Jump to content

Trojan.Agent reappears after reboot

Recommended Posts


This trojan has disabled my antivirus while also disabling me to load any antivirus websites or tech help websites. I'm using another computer to access this forum at present. I loaded MBAM chameleon after updating, then used a USB to load onto the infected computer. After scanning MBAM finds and removes this trojan but it reappears after rebooting. My antivirus scanner, while it appears to be disabled, manages to pick up a suspect file in the Temp folder and removes it also,but it also reappears after rebooting.

The trojan that is removed temporarily by MBAM is located here: HKLM\SYSTEM\CURRENTCONTROL\Services\Micorsoft Windows Service ( Trojan.Agent)

The file name located in Documents and Settings Temp file is: sgoskuyypaxxcxiv.exe

Threat name, according to AVG is: IDP,Generic 1E55DE4

Please find attached files as requested.

Thank you for any help you are able to give to me, it's much appreciated.



Link to post
Share on other sites

Hello debbiebay and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

Please uninstall the following applications:


Ares 2.1.7

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

Step 3

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply


In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • a new fresh DDS log file

Link to post
Share on other sites

Thank you for responding. I've followed all of your instructions with the exception of saving those programs to the desktop because like I said, none of the scan programs will open on my infected computer, therefore I saved them to a USB stick from this computer that isn't infected then opened the programs from the USB on the infected computer and performed the scans via the USB stick because the programs would not open otherwise. I'll paste the logs from the USB stick to here now.

There are now 2 showing up on the MBAM scan:

Malwarebytes Anti-Malware (PRO)


Database version: v2012.07.20.09

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

:: DEBBIE [administrator]

Protection: Disabled

21/07/2012 7:52:48 AM

mbam-log-2012-07-21 (07-52-48).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 187415

Time elapsed: 6 minute(s), 51 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Documents and Settings\Debbie Brown\Local Settings\Temp\mbtdrcvr.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


aswMBR version Copyright© 2011 AVAST Software

Run date: 2012-07-21 09:12:09


09:12:09.687 OS Version: Windows 5.1.2600 Service Pack 3

09:12:09.687 Number of processors: 2 586 0x4B02

09:12:09.687 ComputerName: DEBBIE UserName:

09:12:10.078 Initialize success

09:12:21.640 AVAST engine download error: 0

09:12:43.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

09:12:43.375 Disk 0 Vendor: WDC_WD800JD-60LSA0 07.01D07 Size: 76319MB BusType: 3

09:12:43.390 Disk 0 MBR read successfully

09:12:43.406 Disk 0 MBR scan

09:12:43.406 Disk 0 Windows XP default MBR code

09:12:43.406 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63

09:12:43.406 Disk 0 scanning sectors +156280320

09:12:43.468 Disk 0 scanning C:\WINDOWS\system32\drivers

09:12:51.953 Service scanning

09:13:05.171 Modules scanning

09:13:11.062 Disk 0 trace - called modules:

09:13:11.093 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

09:13:11.093 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae16ab8]

09:13:11.109 3 CLASSPNP.SYS[f7507fd7] -> nt!IofCallDriver -> \Device\00000087[0x8adf6f18]

09:13:11.312 5 ACPI.sys[f733f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ae1c940]

09:13:11.328 Scan finished successfully

09:13:20.890 Disk 0 MBR has been saved successfully to "F:\MBR.dat"

09:13:20.890 The log file has been saved successfully to "F:\aswMBR.txt"


DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Debbie Brown at 9:13:43 on 2012-07-21

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1364 [GMT 10:00]


AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Norton Internet Worm Protection *Disabled*


============== Running Processes ===============



C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService






C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\AVG\AVG2012\avgwdsvc.exe


C:\Program Files\Common Files\Nuance\dgnsvc.exe


C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\Program Files\Winamp\Winampa.exe


C:\Program Files\AVG\AVG2012\avgtray.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG2012\avgnsx.exe

