
Quick Please: Delete or quarantine with Avira Anti Virus?


RobC


My wife's computer is infected with a very aggressive virus (possibly a new TDSS variant...) that has defeated the original McAfee virus protection and all system guards. All of the security tools have been disabled now, as well as Internet Explorer.

Per the instructions in the "I'm Infected" forum posting-

I tried installing and using the Malwarebytes Anti-Malware (MBAM) tools, and also installing and running Avira Anti Virus. The infection is blocking the installation of MBAM (it also posts a balloon), but I had been successful with loading Avira AV- but then it was quickly blocked and can't be accessed again. The saved log from Avira has disappeared. I'm not sure if it helps, but I was watching the Avira scan progress closely (in hopes it would be successful) and noted some of the detections it registered:

HTML/Malicious.PDF.gen

TR/Dldr.Fraud.Lo.sxm

ADSPY/AltnetB.4

This may be an ignorant question, but does Avira not quarantine or remove the malware it detects? Maybe I missed something on the program interface, but I couldn't find that option, which is disappointing since it was so difficult getting it to run because of the infection.

I also had some Eldycow files show up when I ran Yahoo CA Anti-Spy, one of the few programs I was able to run before being totally blocked. They should have been quarantined and removed if Anti-Spy worked.

I haven't had any luck opening or running any removal tools, can't get HiJackThis to open and install, and now cannot even open Internet Explorer (all associated shortcuts that use IE now show as an unexecutable file type).

A rogue program calling itself "Protection System" is continually posting pop-up or fake security balloon messages that bog down the system while trying to work with the computer.

I posted this problem on the BartPE forum [http://www.nu2.nu/pebuilder/ ] and asked if there was any way to run the removal tools from a boot disk or command prompt, hoping I could beat the virus without running Windows. I'm not a tech expert but have a basic knowledge, and can catch on fairly quickly- I'm just a little lost on how to begin. I want to make a BartPE (or other utility) CD-ROM that will allow me to install and run MBAM and removal tools, but I have a problem-

I am not sure where the Windows XP disk for my wife's computer is, and my laptop uses Vista so I don't know how to proceed.

I'm sure the windows installation files are somewhere on my wife's computer- I just don't know the exact file path, and the infection makes it hard to work in Windows without pop-ups and blocked access by the virus program.

How can I build a clean Boot CD, or PE CD that will allow me to install and run the Malware removal tools in a PE environment or some other work-around?

Thanks,

Rob


I have been fighting a serious infection all week. As I had posted earlier, my wife's PC is infected with what appear to be several problems, one of which is a fake protection system. I tried following the instructions from the "I'm Infected" post, but nothing was able to load- I even tried renaming Malwarebytes MBAM and HJT, but nothing worked. I made some progress this morning with running a rescue boot CD from Avira, and after it finished I was able to start the PC and use the guest account. The regular accounts for my wife and I kept locking up.

Avira is scanning (for now) and detected some trojan files in c:\Windows\system32\wscsvc32.exe-

it is asking me whether to Move to quarantine, Delete, rename, or ignore- I can't see the benefit to the last two choices, so quarantine or delete?

For the Avira rescue boot CD- did it write the log to the CD, and if so, where? Can I retrieve it on my (uninfected) laptop in order to post it here?

Thanks

Rob


I've tried the instructions in the "I'm Infected" post, but the infection or rootkit is now blocking just about everything. After a few other attempts to request help, I ended up trying Avira's rescue boot, which seems to have weakened the infection, because later I was able to do a scan with Avira AV and quarantined several items- but there's no report showing up. I can't get it to scan again now- I click on "Scan System Now" and there's a pause and nothing happens.

--During some of the post-rescue disk attempts at working this attack, I was finally able to install MBAM, but it doesn't do anything when I start it.

--The same thing happens with HiJack this

--I also tried running Win32kDiag, and it started but seemed to just stop after 15 minutes or so. I was able to run it again but it seems to stop at roughly the same point each time, and never display the "Finished" line. I will post what I have as a report below.

--I also tried running DDS, and it may or may not have installed- it never got to the report.

--Next I tried RootRepeal, and it was running- then it just disappeared, dialog box and all, before I could get a report. I've also had several errors when trying to load it that say:

"could not load driver (0xc0000061)!"

In all of the above cases, I was only able to install and run the tools by renaming them before I copied them to the PC desktop from a flashdrive.

Using the flashdrive to download/save the tool applications from my laptop, then copying them to the PC, is the only way I can get files to the infected computer- after day 1 of the infection, I'd swear it intuitively "knew" I was using IE to try and download tools to fight it. Initially it would redirect IE to what appeared to be Google pages, but I would re-enter the page I wanted and it eventually loaded. Now any shortcut, bookmark or the IE exe itself all come up as unrecognizable file types.

Another trick, or problem, is I get frequent error messages when I try to run or install the tools that say it requires an Administrator, which I am. (I've tried to attack this under all the profiles: wife's, me/administrator, and guest.)

From reading the number of posts on here and on MalwareBytes forums, it looks like a lot of people are getting hit with this, or a variant. I'm also getting the rogue "Protection System" balloons and dialogue boxes that keep popping up & have to be closed before I can go back to seeing whatever I had open or running. I've also had it unexpectedly revert back to the user selection interface (still showed programs running under the username I had been working from), and once I received a Windows shutdown message, that I couldn't stop.

I am going to try running Root Repeal under a different file name again- I have a Notepad file open so I can try to copy what (if anything) I can get in the event that it is shut down again.

Any help or suggestions would be appreciated.

Thanks-

Rob

:( Some small success here! I have a report from Root Repeal below:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/04 19:33

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================


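As an added example (not code from the post, from RootRepeal or from the forum staff): a small Python parser for the "Drivers" section of a RootRepeal report in the layout shown above, which flags entries the scanner reported as not visible on disk or loaded from an NTFS alternate data stream (the `name:1` pattern). The sample log is constructed, modelled on the post's entries; treating `dump_*` drivers as expected-invisible is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout RootRepeal uses for its "Drivers" section
# (modelled on the entries in the post above, not copied from a real scan).
SAMPLE_LOG = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/04 19:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF2F42000 Size: 138496 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2B19000 Size: 98304 File Visible: No Signed: -
Status: -

Name: getaroot.sys
Image Path: C:\WINDOWS\system32\drivers\getaroot.sys
Address: 0xB4BA3000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF79AC000 Size: 20480 File Visible: No Signed: -
Status: -
"""

# One driver record is four lines; Address/Size/File Visible/Signed share a line.
ENTRY_RE = re.compile(
    r"Name: (?P<name>.+)\n"
    r"Image Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)\s+"
    r"File Visible: (?P<visible>\S+)\s+Signed: (?P<signed>\S+)\n"
    r"Status: (?P<status>.+)"
)

# A drive-letter path whose last component carries an NTFS stream suffix (":name").
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\:]+$")

# Assumption: crash-dump helper copies (dump_*.sys) are created at boot and
# routinely show "File Visible: No" without being malicious.
EXPECTED_HIDDEN_PREFIXES = ("dump_",)


@dataclass
class Driver:
    name: str
    path: str
    address: int
    size: int
    visible: bool
    signed: str
    status: str


def parse_rootrepeal_drivers(text: str) -> list[Driver]:
    """Parse every driver record out of a RootRepeal report, in report order."""
    records = []
    for m in ENTRY_RE.finditer(text):
        records.append(Driver(
            name=m["name"].strip(),
            path=m["path"].strip(),
            address=int(m["addr"], 16),
            size=int(m["size"]),
            visible=m["visible"] != "No",   # RootRepeal prints "-" when nothing is wrong
            signed=m["signed"],
            status=m["status"].strip(),
        ))
    return records


def is_alternate_data_stream(path: str) -> bool:
    """True when a drive-letter path ends in a ':stream' suffix.

    Plain file paths and object-manager names without a drive letter are not flagged.
    """
    return ADS_RE.match(path) is not None


def triage(drivers: list[Driver]) -> list[tuple[str, str]]:
    """Return (name, reason) pairs for entries that deserve a closer look."""
    findings = []
    for d in drivers:
        if is_alternate_data_stream(d.path):
            findings.append((d.name, "image loaded from an NTFS alternate data stream"))
        elif not d.visible and not d.name.lower().startswith(EXPECTED_HIDDEN_PREFIXES):
            findings.append((d.name, "driver image not visible on disk"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_rootrepeal_drivers(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

Running it against a full report pasted into SAMPLE_LOG lists only the suspicious entries, so the legitimate bulk of the driver list does not have to be read line by line.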

  • Staff

Hi,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because in some cases malware blocks EVERY process except those on its own whitelist, and that whitelist includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...

In case the file gets locked (you get an access denied error afterwards):

  1. Please download this file
  2. Place fr33.exe next to the exe file that doesn't want to run
  3. Drag the exe file into fr33.exe. That shall free/unlock it.

Example of how to do this (using the Malwarebytes executable, mbam.exe):

[screenshot: Fr33_mbam.gif]

You can do that with every exe file that cannot run.

Or, if you are interested in how to do this manually and take ownership of locked files, please see here (XP/Vista) for more info. Note: on XP Home, the "Security" tab is only visible in Safe Mode. If there is no Security tab in XP Pro, please see here (XP Pro

But it is not needed to do this manually if you use fr33.exe instead to "unlock" files. :(


Prior to starting ComboFix I disabled McAfee Security Center, which was the original AV protection, the Windows firewall, and Avira, which I had added during my attempts to fight this; it showed the closed umbrella icon.

While running ComboFix, it restarted twice. Just before the first reboot ComboFix had me note several file locations. After reboot, ComboFix continued running its scan, except I started getting Avira messages that a virus or trojan had been detected. I wasn't sure if that was part of the scan, or if Avira had restarted? I wasn't sure what to do so I kept selecting "Quarantine". Also, following the 2nd reboot from ComboFix, Windows decided to download/install updates, which I couldn't stop. I was still connected to the internet because ComboFix had indicated it needed to download some Microsoft files for System Restore. I'm not sure if the Avira quarantine alerts and the Windows updates will affect the outcome or not?

In watching the process in Combo's window, I saw where Combofix was deleting some of the malicious files and links- now that it has stopped, I still see two desktop shortcuts remaining for "Protection System" & a text file named "catchme" that I hadn't noticed before. Presently, Avira shows active, and after ComboFix finished, the only thing I've done so far is save the log on my flashdrive so I could post it here, and to do a screen capture so I could include an image of the desktop, I haven't opened any programs or files. (those are my daughters by the way... :( ) I've attached the Desktop image.

The combo text is here:

ComboFix 09-09-04.02 - Owner 09/05/2009 10:16.1.1 - NTFSx86

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Desktop\nudetube.com.lnk

c:\documents and settings\All Users\Desktop\pornotube.com.lnk

c:\documents and settings\All Users\Desktop\youporn.com.lnk

c:\documents and settings\Owner\Desktop\Total Security 2009.lnk

c:\documents and settings\Owner\Start Menu\Programs\Total Security

c:\documents and settings\Owner\Start Menu\Programs\Total Security\Total Security 2009.lnk

c:\recycler\S-1-5-21-1038877222-1771802644-1187402616-1003

c:\windows\Installer\1324b.msi

c:\windows\system32\~.exe

c:\windows\system32\drivers\UACbgrqoiskly.sys

c:\windows\system32\lopusuji.dll

c:\windows\system32\muzaloda.dll

c:\windows\system32\namiviko.dll

c:\windows\system32\pohuyuwo.dll

c:\windows\system32\seruyone.exe

c:\windows\system32\tuwejipe.dll

c:\windows\system32\UACaqpsdimhww.dll

c:\windows\system32\UACbapynyjnmn.dat

c:\windows\system32\UACdsesupgbph.dll

c:\windows\system32\UACfrulkxgubh.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACxmlkjalxrq.dll

c:\windows\system32\wayolelu.exe

c:\windows\system32\wevetora.dll

D:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\logevent.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_UACd.sys

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))

.

2009-09-05 01:40 . 2009-09-05 02:30 34816 ----a-w- c:\windows\system32\drivers\plumber.exe.sys

2009-09-05 01:05 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-05 01:05 . 2009-09-05 01:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-05 01:05 . 2009-09-05 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-05 01:05 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 23:50 . 2009-09-05 01:32 34816 ----a-w- c:\windows\system32\drivers\.sys

2009-09-04 22:15 . 2009-09-04 22:15 -------- d-----w- c:\program files\Trend Micro

2009-09-03 15:46 . 2009-09-03 15:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM

2009-09-03 15:45 . 2009-09-03 15:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-09-03 14:19 . 2009-09-03 14:19 -------- d-----w- c:\documents and settings\Rob\Application Data\MSNInstaller

2009-09-03 14:13 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-09-03 14:13 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-09-03 14:13 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-09-03 14:13 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-09-03 14:13 . 2009-09-03 14:13 -------- d-----w- c:\program files\Avira

2009-09-03 14:13 . 2009-09-03 14:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-09-02 00:17 . 2009-09-02 00:17 -------- d-----w- c:\program files\Microsoft Windows OneCare Live

2009-09-01 23:43 . 2009-09-01 23:43 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-09-01 23:42 . 2009-09-01 23:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-26 16:22 . 2009-08-26 16:22 -------- d-----w- c:\program files\NCR Media Formats

2009-08-26 16:21 . 2009-08-26 16:23 -------- d-----w- c:\program files\NCR Label Formats for MS Word Setup

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-05 17:06 . 2004-08-26 16:11 56320 ----a-w- c:\windows\system32\eventlog.dll

2009-09-05 17:03 . 2005-11-07 17:16 -------- d-----w- c:\program files\McAfee

2009-09-05 16:26 . 2009-06-05 16:26 88064 --sha-w- c:\windows\system32\yobijowu.dll

2009-09-04 21:47 . 2009-06-04 21:47 88064 --sha-w- c:\windows\system32\fayebuzu.dll

2009-09-02 23:08 . 2008-12-17 05:58 -------- d-----w- c:\program files\Windows Live Safety Center

2009-09-02 15:49 . 2009-06-02 15:49 49152 --sha-w- c:\windows\system32\fekabaku.dll

2009-09-02 15:49 . 2009-06-02 15:49 88576 --sha-w- c:\windows\system32\loyuwisa.dll

2009-09-01 15:46 . 2006-02-07 02:54 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView

2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-26 16:11 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2004-08-26 16:12 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-10 17:45 . 2005-11-07 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-06-16 14:36 . 2004-08-26 16:12 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-26 16:11 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2004-08-26 16:12 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 16:19 . 2004-08-26 18:00 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2004-08-26 16:11 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2004-08-26 16:12 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-09 21:57 . 2006-02-15 19:56 35512 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-02 15:50 . 2009-06-02 15:50 49152 --sha-w- c:\windows\system32\higawaka.dll

2009-06-02 15:50 . 2009-06-02 15:50 49152 --sha-w- c:\windows\system32\yelesato.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442629e0-33f0-442f-86e8-d06ff99aae38}]

2009-06-02 15:50 49152 --sha-w- c:\windows\system32\yelesato.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 176128]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]

"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-26 36904]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-20 221184]

"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]

"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]

"jusupiyetu"="c:\windows\system32\higawaka.dll" [2009-06-02 49152]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"rebuninat"="c:\windows\system32\fayebuzu.dll" [2009-09-04 88064]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-26 90112]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"OOBEDDDemise"="erase" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{3b5fecf4-783c-443a-abbf-dec53a1282b7}"= "c:\windows\system32\fayebuzu.dll" [2009-09-04 88064]

"{084d3224-2dd0-4a21-b016-d359d42d8472}"= "c:\windows\system32\yobijowu.dll" [2009-09-05 88064]

"{57d164c6-a20a-4a44-bec1-ad2c907258cd}"= "c:\windows\system32\fayebuzu.dll" [2009-09-04 88064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"kederibeh"= {3b5fecf4-783c-443a-abbf-dec53a1282b7} - c:\windows\system32\fayebuzu.dll [2009-09-04 88064]

"bifapemif"= {084d3224-2dd0-4a21-b016-d359d42d8472} - c:\windows\system32\yobijowu.dll [2009-09-05 88064]

"mekuzutaz"= {57d164c6-a20a-4a44-bec1-ad2c907258cd} - c:\windows\system32\fayebuzu.dll [2009-09-04 88064]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\McAfee\\MPF\\MpfSrv.exe"=

"c:\\Program Files\\Yahoo!\\SoftwareUpdate\\YahooAUService.exe"=

"c:\\WINDOWS\\explorer.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/3/2009 7:13 AM 108289]

S3 getaroot;getaroot;\??\c:\windows\system32\drivers\getaroot.sys --> c:\windows\system32\drivers\getaroot.sys [?]

S3 plumber.exe;plumber.exe;c:\windows\system32\drivers\plumber.exe.sys [9/4/2009 6:40 PM 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-16 18:53]

2009-01-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-16 18:53]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-11948004 - c:\documents and settings\All Users\Application Data\11948004\11948004.exe

SafeBoot-mfehidk

SafeBoot-mferkdk

SafeBoot-mfetdik

SafeBoot-mfetdik.sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com

mSearch Bar = hxxp://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarLM/YSetSearch/2007/11/18/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-05 10:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

OOBEDDDemise = cmd /x /c erase c:\windows\System32\oobe\msoobe.exe??????????????????????C?w?????????????????????????%??????????????i?wis???????????H???????????????????????????*&?|l????&?|??-w????????????????????????????????????????????????????`??????????????|?&?|?????&?|B%?|???????????????????|?$?|??????-wC

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2376)

c:\program files\SiteAdvisor\6253\saHook.dll

c:\windows\system32\higawaka.dll

c:\windows\system32\fayebuzu.dll

c:\windows\system32\yobijowu.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\windows\system32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Logitech\Video\FxSvr2.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

.

**************************************************************************

.

Completion time: 2009-09-05 10:44 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-05 17:44

Pre-Run: 80,401,629,184 bytes free

Post-Run: 80,950,607,872 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

250 --- E O F --- 2009-08-26 18:05

[attachment: post-19083-1252173898_thumb.jpg (desktop screenshot)]


  • Staff

Hi,

Please delete the orphaned links on your desktop (the ones in your screenshot).

Then, open Notepad (don't use any other text editor than Notepad or the script will fail).

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\system32\higawaka.dll

c:\windows\system32\fayebuzu.dll

c:\windows\system32\yobijowu.dll

c:\windows\system32\fekabaku.dll

c:\windows\system32\loyuwisa.dll

c:\windows\system32\higawaka.dll

c:\windows\system32\yelesato.dll

Suspect::[8]

c:\windows\system32\drivers\plumber.exe.sys

Driver::

getaroot

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442629e0-33f0-442f-86e8-d06ff99aae38}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"jusupiyetu"=-

"rebuninat"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{3b5fecf4-783c-443a-abbf-dec53a1282b7}"=-

"{084d3224-2dd0-4a21-b016-d359d42d8472}"=-

"{57d164c6-a20a-4a44-bec1-ad2c907258cd}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"kederibeh"=-

"bifapemif"=-

"mekuzutaz"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\explorer.exe"=-

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again.

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

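As an added example (not ComboFix's code and not the staff's tooling), this Python parses a constructed excerpt of the log above, flags the loading points that share the pattern the staff removed (eight-letter lowercase DLLs directly in system32 registered under Run, a BHO CLSID, SharedTaskScheduler or ShellServiceObjectDelayLoad, plus files carrying the hidden+system attribute bits) and drafts the File::/Registry:: sections of a CFScript for an analyst to review. The heuristics and sample lines are assumptions built from this thread alone, not a general detection rule:

```python
"""Triage a ComboFix log for Vundo-style loading points and draft a CFScript.

Added example for this thread, not ComboFix's code nor the staff's tooling. The
heuristics only encode what the posted log shows and merely propose entries;
an analyst still confirms each one before it goes into a script.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the Find3M and "Reg Loading Points" parts of
# the log above (a few lines kept verbatim, the rest trimmed).
SAMPLE_LOG = r"""
2009-09-05 16:26 . 2009-06-05 16:26 88064 --sha-w- c:\windows\system32\yobijowu.dll
2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442629e0-33f0-442f-86e8-d06ff99aae38}]
2009-06-02 15:50 49152 --sha-w- c:\windows\system32\yelesato.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"jusupiyetu"="c:\windows\system32\higawaka.dll" [2009-06-02 49152]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"rebuninat"="c:\windows\system32\fayebuzu.dll" [2009-09-04 88064]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{3b5fecf4-783c-443a-abbf-dec53a1282b7}"= "c:\windows\system32\fayebuzu.dll" [2009-09-04 88064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"kederibeh"= {3b5fecf4-783c-443a-abbf-dec53a1282b7} - c:\windows\system32\fayebuzu.dll [2009-09-04 88064]
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")              # [HKEY_...] section header
VALUE_NAME = re.compile(r'^"([^"]+)"\s*=')        # "name"= at line start
DATED_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} ")   # BHO entries start with a date
PATH = re.compile(r'([a-z]:\\[^\[\]"]+?\.(?:dll|exe|sys))(?=\s|"|$)', re.IGNORECASE)
# ComboFix prints the directory lowercase but keeps file case, so an all-lowercase
# eight-letter stem directly in system32 (higawaka, fayebuzu ...) is the tell.
RANDOM_STEM = re.compile(r"^c:\\windows\\system32\\[a-z]{8}\.(?:dll|exe)$")
LOWER_NAME = re.compile(r"^[a-z]{6,12}$")         # jusupiyetu, rebuninat, kederibeh
GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.IGNORECASE)


@dataclass(frozen=True)
class LoadPoint:
    key: str              # registry key the entry lives under
    value: Optional[str]  # value name; None when the key itself is the entry (BHO CLSID)
    path: str             # file the entry loads


def parse_load_points(log: str) -> list[LoadPoint]:
    """Pair every file in the REGEDIT4-style section with its key and value name."""
    points, key = [], None
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            continue                                # blank lines added by extraction
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
        elif key and (line.startswith('"') or DATED_LINE.match(line)):
            p = PATH.search(line)
            v = VALUE_NAME.match(line)
            if p:
                points.append(LoadPoint(key, v.group(1) if v else None, p.group(1)))
        else:
            key = None                              # left the key's value block
    return points


def hidden_system_files(log: str) -> list[str]:
    """Files ComboFix prints with the system+hidden attribute bits (--sha-w-)."""
    found: list[str] = []
    for line in log.splitlines():
        p = PATH.search(line) if "--sha-w-" in line else None
        if p and p.group(1) not in found:
            found.append(p.group(1))
    return found


def flag_candidates(log: str) -> list[LoadPoint]:
    """Loading points that match the pattern the staff removed in this thread."""
    hidden = set(hidden_system_files(log))
    flagged = []
    for lp in parse_load_points(log):
        odd_name = lp.value is None or LOWER_NAME.match(lp.value) or GUID.match(lp.value)
        if (RANDOM_STEM.match(lp.path) and odd_name) or lp.path in hidden:
            flagged.append(lp)
    return flagged


def build_cfscript(log: str) -> str:
    """Draft the File:: and Registry:: sections in the form the staff used above."""
    flagged = flag_candidates(log)
    files: list[str] = []
    for path in [lp.path for lp in flagged] + hidden_system_files(log):
        if path not in files:
            files.append(path)
    lines, current = ["File::", *files, "", "Registry::"], None
    for lp in flagged:
        if lp.value is None:
            lines.append(f"[-{lp.key}]")            # delete the whole CLSID key
            current = None
        else:
            if lp.key != current:
                lines.append(f"[{lp.key}]")
                current = lp.key
            lines.append(f'"{lp.value}"=-')         # remove just this value
    return "\n".join(lines) + "\n"
```

Run against the sample, the draft lists the same six-style DLLs and the same Run, SharedTaskScheduler and SSODL values the staff scripted, while NeroCheck.exe, avgnt.exe and mswebdvd.dll stay untouched.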

Ok- I'm about to perform those steps.

Question: since running the previous (first) ComboFix, I've just let the PC sit (using my laptop to post), and following the ComboFix run Avira was turned on. It has displayed several warnings about Trojan files detected. I've been selecting "Quarantine".

Is that the correct thing to do?

Do I need to turn Avira AV - or anything else off before the steps you listed above?


Ok here is the new ComboFix Log. I attempted to access the BleepingComputer link above (I had to copy it to PC desktop from my flash)- but I get an Error message that says:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I also tried to open Internet Explorer and see if I could type the link in, but nothing happens when I click the IE shortcut.

After the reboot, ComboFix resumed and just before completing said that it was uploading files to the server- I'm not sure where it uploaded them to.

ComboFix 09-09-04.02 - Owner 09/05/2009 12:31.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.123 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: L:\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"c:\windows\system32\fayebuzu.dll"

"c:\windows\system32\fekabaku.dll"

"c:\windows\system32\higawaka.dll"

"c:\windows\system32\loyuwisa.dll"

"c:\windows\system32\yelesato.dll"

"c:\windows\system32\yobijowu.dll"

file zipped: c:\windows\system32\drivers\plumber.exe.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\fayebuzu.dll

c:\windows\system32\fekabaku.dll

c:\windows\system32\higawaka.dll

c:\windows\system32\loyuwisa.dll

c:\windows\system32\yelesato.dll

c:\windows\system32\yobijowu.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_GETAROOT

-------\Service_getaroot

((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))

.

2009-09-05 01:40 . 2009-09-05 02:30 34816 ----a-w- c:\windows\system32\drivers\plumber.exe.sys

2009-09-05 01:05 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-05 01:05 . 2009-09-05 01:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-05 01:05 . 2009-09-05 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-05 01:05 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 22:15 . 2009-09-04 22:15 -------- d-----w- c:\program files\Trend Micro

2009-09-03 15:46 . 2009-09-03 15:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM

2009-09-03 15:45 . 2009-09-03 15:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-09-03 14:19 . 2009-09-03 14:19 -------- d-----w- c:\documents and settings\Rob\Application Data\MSNInstaller

2009-09-03 14:13 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-09-03 14:13 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-09-03 14:13 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-09-03 14:13 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-09-03 14:13 . 2009-09-03 14:13 -------- d-----w- c:\program files\Avira

2009-09-03 14:13 . 2009-09-03 14:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-09-02 00:17 . 2009-09-02 00:17 -------- d-----w- c:\program files\Microsoft Windows OneCare Live

2009-09-01 23:43 . 2009-09-01 23:43 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-09-01 23:42 . 2009-09-01 23:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-26 16:22 . 2009-08-26 16:22 -------- d-----w- c:\program files\NCR Media Formats

2009-08-26 16:21 . 2009-08-26 16:23 -------- d-----w- c:\program files\NCR Label Formats for MS Word Setup

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-05 17:30 . 2006-02-07 02:54 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView

2009-09-05 17:06 . 2004-08-26 16:11 56320 ----a-w- c:\windows\system32\eventlog.dll

2009-09-05 17:03 . 2005-11-07 17:16 -------- d-----w- c:\program files\McAfee

2009-09-02 23:08 . 2008-12-17 05:58 -------- d-----w- c:\program files\Windows Live Safety Center

2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-26 16:11 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2004-08-26 16:12 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-10 17:45 . 2005-11-07 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-06-16 14:36 . 2004-08-26 16:12 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-26 16:11 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2004-08-26 16:12 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 16:19 . 2004-08-26 18:00 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2004-08-26 16:11 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2004-08-26 16:12 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-09 21:57 . 2006-02-15 19:56 35512 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 176128]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]

"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-26 36904]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-20 221184]

"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]

"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-26 90112]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"OOBEDDDemise"="erase" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\McAfee\\MPF\\MpfSrv.exe"=

"c:\\Program Files\\Yahoo!\\SoftwareUpdate\\YahooAUService.exe"=

"c:\\Program Files\\Logitech\\Video\\LogiTray.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/3/2009 7:13 AM 108289]

S3 plumber.exe;plumber.exe;c:\windows\system32\drivers\plumber.exe.sys [9/4/2009 6:40 PM 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-16 18:53]

2009-01-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-16 18:53]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com

mSearch Bar = hxxp://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarLM/YSetSearch/2007/11/18/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-05 12:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

OOBEDDDemise = cmd /x /c erase c:\windows\System32\oobe\msoobe.exe??????????????????????C?w?????????????????????????%??????????????i?wis???????????H???????????????????????????*&?|l????&?|??-w????????????????????????????????????????????????????`??????????????|?&?|?????&?|B%?|???????????????????|?$?|??????-wC

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(976)

c:\program files\SiteAdvisor\6253\saHook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\Common Files\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\program files\McAfee\VirusScan\Mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\system32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Logitech\Video\FxSvr2.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-05 12:48 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-05 19:48

ComboFix2.txt 2009-09-05 17:44

Pre-Run: 80,965,263,360 bytes free

Post-Run: 80,924,160,000 bytes free

208 --- E O F --- 2009-08-26 18:05

Upload was successful


  • Staff

Hi,

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.


ComboFix is uninstalled successfully.

Update on the previous post: I was able to copy the C:\Qoobox\Quarantine\[8]-Submit_date_time.zip file from her PC onto the flash drive and uploaded it to BleepingComputer from my laptop. I pasted this thread as the source.

Avira is active, and I am able to log onto Windows from my wife's profile, mine and the Guest profile. I did a reboot and everything looks fine, except for Internet Explorer. It's not working.

I had been wanting to switch her computer over to another browser anyway, possibly Chrome. She primarily just uses her computer to browse and email, go to Facebook, etc., so I thought Chrome might be a good choice for her to browse with. What do you think? (Sorry for asking another question while we are still working on the problem.)


  • Staff

Hi,

Please uninstall McAfee: since you have Avira, you can't have McAfee on top of it. More than one antivirus and firewall causes a lot of problems, since they are not compatible...

So please uninstall McAfee AV+Firewall

Reboot afterwards.

It's possible that your IE works again afterwards.

If not, please explain the "IE not working" issue. What error do you get? Or what do you get?

Chrome is great, but I prefer Firefox ;)


Ok, McAfee is completely uninstalled. Is there anything else I should uninstall or delete?

In addition to Avira, I had installed MBAM. There's not a conflict between having these two, is there?

For the IE problem: this started happening during the infection a few days ago, when IE just stopped working. When I click on the IE icon, I get this:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."


  • Staff
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
Ok, in that case, it's a permissions issue and you need to take ownership.

I already posted the fr33.exe earlier, so you can use that for it.

Browse to the C:\Program Files\Internet Explorer folder and find iexplore.exe in there. Place the fr33.exe next to it and drag the iexplore.exe into fr33.exe.

This should unlock the file.

Or, in case it interests you how to do this manually and take ownership of locked files, please see here (XP/Vista) for more info. Note: on XP Home, the "Security" tab is only visible in Safe Mode. In case there's no Security tab in XP Pro, please see here (XP Pro).

But it's not needed to do it manually if you use fr33.exe to "unlock" the files instead.


Thanks! I will give that a try with IE and the fr33 unlock.

It worked! IE seems to run fine now.

About MBAM and Avira: is it OK to have both installed?

I had posted an earlier question that I wanted to see if you can answer:

During normal use, what is the correct procedure when Avira (or MBAM) has a detection? Quarantine or delete?

If something is quarantined, what exactly does that mean? When are the malicious files actually removed?

Also, is it OK if I do a system scan now with Avira and/or Malwarebytes?


  • Staff

Hi,

Yes, it's Ok to have both installed since mbam is compatible with every Antivirus. Mbam is an addition to your existing Antivirus.

For a detection, the best action is to quarantine. Quarantine means it puts the malware in quarantine (makes it inactive and puts it into an isolated folder). Quarantine is recommended in case of false positives, because every scanner suffers from them. So, when it's in quarantine, you can always restore it again in case of a false positive.

It's a good idea to delete the contents of the quarantine (there's an option for that in every scanner) once a month or so.

Yes, please go ahead and scan with MBAM and Avira. Don't scan with both at the same time though, because it will be really slow then.

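As an added example (not code from the original thread, and not Avira's or Malwarebytes' own quarantine implementation), the following PowerShell script does for a single file what the reply above describes: the detected file is moved into an isolated folder under a random, non-executable name instead of being deleted; its original path and SHA-256 are recorded in a manifest so a false positive can be restored unchanged; and a purge routine removes entries older than a set age, which is the "empty the quarantine once a month" step. The store path C:\Quarantine, the manifest file name and the 30-day default are assumptions, as is an elevated PowerShell 5.1 or later prompt.

```powershell
# Added example, not Avira's or Malwarebytes' code. A minimal quarantine store:
# the detected file is moved, not deleted, into an isolated folder, stored under
# a random non-executable name, and recorded so that a false positive can be
# restored and stale entries can be purged. Assumes an elevated PowerShell 5.1
# prompt; the store path and manifest name are illustrative.

$QuarantineRoot = 'C:\Quarantine'
$Manifest       = Join-Path $QuarantineRoot 'manifest.csv'

function Initialize-Quarantine {
    if (Test-Path -LiteralPath $QuarantineRoot) { return }
    New-Item -ItemType Directory -Path $QuarantineRoot | Out-Null
    # Isolated means isolated: drop inherited ACEs and allow only Administrators and SYSTEM.
    $acl = Get-Acl -LiteralPath $QuarantineRoot
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -LiteralPath $QuarantineRoot -AclObject $acl
}

function Save-Manifest([object[]]$Entries) {
    # Rewrite the manifest, or remove it when nothing is left in the store.
    if ($Entries.Count -gt 0) { $Entries | Export-Csv -LiteralPath $Manifest -NoTypeInformation }
    elseif (Test-Path -LiteralPath $Manifest) { Remove-Item -LiteralPath $Manifest -Force }
}

function Invoke-Quarantine {
    param([Parameter(Mandatory)][string]$Path, [string]$Detection = 'unspecified')
    Initialize-Quarantine
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # A random name with a .qua extension: nothing opens it by double-click and
    # the original file name no longer matters inside the store.
    $id = [guid]::NewGuid().ToString('N')
    Move-Item -LiteralPath $Path -Destination (Join-Path $QuarantineRoot "$id.qua") -Force
    [pscustomobject]@{
        Id            = $id
        OriginalPath  = $Path
        Sha256        = $hash
        Detection     = $Detection
        QuarantinedAt = (Get-Date).ToString('o')
    } | Export-Csv -LiteralPath $Manifest -Append -NoTypeInformation
    return $id
}

function Restore-Quarantined {
    # For a confirmed false positive: put the file back exactly where it came from.
    param([Parameter(Mandatory)][string]$Id)
    $all   = @(Import-Csv -LiteralPath $Manifest)
    $entry = $all | Where-Object Id -eq $Id
    if (-not $entry) { throw "no quarantine entry with id $Id" }
    $src = Join-Path $QuarantineRoot "$Id.qua"
    # Never restore something that changed while it sat in the store.
    if ((Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash -ne $entry.Sha256) {
        throw "quarantined file $Id no longer matches its recorded hash; not restoring"
    }
    Move-Item -LiteralPath $src -Destination $entry.OriginalPath
    Save-Manifest @($all | Where-Object Id -ne $Id)
}

function Clear-Quarantine {
    # The periodic clean-out: delete entries older than $Days and rewrite the manifest.
    param([int]$Days = 30)
    if (-not (Test-Path -LiteralPath $Manifest)) { return }
    $cutoff = (Get-Date).AddDays(-$Days)
    $keep = foreach ($e in (Import-Csv -LiteralPath $Manifest)) {
        if ([datetime]$e.QuarantinedAt -lt $cutoff) {
            Remove-Item -LiteralPath (Join-Path $QuarantineRoot "$($e.Id).qua") -Force -ErrorAction SilentlyContinue
        } else { $e }
    }
    Save-Manifest @($keep)
}

# Usage (paths illustrative):
#   $id = Invoke-Quarantine -Path 'C:\Program Files\Protection System\firewall.dll' -Detection 'TR/PCK.Tdss.Y.387'
#   Restore-Quarantined -Id $id     # only if it turned out to be a false positive
#   Clear-Quarantine -Days 30
```

This handles only the file. A real product also terminates the process that loaded the file and removes the autostart entry that points at it; otherwise the next boot just fails on a missing file. The restore step compares the hash recorded at quarantine time, so a sample that was modified inside the store is never put back.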

Thanks for explaining the quarantine.

I tried running MBAM first but got an error message that says Runtime Error 5, then it closed. I have a screenshot, but I can't upload it due to the file size.

MBAM was scanning C:\Windows\system32\zipfldr.dll when it stopped with the runtime error.

I then tried Avira and it is scanning; it is currently showing 7 warnings and 1 detection.

Once the Avira Scan completes what should I do?


  • Staff

You may need to uninstall and redownload/reinstall mbam again.

For the Avira detection, please quarantine it.

For the warnings, in most cases it's nothing to worry about, as it's not always malware but often just some locked files.

In either way, once the Avira scan has finished, select "reports".

There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.


I'm waiting to uninstall MBAM until after you have a look at this. I didn't want to change anything on the PC in case there is a problem.

Here is the Avira Scan log

Avira AntiVir Personal

Report file date: Saturday, September 05, 2009 14:10

Scanning for 1684065 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : HEATSBOX

Version information:

BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00

AVSCAN.EXE : 9.0.3.7 466689 Bytes 9/5/2009 20:59:38

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 17:21:42

ANTIVIR2.VDF : 7.1.5.201 3414528 Bytes 9/3/2009 22:21:08

ANTIVIR3.VDF : 7.1.5.209 43520 Bytes 9/4/2009 22:21:09

Engineversion : 8.2.1.8

AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 21:31:50

AESCRIPT.DLL : 8.1.2.27 467321 Bytes 9/4/2009 22:21:20

AESCN.DLL : 8.1.2.5 127346 Bytes 9/4/2009 22:21:18

AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 17:59:39

AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 21:31:50

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 17:59:39

AEHEUR.DLL : 8.1.0.155 1921400 Bytes 9/4/2009 22:21:17

AEHELP.DLL : 8.1.7.0 237940 Bytes 9/4/2009 22:21:13

AEGEN.DLL : 8.1.1.60 364915 Bytes 9/4/2009 22:21:12

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 22:32:40

AECORE.DLL : 8.1.7.8 184692 Bytes 9/4/2009 22:21:10

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 18:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58

RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 18:19:48

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:, F:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: Saturday, September 05, 2009 14:10

Starting search for hidden objects.

'47469' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'FxSvr2.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'msmsgs.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'LogiTray.exe' - '1' Module(s) have been scanned

Scan process 'LVCOMSX.EXE' - '1' Module(s) have been scanned

Scan process 'YMailAdvisor.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'SearchProtection.exe' - '1' Module(s) have been scanned

Scan process 'SiteAdv.exe' - '1' Module(s) have been scanned

Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'soundman.exe' - '1' Module(s) have been scanned

Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned

Scan process 'shwiconEM.exe' - '1' Module(s) have been scanned

Scan process 'YahooAUService.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'PRISMXL.SYS' - '1' Module(s) have been scanned

Scan process 'mdm.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

41 processes with 41 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Master boot sector HD2

[INFO] No virus was found!

Master boot sector HD3

[INFO] No virus was found!

Master boot sector HD4

[INFO] No virus was found!

Master boot sector HD5

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Boot sector 'F:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '76' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Documents and Settings\Rob\Desktop\GetaRoot.exe

[WARNING] The file could not be opened!

C:\Program Files\Internet Explorer\iexplore.exe

[WARNING] The file could not be opened!

C:\Program Files\Protection System\firewall.dll

[DETECTION] Is the TR/PCK.Tdss.Y.387 Trojan

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

[WARNING] The file could not be opened!

C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[WARNING] The file could not be opened!

C:\WINDOWS\system32\dumprep.exe

[WARNING] The file could not be opened!

Begin scan in 'D:\' <RECOVERY>

Begin scan in 'F:\'

Beginning disinfection:

C:\Program Files\Protection System\firewall.dll

[DETECTION] Is the TR/PCK.Tdss.Y.387 Trojan

[NOTE] The file was moved to '4b14e487.qua'!

End of the scan: Saturday, September 05, 2009 15:20

Used time: 1:09:21 Hour(s)

The scan has been done completely.

12717 Scanned directories

557821 Files were scanned

1 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

1 Files were moved to quarantine

0 Files were renamed

7 Files cannot be scanned

557813 Files not concerned

20801 Archives were scanned

7 Warnings

3 Notes

47469 Objects were scanned with rootkit scan

0 Hidden objects were found


  • Staff

Hi,

[NOTE] This file cannot be opened for scanning.

C:\Documents and Settings\Rob\Desktop\GetaRoot.exe

[WARNING] The file could not be opened!

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

[WARNING] The file could not be opened!

C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[WARNING] The file could not be opened!

C:\WINDOWS\system32\dumprep.exe

[WARNING] The file could not be opened!

The files I marked in bold are locked. To unlock them, you can also use fr33.exe on them.

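The reply above and the earlier one recommending that you take ownership of iexplore.exe describe the same repair: the files Avira could not open as SYSTEM, and the one Explorer refuses to start with "Windows cannot access the specified device, path, or file", have ACLs that no longer grant the access a stock install has. As an added example (not from the original thread, and not fr33.exe), this PowerShell script shows how to do it without the helper from an elevated prompt on Windows Vista or later, where takeown.exe and icacls.exe ship with the OS (they are not guaranteed to be present on XP). It summarises the current ACL (owner, whether inheritance is on, any explicit Deny entries, and whether SYSTEM can read the file, which is what a scanner running as SYSTEM needs), refuses to unlock a file whose Authenticode signature is not valid unless you pass -Force, then uses takeown.exe /A and icacls.exe /reset to hand the file back to Administrators and re-apply the parent folder's inherited ACL. The default path list is taken from the Avira log above; the signature check and the -Force switch are this example's own choices.

```powershell
# Added example, not code from the original thread and not fr33.exe.
# Repairs the ACL on files that Windows refuses to open or that a scanner
# running as SYSTEM logs as "could not be opened". Assumes an elevated
# PowerShell prompt on Windows Vista or later (takeown.exe and icacls.exe
# are part of those releases).

param(
    # Default list taken from the Avira log; edit to suit.
    [string[]]$Paths = @(
        'C:\Program Files\Internet Explorer\iexplore.exe',
        'C:\Program Files\Trend Micro\HijackThis\HijackThis.exe',
        'C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe',
        'C:\WINDOWS\system32\dumprep.exe'
    ),
    # Unlock even when the file carries no valid Authenticode signature.
    [switch]$Force
)

function Get-AclSummary {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $systemRead = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    [pscustomobject]@{
        Owner      = $acl.Owner
        Inherits   = -not $acl.AreAccessRulesProtected
        DenyAces   = @($acl.Access | Where-Object AccessControlType -eq 'Deny' |
                       ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" })
        SystemRead = [bool]$systemRead
    }
}

function Repair-LockedFile {
    param([string]$Path, [switch]$Force)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "not found: $Path"
        return
    }
    # Only hand a file back to the user if you trust what it is; unlocking is
    # exactly what a malicious file would want, so this check goes first.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid' -and -not $Force) {
        Write-Warning "$Path signature status is '$($sig.Status)'; rerun with -Force to unlock anyway"
        return
    }
    $before = Get-AclSummary $Path
    # Give ownership to the Administrators group (/A), then drop every explicit
    # ACE, Deny entries included, and re-enable inheritance so the file gets its
    # parent folder's ACL back, which is what a stock install has.
    & takeown.exe /F $Path /A | Out-Null
    & icacls.exe $Path /reset | Out-Null
    $after = Get-AclSummary $Path
    [pscustomobject]@{
        Path   = $Path
        Signer = $sig.SignerCertificate.Subject
        Before = $before
        After  = $after
        Fixed  = ($after.DenyAces.Count -eq 0 -and $after.SystemRead)
    }
}

foreach ($p in $Paths) { Repair-LockedFile -Path $p -Force:$Force }
```

Run it once before touching anything with only the Get-AclSummary call on each path if you want to see what was actually changed on the file; an explicit Deny entry for Everyone or for the user is the usual reason for the "appropriate permissions" error, and a missing or denied SYSTEM entry is why a scanner running as SYSTEM reports the file as unopenable. Tools like HijackThis and GetaRoot.exe may not carry a signature the check accepts, which is what -Force is for.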
