
Having trouble removing malware from PC



Hello,

I've been trying to remove this garbage for the last few days with mixed results. For the most part I could install malwarebytes and everything else, but a few seconds into the run it would be shut down. The only ones allowed to run were rkill.exe and spybot, but even when these were used and said everything was clear, I could tell I was still infected.

The best success I've had was when I went into safe mode, disabled cdrom emulation software with the defogger, then ran gmer rootkit scanner. I have the ark.txt from that if you need it. After the scan, I noticed a set of numbers which was the same exe program I couldn't remove from my task manager. That program was listed as 193536976:2008065164.exe. Up to this point, I had reason to believe that besides what else was on my PC, this program could be what was prompting the Windows Security Center firewall blocks on my anti-malware and anti-virus and shutting them down every time I ran them (I had repeatedly tried renaming and running from an administrator name, but with no success).

Okay, so I killed/deleted that exe file (though I know that doesn't mean the whole thing is gone) and went back through the malwarebytes installation again (plus renaming it) and finally got it to go. Somewhere in all of this I also had installed Avira.

So if I remember right, the original spyware or rkill picked up Win32.FakeAlert.ttam, Win32.Palevo, and MicrosoftWindowsSecurityCenter.FirewallBypass and between Malwarebytes and Avira (can't remember which picked up what) there was TrojanFakeAlert, HijackStartMenuInternet, Win32/PatchLoadA, TR/CryptZPack.Gen2, JAVAStutterX, EXP/JAVA.GimshB.2, EXP/ASF.GetCodoc.Gen, TR/Spy.ZBot.41025 and other similar spybot junk, TR/Kazy.25101.1 and other kazy junk.

Once Malwarebytes was working in safe mode with a quick scan, I did a full scan, and I'm pretty sure it was a full scan with the Avira. Unfortunately this must not have been thorough enough, for when I went back to regular mode, that same exe program was back and the Windows Security Center popups were up again (they were noticeably absent once malwarebytes was working in safe mode). Worse yet, when I went back to safe mode, did defogger, then gmer with a new random link, it shut down the gmer just before it was done with the scan (as I watched it, it was right after posting that same exe program).

I'm not sure where to go from here. I hope gmer isn't done as that had worked well until I screwed it up. I haven't gone into combofix yet because I don't know enough and don't want to mess up the registry more than it already is. Here's the latest DDS.txt, attach.txt, ark.txt and malwarebytes log (quick scan, complete scan). I appreciate the help and hopefully we'll get these things knocked out. Thank you.

Peter

.

DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17

Run by Peter Maves at 15:28:46 on 2011-08-21

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.588 [GMT -5:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Active Virus Shield *Enabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

============== Running Processes ===============

.

C:\WINDOWS\1935363976:2008065164.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\msiexec.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.cnn.com/

uSearch Page =

uDefault_Page_URL = hxxp://www.dell4me.com/myway

uSearch Bar =

mDefault_Page_URL = hxxp://www.dell4me.com/myway

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://www.dell4me.com/myway

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant =

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

uURLSearchHooks: H - No File

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

mURLSearchHooks: H - No File

uWinlogon: Shell=explorer.exe,

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: {7b64f82f-f7ec-4e36-8532-9570e3346bd2} - c:\windows\system32\hgGxYPFU.dll

BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

TB: {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ANT Agent] c:\program files\garmin\ant agent\ANT Agent.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe

mRun: [intelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe

mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe

mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe

mRun: [buildBU] c:\dell\bldbubg.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [<NO NAME>]

mRun: [THGuard] "c:\program files\trojanhunter 5.0\THGuard.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [backupNowEZtray] "c:\program files\newtech infosystems\backup now ez\BackupNowEZtray.exe" -k

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\peterm~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: mswsock.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152382200068

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35

TCP: Interfaces\{C965C3B4-B799-4AC2-BC18-6506CA03AFCD} : DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SSODL: gulurukid - {13fbb66e-46b0-4848-9e64-b8d35cf05a23} - No File

SSODL: dovesisab - {af9680ea-933b-4956-8161-822d0cabdaa0} - No File

SSODL: miwegulul - {7eabe4b3-9e81-477c-b9ce-fb7c6efe3b55} - c:\windows\system32\zakubigu.dll

STS: gahurihor: {7eabe4b3-9e81-477c-b9ce-fb7c6efe3b55} - c:\windows\system32\zakubigu.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGxYPFU

LSA: Notification Packages = scecli fekabaku.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\peter maves\application data\mozilla\firefox\profiles\oq6eo1fm.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - www.slowtwitch.com

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e51233d&v=7.007.026.001&i=27&tp=ab&iy=&ychte=us&lng=en-US&q=

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 63273

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\peter maves\application data\mozilla\firefox\profiles\oq6eo1fm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\peter maves\application data\mozilla\firefox\profiles\oq6eo1fm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll

FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\peter maves\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\peter maves\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\peter maves\application data\mozilla\firefox\profiles\oq6eo1fm.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 297168]

S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-8-21 11608]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-21 136360]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-21 269480]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-21 61960]

S2 avgwd;AVG WatchDog;"c:\program files\avg\avg10\avgwdsvc.exe" --> c:\program files\avg\avg10\avgwdsvc.exe [?]

S2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\mcdetect.exe --> c:\program files\mcafee.com\agent\mcdetect.exe [?]

S2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe --> c:\progra~1\mcafee.com\agent\mctskshd.exe [?]

S2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\backupnowezsvr.exe --> c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [?]

S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

S2 WinDefend;Windows Defender;"c:\program files\windows defender\msmpeng.exe" --> c:\program files\windows defender\MsMpEng.exe [?]

S3 Angel;Angel MPEG Device;c:\windows\system32\drivers\Angel.sys [1980-1-1 375936]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 1025352]

S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe --> c:\progra~1\mcafee.com\agent\mcupdmgr.exe [?]

S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-11-13 23296]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]

.

=============== Created Last 30 ================

.

2011-08-21 19:54:45 43408 --sha-w- c:\windows\system32\c_04583.nl_

2011-08-21 16:21:45 -------- d-----w- c:\documents and settings\peter maves\local settings\application data\AVG Security Toolbar

2011-08-21 15:32:23 -------- d-----w- c:\documents and settings\peter maves\application data\Avira

2011-08-21 15:29:58 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-21 15:29:57 -------- d-----w- c:\program files\Avira

2011-08-21 15:29:57 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-08-21 15:24:44 -------- d-----w- c:\documents and settings\all users\application data\AVG Security Toolbar

2011-08-20 23:45:46 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-20 23:45:43 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-20 18:29:18 388096 ----a-r- c:\documents and settings\peter maves\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-08-20 18:29:17 -------- d-----w- c:\program files\Trend Micro

2011-08-20 14:25:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-20 11:10:36 -------- d-----w- c:\documents and settings\all users\application data\RegCure

2011-08-12 22:57:21 0 ----a-w- c:\documents and settings\peter maves\local settings\application data\rmme.exe

2011-08-12 22:57:21 0 ----a-w- c:\documents and settings\peter maves\local settings\application data\madf.exe

2011-08-12 22:57:21 0 ----a-w- c:\documents and settings\peter maves\local settings\application data\amda.exe

2011-08-12 22:57:21 0 ----a-w- c:\documents and settings\all users\application data\sbia.exe

2011-08-12 22:57:21 0 ----a-w- c:\documents and settings\all users\application data\kmnu.exe

2011-08-12 22:57:21 0 ----a-w- c:\documents and settings\all users\application data\dnfx.exe

2011-08-12 22:57:20 0 ----a-w- c:\documents and settings\peter maves\local settings\application data\gsir.exe

2011-08-12 22:57:20 0 ----a-w- c:\documents and settings\all users\application data\chph.exe

2011-08-11 04:18:14 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-11 04:17:10 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys

.

==================== Find3M ====================

.

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:18:34 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:18:34 667136 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:18:34 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-06-21 12:58:45 369664 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

2006-12-29 21:59:42 774144 -c--a-w- c:\program files\RngInterstitial.dll

.

============= FINISH: 15:29:20.84 ===============

Attachments: dds.txt, attach.zip, ARK.zip, mbam-log-2011-08-21 (14-05-09).zip, mbam-log-2011-08-21 (14-53-17).zip

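As an added example (not code from the thread, from DDS or from the helper), here is a small Python triage pass over the kinds of entries in the DDS report above: a process running from an NTFS alternate data stream, nameless or dangling BHO/SSODL registrations, extra LSA packages, a hosts-file redirect of a security site, a Firefox proxy on loopback, and zero-byte executables. The allowlists are my own XP baseline assumptions, and SAMPLE_LOG is a short excerpt of the posted report, not the whole log.

```python
import re

# Assumed XP baseline (my own allowlists, not from DDS): the LSA packages Windows
# registers on its own, and DLLs that legitimately show up in SSODL /
# SharedTaskScheduler (STS) entries. Anything else gets a second look.
KNOWN_AUTH_PACKAGES = {"msv1_0"}
KNOWN_NOTIFY_PACKAGES = {"scecli"}
KNOWN_SHELL_LOAD_DLLS = {"shell32.dll", "webcheck.dll", "stobject.dll",
                         "browseui.dll", "wpdshserviceobj.dll"}
SHELL_KINDS = {"bho", "tb", "ssodl", "sts", "uurlsearchhooks", "murlsearchhooks"}

# Short excerpt of the DDS report posted above (a few lines, not the whole log).
SAMPLE_LOG = r"""
C:\WINDOWS\1935363976:2008065164.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7b64f82f-f7ec-4e36-8532-9570e3346bd2} - c:\windows\system32\hgGxYPFU.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
SSODL: gulurukid - {13fbb66e-46b0-4848-9e64-b8d35cf05a23} - No File
SSODL: miwegulul - {7eabe4b3-9e81-477c-b9ce-fb7c6efe3b55} - c:\windows\system32\zakubigu.dll
STS: gahurihor: {7eabe4b3-9e81-477c-b9ce-fb7c6efe3b55} - c:\windows\system32\zakubigu.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGxYPFU
LSA: Notification Packages = scecli fekabaku.dll
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63273
2011-08-12 22:57:21 0 ----a-w- c:\documents and settings\peter maves\local settings\application data\rmme.exe
"""


def flag_process(line, low):
    # A second ':' after the drive letter names an NTFS alternate data stream;
    # nothing legitimate in C:\WINDOWS runs from one.
    if re.match(r"^[a-z]:\\", low) and low.count(":") > 1 and low.endswith(".exe"):
        return "process running from an NTFS alternate data stream"


def flag_shell_entry(line, low):
    # BHO / toolbar / shell-load registrations: dangling ones, nameless ones,
    # and shell loaders pointing at a DLL outside the known set.
    kind = low.split(":", 1)[0]
    if kind not in SHELL_KINDS:
        return None
    if low.endswith("- no file"):
        return "dangling %s registration (No File)" % kind.upper()
    if kind == "bho" and re.match(r"^bho: *\{", low):
        return "BHO registered without a descriptive name"
    if kind in ("ssodl", "sts"):
        dll = low.rsplit("\\", 1)[-1]
        if dll not in KNOWN_SHELL_LOAD_DLLS:
            return "%s loads %s, not a known shell component" % (kind.upper(), dll)


def flag_lsa(line, low):
    # Extra LSA packages load into lsass.exe at boot and can capture logons.
    m = re.match(r"^LSA: (Authentication|Notification) Packages = (.*)$", line, re.I)
    if not m:
        return None
    known = KNOWN_AUTH_PACKAGES if m.group(1).lower() == "authentication" else KNOWN_NOTIFY_PACKAGES
    extra = [p for p in m.group(2).split() if p.lower() not in known]
    if extra:
        return "unexpected LSA %s package(s): %s" % (m.group(1).lower(), ", ".join(extra))


def flag_hosts(line, low):
    # Security-vendor sites pinned to loopback keep the victim from getting help.
    m = re.match(r"^hosts: +(127\.0\.0\.1|0\.0\.0\.0) +(\S+)", low)
    if m and m.group(2) != "localhost":
        return "hosts file redirects %s to %s" % (m.group(2), m.group(1))


def flag_ff_proxy(line, low):
    # A browser proxy on loopback usually means a local process intercepts traffic.
    m = re.match(r"^ff - prefs\.js: network\.proxy\.(http|ssl|socks) - (\S+)$", low)
    if m and m.group(2) in ("127.0.0.1", "localhost"):
        return "Firefox %s traffic forced through a local proxy on %s" % (m.group(1), m.group(2))


def flag_zero_byte_exe(line, low):
    # Several zero-byte .exe files created in the same second is a dropper footprint.
    m = re.match(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d +0 +\S+ +(.+\.exe)$", low)
    if m:
        return "zero-byte executable created: " + m.group(1)


CHECKS = (flag_process, flag_shell_entry, flag_lsa, flag_hosts, flag_ff_proxy, flag_zero_byte_exe)


def triage(report):
    """Return (line, finding) pairs for every report line some check flags."""
    hits = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        for check in CHECKS:
            finding = check(line, low)
            if finding:
                hits.append((line, finding))
                break  # one finding per line is enough for a triage pass
    return hits


if __name__ == "__main__":
    for line, finding in triage(SAMPLE_LOG):
        print("[!] %s\n    %s" % (finding, line))
```

Every hit is a heuristic for a human to confirm against the full log; the two benign lines in the excerpt (the Spybot BHO and the proxy port pref) are there to show what is not flagged.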

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

You have 3 AVs installed.

Use Add/Remove programs and uninstall 2 of them.

Reboot and let me know how it's running.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Active Virus Shield *Enabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}


Hello LDTate and thanks for taking my case.

I'd like to keep the Avira since it is the least problematic of the lot. I'm pretty sure I had tried to uninstall AVG Anti-Virus, and it is not listed in the Add/Remove program. However it still has a folder when I go to My Computer - Program Files. When I go into the Program Files - AVG, there are two subfolders, AVG8 and AVG10. AVG8 is barren but AVG10 has the whole package, minus an uninstall program. Same with when I do Start - All Programs - AVG 2011 - AVG tray icon; AVG user interface; AVG uninstall. I try the uninstall, and it says "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access them." When I try and remove the AVG icon from the toolbar, it says this "AVG LinkScanner Free Edition 2011, Unable to remove AVG Security Toolbar; Access is denied (0xE0010058)."

I am also unable to remove Active Virus Shield since I can't find it when I do a search, or when I check program files, and it is not in Add/Remove program.

The issues above were the same whether I was in regular mode or in safe mode.

I'm not sure what to do to remove the Active Virus Shield since I'm unable to find it anywhere. As for the AVG, do you want me to go into the Program Files and delete those folders? Something tells me that won't be enough to disable/remove the AVG but I could be wrong.

Thanks,

Peter


Hello,

I don't think that worked. Ran the program in safe mode. The program only prompted me to reboot once. I then reran it again, but no prompt and no change. I rebooted anyways, reran the program still the same. Everything still appears as it was, AVG still won't allow me to uninstall it, still have icon on desktop, etc etc. Awaiting next instructions.

Peter


OK, let's just move on.

Logs will be closed if you haven't replied within 3 days

Please do not attach the scan results from ComboFix. Use copy/paste.

DO NOT use any TOOLS such as Combofix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

  • If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

  • If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Hello,

Sorry for the delay, but finally figured out how to "allow" combofix to finish. I performed the ATFCleaner, and started the ComboFix (9:30am on 8/25). It said I had Rootkit.ZeroAccess and mentioned a reboot. I thought it would do the reboot so I let it do its thing. Eventually I had just a black screen with safe mode in the corners and couldn't log my password in or anything. Today (6pm 8/26) I hit the reboot button, and it came back on, allowing ComboFix to proceed as planned. As things were coming online, Avira popped up and posted "W32/PatchLoadA found; Program Files\...\WMP54Gv4.exe Access to this file was denied." I disabled Avira at the tray icon because I thought it might hold up ComboFix from posting the log. Not sure if that was the right thing to do, but I knew nothing else was supposed to be running while ComboFix was still finishing. Windows Installer also tried coming up and I hit cancel on that.

Everything seems to be running as well as it was before running ComboFix. However I haven't started any anti-malware or anti-virus programs which in the past prompted the Windows Security Alert (or maybe it goes by the name MicrosoftWindowsSecurityCenter.FirewallBypass...not too sure). I also haven't seen anything pertaining to the AVG LinkScanner Free Edition 2011, so perhaps that was taken care of as well. Just feels like I'm in a better place than before, and that's a good thing. ComboFix.txt listed below. Thanks.

ComboFix 11-08-24.06 - Peter Maves 08/26/2011 17:42:53.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.722 [GMT -5:00]

Running from: c:\documents and settings\Peter Maves\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\~WRD2563.tmp

c:\documents and settings\Peter Maves\Application Data\47A2.3EE

c:\documents and settings\Peter Maves\Application Data\Adobe\plugs

c:\documents and settings\Peter Maves\Application Data\Adobe\shed

c:\documents and settings\Peter Maves\Local Settings\Application Data\amda.exe

c:\documents and settings\Peter Maves\Local Settings\Application Data\gsir.exe

c:\documents and settings\Peter Maves\Local Settings\Application Data\madf.exe

c:\documents and settings\Peter Maves\Local Settings\Application Data\rmme.exe

c:\documents and settings\Peter Maves\My Documents\RECOVER.TMP

c:\documents and settings\Peter Maves\Templates\v528oxe2480s33lio720x04eb6dr

c:\documents and settings\Peter Maves\WINDOWS

c:\windows\$NtUninstallKB11459$\2286902131\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

c:\windows\$NtUninstallKB11459$\2286902131\click.tlb

c:\windows\$NtUninstallKB11459$\2286902131\L\myamqqou

c:\windows\$NtUninstallKB11459$\2286902131\loader(2).tlb

c:\windows\$NtUninstallKB11459$\2286902131\loader(3).tlb

c:\windows\$NtUninstallKB11459$\2286902131\loader(4).tlb

c:\windows\$NtUninstallKB11459$\2286902131\loader(5).tlb

c:\windows\$NtUninstallKB11459$\2286902131\loader(6).tlb

c:\windows\$NtUninstallKB11459$\2286902131\loader(7).tlb

c:\windows\$NtUninstallKB11459$\2286902131\U\@00000001

c:\windows\$NtUninstallKB11459$\2286902131\U\@000000c0

c:\windows\$NtUninstallKB11459$\2286902131\U\@000000cb

c:\windows\$NtUninstallKB11459$\2286902131\U\@000000cf

c:\windows\$NtUninstallKB11459$\2286902131\U\@80000000

c:\windows\$NtUninstallKB11459$\2286902131\U\@800000c0

c:\windows\$NtUninstallKB11459$\2286902131\U\@800000cb

c:\windows\$NtUninstallKB11459$\2286902131\U\@800000cf

c:\windows\$NtUninstallKB11459$\664844258

c:\windows\assembly\GAC_MSIL\desktop.ini

c:\windows\settings.reg

c:\windows\system32\c_04583.nls

c:\windows\$NtUninstallKB11459$\2286902131\loader.tlb . . . . Failed to delete

.

Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected

Restored copy from - The cat found it :)

c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

.

c:\program files\Avira\AntiVir Desktop\avguard.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

.

Infected copy of c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0108656.exe

.

Infected copy of c:\windows\system32\DRIVERS\netbt.sys was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\netbt.sys

.

Infected copy of c:\windows\SYSTEM32\wscript.exe was found and disinfected

Restored copy from - c:\windows\system32\dllcache\wscript.exe

.

c:\windows\system32\drivers\cdrom.sys was missing

Restored copy from - c:\windows\system32\dllcache\cdrom.sys

.

Infected copy of c:\program files\Avira\AntiVir Desktop\sched.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105057.exe

Infected copy of c:\program files\Avira\AntiVir Desktop\avguard.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105056.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_884f5b73

.

.

((((((((((((((((((((((((( Files Created from 2011-07-26 to 2011-08-26 )))))))))))))))))))))))))))))))

.

.

2011-08-26 22:56 . 2008-05-02 10:49 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-08-25 13:28 . 2011-07-15 13:29 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-08-25 13:28 . 2011-07-15 13:29 456320 ----a-w- c:\windows\system32\dllcache\mrxsmb.sys

2011-08-21 19:54 . 2011-08-26 22:40 41360 --sha-w- c:\windows\system32\c_04583.nl_

2011-08-21 16:21 . 2011-08-21 16:21 -------- d-----w- c:\documents and settings\Peter Maves\Local Settings\Application Data\AVG Security Toolbar

2011-08-21 15:32 . 2011-08-21 15:32 -------- d-----w- c:\documents and settings\Peter Maves\Application Data\Avira

2011-08-21 15:29 . 2011-07-20 16:30 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-21 15:29 . 2011-07-20 16:30 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-08-21 15:29 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-08-21 15:29 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-08-21 15:29 . 2011-08-21 15:29 -------- d-----w- c:\program files\Avira

2011-08-21 15:29 . 2011-08-21 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-08-21 15:24 . 2011-08-25 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2011-08-21 03:06 . 2011-08-21 03:06 -------- d-----w- c:\documents and settings\pzmaves

2011-08-20 23:45 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-20 23:45 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-20 21:17 . 2011-08-20 22:45 -------- d-----w- c:\program files\Windows Defender

2011-08-20 18:29 . 2011-08-20 18:29 388096 ----a-r- c:\documents and settings\Peter Maves\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-08-20 18:29 . 2011-08-20 18:29 -------- d-----w- c:\program files\Trend Micro

2011-08-20 17:45 . 2011-08-20 17:47 -------- d-----w- c:\program files\ERUNT

2011-08-20 14:25 . 2011-08-26 22:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-20 11:10 . 2011-08-20 11:10 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

2011-08-20 11:10 . 2011-08-20 11:10 -------- d-----w- c:\program files\RegCure

2011-08-12 22:57 . 2011-08-12 22:57 0 ----a-w- c:\documents and settings\All Users\Application Data\sbia.exe

2011-08-12 22:57 . 2011-08-12 22:57 0 ----a-w- c:\documents and settings\All Users\Application Data\kmnu.exe

2011-08-12 22:57 . 2011-08-12 22:57 0 ----a-w- c:\documents and settings\All Users\Application Data\dnfx.exe

2011-08-12 22:57 . 2011-08-12 22:57 0 ----a-w- c:\documents and settings\All Users\Application Data\chph.exe

2011-08-11 04:18 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-11 04:17 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-08 14:02 . 2004-08-10 10:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2004-08-10 10:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:18 . 2004-08-10 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:18 . 2004-08-10 10:00 667136 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:18 . 2004-08-10 10:00 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-06-21 12:58 . 2004-08-10 10:00 369664 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-10 10:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02 . 2004-08-10 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2006-12-29 21:59 . 2006-12-29 21:59 774144 -c--a-w- c:\program files\RngInterstitial.dll

2011-08-23 11:19 . 2011-05-12 02:51 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"ANT Agent"="c:\program files\Garmin\ANT Agent\ANT Agent.exe" [2011-04-14 12036968]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-11 4583424]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-11 151552]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"P17Helper"="P17.dll" [2004-06-10 60928]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-29 149280]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

"BackupNowEZtray"="c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2010-09-17 577792]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]

.

c:\documents and settings\Peter Maves\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk

backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk

backup=c:\windows\pss\dlbcserv.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO.lnk

backup=c:\windows\pss\PHOTOfunSTUDIO.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-04-13 07:29 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]

2010-03-18 16:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]

2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-07-21 20:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2006-06-21 17:14 35328 ----a-w- c:\program files\Winamp\winampa.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=

"c:\\Program Files\\RegCure\\RegCure.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\winlogon.exe"=

"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=

"c:\\Program Files\\DellSupport\\DSAgnt.exe"=

"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\update.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avnotify.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\setup.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\explorer.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 9:43 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 74480]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/26/2011 5:54 PM 136360]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/21/2011 11:19 AM 366640]

R3 Angel;Angel MPEG Device;c:\windows\SYSTEM32\DRIVERS\Angel.sys [1/1/1980 375936]

R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [8/20/2011 6:45 PM 22712]

S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]

S2 avgwd;AVG WatchDog;"c:\program files\AVG\AVG10\avgwdsvc.exe" --> c:\program files\AVG\AVG10\avgwdsvc.exe [?]

S2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe --> c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [?]

S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]

S3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [11/13/2005 7:02 PM 23296]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 7408]

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

.

2011-08-20 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

.

2011-08-21 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.cnn.com/

mStart Page = hxxp://www.dell4me.com/myway

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

FF - ProfilePath - c:\documents and settings\Peter Maves\Application Data\Mozilla\Firefox\Profiles\oq6eo1fm.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - www.slowtwitch.com

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=0&v=7.007.026.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 63273

FF - prefs.js: network.proxy.type - 4

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{7B64F82F-F7EC-4E36-8532-9570E3346BD2} - c:\windows\system32\hgGxYPFU.dll

HKLM-Run-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe

HKLM-Run-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe

HKLM-Run-THGuard - c:\program files\TrojanHunter 5.0\THGuard.exe

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

HKLM-Run-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe

SharedTaskScheduler-{7eabe4b3-9e81-477c-b9ce-fb7c6efe3b55} - c:\windows\system32\zakubigu.dll

SSODL-gulurukid-{13fbb66e-46b0-4848-9e64-b8d35cf05a23} - (no file)

SSODL-dovesisab-{af9680ea-933b-4956-8161-822d0cabdaa0} - (no file)

SSODL-miwegulul-{7eabe4b3-9e81-477c-b9ce-fb7c6efe3b55} - c:\windows\system32\zakubigu.dll

Notify-avgrsstarter - (no file)

Notify-yayyYoOf - (no file)

MSConfigStartUp-asbaspam - c:\progra~1\ASBANT~1\asbaspam.exe

MSConfigStartUp-conhost - c:\documents and settings\Peter Maves\Application Data\Microsoft\conhost.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-26 18:00

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\$NtUninstallKB11459$:SummaryInformation 0 bytes hidden from API

.

.

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\Rundll32.exe

c:\windows\eHome\ehmsas.exe

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2011-08-26 18:13:16 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-26 23:13

.

Pre-Run: 41,827,139,584 bytes free

Post-Run: 42,104,459,264 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

[spybotsd]

timeout.old=30

.

- - End Of File - - FBAED9DB2E4936A920B8C51F7328B4EA


Looks like your AntiVir is / was infected.

Let's hope CF repairs it when we do this.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\documents and settings\All Users\Application Data\sbia.exe
c:\documents and settings\All Users\Application Data\kmnu.exe
c:\documents and settings\All Users\Application Data\dnfx.exe
c:\documents and settings\All Users\Application Data\chph.exe

FireFox::
FF - ProfilePath - c:\documents and settings\Peter Maves\Application Data\Mozilla\Firefox\Profiles\oq6eo1fm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - www.slowtwitch.com
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=0&v=7.007.026.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63273
FF - prefs.js: network.proxy.type - 4

Folder::
c:\program files\AVG

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

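The helper's CFScript above targets three kinds of entries from the ComboFix log: zero-byte .exe files dropped under All Users\Application Data, the Firefox proxy preferences pointing at 127.0.0.1:63273, and the AVG leftovers; the same log also lists firewall exceptions for a "winlogon.exe" and an "explorer.exe" living in the Malwarebytes program folder. As an added example, not code from ComboFix, the forum, or either poster, here is a small Python triage script that parses those three ComboFix line shapes and flags them. The sample lines are copied from the log above and trimmed to a handful; the list of core Windows binary names, the directory markers, and the finding labels are assumptions of this example, not ComboFix rules.

```python
"""Triage a ComboFix-style log for a few persistence/evasion indicators.

Added example, not ComboFix's own code. Parses three line shapes from the
log above ("Files Created" rows, firewall AuthorizedApplications entries,
Firefox prefs.js lines) and reports entries of the kind the CFScript acted on.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: core Windows process names that legitimately live only under
# the Windows directory; a firewall exception for one elsewhere is suspect.
SYSTEM_BINARIES = {"winlogon.exe", "explorer.exe", "svchost.exe", "lsass.exe",
                   "csrss.exe", "services.exe", "smss.exe"}
WINDOWS_PREFIXES = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")
# Assumption: per-user / all-users data folders where droppers were created.
USER_DATA_MARKERS = ("\\application data\\", "\\templates\\", "\\local settings\\")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# "2011-08-12 22:57 . 2011-08-12 22:57 0 ----a-w- c:\...\sbia.exe"
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$")
# '"c:\\Program Files\\...\\winlogon.exe"='  (REGEDIT4 export, backslashes doubled)
FIREWALL_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')
# "FF - prefs.js: network.proxy.http - 127.0.0.1"
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>[\w.]+) - (?P<value>.*)$")
FIREWALL_SECTION = "authorizedapplications\\list]"


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def check_created(m: re.Match) -> Finding | None:
    """Zero-byte .exe created inside a user data directory."""
    path = m.group("path").lower()
    if (m.group("size") == "0" and path.endswith(".exe")
            and any(marker in path for marker in USER_DATA_MARKERS)):
        return Finding("empty-exe-in-user-data", m.group("path"))
    return None


def check_firewall(raw: str) -> Finding | None:
    """Firewall exception for a core-Windows-named binary outside c:\\windows."""
    path = raw.replace("\\\\", "\\")  # undo REGEDIT4 escaping
    low = path.lower()
    if low.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and not low.startswith(WINDOWS_PREFIXES):
        return Finding("firewall-exception-masquerading-binary", path)
    return None


def check_proxy(prefs: dict[str, str]) -> Finding | None:
    """Firefox HTTP proxy pointed at the local machine (traffic relayed on-host)."""
    host = prefs.get("network.proxy.http", "")
    if host in LOOPBACK:
        port = prefs.get("network.proxy.http_port", "?")
        ptype = prefs.get("network.proxy.type", "?")
        return Finding("localhost-http-proxy", f"{host}:{port} (network.proxy.type={ptype})")
    return None


def triage(log_text: str) -> list[Finding]:
    """Walk the log once; firewall entries are only parsed inside their key."""
    findings: list[Finding] = []
    prefs: dict[str, str] = {}
    in_firewall = False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("["):          # registry key header
            in_firewall = line.lower().endswith(FIREWALL_SECTION)
            continue
        if line == ".":                   # ComboFix section separator
            in_firewall = False
            continue
        if m := CREATED_RE.match(line):
            if f := check_created(m):
                findings.append(f)
        elif in_firewall and (m := FIREWALL_RE.match(line)):
            if f := check_firewall(m.group("path")):
                findings.append(f)
        elif m := FF_PREF_RE.match(line):
            prefs[m.group("key")] = m.group("value").strip()
    if f := check_proxy(prefs):
        findings.append(f)
    return findings


# Sample input: lines copied from the ComboFix log in this thread, trimmed.
SAMPLE_LOG = r"""
2011-08-21 15:29 . 2011-08-21 15:29 -------- d-----w- c:\program files\Avira
2011-08-12 22:57 . 2011-08-12 22:57 0 ----a-w- c:\documents and settings\All Users\Application Data\sbia.exe
2011-08-20 23:45 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\winlogon.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\explorer.exe"=
.
FF - prefs.js: browser.startup.homepage - www.slowtwitch.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63273
FF - prefs.js: network.proxy.type - 4
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.kind}: {finding.detail}")
```

Run it as-is to see the four findings that correspond to the File:: and FireFox:: blocks of the CFScript plus the two masquerading firewall exceptions; point `triage()` at a full ComboFix.txt to apply the same checks to a real log.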

Hello,

I performed CFScript, and put it into ComboFix. ComboFix still was stating that Rootkit.ZeroAccess was in the tcp/ip stack and that AVG Anti-Virus Free Edition 2011 was still present. ComboFix proceeded, and produced a log file.

While ComboFix is finishing (after reboot into normal mode), Avira is still turning up with W32/PatchLoadA.exe and also asking to update. After that, it posted that it "detected 2 viruses or unwanted programs; Access was denied." I ignored this, but I'm wondering if you want me to hit the remove button and also update?

Besides Avira being active and in the icon tray, I forgot to mention last time (and this time) Malwarebytes Anti-Malware has an icon there but it doesn't start up or post any warnings after the reboot. It says it is the 1.51.1.1800 (Trial) Database version 7586.

I still have no sign of AVG on the internet task bars, the icon tray, the desktop, or program files. Unless it was cleaned out this time with the ComboFix, do you want me trying the AVGremover again?

Internet still appears to be working like it has been (no proxy change that I've been able to notice). One difference is this time it didn't go to my normal homepage but instead a default FireFox page, about:home. Doesn't seem to be a problem and I know I can reset my homepage once everything is clear.

Here's the updated ComboFix.txt. Thanks.

ComboFix 11-08-27.01 - Peter Maves 08/27/2011 6:40.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.654 [GMT -5:00]

Running from: c:\documents and settings\Peter Maves\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Peter Maves\Desktop\CFScript.txt

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

FILE ::

"c:\documents and settings\All Users\Application Data\chph.exe"

"c:\documents and settings\All Users\Application Data\dnfx.exe"

"c:\documents and settings\All Users\Application Data\kmnu.exe"

"c:\documents and settings\All Users\Application Data\sbia.exe"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\chph.exe

c:\documents and settings\All Users\Application Data\dnfx.exe

c:\documents and settings\All Users\Application Data\kmnu.exe

c:\documents and settings\All Users\Application Data\sbia.exe

c:\documents and settings\Peter Maves\Templates\bgqa.exe

c:\documents and settings\Peter Maves\Templates\svuq.exe

c:\documents and settings\Peter Maves\Templates\vndm.exe

c:\documents and settings\Peter Maves\Templates\wpdt.exe

c:\windows\$NtUninstallKB11459$

c:\windows\$NtUninstallKB11459$\2286902131\loader.tlb

c:\windows\$NtUninstallKB11459$\664844258

c:\windows\$NtUninstallKB11459$\84114025

.

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_avgwd

-------\Service_AVG Security Toolbar Service

-------\Service_avgwd

.

.

((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))

.

.

2011-08-27 11:32 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-08-27 11:32 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys

2011-08-27 03:47 . 2011-05-25 00:14 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-08-26 22:56 . 2008-05-02 10:49 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-08-25 13:28 . 2011-07-15 13:29 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-08-25 13:28 . 2011-07-15 13:29 456320 ----a-w- c:\windows\system32\dllcache\mrxsmb.sys

2011-08-21 19:54 . 2011-08-26 22:40 41360 --sha-w- c:\windows\system32\c_04583.nl_

2011-08-21 16:21 . 2011-08-21 16:21 -------- d-----w- c:\documents and settings\Peter Maves\Local Settings\Application Data\AVG Security Toolbar

2011-08-21 15:32 . 2011-08-21 15:32 -------- d-----w- c:\documents and settings\Peter Maves\Application Data\Avira

2011-08-21 15:29 . 2011-07-20 16:30 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-21 15:29 . 2011-07-20 16:30 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-08-21 15:29 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-08-21 15:29 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-08-21 15:29 . 2011-08-21 15:29 -------- d-----w- c:\program files\Avira

2011-08-21 15:29 . 2011-08-21 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-08-21 15:24 . 2011-08-25 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2011-08-21 03:06 . 2011-08-21 03:06 -------- d-----w- c:\documents and settings\pzmaves

2011-08-20 23:45 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-20 23:45 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-20 21:17 . 2011-08-20 22:45 -------- d-----w- c:\program files\Windows Defender

2011-08-20 18:29 . 2011-08-20 18:29 388096 ----a-r- c:\documents and settings\Peter Maves\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-08-20 18:29 . 2011-08-20 18:29 -------- d-----w- c:\program files\Trend Micro

2011-08-20 17:45 . 2011-08-20 17:47 -------- d-----w- c:\program files\ERUNT

2011-08-20 14:25 . 2011-08-26 22:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-20 11:10 . 2011-08-20 11:10 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

2011-08-20 11:10 . 2011-08-20 11:10 -------- d-----w- c:\program files\RegCure

2011-08-11 04:18 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-11 04:17 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-08 14:02 . 2004-08-10 10:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2004-08-10 10:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:18 . 2004-08-10 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:18 . 2004-08-10 10:00 667136 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:18 . 2004-08-10 10:00 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-06-21 12:58 . 2004-08-10 10:00 369664 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-10 10:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02 . 2004-08-10 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2006-12-29 21:59 . 2006-12-29 21:59 774144 -c--a-w- c:\program files\RngInterstitial.dll

2011-08-23 11:19 . 2011-05-12 02:51 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-08-26_23.01.01 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-01-29 08:58 . 2011-07-08 13:49 46080 c:\windows\SYSTEM32\tzchange.exe

- 2007-01-29 08:58 . 2010-11-03 13:12 46080 c:\windows\SYSTEM32\tzchange.exe

+ 2011-08-27 11:57 . 2011-08-27 11:57 237568 c:\windows\ERDNT\AutoBackup\8-27-2011\Users\00000002\UsrClass.dat

+ 2011-08-27 11:57 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\8-27-2011\ERDNT.EXE

+ 2011-08-27 11:57 . 2011-08-27 11:57 11804672 c:\windows\ERDNT\AutoBackup\8-27-2011\Users\00000001\ntuser.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"ANT Agent"="c:\program files\Garmin\ANT Agent\ANT Agent.exe" [2011-04-14 12036968]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-11 4583424]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-11 151552]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"P17Helper"="P17.dll" [2004-06-10 60928]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-29 149280]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

"BackupNowEZtray"="c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2010-09-17 577792]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]

.

c:\documents and settings\Peter Maves\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk

backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk

backup=c:\windows\pss\dlbcserv.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO.lnk

backup=c:\windows\pss\PHOTOfunSTUDIO.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-04-13 07:29 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]

2010-03-18 16:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]

2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-07-21 20:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2006-06-21 17:14 35328 ----a-w- c:\program files\Winamp\winampa.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=

"c:\\Program Files\\RegCure\\RegCure.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\winlogon.exe"=

"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=

"c:\\Program Files\\DellSupport\\DSAgnt.exe"=

"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\update.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avnotify.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\setup.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\explorer.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 9:43 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 74480]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/26/2011 5:54 PM 136360]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/21/2011 11:19 AM 366640]

R3 Angel;Angel MPEG Device;c:\windows\SYSTEM32\DRIVERS\Angel.sys [1/1/1980 375936]

R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [8/20/2011 6:45 PM 22712]

S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]

S2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe --> c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [?]

S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]

S3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [11/13/2005 7:02 PM 23296]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 7408]

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

.

2011-08-20 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

.

2011-08-21 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.cnn.com/

mStart Page = hxxp://www.dell4me.com/myway

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

FF - ProfilePath - c:\documents and settings\Peter Maves\Application Data\Mozilla\Firefox\Profiles\oq6eo1fm.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-27 06:56

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(772)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

- - - - - - - > 'explorer.exe'(348)

c:\program files\NewTech Infosystems\Backup Now EZ\Pehook.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\Rundll32.exe

c:\windows\eHome\ehmsas.exe

c:\windows\system32\ssflwbox.scr

.

**************************************************************************

.

Completion time: 2011-08-27 07:09:21 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-27 12:09

ComboFix2.txt 2011-08-26 23:13

.

Pre-Run: 42,304,954,368 bytes free

Post-Run: 42,229,075,968 bytes free

.

- - End Of File - - 0A45FEB643DAC4071E53E965BF63FDB7


Avira is still turning up with W32/PatchLoadA.exe and also asking to update

If that happens again, hit the remove button and also update

Let's not worry about the leftover AVG.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run, type Notepad, click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\windows\system32\c_04583.nl_

Folder::
c:\documents and settings\All Users\Application Data\AVG Security Toolbar

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


Hello,

I do not have a ComboFix.txt this time because the ComboFix is stalling out (as best as I can describe it). After dragging the txt over the icon, it sets the system restore point, then posts that it is "scanning for infected files...This typically does not take more than 10 minutes However, scan times for badly infected machines may easily double" and that's it, nothing else has happened since I started this up yesterday (8/27). Windows Task Manager has it running when I look in Applications.

Before starting the ComboFix, I tried updating Avira, but it wouldn't allow me to do so. I disabled it before starting the ComboFix, and the ComboFix still says the AVG is still present.

Everything else appears to be functioning okay. Internet is the same as I last posted and no Windows Security and/or Firewall pop-ups. Looking at the Task Manager, I'm not seeing that 193536976:2008065164.exe, which among other things I do believe was linked to the whole "Windows Security" blocking any anti-virus and/or anti-malware from working.

A few things that concern me now when looking at the Windows Task Manager: I still have a lot of svchost.exe present; I think sched.exe is new or wasn't running last week, avguard.exe and avgnt.exe are still there despite my deleting the files from the Program Files location (again, should I try doing end process on these or run avgremover?); tfswctrl.exe and CF21534.3XE are new this week (I do realize some or all of these "new" processes could be the combofix...I just don't know which ones or if I should be concerned about the ones that aren't Combofix).

That's all I've got for now. Again, not sure why ComboFix is stalling out. Do you have a different "KillAll line-up" that I should put into ComboFix?

Peter


The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services allows for better control and easier debugging.
I have 10 running myself.
sched.exe is a process belonging to AntiVir which protects your computer against Internet-bound threats such as spyware and trojans which can be distributed through e-mail or attack directly to the computer allowing unauthorized access to your computer.
Tfswctrl.exe belongs to the Drive Letter Access (DLA) component, which is part of the DirectCD software. DirectCD is a Packet Writing software manufactured by HP, VERITAS and Sonic Solutions. The process allows a user to write data on CDs or DVDs by using Windows Explorer.

CF21534.3XE<--That's a CF file.

avguard.exe and avgnt.exe<--Those are part of your AntiVir anti-virus

AntiVir Guard/XP Control Program. Part of the AntiVir anti-virus application.
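As an added example (not from this thread or from any of the tools it mentions), the check below does what the svchost explanation above describes in reverse: it maps each running svchost.exe instance back to the service group it was started for and the services it hosts, and flags any instance whose image path, parent process or group name does not match what Windows itself registers. It assumes Windows with PowerShell 3.0 or later (CIM cmdlets) and an elevated prompt so that every service's host PID is visible.

```powershell
# Added example, not code from the thread. Assumes PowerShell 3.0+ and an
# elevated prompt. Lists every svchost.exe with the services it hosts and
# flags instances that do not look like a Windows-started service host.

# Windows registers its service groups under this key: each value name is a
# group (e.g. netsvcs) and its data is the list of services sharing one host.
$groupKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$knownGroups = (Get-Item $groupKey).GetValueNames()

# The only legitimate image path for svchost.exe.
$expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Index running services by the PID of the process that hosts them.
$servicesByPid = @{}
foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'") {
    $hostPid = [int]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($hostPid)) { $servicesByPid[$hostPid] = @() }
    $servicesByPid[$hostPid] += $svc.Name
}

$report = foreach ($proc in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'") {
    $procId = [int]$proc.ProcessId
    $flags  = @()

    # Services this instance actually hosts (none is itself suspicious).
    $hosted = @()
    if ($servicesByPid.ContainsKey($procId)) { $hosted = $servicesByPid[$procId] }
    if ($hosted.Count -eq 0) { $flags += 'hosts no running service' }

    # The -k switch names the group this instance was started for; a real
    # service host always has one, and it should be a registered group.
    $group = $null
    if ($proc.CommandLine -match '-k\s+(\S+)') { $group = $Matches[1] }
    if (-not $group) {
        $flags += 'no -k group on command line'
    } elseif ($knownGroups -notcontains $group) {
        $flags += "group '$group' not registered under Svchost key"
    }

    # Image must be the one under %SystemRoot%\System32 (comparison is
    # case-insensitive by default in PowerShell).
    if ($proc.ExecutablePath -and $proc.ExecutablePath -ne $expectedImage) {
        $flags += "image path is $($proc.ExecutablePath)"
    }

    # Service hosts are started by services.exe; a parent that has exited
    # returns nothing and is not flagged.
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    if ($parent -and $parent.Name -ne 'services.exe') {
        $flags += "parent is $($parent.Name) ($($parent.ProcessId))"
    }

    [pscustomobject]@{
        PID      = $procId
        Group    = $group
        Services = ($hosted -join ', ')
        Flags    = ($flags -join '; ')
    }
}

# Full mapping first, then only the instances that need a closer look.
$report | Sort-Object PID | Format-Table -AutoSize -Wrap
$report | Where-Object { $_.Flags } | Format-List
```

A clean system prints an empty second list; ten or more svchost.exe instances on their own, as the reply above notes, are normal.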

Please give this a try:

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right

AVPfront.gif

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

avpsettings.gif

Allow AVP to delete all infections found

Once it has finished select report tab (last tab)

Select Detected threats report from the left and press Save button

Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

AVPAnalysis.gif

On completion click the link to locate the zip file to upload and attach to your next post

AVPZiplocation.gif


Hello,

Thanks for the task manager info. I get confused about which are legit programs and which ones may be malicious. I wasn't about to delete any, knowing that's a quick way to crash my whole system.

Ran the Kaspersky early yesterday, but later realized I hadn't done a complete job. Ran it again last night in which case it found way more issues. Tried disinfection option, but usually it would opt out of that and only allow me to delete. Some of the deletions required a reboot. Not sure how you wanted the detected threats so I made it a zip instead of attaching the txt file.

One clarification. You said rerun AVP then select manual disinfection tab, etc. By rerun did you mean just reopen it (post-reboot) and just go to manual disinfection or did you want a new scan done before selecting the manual disinfection tab?

PC seems to be running as usual, as in same as it was before running the Kaspersky and Combofix. No Windows Security pop-ups. Internet is running well. Only thing I was able to note was some time after the scan and before rebooting, got a screen that came up for jusched.exe, saying it needed to close and send a message to Microsoft or whoever.

Thanks,

Peter

Status: Deleted (events: 71)

9/1/2011 8:04:24 AM Deleted Trojan program Trojan.Win32.Patched.mf C:\Program Files\Avira\AntiVir Desktop\avshadow.exe High

9/1/2011 8:04:24 AM Deleted Trojan program Trojan.Win32.Patched.mf c:\Program Files\Avira\AntiVir Desktop\update.exe High

9/1/2011 8:04:24 AM Deleted Trojan program Trojan.Win32.Patched.mf c:\Program Files\Avira\AntiVir Desktop\avshadow.exe High

9/1/2011 7:56:06 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Peter Maves\Application Data\Sun\Java\Deployment\cache\6.0\23\5ab40f57-1fe6ae3c High

9/1/2011 7:56:38 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Peter Maves\Application Data\Sun\Java\Deployment\cache\6.0\34\199fa022-4a0eac42 High

9/1/2011 7:56:38 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Peter Maves\Application Data\Sun\Java\Deployment\cache\6.0\34\199fa022-6ed615bb High

9/1/2011 9:58:20 PM Deleted Trojan program Trojan.Win32.Patched.mf C:\Program Files\Avira\AntiVir Desktop\avscan.exe High

9/1/2011 9:58:20 PM Deleted Trojan program Trojan.Win32.Patched.mf c:\Program Files\Avira\AntiVir Desktop\avscan.exe High

9/1/2011 10:59:17 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\Qoobox\Quarantine\C\WINDOWS\ASSEMBLY\GAC_MSIL\desktop.ini.vir High

9/1/2011 10:59:17 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mrxsmb.sys.vir High

9/1/2011 10:59:34 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir High

9/1/2011 11:05:16 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1031\A0104309.ini High

9/1/2011 11:06:57 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1033\A0104422.ini High

9/1/2011 11:07:26 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1033\A0104435.ini High

9/1/2011 11:07:34 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1033\A0104449.ini High

9/1/2011 11:07:44 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1033\A0104460.ini High

9/1/2011 11:09:02 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1033\A0104473.ini High

9/1/2011 11:10:42 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1033\A0104484.ini High

9/1/2011 11:10:49 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1034\A0104513.ini High

9/1/2011 11:11:03 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1034\A0104527.ini High

9/1/2011 11:11:07 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1034\A0104540.ini High

9/1/2011 11:12:45 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1034\A0104565.ini High

9/1/2011 11:13:01 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1034\A0104585.ini High

9/1/2011 11:13:33 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1034\A0104613.ini High

9/1/2011 11:14:43 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1035\A0104641.ini High

9/1/2011 11:15:32 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1035\A0104656.ini High

9/1/2011 11:16:41 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1035\A0104679.ini High

9/1/2011 11:17:16 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1036\A0104705.ini High

9/1/2011 11:17:22 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1036\A0104713.ini High

9/1/2011 11:17:34 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1036\A0104721.ini High

9/1/2011 11:17:42 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1036\A0104729.ini High

9/1/2011 11:20:34 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1036\A0104753.ini High

9/1/2011 11:21:14 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1037\A0104812.ini High

9/1/2011 11:21:28 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1038\A0104840.ini High

9/1/2011 11:24:09 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104868.ini High

9/1/2011 11:24:42 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104897.ini High

9/1/2011 11:24:44 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104906.ini High

9/1/2011 11:25:00 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104930.ini High

9/1/2011 11:25:02 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104953.ini High

9/1/2011 11:26:11 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104978.ini High

9/1/2011 11:26:12 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104993.ini High

9/1/2011 11:26:13 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105005.ini High

9/1/2011 11:26:18 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105015.ini High

9/1/2011 11:26:20 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105022.ini High

9/1/2011 11:26:23 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105053.ini High

9/1/2011 11:26:30 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105083.ini High

9/1/2011 11:27:51 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105444.ini High

9/1/2011 11:27:52 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105453.ini High

9/1/2011 11:28:41 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105540.ini High

9/1/2011 11:28:49 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105554.sys High

9/1/2011 11:28:49 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105555.ini High

9/1/2011 11:29:28 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105588.sys High

9/1/2011 11:29:28 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105589.ini High

9/1/2011 11:29:29 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0107597.sys High

9/1/2011 11:29:30 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0107598.ini High

9/1/2011 11:29:38 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0107638.sys High

9/1/2011 11:29:32 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0107639.ini High

9/1/2011 11:29:39 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0108638.sys High

9/1/2011 11:29:33 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0108639.ini High

9/1/2011 11:29:42 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0108654.sys High

9/1/2011 11:29:39 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0108655.ini High

9/1/2011 11:29:46 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0108671.sys High

9/1/2011 11:29:42 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0108672.ini High

9/1/2011 11:29:54 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0108678.sys High

9/1/2011 11:29:43 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0108679.ini High

9/1/2011 11:30:14 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0108778.sys High

9/1/2011 11:30:10 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0108779.ini High

9/1/2011 11:30:21 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0109779.sys High

9/1/2011 11:30:17 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0109785.ini High

9/1/2011 11:31:45 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1043\A0110023.sys High

9/1/2011 11:54:19 PM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\WINDOWS\ASSEMBLY\GAC_MSIL\Desktop(2).ini High

Status: Disinfected (events: 14)

9/1/2011 7:56:06 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.bw C:\Documents and Settings\Peter Maves\Application Data\Sun\Java\Deployment\cache\6.0\26\6ae23b9a-14c3e6d1 High

9/1/2011 7:56:06 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.bw C:\Documents and Settings\Peter Maves\Application Data\Sun\Java\Deployment\cache\6.0\26\6ae23b9a-14c3e6d1/buildService/BuildClass.class High

9/1/2011 7:56:06 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.br C:\Documents and Settings\Peter Maves\Application Data\Sun\Java\Deployment\cache\6.0\31\54e27b5f-73d5f6d6 High

9/1/2011 7:56:06 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.br C:\Documents and Settings\Peter Maves\Application Data\Sun\Java\Deployment\cache\6.0\31\54e27b5f-73d5f6d6/buildService/BuildClass.class High

9/1/2011 7:56:42 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.bw C:\Documents and Settings\Peter Maves\Application Data\Sun\Java\Deployment\cache\6.0\35\24a4dc63-58db13fb High

9/1/2011 7:56:42 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.bw C:\Documents and Settings\Peter Maves\Application Data\Sun\Java\Deployment\cache\6.0\35\24a4dc63-58db13fb/buildService/BuildClass.class High

9/1/2011 9:44:44 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe High

9/1/2011 9:42:36 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe High

9/1/2011 11:26:49 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105304.old High

9/1/2011 11:26:49 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105309.old High

9/1/2011 11:26:49 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105313.old High

9/1/2011 11:26:53 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105321.old High

9/1/2011 11:26:56 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105367.rbf High

9/1/2011 11:26:58 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105385.rbf High

Status: Quarantined (events: 2)

9/1/2011 9:43:46 PM Quarantined unknown threat UDS:DangerousObject.Multi.Generic C:\Program Files\AOL\Installers\AOL Explorer 1.0\ocpinst.exe High

9/1/2011 11:36:21 PM Quarantined unknown threat UDS:DangerousObject.Multi.Generic C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1050\A0112128.exe High

Status: Will be disinfected when the computer is restarted (events: 33)

9/1/2011 10:58:15 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Avira\AntiVir Desktop\avguard.exe.vir High

9/1/2011 10:58:14 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Avira\AntiVir Desktop\sched.exe.vir High

9/1/2011 10:58:15 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe.vir High

9/1/2011 10:58:55 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\WINDOWS\system32\wscript.exe.vir High

9/1/2011 11:26:39 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105134.exe High

9/1/2011 11:26:44 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105223.exe High

9/1/2011 11:26:43 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105230.exe High

9/1/2011 11:27:55 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105458.exe High

9/1/2011 11:27:57 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105459.EXE High

9/1/2011 11:28:04 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105460.exe High

9/1/2011 11:28:05 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105461.exe High

9/1/2011 11:28:06 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105462.exe High

9/1/2011 11:28:09 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105463.exe High

9/1/2011 11:28:12 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105464.exe High

9/1/2011 11:28:13 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105465.exe High

9/1/2011 11:28:17 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105466.exe High

9/1/2011 11:28:20 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105467.EXE High

9/1/2011 11:28:22 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105468.exe High

9/1/2011 11:28:25 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105469.exe High

9/1/2011 11:28:26 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105470.exe High

9/1/2011 11:28:28 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105471.EXE High

9/1/2011 11:28:29 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105472.exe High

9/1/2011 11:28:33 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105473.exe High

9/1/2011 11:28:36 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105474.exe High

9/1/2011 11:28:44 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105551.exe High

9/1/2011 11:28:45 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105552.EXE High

9/1/2011 11:30:02 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0108708.exe High

9/1/2011 11:30:20 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0109830.exe High

9/1/2011 11:30:22 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0109831.exe High

9/1/2011 11:30:29 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0109832.exe High

9/1/2011 11:30:29 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0109833.exe High

9/1/2011 11:31:47 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1050\A0112126.exe High

9/1/2011 11:31:57 PM Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1050\A0112127.exe High

Status: Will be deleted when the computer is restarted (events: 38)

9/1/2011 11:05:15 PM Will be deleted when the computer is restarted Trojan program Backdoor.Win32.ZAccess.dg C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1031\A0101487.ini High

9/1/2011 11:06:44 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1031\A0104308.sys High

9/1/2011 11:07:02 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1033\A0104421.sys High

9/1/2011 11:07:33 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1033\A0104434.sys High

9/1/2011 11:07:35 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1033\A0104448.sys High

9/1/2011 11:09:58 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1033\A0104459.sys High

9/1/2011 11:09:58 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1033\A0104472.sys High

9/1/2011 11:09:58 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1033\A0104483.sys High

9/1/2011 11:10:49 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1034\A0104512.sys High

9/1/2011 11:12:04 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1034\A0104526.sys High

9/1/2011 11:12:04 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1034\A0104539.sys High

9/1/2011 11:13:00 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1034\A0104564.sys High

9/1/2011 11:12:58 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1034\A0104584.sys High

9/1/2011 11:14:12 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1034\A0104612.sys High

9/1/2011 11:14:48 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1035\A0104640.sys High

9/1/2011 11:16:41 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1035\A0104655.sys High

9/1/2011 11:16:45 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1035\A0104678.sys High

9/1/2011 11:17:25 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1036\A0104704.sys High

9/1/2011 11:17:24 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1036\A0104712.sys High

9/1/2011 11:18:22 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1036\A0104720.sys High

9/1/2011 11:18:30 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1036\A0104728.sys High

9/1/2011 11:21:11 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1036\A0104752.sys High

9/1/2011 11:21:27 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1037\A0104811.sys High

9/1/2011 11:23:58 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1038\A0104839.sys High

9/1/2011 11:24:09 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104867.sys High

9/1/2011 11:24:50 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104896.sys High

9/1/2011 11:24:52 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104905.sys High

9/1/2011 11:26:10 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104929.sys High

9/1/2011 11:26:10 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104952.sys High

9/1/2011 11:26:10 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104977.sys High

9/1/2011 11:26:17 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0104992.sys High

9/1/2011 11:26:16 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105004.sys High

9/1/2011 11:26:18 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105014.sys High

9/1/2011 11:26:29 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105021.sys High

9/1/2011 11:26:31 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105052.sys High

9/1/2011 11:26:34 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105082.sys High

9/1/2011 11:28:53 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105443.sys High

9/1/2011 11:28:53 PM Will be deleted when the computer is restarted Trojan program Rootkit.Win32.ZAccess.f C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1039\A0105452.sys High

Detected threats.zip

avptool_sysinfo.zip


Hello,

Things are looking up. Hopefully with Kaspersky deleting all those malicious files yesterday and Malwarebytes giving a positive report (below), my system is clear or nearly clear.

Everything appears to be running well. One thing to note is that while Malwarebytes was running, I had a program screen come up again (same as yesterday) saying something about jusched.exe needing to close. Other than that, all seems to be going well.

I have concerns about what I should run besides Malwarebytes for protecting my PC, especially after seeing AVG and Avira being used as cover for the malware. I'd like to know what you recommend best for protection...but I'm sure you'll address that once we're definitely in the clear with the clean up process.

Here's the malwarebytes log.

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7640

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

9/2/2011 8:56:20 PM

mbam-log-2011-09-02 (20-56-20).txt

Scan type: Full scan (A:\|C:\|)

Objects scanned: 303578

Time elapsed: 1 hour(s), 31 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


I use MBAM Pro along with Microsoft Security Essentials and haven't had any issues.

You can delete AVPTool

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn

  • JAVA Click this link and click on the Free JAVA Download

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

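The Internet Explorer hardening steps in the post above map to DWORD values under the Internet zone (zone 3) of the Internet Settings\Zones registry key, which makes them easy to audit after the fact, or to re-apply if malware or a later "fix" silently reverts them. The following PowerShell script is an added example and is not part of the original thread or the helper's instructions. It assumes the value IDs and the Enable/Prompt/Disable encoding (0/1/3) that Microsoft documents for the Zones key; confirm them against your IE version before trusting the report, and run it as the user whose profile you are checking, since the settings live under HKCU.

```powershell
# Added example (not from the original thread): audit, and optionally enforce,
# the Internet-zone settings the helper's post asks the user to change.
# Assumptions: the value IDs below and the 0=Enable / 1=Prompt / 3=Disable
# encoding follow Microsoft's documentation of the Zones registry key.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone

$Prompt  = 1
$Disable = 3

# Desired state from the post: value ID -> (description, wanted setting)
$wanted = @{
    '1001' = @('Download signed ActiveX controls',                          $Prompt)
    '1004' = @('Download unsigned ActiveX controls',                        $Disable)
    '1201' = @('Initialize and script ActiveX controls not marked as safe', $Disable)
    '1800' = @('Installation of desktop items',                             $Prompt)
    '1804' = @('Launching programs and files in an IFRAME',                 $Prompt)
    '1607' = @('Navigate sub-frames across different domains',              $Prompt)
}

function Test-InternetZoneHardening {
    param([switch]$Fix)   # -Fix writes the wanted value where it differs

    $key = Get-ItemProperty -Path $zoneKey
    $mismatches = 0
    foreach ($id in $wanted.Keys) {
        $desc, $want = $wanted[$id]
        $have = $key.$id   # $null if the value is absent (IE then uses the template default)
        if ($have -eq $want) {
            Write-Host ("OK       {0} ({1}) = {2}" -f $id, $desc, $have)
        } else {
            $mismatches++
            Write-Host ("MISMATCH {0} ({1}) = {2}, want {3}" -f $id, $desc, $have, $want)
            if ($Fix) {
                Set-ItemProperty -Path $zoneKey -Name $id -Value $want -Type DWord
            }
        }
    }
    return $mismatches
}

# Report only; add -Fix to apply the settings from the post.
$bad = Test-InternetZoneHardening
Write-Host "$bad setting(s) differ from the recommended values"
```

A value that is missing from HKCU is reported as a mismatch because the script cannot tell which template default IE will fall back to; that is the conservative choice for a machine that has just been cleaned. Re-run the audit after the reboot the helper's ComboFix /Uninstall and DeFogger steps require, since both reboots give any leftover component a chance to rewrite these keys.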

Okay, I've uninstalled ComboFix, used DeFogger to reenable cd emulation drivers, installed MS Essentials and the updated Java.

Despite the all clear from Kaspersky and Malwarebytes, when I ran MS Essentials (quick scan and full scan), it came up with 3 threats:

Exploit:Java/CVE-2010-0094.Ert

Exploit:Java/CVE-2010-0840.Ew

Backdoor:Win32/Smadow.gen!B

These were removed by the program. I ran MS Essentials in safe mode and then again in regular mode but no further threats were detected.

When I tried installing the Java, I was given an error message. It said it could not unzip the Java folder: Error code 25099. I looked this error code up online, and it said to remove all Java folders from Program Files, then try reinstalling. After doing that and rebooting, the updated version of Java was allowed to be fully installed. Another reboot was requested. After the reboot, a message came up with this:

Data Execution Prevention - Microsoft Windows

To help protect your computer, Windows closed this program

Spooler Subsystem App

also, Malwarebytes showed this message: [shell_NotifyIcon] Failed to perform action. Error Code:0

So after all of that I believe the Java is updated and fully installed now.

I figured out (via google) that the spooler subsystem app had to do with my printer not working. Besides the general computer functions, I don't often print and had failed to notice that that wasn't working and thus failed to notice that it was still not functional after all the malware had been cleared. I found my Microsoft Drivers cd and wasn't able to run it since my drive was disabled. I had reenabled the DeFogger already but I wasn't sure if this had anything to do with the drive being disabled. I found the Microsoft Support link to Microsoft FixIt, ran that, and got the drive going. I ran the cd to reinstall the printer, and now that seems to be working like normal.

Everything else is running smoothly. Please let me know if you have any further instruction, such as with the printer and/or cd drive, in case I missed something or failed to bring them back correctly.

Thanks again,

Peter
