Everything posted by JohanF
D.D.S. Script don't produce text file
JohanF replied to JohanF's topic in Resolved Malware Removal Logs
It doesn't seem as if there is any activity. I have to go now - will leave it running and check back in about 2 hours. If there's anything else I should try, let me know. Thanks! -
D.D.S. Script don't produce text file
JohanF replied to JohanF's topic in Resolved Malware Removal Logs
The blue AutoScan screen of ComboFix is now open for almost an hour with the message "Scanning for infected files... This typically doesn't take more than 10 minutes however, scan times for badly infected machines may easily double" and a blinking cursor. Is it still busy scanning or has the process halted for some reason? -
D.D.S. Script don't produce text file
JohanF replied to JohanF's topic in Resolved Malware Removal Logs
No, I do not work through a proxy server. When I started working with this PC, that proxy setting prevented me from getting access to the internet. After running MBAM the problem was solved. Let me run combofix... -
D.D.S. Script don't produce text file
JohanF replied to JohanF's topic in Resolved Malware Removal Logs
OK, I decided to re-boot so as to see if my original problem with the dds scanner was also related to the RAM and indeed it was. Here is the log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by J. Fourie at 10:49:54 on 2012-07-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.117 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Parental Control\ParentalControl.Exe
C:\Program Files\Autorun Eater\oldmcdonald.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\system32\ChgService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Autorun Eater\billy.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:3128
mWinlogon: Userinit=c:\windows\system32\userinit.exe,System,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\t.h. ngcobo\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [ParentalControl] c:\program files\parental control\ParentalControl.Exe /SERVICE
mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\802.11 wireless lan\802.11g wireless cardbus & pci adapter hw.51 v1.00\WlanCU.exe
uPolicies-explorer: NoMultiIE = 0 (0x0)
uPolicies-explorer: LWA = 0 (0x0)
uPolicies-explorer: LWB = 0 (0x0)
uPolicies-explorer: LWC = 0 (0x0)
uPolicies-explorer: LWD = 0 (0x0)
uPolicies-explorer: LWE = 0 (0x0)
uPolicies-explorer: LWF = 0 (0x0)
uPolicies-explorer: LWG = 0 (0x0)
uPolicies-explorer: LWH = 0 (0x0)
uPolicies-explorer: LWI = 0 (0x0)
uPolicies-explorer: LWJ = 0 (0x0)
uPolicies-explorer: LWK = 0 (0x0)
uPolicies-explorer: LWL = 0 (0x0)
uPolicies-explorer: LWM = 0 (0x0)
uPolicies-explorer: LWN = 0 (0x0)
uPolicies-explorer: LWO = 0 (0x0)
uPolicies-explorer: LWP = 0 (0x0)
uPolicies-explorer: LWQ = 0 (0x0)
uPolicies-explorer: LWR = 0 (0x0)
uPolicies-explorer: LWS = 0 (0x0)
uPolicies-explorer: LWT = 0 (0x0)
uPolicies-explorer: LWU = 0 (0x0)
uPolicies-explorer: LWV = 0 (0x0)
uPolicies-explorer: LWW = 0 (0x0)
uPolicies-explorer: LWX = 0 (0x0)
uPolicies-explorer: LWY = 0 (0x0)
uPolicies-explorer: LWZ = 0 (0x0)
uPolicies-system: DisableClock = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1342541062625
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: Interfaces\{F040A7DC-1F30-4821-B9D4-DCDECB54CFB5} : NameServer = 196.43.1.11,196.25.1.11
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 235216]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 41040]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2011-10-17 135168]
S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [2011-10-17 103424]
.
=============== Created Last 30 ================
.
2012-07-20 06:42:04 -------- d-sha-r- C:\cmdcons
2012-07-20 06:35:08 98816 ----a-w- c:\windows\sed.exe
2012-07-20 06:35:08 518144 ----a-w- c:\windows\SWREG.exe
2012-07-20 06:35:08 256000 ----a-w- c:\windows\PEV.exe
2012-07-20 06:35:08 208896 ----a-w- c:\windows\MBR.exe
2012-07-20 06:34:56 -------- d-s---w- C:\Iexplorer
2012-07-19 12:21:10 -------- d-----w- c:\program files\ESET
2012-07-19 06:28:36 -------- d-----w- C:\53982c37fb4e5f4cb42dd1e3
2012-07-19 06:08:04 -------- d-sh--w- c:\documents and settings\t.h. ngcobo\IECompatCache
2012-07-19 06:06:24 -------- d-sh--w- c:\documents and settings\t.h. ngcobo\PrivacIE
2012-07-19 06:01:49 -------- d-sh--w- c:\documents and settings\t.h. ngcobo\IETldCache
2012-07-18 06:57:00 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-07-18 06:52:53 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-07-18 06:51:44 -------- d-----w- c:\windows\ie8updates
2012-07-18 06:50:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-07-18 06:50:53 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-07-18 06:50:50 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-07-18 06:46:17 -------- dc-h--w- c:\windows\ie8
2012-07-17 16:34:51 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-07-17 16:31:48 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-07-17 16:31:48 3072 ------w- c:\windows\system32\iacenc.dll
2012-07-17 16:28:12 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-07-17 16:28:07 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-07-17 16:27:28 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-07-17 16:24:29 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-07-17 16:24:13 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-07-17 16:24:08 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2012-07-17 16:23:50 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2012-07-17 16:23:50 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-07-17 16:23:13 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-07-17 16:22:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2012-07-17 16:21:59 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-07-17 16:19:41 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-07-17 16:19:41 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-07-17 16:17:36 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2012-07-17 16:13:49 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2012-07-17 16:12:52 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-07-17 16:12:46 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-07-17 16:06:01 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-07-17 15:45:18 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2012-07-17 15:45:18 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2012-07-17 15:44:42 9728 ------w- c:\windows\system32\rwnh.dll
2012-07-17 15:44:41 10752 ------w- c:\windows\system32\smtpapi.dll
2012-07-17 15:42:51 11053008 ------w- c:\program files\msn\msncorefiles\install\msn9components\msncli.exe
2012-07-17 15:42:46 -------- d-----w- c:\windows\l2schemas
2012-07-17 15:42:45 229376 ------w- c:\program files\msn\msncorefiles\oobe\obelog.dll
2012-07-17 15:42:44 966656 ------w- c:\program files\msn\msncorefiles\oobe\obemetal.dll
2012-07-17 15:42:44 86016 ------w- c:\program files\msn\msncorefiles\oobe\obepopc.dll
2012-07-17 15:42:44 77824 ------w- c:\program files\msn\msncorefiles\oobe\obemtllc.dll
2012-07-17 15:42:44 -------- d-----w- c:\windows\system32\en
2012-07-17 15:28:49 19569 ----a-w- c:\windows\007493_.tmp
2012-07-17 14:38:59 19968 ----a-w- c:\windows\system32\SET2E8.tmp
2012-07-17 14:37:59 18944 ----a-w- c:\windows\system32\SET1A4.tmp
2012-07-17 14:35:52 19569 ----a-w- c:\windows\006137_.tmp
2012-07-09 08:32:25 -------- d-----w- c:\documents and settings\t.h. ngcobo\local settings\application data\Google
2012-07-09 08:31:17 -------- d-----w- c:\documents and settings\t.h. ngcobo\local settings\application data\Deployment
2012-07-06 06:54:20 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-04 14:08:59 -------- d-----w- c:\documents and settings\t.h. ngcobo\application data\Malwarebytes
2012-07-04 14:08:40 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-07-02 09:27:04 6400 -c--a-w- c:\windows\system32\dllcache\enum1394.sys
2012-07-02 09:27:04 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2012-07-02 09:27:02 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2012-07-02 09:27:02 53376 ----a-w- c:\windows\system32\drivers\1394bus.sys
.
==================== Find3M ====================
.
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 13:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 13:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-23 14:46:47 78336 ------w- c:\windows\system32\ieencode.dll
.
============= FINISH: 10:51:23.01 ===============
I will now wait for further instruction from you (I still have ComboFix on the desktop under the name Iexplorer.com but will not run it unless you tell me to) -
D.D.S. Script don't produce text file
JohanF replied to JohanF's topic in Resolved Malware Removal Logs
PROGRESS!! I don't know why I never thought of ripping some RAM from an old un-used PC earlier! I'm up to 496MB and everything works much better now. Here is the rkill log now:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Rkill was run on 2012/07/20 at 10:27:48.
Operating System: Microsoft Windows XP
Processes terminated by Rkill or while it was running:
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
--- ATTENTION ---
Windows was configured to use a proxy! Proxy settings have been removed.
The Proxy Server that was configured is: localhost:3128
If this was a valid setting, please double-click on the rk-proxy.reg file on your desktop and allow the data to be merged to restore your proxy settings.
Rkill completed on 2012/07/20 at 10:27:54. -
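The DDS "Pseudo HJT Report" posted above and the rkill output in this post both surface the same finding, a browser proxy set to localhost:3128. The script below is an added triage example, not code from the thread, from DDS or from rkill: it parses DDS-style HJT lines and flags a proxy that points at the local machine plus Run-key entries whose executable lives outside the Windows and Program Files trees (the trusted-root list is my heuristic; the sample lines are constructed from entries in the posted log).

```python
"""Triage the 'Pseudo HJT Report' lines of a DDS log.

Added example for this thread; not the DDS tool's code. Flags an Internet
Explorer proxy on the local machine (the localhost:3128 setting rkill later
removed) and Run keys launching from outside Windows / Program Files.
"""
import re

# Constructed from entries in the posted DDS log (abridged, same format).
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:3128
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\t.h. ngcobo\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe
"""

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<proxy>\S+)$")
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")
# Unquoted command lines: the image ends at the first executable extension.
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|scr|bat|cmd|pif|vbs|dll))(?=\s|$)", re.I)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")  # heuristic


def image_path(cmd):
    """Return the executable path from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path, may contain spaces
        return cmd[1:cmd.find('"', 1)]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(log_text):
    """Return findings as tuples: ('proxy', value) or ('run', name, path)."""
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            # A proxy on the local machine usually means something on the box is
            # intercepting browser traffic, which is why rkill removes the setting.
            if m.group("proxy").rsplit(":", 1)[0].lower() in LOCAL_HOSTS:
                findings.append(("proxy", m.group("proxy")))
            continue
        m = RUN_RE.match(line)
        if m:
            path = image_path(m.group("cmd")).lower()
            path = path.replace("%systemroot%", "c:\\windows")
            if not path.startswith(TRUSTED_ROOTS):  # worth review, not proof of malice
                findings.append(("run", m.group("name"), path))
    return findings
```

On the sample it reports the localhost:3128 proxy and the Google Update entry running from the user profile; entries under Windows and Program Files, including the %systemroot% one, pass.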
D.D.S. Script don't produce text file
JohanF replied to JohanF's topic in Resolved Malware Removal Logs
Halfway through the scan (about 10 minutes), I get a Windows warning stating that System is low on virtual memory. Windows is increasing... And then a little while later, ComboFix stopped with the message: grep: memory exhausted. I checked the My Computer properties and saw that there is only 240MB of RAM. I'll hunt around for some RAM and try again. -
D.D.S. Script don't produce text file
JohanF replied to JohanF's topic in Resolved Malware Removal Logs
Yes, all 5 of rkill just come as far as "Preparing Rkill". Here is the ESET log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=d75b3ae8fd9f3242a95032db6e03cf4f
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-07-19 01:30:25
# local_time=2012-07-19 03:30:25 (+0200, South Africa Standard Time)
# country="South Africa"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 12026435 12026435 0 0
# compatibility_mode=8192 67108863 100 0 375 375 0 0
# scanned=50258
# found=2
# cleaned=2
# scan_time=3791
C:\Documents and Settings\All Users\Application Data\Autorun Eater\Autorun Backup\autorun0.inf INF/Autorun worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Autorun Eater\Autorun Backup\autorun1.inf INF/Autorun worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C -
D.D.S. Script don't produce text file
JohanF replied to JohanF's topic in Resolved Malware Removal Logs
OK, I finally got it upgraded to SP3 and did all the Windows updates, re-booted and repeated until there were no more critical updates. No change though - rkill and DDS still don't work. -
D.D.S. Script don't produce text file
JohanF replied to JohanF's topic in Resolved Malware Removal Logs
Seems to be a terribly slow process on this PC! I'll let you know tomorrow. Thanks so far! -
D.D.S. Script don't produce text file
JohanF replied to JohanF's topic in Resolved Malware Removal Logs
XP Sp2 -
D.D.S. Script don't produce text file
JohanF replied to JohanF's topic in Resolved Malware Removal Logs
Hi LDTate! It seems I have a bigger problem than I originally thought. - When I run rkill, the command screen opens and pauses quite a while with the message "Preparing Rkill." and then just closes without displaying any log of any processes that were terminated. Running DDS directly afterwards still produces the message "The syntax of the command is incorrect." I tried booting in safe mode, but get a message "Reboot and Select proper Boot device or Insert Boot Media in selected Boot device". I also noticed that my folder options "Hide extensions for known file types" and "Hide protected operating system files" remain ticked after I un-tick and apply and re-open the folder options. -
D.D.S. Script don't produce text file
JohanF replied to JohanF's topic in Resolved Malware Removal Logs
Thanks for the help! Unfortunately I'm on vacation - I will try rkill on Monday and report asap. -
Hi, I'm suspecting that my PC is still infected with malware after running MBAM. The programme did remove some problem files. I also ran TDSSKiller which solved my problem of MBAM and AVG Free which didn't want to update. However the PC is still very slow and from time to time I do get a warning indicating that virtual memory is too low. I then stumbled upon your "I'm infected - What do I do now?" article and realized that I might have started at the wrong point... I downloaded D.D.S. scr and ran it. The command screen pops up for a second and then closes again. I managed to screen capture it to read it and this is what I got:
Note on disabling script blocking tools etc.
The syntax of the command is incorrect. (x5)
'''''' is not recognized as an internal or external command, operable program or batch file.
It would be great if someone could give some advice here! Thanks, Johan