C:\Program Files\AVG\AVG2012\avgemcx.exe


C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe

C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe



C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe




============== Pseudo HJT Report ===============


uStart Page = hxxp://www.google.com.au/

uDefault_Page_URL = hxxp://www.dodo.com.au/

uSearch Bar = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll

mURLSearchHooks: H - No File

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\debbie brown\local settings\application data\wgejefto\fmsvofaf.exe,

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin1.dll

BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: NOW!Imaging: {9aa2f14f-e956-44b8-8694-a5b615cdf341} - c:\program files\dodo speed accelerator\components\NOWImaging.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin1.dll

TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - No File


EB: Easy-WebPrint: {03c1c47f-0538-4645-8372-d3109b9fc636} - c:\program files\canon\easy-webprint\Toolband.dll

EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [iSUSPM] c:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe -scheduler

uRun: [FmsVofaf] c:\documents and settings\debbie brown\local settings\application data\wgejefto\fmsvofaf.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit


mRun: [sBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"

mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"

mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [ABC Download Manager] c:\program files\kontiki\australian_bc\cache\ABCDownloadManager.exe /silent

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking11\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking11\Ereg.ini

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

mPolicies-system: EnableLUA = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe

IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}

IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

Trusted Zone: ancestry.com

Trusted Zone: ancestry.com.au

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://photosrejectshop.lifepics.com/net/Uploader/LPUploader57.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} - hxxp://bigpondmusic.com/activex/multidownx.cab

TCP: DhcpNameServer =

TCP: Interfaces\{6FF37173-F71E-45EB-B956-E3CA4DBE1299} : DhcpNameServer =

Filter: text/html - {9570e373-c3ca-4cab-a8f2-b33f910d9314} -

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll


================= FIREFOX ===================


FF - ProfilePath - c:\documents and settings\debbie brown\application data\mozilla\firefox\profiles\ivvejq2w.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\debbie brown\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll


============= SERVICES / DRIVERS ===============


R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 31952]

R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [2006-10-6 61184]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 235216]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 41040]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 301248]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-7-4 5160568]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]

R2 DragonSvc;Dragon Service;c:\program files\common files\nuance\dgnsvc.exe [2010-7-23 296808]

R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [2006-10-6 16168]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-4-6 37376]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-3-28 22344]

R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\debbie~1\locals~1\temp\mbtdrcvr.sys --> c:\docume~1\debbie~1\locals~1\temp\mbtdrcvr.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-14 135664]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-28 655944]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 250056]

S3 Asushwio;Asushwio;c:\windows\system32\drivers\ASUSHWIO.SYS [2006-10-6 5824]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-14 135664]

S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-7-29 25112]

S3 KDZfiltr;KidzMouse filter driver;c:\windows\system32\drivers\KDZfiltr.sys [2011-11-6 4864]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-7-20 35144]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 113120]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]


=============== Created Last 30 ================


2012-07-20 02:28:44 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-07-18 22:49:34 -------- d-----w- C:\Malwarebytes

2012-07-18 22:49:29 -------- d-----w- c:\documents and settings\debbie brown\local settings\application data\wgejefto

2012-07-12 02:43:12 9822920 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-07-10 08:41:07 327749 ----a-w- c:\windows\system32\drvc.dll

2012-07-10 08:13:19 -------- d-----w- c:\documents and settings\debbie brown\application data\AVS4YOU

2012-07-10 07:55:13 11137024 ----a-w- c:\windows\system32\libmfxsw32.dll

2012-07-10 07:55:07 -------- d-----w- c:\program files\common files\AVSMedia

2012-07-10 07:53:25 1700352 ----a-w- c:\windows\system32\GdiPlus.dll

2012-07-10 07:53:25 -------- d-----w- c:\program files\AVS4YOU

2012-07-10 07:53:25 -------- d-----w- c:\documents and settings\all users\application data\AVS4YOU


==================== Find3M ====================


2012-07-12 02:43:15 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-12 02:43:15 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-03 03:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys

2012-06-08 08:10:40 1409 ----a-w- c:\windows\QTFont.for

2012-06-05 15:50:25 1372672 ------w- c:\windows\system32\msxml6.dll

2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 05:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 05:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 05:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 05:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 05:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-05-11 14:42:33 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec

