TechSpot

I have the Win32/Zbot.g

By Demonwing
Sep 7, 2011
  1. I have no idea what to do about it, so some help would be greatly appreciated

    Thanks in advance

    ~DW
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware.

    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    Would it be correct to say that you have AVG and it warned about this infection? Hopefully we can find the entries, starting off with the following:

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ============================================
    When you have finished with the above, please run this online virus scan:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click the ESET Smart Installer download link to download it. Save it to your desktop.
      [o] Double-click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    Include the Eset log if there is one.
     
  3. Demonwing

    Demonwing TS Rookie Topic Starter

    Ahh, you're a life saver. I've got to pop to the shop, but I'll go through that as soon as I get back!

    Thanks again!
     
  4. Bobbye

    You're welcome. Post when you can.
     
  5. Demonwing

    Yeah, I tried the preliminary ones but can't get either link for GMER to work :s
     
  6. Bobbye

    You can skip GMER for now. Please go on with the rest of the steps.
     
  7. Demonwing

    Well I can't get GMER or DDS to download from those links but here's the Malwarebytes log at least:
    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7696

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/09/2011 23:45:46
    mbam-log-2011-09-10 (23-45-46).txt

    Scan type: Quick scan
    Objects scanned: 154298
    Time elapsed: 27 minute(s), 12 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    e:\Desktop\Stuff!!\adobe_photoshop_cs3\Shfolder.dll (Malware.Packer.Gen) -> Delete on reboot.

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MraNnbgu (Trojan.Agent) -> Value: MraNnbgu -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    e:\Desktop\Stuff!!\adobe_photoshop_cs3\Shfolder.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    c:\documents and settings\administrator\local settings\application data\ellbdxwe\mrannbgu.exe (Trojan.Agent) -> Delete on reboot.
    c:\documents and settings\administrator\start menu\programs\startup\mrannbgu.exe (Trojan.Agent) -> Delete on reboot.
    c:\documents and settings\administrator\local settings\temp\eaxipdibotumqvds.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     
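
Triage of a Malwarebytes log of the kind posted above, as an added example that is not part of the thread and not Malwarebytes' own logic. The sample log lines are constructed to mirror the entries in the post (same paths and verdicts), the flag heuristics (autostart location, user-writable folder, random-looking name) are the editor's own, and nothing here touches a live system:

```python
"""Parse Malwarebytes' Anti-Malware 1.x log sections and flag the entries that
matter for a Zbot-style infection: autostart points, binaries dropped into
user-writable folders, and random-looking names. Added example; the heuristics
are the editor's own, not Malwarebytes' logic."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed to mirror the log posted in this thread (same paths and verdicts).
SAMPLE_LOG = r"""
Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
e:\Desktop\Stuff!!\adobe_photoshop_cs3\Shfolder.dll (Malware.Packer.Gen) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MraNnbgu (Trojan.Agent) -> Value: MraNnbgu -> Quarantined and deleted successfully.

Files Infected:
e:\Desktop\Stuff!!\adobe_photoshop_cs3\Shfolder.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\application data\ellbdxwe\mrannbgu.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\administrator\start menu\programs\startup\mrannbgu.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\administrator\local settings\temp\eaxipdibotumqvds.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+) Infected:$")
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
REGISTRY_SECTIONS = {"Registry Keys", "Registry Values", "Registry Data Items"}

# Autostart locations seen in the posted log: the HKCU Run key and the Startup folder.
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\start menu\\programs\\startup\\")
# Folders any user-level process can write to on XP (no elevation needed to drop there).
USER_WRITABLE = ("\\local settings\\temp\\", "\\local settings\\application data\\",
                 "\\application data\\")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")


@dataclass
class Finding:
    kind: str                 # "registry" or "file"
    target: str               # registry value path or file path, as logged
    detection: str            # MBAM detection name, e.g. Trojan.Agent
    action: str               # MBAM's action text
    flags: List[str] = field(default_factory=list)

    @property
    def pending_reboot(self) -> bool:
        # "Delete on reboot" means the file was still locked; it is not gone yet.
        return "reboot" in self.action.lower()


def looks_random(name: str) -> bool:
    """Heuristic (editor's own): 8+ letters containing a run of 4+ consonants,
    like ellbdxwe or eaxipdibotumqvds, is unlike anything a person would name."""
    return name.isalpha() and len(name) >= 8 and bool(CONSONANT_RUN.search(name))


def triage(target: str) -> List[str]:
    low = target.lower().replace("/", "\\")
    flags = []
    if any(m in low for m in AUTOSTART_MARKERS):
        flags.append("autostart")
    if any(m in low for m in USER_WRITABLE):
        flags.append("user-writable-path")
    parts = low.split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    parent = parts[-2] if len(parts) > 1 else ""
    if looks_random(stem) or looks_random(parent):
        flags.append("random-name")
    return flags


def parse_mbam_log(text: str) -> List[Finding]:
    findings, kind = [], None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            kind = "registry" if sec.group(1) in REGISTRY_SECTIONS else "file"
            continue
        if not line or kind is None or line.startswith("("):
            continue  # blank, pre-section summary, or "(No malicious items detected)"
        m = ENTRY_RE.match(line)
        if not m:
            continue
        action = m.group("rest").split(" -> ")[-1]  # drop the "Value: X ->" prefix if present
        findings.append(Finding(kind, m.group("target"), m.group("detection"),
                                action, triage(m.group("target"))))
    return findings


def link_autostart(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each autostart registry value to the dropped files sharing its name.
    In the posted log the Run value MraNnbgu and both mrannbgu.exe copies are one
    persistence mechanism; leaving any of them lets the bot come back."""
    files = [f for f in findings if f.kind == "file"]
    links = {}
    for reg in findings:
        if reg.kind == "registry" and "autostart" in reg.flags:
            name = reg.target.lower().rsplit("\\", 1)[-1]
            links[name] = sorted(f.target for f in files
                                 if f.target.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0] == name)
    return links


def pending_reboot(findings: List[Finding]) -> List[str]:
    """Targets MBAM could not remove yet; re-scan after the reboot to confirm."""
    return [f.target for f in findings if f.pending_reboot]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:8} {','.join(f.flags) or '-':32} {f.target}")
    print("autostart links:", link_autostart(found))
    print("verify after reboot:", pending_reboot(found))
```

The point of the pairing in link_autostart is the one this log illustrates: the Run value name (MraNnbgu) is the same as the dropped binary in a random-named folder under Local Settings\Application Data and the copy in the Startup folder, so all three belong to one persistence chain, and two of the three were only scheduled for deletion on reboot, which is why a follow-up scan after restarting is needed before calling the machine clean.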
  8. Bobbye

    The DDS link is good. It has a file extension that is sometimes blocked.

    Please download this file: xp_scr_fix.

    Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with your registry; say Yes.

    You should then be able to run DDS.scr.

    It's the .scr file extension causing the problem.
     
  9. Demonwing

    Huh. I tried that and it still just opens as a blank page and nothing happens?

    Sorry for being a pain >.< lol
     
  10. Bobbye

    Did you run the Eset scan yet? Log?

    I'll have you go back to DDS after I see this log.
     
  11. Demonwing

    Hmm I'm getting blank pages for that as well?
     
  12. Bobbye

    Is there any message on the blank page anywhere?
    Does it say Done on the bottom left of the screen?
    Are you able to connect using other links, such as one of the Bookmarks?
    =======================================
    Please reboot your computer into Safe Mode by doing the following:
    • Restart the computer and start tapping the F8 key right after the logo loads
    • Select the Safe Mode option when the Windows Advanced Options menu appears.
    -------------------------
    Then run exeHelper

    Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
      Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
     
  13. Demonwing

    Well, I've got ESET working here and I've got it running now, but it's taking a looong time lol. I should have the results up later.
     
  14. Bobbye

    Okay, post when ready.
     
  15. Demonwing

    C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\1\798d9401-7b2c972d a variant of Java/Agent.DM trojan
    C:\Documents and Settings\Administrator\My Documents\Downloads\BestSpywareScanner_Setup.exe multiple threats
    C:\Documents and Settings\Administrator\My Documents\main formating programmes winrared\Nero.v.8.3.6.0.rar Win32/Toolbar.AskSBar application
    C:\Qoobox\Quarantine\C\Program Files\Best Spyware Scanner\BestSpywareScanner.exe.vir a variant of Win32/Adware.SpywareCease application
    C:\Qoobox\Quarantine\C\Program Files\Best Spyware Scanner\RkHitApi.dll.vir a variant of Win32/Adware.SpywareCease.AA application
    C:\Qoobox\Quarantine\C\WINXP\system32\drivers\RKHit.sys.vir Win32/Adware.SpywareCease application
    E:\Desktop\Stuff!!\FFSetup220.exe Win32/Adware.ADON application
    E:\Desktop\Stuff!!\Setups\XoftspySE\xoftspyse.4.22.0.12.patch-icu.zip probably a variant of Win32/Agent.ISNEPRR trojan
     
  16. Bobbye

    Is the E drive a flash drive? You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
    You have a folder named E:\Desktop\Stuff!! that has malware.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    Please download OTMoveIt by OldTimer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\1\798d9401-7b2c972d 
      C:\Documents and Settings\Administrator\My Documents\Downloads\BestSpywareScanner_Setup.exe 
      C:\Documents and Settings\Administrator\My Documents\main formating programmes winrared\Nero.v.8.3.6.0.rar 
      E:\Desktop\Stuff!!\FFSetup220.exe 
      E:\Desktop\Stuff!!\Setups\XoftspySE\xoftspyse.4.22.0.12.patch-icu.zip 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =======================================
    Please do not download any more antispyware programs unless I instruct you to. Looks like you tried 'Best Spyware Scanner'; it came with malware. Same with XoftSpy.
    ======================================
    There is also malware in the Java cache so it needs to be cleared:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on Temporary Files Settings window.
    Images courtesy java.com
    ====================================
    It appears that you have or had Combofix on the system. 3 entries in Eset are in the Qoobox. That is where Combofix sends the files it quarantines. Right now I have no information on your system, so I'd like you to proceed as follows:

    1. Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    ========================================
    2. Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, then try to immediately run the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
    =========================================
    After running the above, please download and run DDS:
    • Download DDS by sUBs and save it to your desktop.

      After downloading the tool, disconnect from the internet and disable all antivirus protection.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results, click no to the Optional_Scan
    • Follow the instructions that pop up for posting the results.
    • When done, DDS will open two (2) logs: Please paste both in your next reply.
      [o]DDS.txt
      [o]Attach.txt
    • Close the program window, and delete the program from your desktop.
    • Enable your Antivirus protection and reconnect to the internet.
    Please note: You may have to disable any script protection running if the scan fails to run.

    Leave the logs in your next reply: the combination of the Rkill/exeHelper log and the 2 logs from DDS.
     
  17. Demonwing

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\1\798d9401-7b2c972d moved successfully.
    C:\Documents and Settings\Administrator\My Documents\Downloads\BestSpywareScanner_Setup.exe moved successfully.
    C:\Documents and Settings\Administrator\My Documents\main formating programmes winrared\Nero.v.8.3.6.0.rar moved successfully.
    E:\Desktop\Stuff!!\FFSetup220.exe moved successfully.
    E:\Desktop\Stuff!!\Setups\XoftspySE\xoftspyse.4.22.0.12.patch-icu.zip moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 516303830 bytes
    ->Temporary Internet Files folder emptied: 3755569 bytes
    ->Java cache emptied: 737 bytes
    ->FireFox cache emptied: 192029762 bytes
    ->Flash cache emptied: 8780 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 1630838 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 633646 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 72373457 bytes

    Total Files Cleaned = 750.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 09272011_174353

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    exeHelper by Raktor
    Build 20100414
    Run at 17:57:25 on 09/27/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
    Run by Administrator at 18:04:45 on 2011-09-27
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.557 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINXP\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINXP\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINXP\System32\wltrysvc.exe
    C:\WINXP\System32\bcmwltry.exe
    C:\WINXP\system32\spoolsv.exe
    svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINXP\system32\IoctlSvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINXP\notepad.exe
    C:\WINXP\system32\hkcmd.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINXP\system32\wltray.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Registry Mechanic\RegMech.exe
    C:\WINXP\system32\ctfmon.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINXP\explorer.exe
    C:\WINXP\system32\notepad.exe
    C:\WINXP\system32\notepad.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mStart Page = about:blank
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
    mRun: [IgfxTray] c:\winxp\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\winxp\system32\hkcmd.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
    mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [wltray.exe] c:\winxp\system32\wltray.exe
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    dRun: [CTFMON.EXE] c:\winxp\system32\CTFMON.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winxp\system32\wpdshserviceobj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\boiifzig.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winxp\system32\drivers\avgldx86.sys [2011-9-6 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winxp\system32\drivers\avgmfx86.sys [2011-9-6 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\winxp\system32\drivers\avgtdix.sys [2011-9-6 108552]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2011-9-6 297752]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-9 366640]
    R3 MBAMProtector;MBAMProtector;c:\winxp\system32\drivers\mbam.sys [2011-8-9 22712]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\winxp\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2011-5-6 13904]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\winxp\system32\drivers\mbamswissarmy.sys [2011-8-9 41272]
    S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\admini~1\locals~1\temp\tgbunxxv.sys --> c:\docume~1\admini~1\locals~1\temp\tgbunxxv.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\winxp\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-09-27 16:43:53 -------- d-----w- C:\_OTM
    2011-09-24 20:49:39 -------- d-----w- c:\program files\AviSynth 2.5
    2011-09-24 18:17:08 -------- d-----w- c:\program files\MiniTheatre
    2011-09-22 12:19:49 -------- d-----w- c:\program files\ESET
    2011-09-18 11:38:17 -------- d-----w- C:\spoolerlogs
    2011-09-07 23:32:52 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Adobe
    2011-09-06 18:25:09 11952 ----a-w- c:\winxp\system32\avgrsstx.dll
    2011-09-06 18:25:07 108552 ----a-w- c:\winxp\system32\drivers\avgtdix.sys
    2011-09-06 18:24:57 335240 ----a-w- c:\winxp\system32\drivers\avgldx86.sys
    2011-09-06 18:24:51 -------- d-----w- c:\winxp\system32\drivers\Avg
    2011-09-06 18:24:49 -------- d-----w- c:\documents and settings\all users\application data\AVG Security Toolbar
    2011-09-03 18:53:12 -------- d-----w- C:\$AVG8.VAULT$
    2011-09-03 17:32:23 -------- d-----w- c:\program files\AVG
    2011-09-03 17:32:19 -------- d-----w- c:\documents and settings\all users\application data\avg8
    2011-09-03 17:01:22 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
    2011-09-03 17:00:56 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-09-03 16:09:00 -------- d-sha-r- C:\cmdcons
    2011-09-03 16:07:14 98816 ----a-w- c:\winxp\sed.exe
    2011-09-03 16:07:14 518144 ----a-w- c:\winxp\SWREG.exe
    2011-09-03 16:07:14 256000 ----a-w- c:\winxp\PEV.exe
    2011-09-03 16:07:14 208896 ----a-w- c:\winxp\MBR.exe
    2011-09-03 16:05:26 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Sun
    2011-09-03 06:18:22 544656 ----a-w- c:\winxp\system32\deployJava1.dll
    2011-09-03 01:30:54 -------- d-----w- c:\winxp\system32\LogFiles
    2011-09-02 15:53:02 110080 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{820c0eeb-9b12-4ad5-b39d-d15ed1dbdd06}\IconF7A21AF7.exe
    2011-09-02 15:53:02 110080 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{820c0eeb-9b12-4ad5-b39d-d15ed1dbdd06}\IconD7F16134.exe
    2011-09-02 15:53:02 110080 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{820c0eeb-9b12-4ad5-b39d-d15ed1dbdd06}\IconCF33A0CE.exe
    2011-09-02 15:51:57 -------- d-----w- C:\sh4ldr
    2011-09-02 15:51:57 -------- d-----w- c:\program files\Enigma Software Group
    2011-09-02 05:11:17 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
    2011-09-02 02:55:01 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2011-09-02 02:54:24 65024 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{cddcbbf1-2703-46bc-938b-bcc81a1eeaaa}\IconCDDCBBF15.exe
    2011-09-02 02:54:24 5120 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{cddcbbf1-2703-46bc-938b-bcc81a1eeaaa}\IconCDDCBBF16.exe
    2011-09-02 02:54:24 18944 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{cddcbbf1-2703-46bc-938b-bcc81a1eeaaa}\IconCDDCBBF13.exe
    2011-09-02 02:52:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-09-02 02:52:21 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
    2011-09-02 02:48:14 -------- d-----w- c:\program files\common files\Wise Installation Wizard
    2011-09-02 01:24:29 -------- d-----w- c:\documents and settings\administrator\local settings\application data\NPE
    2011-09-02 01:24:27 -------- d-----w- c:\documents and settings\all users\application data\Norton
    2011-09-01 22:03:54 404640 ----a-w- c:\winxp\system32\FlashPlayerCPLApp.cpl
    2011-09-01 21:31:54 134104 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-09-01 21:31:53 16856 ------w- c:\program files\mozilla firefox\plugin-container.exe
    2011-09-01 21:31:52 924632 ------w- c:\program files\mozilla firefox\firefox.exe
    2011-09-01 21:31:52 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-09-01 21:31:52 785368 ------w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-09-01 21:31:52 719832 ------w- c:\program files\mozilla firefox\mozcpp19.dll
    2011-09-01 21:31:52 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-09-01 21:31:52 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-09-01 21:31:52 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-09-01 21:31:52 1846232 ------w- c:\program files\mozilla firefox\mozjs.dll
    2011-09-01 21:31:52 15832 ------w- c:\program files\mozilla firefox\mozalloc.dll
    2011-09-01 19:28:46 -------- d-----w- c:\documents and settings\administrator\local settings\application data\ellbdxwe
    2011-09-01 17:27:45 17801 ----a-w- c:\winxp\system32\drivers\AegisP.sys
    2011-09-01 17:25:48 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
    2011-09-01 17:25:45 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
    2011-09-01 17:25:42 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
    2011-09-01 16:00:51 -------- d-----w- c:\documents and settings\all users\application data\PC Drivers HeadQuarters Inc
    2011-09-01 15:49:59 -------- d-----w- c:\documents and settings\administrator\application data\GetRightToGo
    .
    ==================== Find3M ====================
    .
    2011-09-03 06:17:32 128000 ----a-w- c:\winxp\system32\javacpl.cpl
    2011-07-06 18:52:42 41272 ----a-w- c:\winxp\system32\drivers\mbamswissarmy.sys
    2011-07-06 18:52:42 22712 ----a-w- c:\winxp\system32\drivers\mbam.sys
    .
    ============= FINISH: 18:05:36.07 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 09/08/2011 03:41:26
    System Uptime: 27/09/2011 17:45:46 (1 hours ago)
    .
    Motherboard: Dell Computer Corp. | | 0G1548
    Processor: Intel(R) Celeron(R) CPU 2.40GHz | Microprocessor | 2392/400mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 18.721 GiB free.
    D: is CDROM (CDFS)
    E: is FIXED (NTFS) - 149 GiB total, 14.88 GiB free.
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: BT Voyager 1055 Laptop Adapter
    Device ID: USB\VID_1690&PID_0715\0016E3A1C813
    Manufacturer: BT
    Name: BT Voyager 1055 Laptop Adapter
    PNP Device ID: USB\VID_1690&PID_0715\0016E3A1C813
    Service: USB_RNDIS
    .
    Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
    Description: PCI Simple Communications Controller
    Device ID: PCI\VEN_14F1&DEV_2702&SUBSYS_8D881043&REV_01\4&3B1CAF2B&0&28F0
    Manufacturer:
    Name: PCI Simple Communications Controller
    PNP Device ID: PCI\VEN_14F1&DEV_2702&SUBSYS_8D881043&REV_01\4&3B1CAF2B&0&28F0
    Service:
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Broadcom 440x 10/100 Integrated Controller
    Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
    Manufacturer: Broadcom
    Name: Broadcom 440x 10/100 Integrated Controller
    PNP Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
    Service: bcm4sbxp
    .
    ==== System Restore Points ===================
    .
    RP42: 11/09/2011 07:03:33 - System Checkpoint
    RP43: 12/09/2011 07:57:43 - System Checkpoint
    RP44: 13/09/2011 08:15:18 - System Checkpoint
    RP45: 14/09/2011 09:15:26 - System Checkpoint
    RP46: 16/09/2011 06:50:53 - System Checkpoint
    RP47: 16/09/2011 16:43:37 - Update to an unsigned driver
    RP48: 18/09/2011 05:37:09 - System Checkpoint
    RP49: 18/09/2011 16:31:19 - Avg8 Update
    RP50: 18/09/2011 16:48:21 - Avg8 Update
    RP51: 20/09/2011 00:21:23 - System Checkpoint
    RP52: 21/09/2011 04:41:12 - System Checkpoint
    RP53: 22/09/2011 04:49:42 - System Checkpoint
    RP54: 23/09/2011 06:29:25 - System Checkpoint
    RP55: 24/09/2011 19:17:01 - Installed MiniCoder
    RP56: 25/09/2011 19:26:48 - System Checkpoint
    RP57: 26/09/2011 19:39:59 - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    .
    Adobe Flash Player 10 Plugin
    Adventure Maker v4.5.2 (build1)
    AllToAVI v4 r5394
    AVG Free 8.5
    AviSynth 2.5
    Blender
    BT Voyager Wireless Utility
    ESET Online Scanner v3
    FormatFactory 2.20
    Intel(R) Extreme Graphics Driver
    Java Auto Updater
    Java(TM) 6 Update 7
    Java(TM) 7
    JDownloader
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 3.0
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    MiniCoder
    Mozilla Firefox 6.0.2 (x86 en-US)
    MSXML 6.0 Parser (KB925673)
    Nero 8
    neroxml
    Registry Mechanic 8.0
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB980195)
    SpyHunter
    SUPERAntiSpyware Free Edition
    Update for Microsoft Windows (KB971513)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    VCRedistSetup
    VLC media player 1.1.11
    WebFldrs XP
    Windows Communication Foundation
    Windows Presentation Foundation
    Windows Workflow Foundation
    WinRAR 4.00 (32-bit)
    XML Paper Specification Shared Components Pack 1.0
    yWriter5
    .
    ==== Event Viewer Messages From Past Week ========
    .
    27/09/2011 17:48:33, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    27/09/2011 17:48:33, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    27/09/2011 17:43:59, error: Service Control Manager [7034] - The NMIndexingService service terminated unexpectedly. It has done this 1 time(s).
    27/09/2011 17:43:57, error: Service Control Manager [7034] - The PLFlash DeviceIoControl Service service terminated unexpectedly. It has done this 1 time(s).
    27/09/2011 17:43:57, error: Service Control Manager [7034] - The Nero BackItUp Scheduler 3 service terminated unexpectedly. It has done this 1 time(s).
    27/09/2011 17:43:55, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
    27/09/2011 17:43:55, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    27/09/2011 17:43:55, error: Service Control Manager [7034] - The Broadcom Wireless LAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
    27/09/2011 17:43:55, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    21/09/2011 14:13:44, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
    20/09/2011 19:43:37, error: W32Time [34] - The time service has detected that the system time needs to be changed by +86515 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.66:123->65.55.59.52:123) is working properly.
    .
    ==== End Of File ===========================
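The pasted DDS listing above is the kind of output a helper reads by eye. As an added example (not part of DDS, ComboFix or this thread), here is a small Python triage that parses lines in that format and flags recently created, random-looking folders under the per-user Application Data roots, such as the `ellbdxwe` entry in the log; the line format, the root list and the name heuristic are assumptions made for the example.

```python
"""Triage of DDS-style recent-file listings: flag fresh, random-looking folders under per-user
application data. Added example, not part of DDS, ComboFix or this thread; the line format and
heuristics are assumptions made for the example."""
import re
from datetime import datetime

# Format seen in the pasted log: "YYYY-MM-DD HH:MM:SS <size or -------> <attrs> <path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
# Per-user data roots where droppers often create a folder with a random name (heuristic).
SUSPECT_ROOTS = ("\\local settings\\application data\\", "\\application data\\")

def parse_line(line):
    """Return a dict for one listing line, or None for separators and headers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, size, attrs, path = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"), "path": path}

def looks_random(name):
    """Heuristic: 6-12 lowercase letters with few vowels ('ellbdxwe' yes, 'getrighttogo' no)."""
    if not (6 <= len(name) <= 12 and name.isalpha() and name.islower()):
        return False
    return sum(ch in "aeiou" for ch in name) / len(name) <= 0.3

def flag_suspect_dirs(lines, since):
    """Directories created on/after `since` (YYYY-MM-DD) under SUSPECT_ROOTS with a random leaf."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    hits = []
    for line in lines:
        e = parse_line(line)
        if not e or not e["is_dir"] or e["time"] < cutoff:
            continue
        low = e["path"].lower()
        if any(r in low for r in SUSPECT_ROOTS) and looks_random(low.rsplit("\\", 1)[-1]):
            hits.append(e["path"])
    return hits

# Constructed sample in the shape of the log above, separator line included on purpose.
SAMPLE = """==================== Find3M ====================
2011-09-01 19:28:46 -------- d-----w- c:\\documents and settings\\administrator\\local settings\\application data\\ellbdxwe
2011-09-01 16:00:51 -------- d-----w- c:\\documents and settings\\all users\\application data\\PC Drivers HeadQuarters Inc
2011-09-01 15:49:59 -------- d-----w- c:\\documents and settings\\administrator\\application data\\GetRightToGo
2011-07-06 18:52:42 22712 ----a-w- c:\\winxp\\system32\\drivers\\mbam.sys""".splitlines()

if __name__ == "__main__":
    for p in flag_suspect_dirs(SAMPLE, "2011-08-25"):
        print("review:", p)
```

A hit is only a pointer for the helper to look at; product folders with real names are passed over, and the cutoff date keeps old, stable directories out of the list.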
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay then! Took a while but finally got it! There are entries I will need to remove- did you gather some scans on the internet to try and resolve the problem?

    I'd like you to run Combofix. It won't run with AVG on the system and AVG left no way to disable it, so you will have to remove it temporarily. I note that you still have AVG v8.5. If you do put it back on the system when we are through, you might want to get the current v2011.
    ===================================
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =======================================
    Comments:
    1: From OTM> Total Files Cleaned = 750.00 mb That's a lot of files you don't need running on the system. You might want to consider doing routine maintenance on the system more often.

    2. Advise you remove Registry Mechanic. We don't recommend that anyone use a registry cleaner.

    3: You should get the Java v6u27 update rather than Java 7, which is still being tested.
     
  19. Demonwing

    Demonwing TS Rookie Topic Starter

    Hey, I don't know if you will need me to start again or something. I only just got back online, lost the internet for (quite) a while there, and I don't think I finished doing this.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- thread should have been closed and marked 'Inactive.' Please start a new thread, describe current problems and run new scans. If you would like us to check the system for malware, please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ===============================================
    Either Broni or I will pick the new thread up. The scans in this thread are too far out of date- you will have to start over.
     
Topic Status:
Not open for further replies.