**.**.zip ( the * denotes Date and Time stamp - yours will be close to this:27/10/2009 19:08 )
Select this file and click Open
In the Largest box please put
Code:
File Requested By CatByte 
Failed Submit::
Finally click SendFile

Please return here and let me know when that file has been uploaded.



NEXT

Please run the following command


Click Start > Run then copy/paste the following single-line command into the Run box and click OK:


C:\Qoobox\Add-Remove Programs.txt

A text file should open.

Post the contents of that file in your next reply.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 10-28-2009, 05:57 AM   #7 (permalink)
Registered User
 
Join Date: Aug 2007
Location: N, Ireland
Posts: 25
OS: Win Xp Pro


Re: Antivirus_Pro 2010 Infection

Hi CatByte,

When we're done as suggested, I will look into the article on MS RE SQL.

Followed the last set of instructions with no issues.

I uploaded the file successfully to bleeping computer.

ComboFix ran with the script. Here is the new ComboFix Log.

ComboFix 09-10-27.07 - Mark 28/10/2009 11:44.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.982 [GMT 0:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\stage 3\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-27 19:40 . 2009-10-27 19:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-27 19:40 . 2009-10-27 19:40 -------- d-----w- c:\program files\Java
2009-10-27 19:26 . 2009-10-27 19:26 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes
2009-10-27 19:24 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 19:24 . 2009-10-27 19:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 19:24 . 2009-10-27 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-27 19:24 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-15 08:03 . 2009-10-15 08:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-09 07:53 . 2009-10-09 07:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\program files\Common Files\Apple
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\Apple
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\program files\Apple Software Update
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-06 16:13 . 2009-10-06 16:13 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\Apple Computer
2009-10-06 13:22 . 2009-10-13 13:44 -------- d-----w- c:\documents and settings\Mark\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 15:03 . 2009-05-22 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-23 11:02 . 2009-05-22 17:19 -------- d-----w- c:\program files\AVG
2009-10-13 13:49 . 2008-07-12 15:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-13 13:45 . 2008-07-12 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-06 16:15 . 2006-05-23 10:03 -------- d-----w- c:\program files\QuickTime
2009-10-01 11:21 . 2008-08-14 10:25 -------- d-----w- c:\documents and settings\Mark\Application Data\U3
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 09:09 . 2008-07-14 15:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 08:56 . 2009-05-22 17:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 08:56 . 2009-05-22 17:20 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 08:56 . 2009-05-22 17:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 06:58 . 2006-06-01 08:28 64368 ----a-w- c:\documents and settings\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 18:24 . 2004-08-04 08:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 18:24 . 2004-08-04 08:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 18:24 . 2006-05-18 14:33 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 18:24 . 2004-08-04 08:00 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 18:24 . 2004-08-04 08:00 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 18:24 . 2004-08-04 08:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 18:23 . 2004-08-04 08:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 18:23 . 2007-12-17 09:00 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 18:23 . 2007-12-17 09:00 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 18:23 . 2004-08-04 08:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 18:52 . 2009-08-04 18:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13 . 2004-08-04 08:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 08:00 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 14:07 . 2009-08-03 14:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 14:07 . 2009-08-03 14:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 14:07 . 2009-08-03 14:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-23_11.20.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-28 10:12 . 2009-10-28 10:12 16384 c:\windows\Temp\Perflib_Perfdata_1c0.dat
+ 2004-08-09 13:44 . 2009-10-28 10:16 79520 c:\windows\system32\perfc009.dat
- 2004-08-09 13:44 . 2009-10-23 11:09 79520 c:\windows\system32\perfc009.dat
+ 2006-05-18 10:45 . 2009-10-23 11:23 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-05-18 10:45 . 2009-10-23 11:07 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-05-18 10:45 . 2009-10-23 11:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-05-18 10:45 . 2009-10-23 11:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-09 07:53 . 2009-10-23 11:07 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-10-09 07:53 . 2009-10-23 11:23 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2004-08-09 13:44 . 2009-10-28 10:16 461858 c:\windows\system32\perfh009.dat
- 2004-08-09 13:44 . 2009-10-23 11:09 461858 c:\windows\system32\perfh009.dat
+ 2009-10-27 19:40 . 2009-10-27 19:40 149280 c:\windows\system32\javaws.exe
+ 2009-10-27 19:40 . 2009-10-27 19:40 145184 c:\windows\system32\javaw.exe
+ 2009-10-27 19:40 . 2009-10-27 19:40 145184 c:\windows\system32\java.exe
+ 2009-10-27 19:40 . 2009-10-27 19:40 537600 c:\windows\Installer\538ee.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-09-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-09-30 126976]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 528384]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-27 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 08:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Data Storage\\DS-Recovery Tools\\dsmlr.exe"=
"c:\\WINDOWS\\system32\\freecell.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/05/2009 17:20 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [22/05/2009 17:20 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [22/05/2009 17:19 297752]
R2 DS-Message Level Restore;DS-Message Level Restore;c:\program files\Data Storage\DS-Recovery Tools\dsmlr.exe [05/03/2009 15:40 1355776]
R2 MSSQL$MSDE_ARXCIS;MSSQL$MSDE_ARXCIS;c:\program files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlservr.exe -sMSDE_ARXCIS --> c:\program files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlservr.exe -sMSDE_ARXCIS [?]
S3 SQLAgent$MSDE_ARXCIS;SQLAgent$MSDE_ARXCIS;c:\program files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlagent.EXE -i MSDE_ARXCIS --> c:\program files\Microsoft SQL Server\MSSQL$MSDE_ARXCIS\Binn\sqlagent.EXE -i MSDE_ARXCIS [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=hxxp://www-cache.orangehome.co.uk:8080;ftp=http://www-cache.orangehome.co.uk:8080
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {710449A8-DFA8-4BE8-B928-2B5E83B523FF} = 192.168.1.1,0.0.0.0
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\ujdtr1nv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.orange.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3912)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-28 11:51
ComboFix-quarantined-files.txt 2009-10-28 11:50
ComboFix2.txt 2009-10-27 19:22
ComboFix3.txt 2009-10-23 11:23

Pre-Run: 16,567,566,336 bytes free
Post-Run: 16,628,445,184 bytes free

- - End Of File - - 0FB823376E9E8134FD2B1ABB9BB1B4E6



Here is the last log requested, from Add-Remove Programs.txt:

Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
Apple Application Support
Apple Software Update
AVG Free 8.5
Broadcom Management Programs
Critical Update for Windows Media Player 11 (KB959772)
DS-Recovery Tools 9.0
EPSON Printer Software
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Help and Support
HP Safety and Comfort Guide
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 16
MailObjects
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (MSDE_ARXCIS)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.14)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero Suite
OGA Notifier 2.0.0048.0
QuickTime
RealPlayer
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Software Setup
Sony Ericsson Device Data
Sony Ericsson Drivers
Sony Ericsson PC Suite
SoundMAX
TOSHIBA e-STUDIO Series Fax
TOSHIBA e-STUDIO451c Series Client
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live installer
Windows Live Mail
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3


Regards
Liam
Old 10-28-2009, 07:34 AM   #8 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Location: Canada
Posts: 2,204
OS: XP sp3


Re: Antivirus_Pro 2010 Infection

Please do the following.

Visit ADOBE and download the latest version of Acrobat Reader (version 9.2).
Having the latest updates ensures there are no known security vulnerabilities in your system.


NEXT

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the ...X and the /U; it needs to be there.



NEXT

Now to remove the rest of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

If any logs remain after using this tool > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them

    Then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking the Windows Update website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • SpywareBlaster protects against bad ActiveX; it immunizes your PC against them.

  • SpywareGuard offers real-time protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program (e.g. TeaTimer, Windows Defender) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • For Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.
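How hosts-file blocking of the kind described in the MVPS Hosts recommendation above actually matches names, as an added Python example (not from this thread, from CatByte, or from the MVPS project). It parses an MVPS-style HOSTS file, collects every name pointed at a sinkhole address, and answers "would this name be blocked?". The sample hosts content, the hostnames in it and the function names are all constructed for the demo; the one caveat it shows is that hosts matching is exact, so blocking a domain does not block its subdomains:

```python
"""
Hosts-file blocklist checker (added example; not from the thread or the MVPS project).

An MVPS-style HOSTS file maps unwanted hostnames to 127.0.0.1 (or 0.0.0.0) so the
resolver never reaches the real site. This parser builds the blocklist from such a
file and answers "would this name be blocked?".
"""
from __future__ import annotations

import ipaddress

# Constructed sample in the MVPS layout (not the real MVPS file): comments, the
# mandatory localhost line, tab/space separated entries, and an inline comment.
SAMPLE_HOSTS = """\
# Constructed sample hosts file (not the real MVPS list)
127.0.0.1  localhost
127.0.0.1  ads.example.net
0.0.0.0    tracker.example.org   # some lists use 0.0.0.0 instead
127.0.0.1\tbanner.example.com  counter.example.com
::1        localhost
"""

# Addresses that mean "go nowhere": the loopback/unspecified addresses lists use.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> dict[str, str]:
    """Return {hostname: address} for every non-comment entry in the file."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, inline or whole-line
        if not line:
            continue
        fields = line.split()  # any run of spaces or tabs separates fields
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)  # skip malformed lines instead of trusting them
        except ValueError:
            continue
        for name in names:
            mapping[name.lower()] = address  # later lines win, as the resolver does
    return mapping


def blocked_names(mapping: dict[str, str]) -> set[str]:
    """Names that resolve to a sinkhole address, excluding localhost itself."""
    return {
        name for name, addr in mapping.items()
        if addr in SINKHOLE_ADDRESSES and name != "localhost"
    }


def is_blocked(hostname: str, blocklist: set[str]) -> bool:
    """HOSTS matching is exact: a blocked parent name does not cover its
    subdomains, which is the main limitation of hosts-file blocking compared
    with a DNS filter. Case and a trailing dot are normalised away."""
    return hostname.lower().rstrip(".") in blocklist


if __name__ == "__main__":
    blocklist = blocked_names(parse_hosts(SAMPLE_HOSTS))
    for host in ("ads.example.net", "www.ads.example.net", "counter.example.com"):
        print(f"{host:28} blocked={is_blocked(host, blocklist)}")
```

Running the block shows ads.example.net and counter.example.com as blocked but www.ads.example.net as not blocked, which is why a hosts-file list needs an entry for every hostname variant an ad or malware site uses, and why it complements rather than replaces the other layers listed above.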


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it. Thank you.
__________________


ASAP & UNITE Member
 