2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2010-03-22 01:04:42 126616 ----a-w- c:\program files\BZSHLEXT.DLL


============= FINISH: 9:14:54.71 ===============

Link to post
Share on other sites

Hi, while I was waiting I decided to fiddle about and found that my AVG anti-rookit scan was still working even though the virus scan part was not. So I scanned it and it found 4 infected files, so I removed them and now my antivirus is back - no longer disabled. Im now also able to access all antivirus help pages, Microsoft and Malwarebytes websites. The only thing that isn't fixed is the System Restore. I can get it to go through the motions but upon rebooting, its unable to restore to whichever date I pick, even after going through safe mode and safe mode command prompt. It just keeps saying unable to restore to that date, try another and so on. I'm fairly sure this is a result of having those trojans because I've always been able to access System Restore until getting infected. Anyway, I've done the Malwarebytes scan and the Antivirus scans and anti-rookit scans and all are giving the all clear. I'm not sure if this means I've fixed that problem or just masked it. Thank you for your help anyway. If there is anything else that you think I should do, I'd appreciate your thoughts

Link to post
Share on other sites

No, I don't think your system is clean now. Please follow my instructions, don't try some tips from the Google.

Please visit this webpage for download links, and instructions for running the tool:


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Link to post
Share on other sites


Thanks for responding. I didn't try any tips from Google. What I had done was to simply run the anti-rookit scan from my AVG antivirus, as stated. IT removed further trojans and like I said, all appeared to be running okay. I was able to access those things that I wasn't able to before, like antivirus and this website and malwarebytes etc. But I thought I'd best do what you suggested and downloaded Combofix. After installing combofix it also downloaded the Microsoft Recovery Console then it went through the processes and when it reached stage 30, my computer froze. I had disabled all those things that were required, like antivirus and firewall, and gotten out of all windows programs as instructed. But, when it got to stage 30, the computer froze for an hour. The mouse wouldn 't move the computer completely froze. So I had to do something as I couldn't even shut it down. So I clicked reboot and now all that I have is a black screen. The computer starts to go through the rebooting process but completely stalls and like I said, a blank black screen. The only reason why I know it's still on is because of the lights on the tower otherwise it would seem to be turned off, but it isn't. I guess I should have left it be and not downloaded combofix because it was working fine and now I don't have the use of my computer at all. What could I possibly do to fix this now when I all have is a black screen?

Link to post
Share on other sites

Hi again. After pressing restart several times on my computer tower and nothing happening, I left it for a few hours then pressed restart again. The screen did come back as the computer went through it's rebooting process and a blue screen appeared whilst the computer went through a CHKDSK scan. There were a few corrupt files that it automatically deleted. Once the process finished the computer rebooted again. I ran combofix once more, in an effort to get through the scans. THe computer didn't freeze up this time and all seemed to work properly once again. Here is the combofix.txt:

ComboFix 12-07-21.01 - Debbie Brown 23/07/2012 13:44:44.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1423 [GMT 10:00]

Running from: c:\documents and settings\Debbie Brown\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



c:\documents and settings\All Users\Application Data\553267k63bm64pjb5fy53rbeb

c:\documents and settings\All Users\Application Data\AMMYY

c:\documents and settings\All Users\Application Data\AMMYY\hr

c:\documents and settings\All Users\Application Data\AMMYY\settings.bin

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Debbie Brown\Application Data\Adobe\plugs

c:\documents and settings\Debbie Brown\Application Data\Adobe\shed

c:\documents and settings\Debbie Brown\Application Data\inst.exe

c:\documents and settings\Debbie Brown\Application Data\PriceGong

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\1.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\a.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\b.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\c.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\d.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\e.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\f.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\g.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\h.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\i.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\J.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\k.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\l.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\m.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\n.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\o.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\p.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\q.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\r.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\s.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\t.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\u.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\v.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\w.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\x.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\y.xml

c:\documents and settings\Debbie Brown\Application Data\PriceGong\Data\z.xml

c:\documents and settings\Debbie Brown\Local Settings\Application Data\gnvnpeib.log

