
Post #1 · Discussion Starter (Registered · 39 Posts):
Kaspersky has detected this threat and cannot fix the problem. It comes back each reboot. I tried to fix it through reading other posts and found a program, SDFix, that was supposed to help. When I ran it, it froze and never finished, so I still have the problem. I ran out of options and hope you guys can help me out. Internet is running a little slow. Not many symptoms, but I don't feel good with the compromised security. Please help my computer heal.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Russell at 23:47:35.93 on Thu 05/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1364 [GMT -4:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\WindUpdate.exe
C:\Program Files\Autorun Eater\billy.exe
C:\WINDOWS\system32\WindUpdate.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\DOCUME~1\Russell\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Russell\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [AtiPTA] atiptaxx.exe
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Acer ePower Management] c:\acer\empowering technology\epower\Acer ePower Management.exe boot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [Process Registry] WindUpdate.exe
mRun: [SDFix] c:\sdfix\RunThis.bat /second
mRunServices: [Process Registry] WindUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238381467634
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\russell\applic~1\mozilla\firefox\profiles\nm42bbkb.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-5-1 213520]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2009-4-28 12106]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-7-29 206088]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2009-4-28 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2009-4-28 78208]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2009-4-28 7296]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2009-4-28 4010]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2009-3-29 1088896]
R3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\drivers\NdisFilt.sys [2009-4-28 4392]
S2 gupdate1c9b59778eb76da;Google Update Service (gupdate1c9b59778eb76da);c:\program files\google\update\GoogleUpdate.exe [2009-4-4 133104]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2009-4-19 68954]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-4-28 32512]

=============== Created Last 30 ================


==================== Find3M ====================

2009-05-01 14:03 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-04-01 11:12 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-30 05:57 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-29 23:33 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-29 22:05 472,576 a------- c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2009-03-29 20:35 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-03-08 05:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 05:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 05:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 05:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 05:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 05:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 05:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 05:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 05:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 05:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys

============= FINISH: 23:48:19.50 ===============
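The DDS report above lists autostart entries in the `uRun`/`mRun`/`mRunServices` lines, some of them with a bare file name and no directory. As an added example (not part of this thread, and not a feature of DDS or ComboFix), the script below parses those lines and flags what a reviewer would want to look at first: images with no directory component (the loader resolves them by search path at logon), images under a Temp directory, and the same image registered under more than one Run-type key. It also lists running processes that execute from Temp. The sample input is a constructed subset of lines copied from the log above; the flags are triage hints for a human, not malware verdicts, and legitimate vendor entries such as `atiptaxx.exe` are flagged on the same rule.

```python
"""Triage helper for the autostart lines of a DDS "Pseudo HJT Report".

Added example for this thread, not part of the original post and not a
DDS or ComboFix feature. It parses uRun/mRun/mRunServices lines, flags
images that are unqualified (no directory, so the loader resolves them
by search path at logon), that live under a Temp directory, or that are
registered under more than one Run-type key, and separately lists
running processes that execute from Temp. The flags are triage hints
for a human reviewer, not malware verdicts.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the DDS log above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WindUpdate.exe
C:\DOCUME~1\Russell\LOCALS~1\Temp\RtkBtMnt.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [AtiPTA] atiptaxx.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [Process Registry] WindUpdate.exe
mRun: [SDFix] c:\sdfix\RunThis.bat /second
mRunServices: [Process Registry] WindUpdate.exe
"""

# "uRun: [name] value" -- u = HKCU, m = HKLM; key is Run, RunOnce, RunServices, ...
ENTRY_RE = re.compile(r"^(?P<scope>[um])(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<value>.*)$")
# First image on the command line: either a quoted path or a token that ends
# in an executable extension (unquoted paths may contain spaces).
IMAGE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<bare>.+?\.(?:exe|bat|cmd|scr|com|dll)))(?:\s|$)', re.I)
# Plain path lines, as printed in the "Running Processes" section.
PROCESS_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.I)
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\local settings\\temp\\")


def parse_entries(text):
    """Return a dict per Run-type line: scope, key, name and the image path."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        value = m.group("value").strip()
        im = IMAGE_RE.match(value)
        image = (im.group("q") or im.group("bare")) if im else value
        entries.append({"scope": m.group("scope"), "key": m.group("key"),
                        "name": m.group("name"), "image": image})
    return entries


def triage(text):
    """Return (key, name, image, reasons) for each entry worth a closer look."""
    entries = parse_entries(text)
    keys_by_image = defaultdict(set)
    for e in entries:
        keys_by_image[e["image"].lower()].add(e["scope"] + e["key"])
    findings = []
    for e in entries:
        img = e["image"].lower()
        reasons = []
        if "\\" not in img:
            reasons.append("unqualified image name; resolved via the search path at logon")
        if any(marker in img for marker in TEMP_MARKERS):
            reasons.append("runs from a Temp directory")
        if len(keys_by_image[img]) > 1:
            reasons.append("same image under several autostart keys: "
                           + ", ".join(sorted(keys_by_image[img])))
        if reasons:
            findings.append((e["scope"] + e["key"], e["name"], e["image"], reasons))
    return findings


def temp_processes(text):
    """Return running-process paths that execute from a Temp directory."""
    return [line.strip() for line in text.splitlines()
            if PROCESS_RE.match(line.strip())
            and any(marker in line.lower() for marker in TEMP_MARKERS)]


if __name__ == "__main__":
    for key, name, image, reasons in triage(SAMPLE_LOG):
        print(f"{key} [{name}] {image}")
        for reason in reasons:
            print(f"    - {reason}")
    for path in temp_processes(SAMPLE_LOG):
        print(f"process from Temp: {path}")
```

Run it against a full DDS log by passing the file contents to `triage()`; an unqualified name should then be resolved the way ComboFix does in its "Reg Loading Points" section (for example `"AtiPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe`) before deciding whether the entry is expected on that machine.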

Reply · TSF Security Manager, Emeritus (42,952 Posts):
Hello rschou,

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT- Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Post #4 · Discussion Starter (Registered · 39 Posts):
Thanks for the information. One thing that just happened a little over a day ago is that the a.bat file in the C: drive disappeared. That's usually what the antivirus picks up as the problem. It's also no longer detecting any viruses. I'm sure that the virus is still affecting me because of a beep that comes on when I first start Windows that was never there, and the abnormally long boot-up time. I'll give this a go tonight and get back to you with any results. Thanks again.

Reply · TSF Security Manager, Emeritus (42,952 Posts):
You're welcome. Looking forward to seeing the results.

Post #6 · Discussion Starter (Registered · 39 Posts):
So I downloaded ComboFix and ran the program.

First it gave me an error and wanted me to note a specific file that we might need to refer to later. It had to stop running the program. c:\program file\common files\logitech\lvmvfm\lvprclnj.dll

It ran through the rest, rebooted the system, then appeared to be fixing malware as it stated. After waiting about 45 minutes to an hour (it said it would take at most 20 minutes) it still wasn't finishing. I decided to close down the program and try again. Before I went on to try again I wanted to post what there was of the log, not much. Hopefully I'll have more success next try.

ComboFix 09-05-17.03 - Russell 05/17/2009 19:09:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1441 [GMT -4:00]
Running from: C:\Documents and Settings\Russell\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
The following files were disabled during the run:
C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll

Post #7 · Discussion Starter (Registered · 39 Posts):
The error that comes out says:
"Parasite found !!
The following files were trying to attach to ComboFix. They shall be disabled.
Kindly note down on paper the name of each file. We may need it later."

Then it gives the path name written in the previous post. I hope this helps.

Reply · TSF Security Manager, Emeritus (42,952 Posts):
Launch Task Manager by pressing the Ctrl, Alt and Del keys simultaneously. End the process on lvprclnj.dll yourself before running ComboFix.

Or

Try running ComboFix from Safe Mode.

Post #10 · Discussion Starter (Registered · 39 Posts):
I couldn't find the file lvprclnj.dll running, but did find lvprcsrv.exe, ended that process and tried running it again. It worked this time. Log is below.

ComboFix 09-05-17.03 - Russell 05/17/2009 22:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1494 [GMT -4:00]
Running from: c:\documents and settings\Russell\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\_000023_.tmp.dll
c:\windows\system32\_000024_.tmp.dll
c:\windows\system32\_000025_.tmp.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\mfc71.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
d:\recycler\S-1-5-21-1708537768-152049171-725345543-1004\INFO2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-09 00:24 . 2009-05-09 00:24 -------- d-----w c:\documents and settings\Russell\Application Data\Publish Providers
2009-05-09 00:24 . 2009-05-09 00:24 -------- d-----w c:\documents and settings\Russell\Application Data\Sony
2009-05-06 06:26 . 2009-05-06 06:36 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-06 06:26 . 2009-05-06 06:26 -------- d-----w c:\documents and settings\Administrator.BEATRICE.000\Local Settings\Application Data\Google
2009-05-06 04:37 . 2009-05-06 04:37 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-05-06 04:34 . 2009-05-06 04:35 -------- d-----w c:\windows\ERUNT
2009-05-06 04:33 . 2009-05-06 04:33 -------- d-sh--w c:\documents and settings\Administrator.BEATRICE.000\IETldCache
2009-05-04 03:48 . 2009-05-04 04:39 -------- d-----w c:\program files\EsetOnlineScanner
2009-05-04 03:14 . 2009-05-04 03:14 -------- d-----w c:\documents and settings\Administrator.BEATRICE\IETldCache
2009-05-04 03:14 . 2009-05-04 03:16 -------- d-----w c:\documents and settings\Administrator.BEATRICE\Local Settings\Application Data\Microsoft
2009-05-04 03:14 . 2009-05-04 03:16 -------- d-s---w c:\documents and settings\Administrator.BEATRICE
2009-05-04 02:55 . 2009-05-04 02:55 -------- d-----w c:\documents and settings\Administrator\IETldCache
2009-05-04 02:55 . 2009-05-04 03:25 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-05-04 02:55 . 2009-05-04 03:25 -------- d-s---w c:\documents and settings\Administrator
2009-05-04 02:44 . 2009-05-04 03:25 -------- d-----w c:\program files\Common Files\Nero
2009-05-04 02:44 . 2009-05-04 02:44 -------- d-----w c:\documents and settings\Russell\Application Data\Nero
2009-05-04 02:44 . 2009-05-04 03:25 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-05-04 02:42 . 2009-05-04 03:25 -------- d-----w c:\program files\Nero
2009-05-03 23:09 . 2009-05-03 23:09 -------- d-----w c:\documents and settings\Russell\Local Settings\Application Data\Sony
2009-05-03 23:07 . 2009-05-03 23:07 -------- d-----w c:\program files\Vstplugins
2009-05-03 23:07 . 2009-05-03 23:07 -------- d-----w c:\program files\Sony
2009-05-03 21:40 . 2009-05-03 21:40 -------- d-----w c:\documents and settings\Russell\Application Data\ZoomBrowser EX
2009-05-03 21:36 . 2009-05-04 03:25 -------- d-----w c:\program files\PhotomatixPro3
2009-05-03 21:21 . 2009-05-03 21:21 -------- d-----w c:\documents and settings\Russell\Application Data\CANON INC
2009-05-01 23:57 . 2009-05-01 23:57 -------- d-----w c:\program files\Alien Skin
2009-05-01 21:51 . 2009-05-01 21:51 -------- d-----w c:\program files\Bonjour
2009-05-01 21:44 . 2009-05-01 21:44 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-05-01 17:31 . 2009-05-01 18:03 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-05-01 17:31 . 2009-05-01 18:03 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-05-01 17:30 . 2009-05-18 02:31 3537440 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-01 17:30 . 2009-05-18 02:38 442400 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-01 17:30 . 2009-05-01 20:43 -------- d-----w c:\program files\Kaspersky Lab
2009-05-01 17:30 . 2009-05-18 02:34 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-05-01 17:05 . 2009-05-01 17:05 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-05-01 17:01 . 2009-05-01 17:01 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-28 11:39 . 2009-04-28 11:39 -------- d-----w c:\program files\uTorrent
2009-04-28 11:39 . 2009-05-04 03:25 -------- d-----w c:\documents and settings\Russell\Application Data\uTorrent
2009-04-28 11:29 . 2009-05-04 03:04 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-28 08:57 . 2009-04-28 08:57 -------- d-----w c:\program files\Acer Inc
2009-04-28 07:06 . 2009-04-28 07:06 -------- d-----w c:\program files\WinPCap
2009-04-28 07:06 . 2005-04-22 20:57 4096 ----a-w c:\windows\system32\drivers\epm-psd.sys
2009-04-28 07:06 . 2005-04-22 20:57 78208 ----a-w c:\windows\system32\drivers\epm-shd.sys
2009-04-28 07:05 . 2009-04-28 07:05 21275 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-04-28 07:05 . 2009-04-28 07:05 -------- d-----w c:\documents and settings\All Users\Application Data\Intel
2009-04-28 07:04 . 2005-12-16 18:32 61440 ----a-w c:\windows\system32\acerGina.dll
2009-04-28 06:59 . 2009-04-28 06:59 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-28 06:58 . 2009-04-28 06:58 -------- d-----w c:\documents and settings\Russell\Application Data\Acer
2009-04-28 06:57 . 2009-04-28 06:57 -------- d-----w c:\documents and settings\All Users\Application Data\Acer
2009-04-28 06:57 . 2005-09-13 19:34 4392 ----a-w c:\windows\system32\drivers\NdisFilt.sys
2009-04-28 06:57 . 2005-10-15 22:20 12106 ----a-w c:\windows\system32\drivers\OsaFsLoc.sys
2009-04-28 06:57 . 2005-01-14 19:57 4010 ----a-w c:\windows\system32\drivers\osanbm.sys
2009-04-28 06:57 . 2005-06-30 20:58 7296 ----a-w c:\windows\system32\drivers\osaio.sys
2009-04-28 06:45 . 2009-04-28 06:45 13132 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-28 06:13 . 2009-04-28 06:14 -------- d-----w c:\program files\GetDiz
2009-04-28 05:54 . 2009-04-28 05:54 -------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-04-28 05:54 . 2009-04-28 05:56 -------- d-----w c:\program files\Canon
2009-04-28 05:52 . 2009-04-28 05:52 -------- d-----w c:\program files\Common Files\Canon
2009-04-28 05:50 . 2009-04-28 05:50 -------- d-----w c:\windows\system32\IOSUBSYS
2009-04-28 05:48 . 2001-08-18 02:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-28 05:48 . 2008-04-13 17:45 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-28 05:48 . 2008-04-13 17:45 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-28 05:48 . 2008-04-13 23:12 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-28 03:03 . 2009-04-28 03:03 -------- d-----w C:\Guitar Tabs
2009-04-28 02:20 . 2009-04-28 02:48 -------- d-----w C:\Stuff
2009-04-19 20:03 . 2009-02-09 12:10 617472 ----a-w c:\windows\system32\advapi32.dll
2009-04-19 20:03 . 2009-02-09 12:10 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-04-19 20:03 . 2009-02-09 12:10 714752 ----a-w c:\windows\system32\ntdll.dll
2009-04-19 20:03 . 2009-02-06 11:11 110592 ----a-w c:\windows\system32\services.exe
2009-04-19 20:03 . 2009-02-06 11:06 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-04-19 20:03 . 2009-02-06 10:32 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-04-19 19:58 . 2009-04-19 20:04 -------- d-----w c:\program files\Snap 'n Share
2009-04-19 19:58 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-19 19:58 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 02:38 . 2009-05-01 17:30 3640 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-18 02:34 . 2009-03-30 03:16 -------- d-----w c:\program files\Autorun Eater
2009-05-18 02:31 . 2009-05-01 17:30 29764 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-17 14:25 . 2009-03-30 03:52 -------- d-----w c:\program files\Google
2009-05-15 19:01 . 2009-04-05 02:37 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-15 19:00 . 2009-04-05 02:37 -------- d-----w c:\program files\Norton Security Scan
2009-05-01 21:51 . 2009-04-05 02:10 -------- d-----w c:\program files\Common Files\Adobe
2009-05-01 21:23 . 2009-04-05 02:11 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-01 18:03 . 2008-01-29 22:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-04-28 11:06 . 2009-03-30 04:45 13104 ----a-w c:\documents and settings\Russell\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-28 08:58 . 2009-03-30 02:05 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-28 07:05 . 2009-03-30 02:02 -------- d-----w c:\program files\Intel
2009-04-19 19:59 . 2009-04-19 19:59 -------- d-----w c:\program files\MyDSC2
2009-04-19 19:59 . 2009-04-19 19:59 -------- d-----w c:\program files\Mars
2009-04-19 19:59 . 2009-04-19 19:59 -------- d-----w c:\program files\JL2005C
2009-04-08 00:56 . 2009-04-05 02:07 -------- d-----w c:\program files\NOS
2009-04-05 17:18 . 2009-04-05 17:18 -------- d-----w c:\program files\MSXML 4.0
2009-04-05 07:15 . 2009-04-01 13:47 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-05 04:05 . 2009-04-05 04:05 -------- d-----w c:\program files\VideoLAN
2009-04-05 02:13 . 2009-04-05 02:13 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-05 01:49 . 2009-04-05 01:49 -------- d-----w c:\program files\Common Files\Motorola Shared
2009-04-05 01:49 . 2009-04-05 01:49 -------- d-----w c:\program files\Motorola
2009-04-01 15:12 . 2009-03-30 09:58 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-03-30 09:57 . 2009-03-30 09:57 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-30 09:57 . 2009-03-30 09:57 -------- d-----w c:\program files\Java
2009-03-30 04:49 . 2009-03-30 04:49 0 ----a-w c:\windows\nsreg.dat
2009-03-30 04:32 . 2009-03-30 04:32 -------- d-----w c:\program files\MSBuild
2009-03-30 04:32 . 2009-03-30 04:32 -------- d-----w c:\program files\Reference Assemblies
2009-03-30 04:26 . 2009-03-30 04:26 -------- d-----w c:\program files\Windows Desktop Search
2009-03-30 04:25 . 2009-03-30 04:25 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-30 03:58 . 2009-03-30 03:58 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-30 02:41 . 2009-03-30 02:41 -------- d-----w c:\program files\DIFX
2009-03-30 02:27 . 2009-03-30 02:27 -------- d-----w c:\program files\CONEXANT
2009-03-30 02:25 . 2009-03-30 02:25 -------- d-----w c:\program files\Common Files\Logitech
2009-03-30 02:25 . 2009-03-30 02:25 -------- d-----w c:\program files\Common Files\Acer
2009-03-30 02:22 . 2009-03-30 02:22 -------- d-----w c:\program files\Synaptics
2009-03-30 02:20 . 2009-03-30 02:20 -------- d-----w c:\program files\Realtek
2009-03-30 02:19 . 2009-03-30 02:05 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-30 02:17 . 2009-03-30 02:17 -------- d-----w c:\program files\Launch Manager
2009-03-30 02:08 . 2009-03-30 02:08 -------- d-----w c:\program files\WIDCOMM
2009-03-30 02:05 . 2009-03-30 02:05 -------- d-----w c:\program files\MultiRes
2009-03-30 02:05 . 2009-03-30 02:05 472576 ----a-w c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2009-03-30 02:05 . 2009-03-30 02:05 -------- d-----w c:\program files\Radeon Omega Drivers
2009-03-30 00:38 . 2009-03-30 00:38 -------- d-----w c:\program files\microsoft frontpage
2009-03-30 00:35 . 2009-03-30 00:35 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-08 09:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2008-04-18 15:56 . 2008-04-18 15:56 118784 ----a-w c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-30 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2005-12-06 458752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-01 225280]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2008-11-27 501768]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2005-12-15 344064]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-18 3079680]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-30 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-10-19 69632]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-05-01 206088]
"AtiPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2006-02-22 344064]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-12-09 18063872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-12-2 618557]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [3/29/2009 10:25 PM 1088896]
S2 gupdate1c9b59778eb76da;Google Update Service (gupdate1c9b59778eb76da);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2009 10:37 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-05-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-30 02:35]

2009-05-18 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 02:37]

2009-05-17 c:\windows\Tasks\Norton Security Scan for Russell.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 00:20]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-SDFix - c:\sdfix\RunThis.bat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Russell\Application Data\Mozilla\Firefox\Profiles\nm42bbkb.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 22:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1436)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1572)
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\MSVCR71.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-18 22:42
ComboFix-quarantined-files.txt 2009-05-18 02:41

Pre-Run: 114,859,274,240 bytes free
Post-Run: 114,845,945,856 bytes free

271 --- E O F --- 2009-05-18 02:31
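As an added example (not code from this thread, from ComboFix or from TSF), here is a small Python parser for the registry Run and firewall AuthorizedApplications sections of a ComboFix-style log like the one above. The SAMPLE_LOG lines are copied from that log; the two triage helpers are the example's own simple heuristics: a Run value that holds only a bare file name is resolved through the search path at logon (ComboFix shows the resolved file after " - "), and a firewall exception whose log line carries no details is treated as having no subnet scope, which is an assumption about how the log abbreviates such entries.

```python
"""Added example: parse the Run-key and firewall sections of a ComboFix-style log.

Not part of the thread or of ComboFix itself. The SAMPLE_LOG lines are copied
from the log posted above; the triage heuristics are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt copied from the ComboFix log above (constructed test input).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2005-12-06 458752]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-05-01 206088]
"AtiPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2006-02-22 344064]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-12-09 18063872]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"""

# "Name"="command" [- resolved path] [YYYY-MM-DD size]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"'
    r'(?:\s+-\s+(?P<resolved>.+?))?'
    r'\s+\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)
# "path"= [path:scope:Enabled:label]   (details are optional in the log)
FW_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*(?P<details>.*)$')


@dataclass
class RunEntry:
    name: str
    command: str            # the registry value as written
    resolved: Optional[str] # path ComboFix resolved a bare file name to, if any
    date: str
    size: int

    @property
    def bare_filename(self) -> bool:
        # No directory in the value: Windows finds the file via the search path.
        return "\\" not in self.command and "/" not in self.command


@dataclass
class FirewallEntry:
    path: str
    scope: Optional[str]    # subnet/mask, "*" for any, None when the log gives no details
    enabled: Optional[bool]
    label: Optional[str]


def _firewall_entry(path: str, details: str) -> FirewallEntry:
    path = path.replace("\\\\", "\\")          # the log doubles backslashes in some entries
    parts = details.rsplit(":", 3)             # rsplit: the path itself contains "c:"
    if len(parts) != 4:
        return FirewallEntry(path, None, None, details or None)
    _, scope, state, label = parts
    return FirewallEntry(path, scope, state.lower() == "enabled", label)


def parse_combofix(text: str) -> Dict[str, list]:
    """Walk the log; section headers are bracketed registry paths."""
    result: Dict[str, list] = {"run": [], "firewall": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section.endswith("\\currentversion\\run"):
            m = RUN_RE.match(line)
            if m:
                result["run"].append(RunEntry(m["name"], m["cmd"], m["resolved"],
                                              m["date"], int(m["size"])))
        elif section.endswith("\\authorizedapplications\\list"):
            m = FW_RE.match(line)
            if m:
                result["firewall"].append(_firewall_entry(m["path"], m["details"]))
    return result


def path_lookup_autostarts(entries: List[RunEntry]) -> List[str]:
    """Names of Run entries resolved through the search path rather than a full path."""
    return [e.name for e in entries if e.bare_filename]


def unrestricted_exceptions(entries: List[FirewallEntry]) -> List[str]:
    """Firewall exceptions with no subnet scope (assumption: no details means no scope)."""
    return [e.path for e in entries if e.scope in (None, "*")]


if __name__ == "__main__":
    parsed = parse_combofix(SAMPLE_LOG)
    for e in parsed["run"]:
        print(f"{e.name:<10} {e.resolved or e.command}  ({e.date}, {e.size} bytes)")
    print("Run entries resolved via search path:", path_lookup_autostarts(parsed["run"]))
    print("Firewall exceptions without subnet scope:", unrestricted_exceptions(parsed["firewall"]))
```

On the log above this flags AtiPTA and RTHDCPL as search-path autostarts (both resolve into c:\windows here) and lists the firewall exceptions that carry no subnet restriction, which is where a reviewer would look first when deciding what a machine exposes.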
 

· TSF Security Manager, Emeritus · 42,952 Posts
Nice work.


I'd like to double check something I see in this report. Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please attach that log in your next reply.
 

· Registered · 39 Posts · Discussion Starter · #12 ·
Here's what I got:

2009-05-18 02:41:11 . 2009-05-18 02:41:11 122 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SDFix.reg.dat
2009-05-18 02:41:07 . 2009-05-18 02:41:07 171 ----a-w C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}.reg.dat
2009-05-17 23:11:39 . 2009-05-17 23:11:39 984 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2009-05-17 23:11:29 . 2009-05-18 02:40:18 10,817 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-05-17 22:52:50 . 2009-05-18 02:38:03 255 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-04-28 07:06:02 . 2005-08-03 09:08:08 61,440 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\WanPacket.dll.vir
2009-04-28 07:06:02 . 2005-08-03 09:08:10 81,920 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir
2009-04-28 07:06:02 . 2005-08-03 09:24:02 53,299 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\pthreadVC.dll.vir
2009-04-28 07:06:02 . 2005-08-03 09:18:46 233,472 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2009-04-28 07:06:02 . 2005-08-03 09:10:14 32,512 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir
2004-08-04 12:00:00 . 2008-04-14 00:12:34 108,544 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_000023_.tmp.dll.vir
2004-08-04 12:00:00 . 2008-04-14 00:11:24 706,048 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_000024_.tmp.dll.vir
2004-08-04 12:00:00 . 2008-04-14 00:11:56 728,064 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_000025_.tmp.dll.vir
2003-03-19 01:20:00 . 2003-03-19 01:20:00 1,060,864 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\mfc71.dll.vir
 

· TSF Security Manager, Emeritus · 42,952 Posts
Hi rschou,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:


File::
DeQuarantine::
C:\Qoobox\Quarantine\C\WINDOWS\system32\mfc71.dll.vir

Quit::

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe. Be sure to allow ComboFix to update when the prompt appears.

When finished, it shall produce a log for you at C:\ComboFix.txt


--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
 

· Registered · 39 Posts · Discussion Starter · #14 ·
I ran ComboFix as you specified, and the resulting output was not ComboFix.txt but DeQuarantine.txt, containing:

C:\Qoobox\Quarantine\C\WINDOWS\system32\mfc71.dll.vir -> C:\WINDOWS\system32\mfc71.dll ( 1060864 bytes )


That was it. I'm running the online scan now and will post the results, but this wasn't what I was expecting.
 

· Registered · 39 Posts · Discussion Starter · #15 ·
When I tried running the scan I got this error:

"Program has failed to start. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.

[ERROR: java.lang.RuntimeException: You cannot run Kaspersky Online Scanner 7.0 because you already have Kaspersky Internet Security 8.0 (9.0) installed on the computer.]"

It was disabled too. Should I run some other online scan, like microtrend or something?
 

· TSF Security Manager, Emeritus · 42,952 Posts
The output from the CFScript is correct. My apologies for not editing in the proper name of the log it would produce.

Please use this online scanner:

Perform an online scan with Panda ActiveScan

* Turn off the real time scanner of any existing antivirus program while performing the online scan

  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.
 

· TSF Security Manager, Emeritus · 42,952 Posts
Indeed they are, and we shall take care of that momentarily.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.



To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor (free version). The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
 