
Difficulty removing trojans on malwarebytes



Hi,

I have been having trouble removing some trojans after multiple malware bytes and virus scans.

Here are the logs that are requested. Thank you in advance.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4121

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/22/2010 9:17:38 PM

mbam-log-2010-05-22 (21-17-38).txt

Scan type: Quick scan

Objects scanned: 126882

Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

C:\WINDOWS\Temp\90008102.tmp (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\90008102.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Attach.zip

ark.zip


Hi and welcome back to the Malwarebytes forums. :D

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please DO NOT run any other tools or scans, or install software other than that which I ask you to, whilst I am helping you.
  5. It is important that you reply to this thread. Do not start a new topic.
  6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  7. Absence of symptoms does not mean that everything is clear.

NOTE: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.

================================================

Gmer

Download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

    See image below

    GMER_2.png

  • Then click the Scan button & wait for it to finish
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Note: Do not run any programs while Gmer is running.


Actually, scratch that: that was the DDS I attached in the first post. Duh!

Here is the GMER. My apologies, and thank you!

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-22 20:34:45

Windows 5.1.2600 Service Pack 3

Running: rtoj2o79.exe; Driver: C:\DOCUME~1\Bandlady\LOCALS~1\Temp\ufrdqpog.sys

---- Kernel code sections - GMER 1.0.15 ----

? rboji.sys The system cannot find the file specified. !

? C:\WINDOWS\system32\drivers\pmiwvaw.sys A device attached to the system is not functioning.

PAGE Ntfs.sys F73D2E55 4 Bytes CALL 86F154D9

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3328] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86FAC010

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat BAFA1D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] pmiwvaw <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\pmiwvaw@Type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\pmiwvaw@Start 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\pmiwvaw@ErrorControl 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\pmiwvaw@Group Boot Bus Extender

Reg HKLM\SYSTEM\ControlSet003\Services\pmiwvaw@Type 1

Reg HKLM\SYSTEM\ControlSet003\Services\pmiwvaw@Start 0

Reg HKLM\SYSTEM\ControlSet003\Services\pmiwvaw@ErrorControl 0

Reg HKLM\SYSTEM\ControlSet003\Services\pmiwvaw@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----

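Triage of the GMER output above, as an added example that is not part of this thread or of GMER itself: it correlates the hidden-service line with the Services registry values and the kernel-code-section driver-file errors, so the conclusion a helper reads off the log (a hidden boot-start kernel driver in the Boot Bus Extender group whose file cannot be read) is computed rather than eyeballed. The sample lines are copied from the log posted above; the function names are this example's own.

```python
"""Triage helper for a GMER rootkit-scan log (added example, not GMER's code).
Correlates GMER's hidden-service line, its Services registry lines and its
kernel-code-section driver-file errors. Function names are this example's
own; the sample lines are copied from the log posted in this thread."""
import re

# Constructed sample: a subset of the GMER log posted in this thread.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-22 20:34:45
---- Kernel code sections - GMER 1.0.15 ----
? rboji.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\pmiwvaw.sys A device attached to the system is not functioning.
PAGE Ntfs.sys F73D2E55 4 Bytes CALL 86F154D9
---- Services - GMER 1.0.15 ----
Service (*** hidden *** ) [BOOT] pmiwvaw <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmiwvaw@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmiwvaw@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmiwvaw@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmiwvaw@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\pmiwvaw@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\pmiwvaw@Start 0
---- EOF - GMER 1.0.15 ----
"""

# Service "Start" values, SERVICE_BOOT_START (0) through SERVICE_DISABLED (4).
START_LABELS = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
SERVICE_KERNEL_DRIVER = 1  # "Type" value of a kernel-mode driver

HIDDEN_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(?P<tag>\w+)\] (?P<name>\S+)")
REG_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<name>[^@\\]+)@(?P<value>\w+) (?P<data>.*)$"
)
DRIVER_ERR_RE = re.compile(r"^\? (?P<path>\S+) (?P<msg>.+?)\s*!?\s*$")


def parse_gmer_log(text):
    """Return (hidden services, registry values per service and control set, driver-file errors)."""
    hidden, reg, errors = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = HIDDEN_RE.match(line)
        if m:
            hidden[m["name"].lower()] = {"name": m["name"], "tag": m["tag"].upper()}
            continue
        m = REG_RE.match(line)
        if m:
            # Keep control sets apart: the log shows the same keys in more than one.
            reg.setdefault(m["name"].lower(), {}).setdefault(m["cs"], {})[m["value"]] = m["data"]
            continue
        m = DRIVER_ERR_RE.match(line)
        if m:
            errors.append((m["path"], m["msg"]))
    return hidden, reg, errors


def _int_or_none(value):
    return int(value) if value is not None and value.isdigit() else None


def triage_hidden_services(text):
    """One finding per hidden service, enriched with its registry and driver-file state."""
    hidden, reg, errors = parse_gmer_log(text)
    findings = []
    for key, rec in hidden.items():
        per_cs = reg.get(key, {})
        # Prefer the live control set; otherwise take whichever one GMER listed.
        values = per_cs.get("CurrentControlSet") or next(iter(per_cs.values()), {})
        start = _int_or_none(values.get("Start"))
        group = values.get("Group")
        # Match "<name>.sys" whether GMER printed a full path or a bare file name.
        driver_errors = [msg for path, msg in errors
                         if path.lower().rsplit("\\", 1)[-1] == key + ".sys"]
        findings.append({
            "service": rec["name"],
            "start": start,
            "start_label": START_LABELS.get(start, "unknown"),
            "group": group,
            "kernel_driver": _int_or_none(values.get("Type")) == SERVICE_KERNEL_DRIVER,
            # Boot Bus Extender is one of the earliest load-order groups, so a
            # boot-start driver there is running before filesystem filters and AV.
            "loads_before_av": start == 0 and group == "Boot Bus Extender",
            "control_sets": sorted(per_cs),
            "driver_errors": driver_errors,
        })
    return findings


def format_finding(finding):
    errs = "; ".join(finding["driver_errors"]) or "driver file readable"
    return (f"{finding['service']}: hidden, Start={finding['start']} ({finding['start_label']}), "
            f"Group={finding['group']}, kernel driver={finding['kernel_driver']}, "
            f"control sets={', '.join(finding['control_sets'])}, file: {errs}")


if __name__ == "__main__":
    for finding in triage_hidden_services(SAMPLE_LOG):
        print(format_finding(finding))
```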

Hi

Thanks for that.

ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    For instructions on how to disable your security programs, please see this topic:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.

A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own.

This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper.


ComboFix 10-05-22.01 - Bandlady 05/22/2010 20:53:17.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.696 [GMT -4:00]

Running from: c:\documents and settings\Bandlady\My Documents\Downloads\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Bandlady\Local Settings\Application Data\{A9E7E9B9-F85B-4DD8-9B35-379A48D6BF5F}

c:\documents and settings\Bandlady\Local Settings\Application Data\{A9E7E9B9-F85B-4DD8-9B35-379A48D6BF5F}\chrome.manifest

c:\documents and settings\Bandlady\Local Settings\Application Data\{A9E7E9B9-F85B-4DD8-9B35-379A48D6BF5F}\chrome\content\_cfg.js

c:\documents and settings\Bandlady\Local Settings\Application Data\{A9E7E9B9-F85B-4DD8-9B35-379A48D6BF5F}\chrome\content\overlay.xul

c:\documents and settings\Bandlady\Local Settings\Application Data\{A9E7E9B9-F85B-4DD8-9B35-379A48D6BF5F}\install.rdf

c:\windows\iduredoxira.dll

c:\windows\system32\drivers\abbora.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_VAPSpy

-------\Service_fqgi

-------\Service_VAPSpy

((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))

.

2010-05-21 02:19 . 2010-05-21 02:19 503808 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\msvcp71.dll

2010-05-21 02:19 . 2010-05-21 02:19 499712 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\jmc.dll

2010-05-21 02:19 . 2010-05-21 02:19 348160 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\msvcr71.dll

2010-05-21 02:19 . 2010-05-21 02:19 12800 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-371df80f-n\decora-d3d.dll

2010-05-21 02:19 . 2010-05-21 02:19 61440 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-371df80f-n\decora-sse.dll

2010-05-21 02:19 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-05-21 02:18 . 2010-05-21 02:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-05-21 02:18 . 2010-05-21 02:18 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-05-21 02:18 . 2010-05-21 02:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-05-21 02:18 . 2010-05-21 02:18 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-21 02:18 . 2010-05-22 21:46 -------- d-----w- c:\windows\system32\drivers\Avg

2010-05-19 11:42 . 2010-05-20 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-05-19 11:42 . 2010-05-19 11:42 -------- d-----w- c:\program files\Alwil Software

2010-05-15 20:58 . 2010-05-22 22:26 120 ----a-w- c:\windows\Gwudogisey.dat

2010-05-15 20:58 . 2010-05-22 13:24 0 ----a-w- c:\windows\Mricahowil.bin

2010-05-15 20:56 . 2010-05-23 00:58 755200 ----a-w- c:\windows\system32\drivers\pmiwvaw.sys

2010-05-15 20:56 . 2010-05-15 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-22 22:52 . 2009-11-29 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-05-21 02:19 . 2004-01-28 16:27 -------- d-----w- c:\program files\Common Files\Java

2010-05-21 02:18 . 2004-01-28 16:27 -------- d-----w- c:\program files\Java

2010-05-21 02:14 . 2009-06-02 17:05 -------- d-----w- c:\program files\AVG

2010-05-20 21:23 . 2004-07-14 04:12 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-20 21:23 . 2004-07-14 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-17 11:46 . 2010-01-08 15:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-17 11:40 . 2009-06-02 17:09 -------- d-----w- c:\program files\CCleaner

2010-05-16 10:50 . 2010-05-16 10:50 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\qvjsge.dat

2010-05-15 20:56 . 2010-05-15 20:56 20 ----a-w- c:\documents and settings\NetworkService\Application Data\qvjsge.dat

2010-04-29 19:39 . 2010-03-27 01:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2010-03-27 01:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-02 22:13 . 2010-04-02 22:13 388096 ----a-r- c:\documents and settings\Bandlady\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-04-02 22:13 . 2010-04-02 22:13 -------- d-----w- c:\program files\TrendMicro

2010-04-02 13:50 . 2010-02-25 15:19 0 ----a-w- c:\documents and settings\Bandlady\Local Settings\Application Data\prvlcl.dat

2010-03-28 00:24 . 2010-03-28 00:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer

2010-03-10 06:15 . 2002-08-29 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-24 13:11 . 2002-08-29 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]

"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-05-21 02:18 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-07-10 14:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]

cmsttmac REG_SZ c:\windows\system32\cmddupd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/20/2010 10:18 PM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/20/2010 10:18 PM 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [5/20/2010 10:16 PM 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/20/2010 10:16 PM 308064]

--- Other Services/Drivers In Memory ---

*Deregistered* - pmiwvaw

.

Contents of the 'Scheduled Tasks' folder

2004-02-04 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-05-23 c:\windows\Tasks\User_Feed_Synchronization-{6C8CFF52-5244-4E20-9804-72B3CC883E3B}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ask.com/?o=20011&l=dis

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

Trusted Zone: aol.com\free

FF - ProfilePath - c:\documents and settings\Bandlady\Application Data\Mozilla\Firefox\Profiles\og4r9c14.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Bandlady\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Nfizokaratiqef - c:\windows\iduredoxira.dll

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-22 20:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pmiwvaw]

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2432)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Dell AIO Printer A940\dlbabmon.exe

c:\windows\TEMP\90008102.tmp

.

**************************************************************************

.

Completion time: 2010-05-22 21:02:03 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-23 01:02

ComboFix2.txt 2003-09-19 09:16

Pre-Run: 101,243,703,296 bytes free

Post-Run: 101,280,669,696 bytes free

- - End Of File - - 1529233ED68817B4D286F9C614048047


COMBOFIX-Script

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    File::
    c:\windows\Gwudogisey.dat
    c:\windows\Mricahowil.bin
    c:\windows\system32\config\systemprofile\Application Data\qvjsge.dat
    c:\documents and settings\NetworkService\Application Data\qvjsge.dat
    c:\windows\TEMP\90008102.tmp

    Driver::
    pmiwvaw

    Rootkit::
    c:\windows\system32\drivers\pmiwvaw.sys


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    CFScriptB-4.gif
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

================

After reboot and ComboFix has finished and produced its log:

================

Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.
    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.

Failure to reboot will prevent MBAM from removing all the malware.

SystemLook

Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    rboji.*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Check a file

  • Go to VirusTotal or Jotti's
    c:\windows\system32\cmddupd.dll

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
    NOTE: if you receive a message stating:
    • File has already been analyzed,(VirusTotal) click Reanalyze file Now.
    • File has been scanned before(Jotti), click Scan again.

  • After a while, a window will open, with details of what the scans found.
  • Copy and paste the results into your next reply.

In your next reply:

  1. Combofix.txt
  2. MBAM log
  3. SystemLook.txt
  4. VirusTotal results


Hi,

For the virus total, you said I was to paste this file into the upload a file box right? c:\windows\system32\cmddupd.dll

It is not reading it; it gives me an error that says "file not found".

Should I try it in another tab, such as Hash search? Thanks


Ok, thanks.

ComboFix 10-05-22.01 - Bandlady 05/24/2010 13:43:19.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.459 [GMT -4:00]

Running from: c:\documents and settings\Bandlady\My Documents\Downloads\ComboFix.exe

Command switches used :: c:\documents and settings\Bandlady\Desktop\cfscript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\documents and settings\NetworkService\Application Data\qvjsge.dat"

"c:\windows\Gwudogisey.dat"

"c:\windows\Mricahowil.bin"

"c:\windows\system32\config\systemprofile\Application Data\qvjsge.dat"

"c:\windows\TEMP\90008102.tmp"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\NetworkService\Application Data\qvjsge.dat

c:\windows\Gwudogisey.dat

c:\windows\Mricahowil.bin

c:\windows\system32\config\systemprofile\Application Data\qvjsge.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PMIWVAW

-------\Service_pmiwvaw

((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))

.

2010-05-21 02:19 . 2010-05-21 02:19 503808 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\msvcp71.dll

2010-05-21 02:19 . 2010-05-21 02:19 499712 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\jmc.dll

2010-05-21 02:19 . 2010-05-21 02:19 348160 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\msvcr71.dll

2010-05-21 02:19 . 2010-05-21 02:19 12800 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-371df80f-n\decora-d3d.dll

2010-05-21 02:19 . 2010-05-21 02:19 61440 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-371df80f-n\decora-sse.dll

2010-05-21 02:19 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-05-21 02:18 . 2010-05-21 02:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-05-21 02:18 . 2010-05-21 02:18 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-05-21 02:18 . 2010-05-21 02:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-05-21 02:18 . 2010-05-21 02:18 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-21 02:18 . 2010-05-24 16:29 -------- d-----w- c:\windows\system32\drivers\Avg

2010-05-19 11:42 . 2010-05-20 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-05-19 11:42 . 2010-05-19 11:42 -------- d-----w- c:\program files\Alwil Software

2010-05-15 20:56 . 2010-05-15 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-22 22:52 . 2009-11-29 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-05-21 02:19 . 2004-01-28 16:27 -------- d-----w- c:\program files\Common Files\Java

2010-05-21 02:18 . 2004-01-28 16:27 -------- d-----w- c:\program files\Java

2010-05-21 02:14 . 2009-06-02 17:05 -------- d-----w- c:\program files\AVG

2010-05-20 21:23 . 2004-07-14 04:12 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-20 21:23 . 2004-07-14 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-17 11:46 . 2010-01-08 15:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-17 11:40 . 2009-06-02 17:09 -------- d-----w- c:\program files\CCleaner

2010-04-29 19:39 . 2010-03-27 01:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2010-03-27 01:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-02 22:13 . 2010-04-02 22:13 388096 ----a-r- c:\documents and settings\Bandlady\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-04-02 22:13 . 2010-04-02 22:13 -------- d-----w- c:\program files\TrendMicro

2010-04-02 13:50 . 2010-02-25 15:19 0 ----a-w- c:\documents and settings\Bandlady\Local Settings\Application Data\prvlcl.dat

2010-03-28 00:24 . 2010-03-28 00:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer

2010-03-10 06:15 . 2002-08-29 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-24 13:11 . 2002-08-29 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-05-23_00.58.29 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-05-24 17:49 . 2010-05-24 17:49 16384 c:\windows\Temp\Perflib_Perfdata_190.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]

"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-05-21 02:18 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-07-10 14:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]

cmsttmac REG_SZ c:\windows\system32\cmddupd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/20/2010 10:18 PM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/20/2010 10:18 PM 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [5/20/2010 10:16 PM 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/20/2010 10:16 PM 308064]

.

Contents of the 'Scheduled Tasks' folder

2004-02-04 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-05-24 c:\windows\Tasks\User_Feed_Synchronization-{6C8CFF52-5244-4E20-9804-72B3CC883E3B}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ask.com/?o=20011&l=dis

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

Trusted Zone: aol.com\free

FF - ProfilePath - c:\documents and settings\Bandlady\Application Data\Mozilla\Firefox\Profiles\og4r9c14.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Bandlady\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-24 13:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3908)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Dell AIO Printer A940\dlbabmon.exe

.

**************************************************************************

.

Completion time: 2010-05-24 13:52:43 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-24 17:52

ComboFix2.txt 2010-05-23 01:02

ComboFix3.txt 2003-09-19 09:16

Pre-Run: 101,272,936,448 bytes free

Post-Run: 101,228,949,504 bytes free

- - End Of File - - D3FB3D4404CB7053EF5E8465B75FB45C

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4139

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/24/2010 2:01:11 PM

mbam-log-2010-05-24 (14-01-11).txt

Scan type: Quick scan

Objects scanned: 127494

Time elapsed: 5 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 14:04 on 24/05/2010 by Bandlady (Administrator - Elevation successful)

========== filefind ==========

Searching for "rboji.*"

No files found.

-=End Of File=-


Hi

Good, that looks better. How are things running?

Uninstall Programs

  • Click on Start
  • Click on Control Panel
  • Double click the icon Add/Remove Programs
  • Click on the program below and click Remove

Java 2 Runtime Environment, SE v1.4.2

Update Adobe Reader

Your Adobe Reader is out of date.

Older versions may have vulnerabilities that malware can use to infect your system.

Please download Adobe Reader 9.3 to your PC's desktop.

  • Uninstall via Start > Control Panel > Add/Remove Programs:
    Adobe Reader 7.0
  • Install the new downloaded updated software.
  • Then, using the internal updater, update the software to the current increment 9.3.2
    • Open Adobe Reader, go to Help > Check for updates and allow the updater to check.
    • If updates are found, click Show Details and check the boxes to download and install any necessary updates.

TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Hi,

Things seem to be running fine, except ESET still detected 5 items, as you'll see below.

I uninstalled adobe reader, but should I do anything with my other adobe programs that I have installed?

For the ESET scan, I copied the list of files to Notepad. I didn't see any other options for saving a log file, so I hope this is what you needed.

C:\Documents and Settings\All Users\Application Data\WinSoftware\WinAntiVirus 2005\Quarantine\Install_AIM.exezvsrtkjp Win32/Adware.WBug.A application

C:\Qoobox\Quarantine\C\WINDOWS\iduredoxira.dll.vir a variant of Win32/Cimag.CK trojan

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\pmiwvaw.sys.vir a variant of Win32/Rootkit.Kryptik.BI trojan

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP5\A0006495.dll a variant of Win32/Cimag.CK trojan

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP6\A0006716.sys a variant of Win32/Rootkit.Kryptik.BI trojan

Thanks


Hi

I'll give you more information soon about updating non-Microsoft programs such as the various Adobe programs.

4 of the ESET detections I expected, so nothing to worry about too much. :D

Trusted Sites.

The CFScript below will remove AOL.com from the list of trusted sites.

It is not advisable to give sites "trusted" status as it lowers your protection for sites in this zone. Even legitimate sites can be hacked. Visiting these sites whilst they are compromised would leave you at a greater risk of infection whilst they have trusted status.

COMBOFIX-Script

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    File:: 
    c:\windows\system32\cmddupd.dll

    Folder::
    C:\Documents and Settings\All Users\Application Data\WinSoftware

    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    "cmsttmac"=-

    DDS::
    Trusted Zone: aol.com\free


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    CFScriptB-4.gif
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

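A triage helper for the "Reg Loading Points" section of a ComboFix log, added here as an example; it is not code from this thread, from ComboFix or from the helper. It flags the kinds of entries the CFScript above acts on (the AppCertDlls loader, the Security Center AntiVirusOverride, the suppressed firewall notifications and firewall exceptions, and the Trusted Zone entry); the sample lines are constructed to match the shape of the log posted in this thread.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example: not code from the thread, from ComboFix or from the helper.
It flags the kinds of entries the CFScript above removes.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed sample, shaped like the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
cmsttmac REG_SZ c:\windows\system32\cmddupd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/20/2010 10:18 PM 216200]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=20011&l=dis
Trusted Zone: aol.com\free
"""

KEY_RE = re.compile(r"^\[([^\]]+)\]$")               # [HKLM\...] section header
SERVICE_RE = re.compile(r"^[RS]\d ")                  # R1/R2/S3 driver and service lines
FW_EXCEPTION_RE = re.compile(r'^"([^"]+)"=$')         # "path"= under AuthorizedApplications\List
APPCERT_RE = re.compile(r"^(\S+)\s+REG_SZ\s+(.+)$")   # value REG_SZ dll-path


@dataclass
class Finding:
    category: str   # short label used for counting
    key: str        # registry key the line was listed under ('' outside the registry dump)
    target: str     # the DLL, program, site or value the entry points at
    why: str        # why a defender should look at it


def iter_entries(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (current_key, line) for every value line, tracking the enclosing [key] header."""
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in (".", "REGEDIT4"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        # Driver/service lines and section banners end the registry dump;
        # lines after them no longer belong to the last [key] seen.
        if SERVICE_RE.match(line) or line.startswith("---") or line.startswith("Contents of"):
            key = ""
            continue
        yield key, line


def triage(text: str) -> List[Finding]:
    """Return the entries that weaken protection or load code into other processes."""
    findings: List[Finding] = []
    for key, line in iter_entries(text):
        low = line.lower()
        if low.startswith("trusted zone:"):
            findings.append(Finding("trusted-zone", key, line.split(":", 1)[1].strip(),
                                    "site runs with the relaxed IE Trusted Sites settings"))
            continue
        m = APPCERT_RE.match(line)
        if key.endswith(r"\appcertdlls") and m:
            findings.append(Finding("appcertdll", key, m.group(2).strip(),
                                    "DLL loaded into every process that calls CreateProcess (AppCertDlls)"))
        elif key.endswith("security center") and low == '"antivirusoverride"=dword:00000001':
            findings.append(Finding("security-center", key, line,
                                    "Security Center told not to report antivirus status"))
        elif key.endswith(r"firewallpolicy\standardprofile") and low.startswith('"disablenotifications"= 1'):
            findings.append(Finding("firewall", key, line,
                                    "Windows Firewall block notifications are suppressed"))
        elif key.endswith(r"authorizedapplications\list"):
            m = FW_EXCEPTION_RE.match(line)
            if m:
                findings.append(Finding("firewall-exception", key, m.group(1),
                                        "program is allowed through the Windows Firewall; confirm it is expected"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, e.g. {'appcertdll': 1, ...}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result:
        print(f"[{f.category}] {f.target}  <- {f.why}")
    print(summarize(result))
```

Entries under the Run key are deliberately not flagged: which autostarts are legitimate needs the file dates and sizes the log prints beside them, which this helper does not judge.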

ComboFix 10-05-22.01 - Bandlady 05/24/2010 17:46:55.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.415 [GMT -4:00]

Running from: c:\documents and settings\Bandlady\My Documents\Downloads\ComboFix.exe

Command switches used :: c:\documents and settings\Bandlady\Desktop\cfscript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\windows\system32\cmddupd.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\WinSoftware

c:\documents and settings\All Users\Application Data\WinSoftware\WinAntiVirus 2005\AV.log

.

((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))

.

2010-05-24 21:06 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Bandlady\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-05-24 21:04 . 2010-05-24 21:04 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-05-24 21:03 . 2010-05-24 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-05-24 19:17 . 2010-05-24 19:17 -------- d-----w- c:\program files\ESET

2010-05-21 02:19 . 2010-05-21 02:19 503808 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\msvcp71.dll

2010-05-21 02:19 . 2010-05-21 02:19 499712 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\jmc.dll

2010-05-21 02:19 . 2010-05-21 02:19 348160 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\msvcr71.dll

2010-05-21 02:19 . 2010-05-21 02:19 12800 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-371df80f-n\decora-d3d.dll

2010-05-21 02:19 . 2010-05-21 02:19 61440 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-371df80f-n\decora-sse.dll

2010-05-21 02:19 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-05-21 02:18 . 2010-05-21 02:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-05-21 02:18 . 2010-05-21 02:18 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-05-21 02:18 . 2010-05-21 02:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-05-21 02:18 . 2010-05-21 02:18 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-21 02:18 . 2010-05-24 16:29 -------- d-----w- c:\windows\system32\drivers\Avg

2010-05-19 11:42 . 2010-05-20 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-05-19 11:42 . 2010-05-19 11:42 -------- d-----w- c:\program files\Alwil Software

2010-05-15 20:56 . 2010-05-15 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-24 21:08 . 2004-04-16 01:24 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-24 21:06 . 2009-06-30 13:03 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-05-24 19:07 . 2004-01-28 16:27 -------- d-----w- c:\program files\Common Files\Java

2010-05-22 22:52 . 2009-11-29 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-05-21 02:18 . 2004-01-28 16:27 -------- d-----w- c:\program files\Java

2010-05-21 02:14 . 2009-06-02 17:05 -------- d-----w- c:\program files\AVG

2010-05-20 21:23 . 2004-07-14 04:12 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-20 21:23 . 2004-07-14 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-17 11:46 . 2010-01-08 15:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-17 11:40 . 2009-06-02 17:09 -------- d-----w- c:\program files\CCleaner

2010-04-29 19:39 . 2010-03-27 01:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2010-03-27 01:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-02 22:13 . 2010-04-02 22:13 388096 ----a-r- c:\documents and settings\Bandlady\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-04-02 22:13 . 2010-04-02 22:13 -------- d-----w- c:\program files\TrendMicro

2010-04-02 13:50 . 2010-02-25 15:19 0 ----a-w- c:\documents and settings\Bandlady\Local Settings\Application Data\prvlcl.dat

2010-03-28 00:24 . 2010-03-28 00:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer

2010-03-10 06:15 . 2002-08-29 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-24 13:11 . 2002-08-29 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-05-23_00.58.29 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-05-24 19:15 . 2010-05-24 19:15 16384 c:\windows\Temp\Perflib_Perfdata_1b4.dat

+ 2010-05-24 21:06 . 2010-05-24 21:06 24576 c:\windows\Installer\66487c.msi

+ 2010-05-24 21:06 . 2010-05-24 21:06 27648 c:\windows\Installer\664877.msi

+ 2006-12-02 02:54 . 2006-12-02 02:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll

+ 2006-12-02 02:54 . 2006-12-02 02:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll

+ 2006-12-02 02:54 . 2006-12-02 02:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll

+ 2010-05-24 21:09 . 2010-05-24 21:09 3940352 c:\windows\Installer\664881.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]

"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-05-21 02:18 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-07-10 14:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/20/2010 10:18 PM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/20/2010 10:18 PM 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [5/20/2010 10:16 PM 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/20/2010 10:16 PM 308064]

.

Contents of the 'Scheduled Tasks' folder

2004-02-04 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-05-24 c:\windows\Tasks\User_Feed_Synchronization-{6C8CFF52-5244-4E20-9804-72B3CC883E3B}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ask.com/?o=20011&l=dis

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

FF - ProfilePath - c:\documents and settings\Bandlady\Application Data\Mozilla\Firefox\Profiles\og4r9c14.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Bandlady\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-24 17:52

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-05-24 17:54:07

ComboFix-quarantined-files.txt 2010-05-24 21:54

ComboFix2.txt 2010-05-24 17:52

ComboFix3.txt 2010-05-23 01:02

ComboFix4.txt 2003-09-19 09:16

Pre-Run: 100,932,153,344 bytes free

Post-Run: 100,889,018,368 bytes free

- - End Of File - - B0F9777759CA0029D049A203BEFB0CC4


Hi

Your computer was infected with a ROOTKIT.

A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

Due to its rootkit functionality, it's impossible to tell what may have been done when the system was compromised.

Therefore it may be prudent to:

  1. Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts.
  2. Change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

What are rootkits from Wikipedia

How do I respond to a possible identity theft and how do I prevent it

===============

Your log now appears to be clean.

This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are. If not, please follow the instructions below:

Uninstall Combofix

We Need to Remove ComboFix

  1. Please go to Start -> Run
  2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
    combofix.png
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.

OTC by OldTimer

Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if not, delete it yourself

==========================

General Security and Computer Health

Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. (TIP: Cleaning out temp files can reduce scanning times.)
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
  • Hosts File
    For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE and for more information regarding Hosts files read HERE.
  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
    Suggestions:

    [Please note that trial pay is not needed to get any product for free.]

Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!


This topic is now closed to further replies.