c:\documents and settings\Debbie Brown\Local Settings\Application Data\hedblepb.log

c:\documents and settings\Debbie Brown\Local Settings\Application Data\iestjlpr.log

c:\documents and settings\Debbie Brown\Local Settings\Application Data\knwxhfvg.log

c:\documents and settings\Debbie Brown\Local Settings\Application Data\lwqlrayv.log

c:\documents and settings\Debbie Brown\Local Settings\Application Data\sgwrjwqr.log

c:\documents and settings\Debbie Brown\Local Settings\Application Data\ucedrsog.log

c:\documents and settings\Debbie Brown\Local Settings\Application Data\uynovvuu.log

c:\documents and settings\Debbie Brown\Local Settings\Application Data\wgejefto\fmsvofaf.exe


c:\program files\Shared

c:\windows\Downloaded Program Files\popcaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf















((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))






((((((((((((((((((((((((( Files Created from 2012-06-23 to 2012-07-23 )))))))))))))))))))))))))))))))



2012-07-21 11:09 . 2012-07-21 11:09 -------- d-----w- c:\program files\uTorrent

2012-07-21 10:37 . 2012-07-21 10:37 -------- d-----w- c:\windows\MATS

2012-07-21 10:37 . 2012-07-21 10:37 -------- d-----w- c:\program files\Microsoft Fix it Center

2012-07-21 09:54 . 2012-07-21 09:54 -------- d-----w- c:\program files\ACW

2012-07-18 22:49 . 2012-07-18 22:49 -------- d-----w- C:\Malwarebytes

2012-07-18 22:49 . 2012-07-21 09:54 -------- d-----w- c:\documents and settings\Debbie Brown\Local Settings\Application Data\wgejefto

2012-07-12 02:43 . 2012-07-12 02:43 9822920 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-07-10 08:41 . 2004-07-01 15:00 327749 ----a-w- c:\windows\system32\drvc.dll

2012-07-10 08:13 . 2012-07-10 09:42 -------- d-----w- c:\documents and settings\Debbie Brown\Application Data\AVS4YOU

2012-07-10 07:55 . 2012-03-23 09:58 11137024 ----a-w- c:\windows\system32\libmfxsw32.dll

2012-07-10 07:55 . 2012-07-10 07:55 -------- d-----w- c:\program files\Common Files\AVSMedia

2012-07-10 07:53 . 2012-07-10 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU

2012-07-10 07:53 . 2012-07-10 07:55 -------- d-----w- c:\program files\AVS4YOU

2012-07-10 07:53 . 2012-03-23 09:59 1700352 ----a-w- c:\windows\system32\GdiPlus.dll




(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


2012-07-12 02:43 . 2012-03-31 22:14 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-12 02:43 . 2011-07-02 23:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-03 03:46 . 2011-03-28 11:45 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-13 13:19 . 2006-02-28 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys

2012-06-08 08:10 . 2012-06-08 08:10 1409 ----a-w- c:\windows\QTFont.for

2012-06-05 15:50 . 2009-08-19 07:07 1372672 ------w- c:\windows\system32\msxml6.dll

2012-06-05 15:50 . 2006-02-28 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 04:32 . 2006-02-28 12:00 152576 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 05:19 . 2007-06-18 22:59 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 05:19 . 2007-06-18 22:59 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 05:19 . 2006-10-06 04:34 329240 ----a-w- c:\windows\system32\wucltui.dll

2012-06-02 05:19 . 2006-10-06 04:34 210968 ----a-w- c:\windows\system32\wuweb.dll

2012-06-02 05:19 . 2006-10-06 04:34 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 05:19 . 2007-06-18 22:59 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 05:19 . 2006-10-06 04:34 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 05:19 . 2006-10-06 04:34 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 05:19 . 2006-02-28 12:00 97304 ----a-w- c:\windows\system32\cdm.dll

2012-06-02 05:19 . 2005-05-25 18:16 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 05:19 . 2007-06-18 22:59 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 05:19 . 2006-10-06 04:34 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 05:19 . 2006-10-06 04:34 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-05-31 13:22 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-16 15:08 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-11 14:42 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-05-11 14:42 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-11 11:38 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec

2012-05-04 13:16 . 2006-02-28 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 12:32 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-05-02 13:46 . 2006-10-06 04:32 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2010-03-22 01:04 . 2010-12-02 04:06 126616 ----a-w- c:\program files\BZSHLEXT.DLL

2012-07-18 10:50 . 2011-07-19 06:29 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown



[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2010-12-31 10:27 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngin1.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin1.dll" [2010-12-31 3911776]




[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin1.dll" [2010-12-31 3911776]







2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Debbie Brown\Application Data\Dropbox\bin\DropboxExt.13.dll





2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Debbie Brown\Application Data\Dropbox\bin\DropboxExt.13.dll





2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Debbie Brown\Application Data\Dropbox\bin\DropboxExt.13.dll



"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2010-07-23 222496]



"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-15 6803456]

"nwiz"="nwiz.exe" [2005-06-15 1519616]

"NvMediaCenter"="NvMCTray.dll" [2005-06-15 86016]

"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]

"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2002-04-26 12288]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-04 2587008]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-15 259624]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-25 2569616]

"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-09-14 1213848]



"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart





[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]

2003-06-17 15:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

2003-09-17 00:43 57344 ----a-w- c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2008-08-29 07:11 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]




"EnableFirewall"= 0 (0x0)




"c:\\Program Files\\Messenger\\msmsgs.exe"=


"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Documents and Settings\\Debbie Brown\\Application Data\\Dropbox\\bin\\Dropbox.exe"=


"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=



"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management


R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [19/04/2012 4:50 AM 24896]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7/09/2010 3:48 AM 31952]

R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [6/10/2006 2:58 PM 61184]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/09/2010 3:48 AM 235216]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/09/2010 3:49 AM 301248]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [14/02/2012 4:53 AM 193288]

R2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [23/07/2010 1:19 PM 296808]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [28/03/2011 9:45 PM 655944]

R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [6/10/2006 3:39 PM 16168]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [6/04/2009 6:40 AM 37376]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [23/12/2011 1:32 PM 139856]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [23/12/2011 1:32 PM 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [23/12/2011 1:32 PM 17232]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [28/03/2011 9:45 PM 22344]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [4/07/2012 5:25 PM 5160568]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/08/2010 2:54 PM 135664]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 6:19 PM 13592]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [1/04/2012 8:14 AM 250056]

S3 Asushwio;Asushwio;c:\windows\system32\drivers\ASUSHWIO.SYS [6/10/2006 2:49 PM 5824]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/08/2010 2:54 PM 135664]

S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [29/07/2010 12:25 AM 25112]

S3 KDZfiltr;KidzMouse filter driver;c:\windows\system32\drivers\KDZfiltr.sys [6/11/2011 12:14 PM 4864]

S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [13/06/2011 10:09 PM 267568]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [25/04/2012 7:34 PM 113120]

S3 Pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [17/03/2007 1:42 PM 47360]


Contents of the 'Scheduled Tasks' folder


2012-07-23 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 01:43]


2012-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-14 04:54]


2012-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-14 04:54]


2012-07-22 c:\windows\Tasks\User_Feed_Synchronization-{F1D6EDF7-1CED-49AD-AE43-382ADCD11BF2}.job

- c:\windows\system32\msfeedssync.exe [2009-03-07 18:31]



------- Supplementary Scan -------


uStart Page = hxxp://www.google.com.au/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: ancestry.com

Trusted Zone: ancestry.com.au

TCP: DhcpNameServer =

DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} - hxxp://bigpondmusic.com/activex/multidownx.cab

FF - ProfilePath - c:\documents and settings\Debbie Brown\Application Data\Mozilla\Firefox\Profiles\ivvejq2w.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/

FF - prefs.js: network.proxy.type - 0


- - - - ORPHANS REMOVED - - - -


URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\tbuTo1.dll

BHO-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\tbuTo1.dll

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Toolbar-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\tbuTo1.dll

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - c:\program files\uTorrentBar\tbuTo1.dll

WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)

HKCU-Run-FmsVofaf - c:\documents and settings\Debbie Brown\Local Settings\Application Data\wgejefto\fmsvofaf.exe

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

HKLM-Run-ABC Download Manager - c:\program files\Kontiki\australian_bc\cache\ABCDownloadManager.exe

AddRemove-Campfire Legends - The Babysitter - c:\documents and settings\Debbie Brown\Desktop\Campfire Legends - The Babysitter\Uninstall.exe

AddRemove-Dexter The Game - c:\program files\Icarus Studios

AddRemove-Easy-WebPrint - c:\program files\Canon\Easy-WebPrint\Uninst.isu






catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-07-23 13:57

Windows 5.1.2600 Service Pack 3 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...



c:\documents and settings\Debbie Brown\Application Data\Dropbox\shellext\l\500cccce 124 bytes


scan completed successfully

hidden files: 1




--------------------- LOCKED REGISTRY KEYS ---------------------



@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)






--------------------- DLLs Loaded Under Running Processes ---------------------


- - - - - - - > 'winlogon.exe'(556)




- - - - - - - > 'explorer.exe'(3884)


c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll

c:\documents and settings\Debbie Brown\Application Data\Dropbox\bin\DropboxExt.13.dll







c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

c:\program files\Microsoft Office\OFFICE11\msohev.dll


------------------------ Other Running Processes ------------------------











Completion time: 2012-07-23 14:03:36 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-23 04:03


Pre-Run: 22,896,283,648 bytes free

Post-Run: 22,878,015,488 bytes free


- - End Of File - - AA0F195199815BC546D1B7F304ABD126

Link to post
Share on other sites

Since then my computer has frozen up at least 5 times during the day/evening and I've had to attempt rebooting. It doesn't work until I've left it rest for a period of time, then it will restart up again. This problem has only started since the downloading and running of Combofix. If you could offer a fix to this problem I would appreciate it

Link to post
Share on other sites

Your system is still infected.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

c:\documents and settings\Debbie Brown\Local Settings\Application Data\wgejefto
c:\program files\uTorrent
c:\program files\ConduitEngine
c:\program files\uTorrentBar

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Trusted Zone: ancestry.com
Trusted Zone: ancestry.com.au


Save this as CFScript.txt, in the same location as ComboFix.exe


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Link to post
Share on other sites

After shutting down my computer for the night, it now won't boot up at all. I've tried hitting the reset button several times, holding down the On button until it turns off then after a few minutes I start it up again. It doesn't boot up only enough to turn the fans/lights etc on in the tower, but it doesn't boot up all the way. I've attempted this several times this morning to no avail

Link to post
Share on other sites

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

[*]Select Command Prompt

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Link to post
Share on other sites

I downloaded the recovery scan tool as instructed, loaded it onto a USB stick, put the stick into the infected computer and restarted. Nothing happens. Like I said, the computer is not booting up. The BIOS is not loading. Tapping f8 is futile. The screen is blank. The monitor isn't showing anything other than a blank screen because the computer is not booting up properly. All that is occurring is the fan and lights come on upon starting. I can hear that it doesn't go through the process of booting up, therefore the BIOS is not showing. I placed Windows disc into the CD/DVD drive, then started machine again. Nothing is happening. Same as stated. Nothing

Link to post
Share on other sites

Yeah, I'm sure. I tried the f8 and delete button as stated in the "how to set BIOS" link that you posted above just in case, but like I said, it doesn't boot up enough to even get a screen - it's blank and I can tell by the sound it makes that it's not getting to a stage in the booting up part where the process starts where tapping F8 works. I've tried it with the USB flashdrive in and I've tried it without. I've tried it with the Windows CD in the drive, I've tried it without. Nothing is working.

Link to post
Share on other sites

Your system was seriously infected, problem could not be due to ComboFix, because from the beginning of this problem would occur. Even if something happened, then there is absolutely no way that they can't even boot from the CD. I have strong suspicion that the problem is hardware related. Is there any option to anyone has dealt with computer hardware?

Link to post
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.