TechSpot

Win32 Zbot virus on my PC

By poisongaz
Aug 2, 2011
  1. Hi,

    My PC got infected by the Zbot virus last night. AVG started going mad warning me of multiple infections in several systems.

    Malwarebytes doesn't detect anything, AVG scans finish immediately, Spywareblaster keeps asking me to allow something to run on Startup, which I keep refusing.

    I'm unable to get online as when I try to run Internet Explorer it reports a problem running particular scripts.

    I've never come accross such an agressive virus before and feel totally helpless. Please can you help me? I'm desperate.

    Thanks in anticipation.

    Gary

    P.S. I'm on my laptop writing this as I'm unable to get online with my PC, so I guess I should get a USB stick to load up all the software and transfer the scan reports.
     
  2. poisongaz

    poisongaz TS Rookie Topic Starter

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7354

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    02/08/2011 12:58:57
    mbam-log-2011-08-02 (12-58-57).txt

    Scan type: Quick scan
    Objects scanned: 160309
    Time elapsed: 9 minute(s), 30 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    -------------------------------------------------------------------------------------------------------

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-02 14:48:02
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-22LSA0 rev.06.01D06
    Running: nqv64ifo.exe; Driver: C:\DOCUME~1\Gary\LOCALS~1\Temp\kgddyfow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----
     
  3. poisongaz

    poisongaz TS Rookie Topic Starter

    .
    DDS (Ver_2011-06-23.01) - FAT32x86
    Internet Explorer: 8.0.6001.18702
    Run by Gary at 14:50:06 on 2011-08-02
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3319.2572 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Gary\Desktop\nqv64ifo.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://bt.yahoo.com
    uWindow Title = Microsoft Internet Explorer Provided by Wanadoo
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
    uInternet Connection Wizard,ShellNext = hxxp://www.wanadoo.co.uk/cd_redirects/st35install.htm
    uInternet Settings,ProxyServer = http=127.0.0.1:9090
    uInternet Settings,ProxyOverride = *.local;<local>
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    mURLSearchHooks: H - No File
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\gary\local settings\application data\mtjfdlyf\rabrnoiv.exe
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {C86AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: {73F7F495-A325-4C52-BE48-5F97FA511E89} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
    uRun: [kdx] c:\program files\kontiki\KHost.exe -all
    uRun: [ccleaner] "c:\program files\ccleaner\ccleaner.exe" /AUTO
    uRun: [RabRnoiv] c:\documents and settings\gary\local settings\application data\mtjfdlyf\rabrnoiv.exe
    mRun: [LaunchApp] Alaunch
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
    mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
    mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    dPolicies-explorer: DisallowRun = 1 (0x1)
    dPolicies-disallowrun: 1 = firefox.exe
    dPolicies-disallowrun: 2 = opera.exe
    dPolicies-disallowrun: 3 = chrome.exe
    IE: &Search
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - {73F7F495-A325-4C52-BE48-5F97FA511E89}
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    Trusted Zone: gamehouse.com\global.fb
    Trusted Zone: microsoft.com\download.windowsupdate
    Trusted Zone: microsoft.com\update
    Trusted Zone: plentyoffish.com\www
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
    DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200418663687
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-15 135664]
    S2 Network Location Awareness (NLA) (Nla) ;Network Location Awareness (NLA) (Nla) ;c:\program files\tinyproxy\tinyproxy.exe --> c:\program files\tinyproxy\tinyproxy.exe [?]
    S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-7 1251720]
    S3 DCamUSBLTN;M318B Digital Video Camera;c:\windows\system32\drivers\vq318vid.sys --> c:\windows\system32\drivers\vq318vid.sys [?]
    S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\gary\locals~1\temp\dmskssrh.sys --> c:\docume~1\gary\locals~1\temp\DMSKSSRh.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-11-15 135664]
    S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2009-7-9 30560]
    S3 S3U10Scanner;600 CU Still Image Device Service;c:\windows\system32\drivers\UsbScan.sys [2006-12-14 15104]
    .
    =============== File Associations ===============
    .
    regfile=regedit.exe "%1" %*
    .
    =============== Created Last 30 ================
    .
    2011-08-02 11:38:04 -------- d-sh--w- C:\FOUND.008
    2011-08-01 23:03:56 -------- d-sh--w- C:\FOUND.007
    2011-08-01 21:59:36 -------- d-----w- c:\documents and settings\gary\local settings\application data\mtjfdlyf
    .
    ==================== Find3M ====================
    .
    2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-02 14:02:06 1858944 ----a-w- c:\windows\system32\win32k.sys
    2007-06-28 23:52:26 25755448 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
    2006-03-22 22:26:06 1470872 ------w- c:\program files\mirc617.exe
    .
    ============= FINISH: 14:51:42.98 ===============
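
    As an added example that is not part of this thread (neither the helper's instructions nor DDS output), the script below applies, in code, the checks a malware-removal helper runs by eye over a DDS "Pseudo HJT Report": a Userinit value carrying a second executable from the user's profile, an Internet Explorer proxy pointed at the loopback address, Run entries launching from Local Settings, a DisallowRun policy that blocks firefox.exe/opera.exe/chrome.exe, and services whose binary DDS could not verify (its `--> path [?]` notation) or whose display name mimics a Windows component while the binary sits outside svchost.exe. The sample input is lines copied from the log posted above; the rule names, the `USER_WRITABLE` markers and the `SVCHOST_HOSTED` list are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Lines copied from the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" sections
# posted above; this is the constructed sample input for the demonstration.
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\gary\local settings\application data\mtjfdlyf\rabrnoiv.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RabRnoiv] c:\documents and settings\gary\local settings\application data\mtjfdlyf\rabrnoiv.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
dPolicies-explorer: DisallowRun = 1 (0x1)
dPolicies-disallowrun: 1 = firefox.exe
dPolicies-disallowrun: 2 = opera.exe
dPolicies-disallowrun: 3 = chrome.exe
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
S2 Network Location Awareness (NLA) (Nla) ;Network Location Awareness (NLA) (Nla) ;c:\program files\tinyproxy\tinyproxy.exe --> c:\program files\tinyproxy\tinyproxy.exe [?]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\gary\locals~1\temp\dmskssrh.sys --> c:\docume~1\gary\locals~1\temp\DMSKSSRh.sys [?]
"""

# The only program Userinit should launch on a stock Windows XP install.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
# Assumed markers: profile directories a startup entry or service binary should not run from.
USER_WRITABLE = ("\\local settings\\application data\\", "\\temp\\")
# Assumed list: XP services hosted inside svchost.exe; a stand-alone binary under that name is a spoof.
SVCHOST_HOSTED = ("network location awareness",)

Finding = Tuple[str, str]  # (rule name, offending value)


def check_userinit(line: str) -> List[Finding]:
    """Flag every extra executable chained onto Winlogon's Userinit value."""
    m = re.match(r"mWinlogon:\s*Userinit=(.*)", line, re.I)
    if not m:
        return []
    parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
    return [("userinit_hijack", p) for p in parts if p.lower() != STOCK_USERINIT]


def check_proxy(line: str) -> List[Finding]:
    """Flag an IE proxy that routes traffic through a listener on this machine."""
    m = re.match(r"[um]Internet Settings,ProxyServer\s*=\s*(.*)", line, re.I)
    if m and re.search(r"127\.0\.0\.1|localhost", m.group(1), re.I):
        return [("loopback_proxy", m.group(1).strip())]
    return []


def check_run_keys(line: str) -> List[Finding]:
    """Flag Run-key entries that start a binary from a user-writable profile directory."""
    m = re.match(r"[umd]Run:\s*\[[^\]]*\]\s*(.*)", line, re.I)
    if not m:
        return []
    path = m.group(1).strip().strip('"').lower()
    return [("autorun_from_profile", path)] if any(w in path for w in USER_WRITABLE) else []


def check_disallowrun(line: str) -> List[Finding]:
    """Flag each executable the Explorer DisallowRun policy forbids (here: other browsers)."""
    m = re.match(r"dPolicies-disallowrun:\s*\d+\s*=\s*(.*)", line, re.I)
    return [("disallowrun_policy", m.group(1).strip())] if m else []


def check_services(line: str) -> List[Finding]:
    """Parse a DDS service line '<state> <name>;<display>;<path> [...]' and flag oddities."""
    m = re.match(r"[RS][0-4]\s+([^;]*);([^;]*);(.*)", line)
    if not m:
        return []
    name, display, rest = (s.strip() for s in m.groups())
    path = rest.lower()
    findings: List[Finding] = []
    if rest.endswith("[?]"):  # DDS could not find or verify the service binary
        findings.append(("service_binary_unverified", f"{name} -> {rest}"))
    if any(w in path for w in USER_WRITABLE):
        findings.append(("service_from_profile", f"{name} -> {rest}"))
    if any(display.lower().startswith(s) for s in SVCHOST_HOSTED) and "svchost.exe" not in path:
        findings.append(("service_name_spoof", f"{display} -> {rest}"))
    return findings


CHECKS = (check_userinit, check_proxy, check_run_keys, check_disallowrun, check_services)


def analyze(report: str) -> List[Finding]:
    """Run every check over every non-empty line of a DDS report."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if line:
            for check in CHECKS:
                findings.extend(check(line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, for a quick triage view."""
    counts: Dict[str, int] = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_DDS):
        print(f"{rule:26} {detail}")
```

    Run against the sample, the script returns ten findings, one for each entry the helper would have to undo: the rabrnoiv.exe path appears twice (Userinit and a uRun key), the three DisallowRun entries explain why only Internet Explorer can be launched, and both the NLA-named tinyproxy service and the DMSKSSRh driver in the temp folder are reported as unverifiable binaries.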
     
  4. poisongaz

    poisongaz TS Rookie Topic Starter

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 29/10/2005 04:14:54
    System Uptime: 02/08/2011 14:30:39 (0 hours ago)
    .
    Motherboard: ACER | | E91M
    Processor: Intel(R) Celeron(R) CPU 2.80GHz | CPU 1 | 2793/532mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (FAT32) - 38 GiB total, 16.098 GiB free.
    D: is FIXED (FAT32) - 36 GiB total, 36.073 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1102: 14/07/2011 21:22:09 - System Checkpoint
    RP1103: 16/07/2011 11:10:42 - System Checkpoint
    RP1104: 18/07/2011 18:55:29 - System Checkpoint
    RP1105: 19/07/2011 19:00:42 - System Checkpoint
    RP1106: 21/07/2011 23:52:51 - System Checkpoint
    RP1107: 24/07/2011 21:21:50 - System Checkpoint
    RP1108: 30/07/2011 04:40:52 - System Checkpoint
    RP1109: 31/07/2011 23:36:14 - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    µTorrent
    32 Bit HP CIO Components Installer
    AbiWord 2.6.8
    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.1.0
    AIO_Scan
    AVG 2011
    BT Broadband Desktop Help
    BT Yahoo! Applications
    BTHomeHub
    BufferChm
    C4200
    C4200_doccd
    c4200_Help
    CCleaner
    Copy
    CustomerResearchQFolder
    Defraggler
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    eSupportQFolder
    Free CD to MP3 Converter
    getPlus(R)_ocx
    Google Earth
    Google Update Helper
    GoToAssist Corporate
    Highlight Viewer (Windows Live Toolbar)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB976002-v5)
    HP Customer Participation Program 9.0
    HP Imaging Device Functions 9.0
    HP OCR Software 9.0
    HP Photosmart All-In-One Software 9.0
    HP Photosmart Essential 2.01
    HP Photosmart Essential2.01
    HP Product Assistant
    HP Smart Web Printing 4.60
    HP Solution Center 9.0
    HP Update
    HPDiagnosticAlert
    HPProductAssistant
    HPSSupply
    Intel(R) Graphics Media Accelerator Driver
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_05
    Java Auto Updater
    Java(TM) 6 Update 24
    K-Lite Codec Pack 5.4.4 (Full)
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Map Button (Windows Live Toolbar)
    MarketingReg
    MarketResearch
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Corporation
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft LifeCam
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Word Viewer 2003
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    MP3 Player Utilities 3.67
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB925673)
    NTI Backup NOW! 3
    NTI CD & DVD-Maker
    NTI CD & DVD-Maker Gold
    Oolite 1.73.4.2579
    PowerDVD
    PS_AIO_ProductContext
    PS_AIO_Software
    PS_AIO_Software_min
    PSSWCORE
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.0
    SAMSUNG CDMA Modem Driver Set
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung PC Studio
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Segoe UI
    Sky Player
    Smart Menus (Windows Live Toolbar)
    SmartWebPrinting
    SolutionCenter
    SopCast 3.3.2
    SpywareBlaster 4.4
    Status
    Symantec KB-DocID:2003093015493306
    Symantec Technical Support Web Controls
    The Midnight Engine
    Toolbox
    TrayApp
    UnloadSupport
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    USB Flash Disk
    Veetle TV 0.9.18
    VideoToolkit01
    Vodafone 804SS USB driver Software
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Toolbar
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows XP Service Pack 3
    WinPatrol 2009
    XML Paper Specification Shared Components Pack 1.0
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    28/07/2011 17:18:59, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
    28/07/2011 17:18:59, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    27/07/2011 19:39:32, error: Dhcp [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 002275FF7A6D has been denied by the DHCP server 10.152.140.193 (The DHCP Server sent a DHCPNACK message).
    02/08/2011 12:43:50, error: DCOM [10000] - Unable to start a DCOM Server: {657C7A59-4FEC-4C06-A354-607B1EB184FB}. The error: "%5" Happened while starting this command: "C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe" -Embedding
    02/08/2011 00:07:53, error: Service Control Manager [7022] - The Symantec Core LC service hung on starting.
    01/08/2011 23:37:05, error: Service Control Manager [7022] - The KService service hung on starting.
    01/08/2011 23:35:20, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Symantec Core LC service to connect.
    01/08/2011 23:35:20, error: Service Control Manager [7000] - The Symantec Core LC service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    01/08/2011 22:59:48, error: Service Control Manager [7034] - The Symantec Core LC service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! Give me a few minutes to check out AVG. There are already 2 of you with AVG reporting Zbot. Let's make sure it's not a False Positive! I'll be back.
    ============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this online scan while I'm waiting for info:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the image link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  7. poisongaz

    poisongaz TS Rookie Topic Starter

    I'm not able to get online on the infected PC. Am I able download the online scanner to a USB stick and transfer it?
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No, you can't. I'll check these logs and see what is found. So far, 3 AVG users are reporting Zbot. I'm having all of them run the ESET scan. No word yet in AVG forum about possible False Positive.
    =================================================
    But you do have malware and we need to remove what we can. There is a chance that 'zbot' may actually be a more serious file infector. You need to run Combofix. You can download to a flash drive, allow it to update. To run it, you will have to temporarily uninstall AVG. Please download one of the Temporary AV programs in the App Data removal when you download Combofix so when you uninstall AVG, you will have some protection.
    ==================================================
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming this.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated - it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ===========================================
    This may help:
    1. Using a flash drive, download one of the following:
    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version

    2. Using the flash drive, download Combofix

    3. On the problem computer, follow directions to uninstall AVG
    4. Connect the flash drive to the problem computer
    5. Install the temporary AV you chose, then disable it to run the Combofix scan.
    6. Install Combofix and scan.

    Leave Combofix log in next reply.
     
  9. poisongaz

    poisongaz TS Rookie Topic Starter

    ComboFix 11-08-02.02 - Gary 02/08/2011 21:45:56.1.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3319.2745 [GMT 1:00]
    Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Gary\WINDOWS
    c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf
    c:\windows\Downloaded Program Files\ODCTOOLS
    c:\windows\IsUn0407.exe
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\regobj.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Legacy_NETWORK_LOCATION_AWARENESS_(NLA)_(NLA)_
    -------\Legacy_SVCHOST
    -------\Service_Network Location Awareness (NLA) (Nla)
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-02 to 2011-08-02 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-02 18:05 . 2011-08-02 18:05 -------- d-----w- c:\program files\ESET
    2011-08-02 11:38 . 2011-08-02 11:38 -------- d-----w- C:\FOUND.008
    2011-08-01 23:03 . 2011-08-01 23:03 -------- d-----w- C:\FOUND.007
    2011-08-01 21:59 . 2011-08-01 21:59 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-06 18:52 . 2008-08-20 13:09 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 18:52 . 2008-05-20 17:31 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-19 14:39 . 2011-06-19 14:39 0 ---ha-w- c:\documents and settings\Gary\Local Settings\Application Data\BIT11.tmp
    2011-06-02 14:02 . 1979-12-31 23:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2007-06-28 23:52 . 2007-06-28 23:52 25755448 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
    2006-03-22 22:26 . 2006-03-22 22:25 1470872 ------w- c:\program files\mirc617.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
    "ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2011-02-23 2251064]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" [X]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
    "SoundMan"="SOUNDMAN.EXE" [2004-09-23 77824]
    "AlcWzrd"="ALCWZRD.EXE" [2004-09-24 2559488]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]
    "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-29 202256]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "DisallowRun"= 1 (0x1)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
    "1"= firefox.exe
    "2"= opera.exe
    "3"= chrome.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\Userinit.exe,,c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf\rabrnoiv.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2010-01-15 18:47 16680 ------w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqnrs08.exe"=
    "c:\\Program Files\\Common Files\\hp\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Google\\Google Earth\\PLUGIN\\geplugin.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\BT Broadband Desktop Help\\BTBB\\BTHelpBrowser.exe"=
    "c:\\Program Files\\BT Broadband Desktop Help\\BTBB\\BTHelpNotifier.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
    .
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/11/2009 21:04 135664]
    S3 DCamUSBLTN;M318B Digital Video Camera;c:\windows\system32\DRIVERS\vq318vid.sys --> c:\windows\system32\DRIVERS\vq318vid.sys [?]
    S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\Gary\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\Gary\LOCALS~1\Temp\DMSKSSRh.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [15/11/2009 21:04 135664]
    S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [09/07/2009 18:04 30560]
    S3 S3U10Scanner;600 CU Still Image Device Service;c:\windows\system32\drivers\UsbScan.sys [14/12/2006 13:48 15104]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-15 20:04]
    .
    2011-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-15 20:04]
    .
    2011-08-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2985075561-484364312-3234489201-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
    .
    2011-08-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2985075561-484364312-3234489201-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://bt.yahoo.com
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
    uInternet Connection Wizard,ShellNext = hxxp://www.wanadoo.co.uk/cd_redirects/st35install.htm
    uInternet Settings,ProxyServer = http=127.0.0.1:9090
    uInternet Settings,ProxyOverride = *.local;<local>
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    Trusted Zone: gamehouse.com\global.fb
    Trusted Zone: microsoft.com\download.windowsupdate
    Trusted Zone: microsoft.com\update
    Trusted Zone: plentyoffish.com\www
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-BigBitmap - (no file)
    Toolbar-SmallBitmap - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKCU-Run-RabRnoiv - c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf\rabrnoiv.exe
    AddRemove-Birth of the Federation version 1.0.2 - c:\botf\Uninst.isu
    AddRemove-InstallShield_{4E68EAA3-775A-4542-A08A-47DB8E8E74A6} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
    AddRemove-InstallShield_{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-02 21:57
    Windows 5.1.2600 Service Pack 3 FAT NTAPI
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\documents and settings\Gary\Start Menu\Programs\Startup\rabrnoiv.exe 131072 bytes
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(548)
    c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
    .
    - - - - - - - > 'explorer.exe'(236)
    c:\windows\system32\WININET.dll
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Kontiki\KService.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\Microsoft LifeCam\MSCamS32.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\ALCWZRD.EXE
    c:\program files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-02 22:06:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-02 21:06
    .
    Pre-Run: 21,925,462,016 bytes free
    Post-Run: 21,988,343,808 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 6F431DF9474973D13E2DEBA2C9091448
     
  10. poisongaz

    poisongaz TS Rookie Topic Starter

    Can I re-install AVG now or should I choose another AV?
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No, not yet. I did not include the following with the AppRemover because you have Symantec running also. If this is no longer on the system:
    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Do this now. Reboot the computer when finished.

    I'm checking the Combofix log now.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\documents and settings\Gary\Local Settings\Application Data\BIT11.tmp
    c:\program files\mirc617.exe
    c:\docume~1\Gary\LOCALS~1\Temp\DMSKSSRh.sys
    c:\documents and settings\Gary\Start Menu\Programs\Startup\rabrnoiv.exe
    Folder::
    C:\FOUND.008
    C:\FOUND.007
    c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf
    DDS::
    mURLSearchHooks: H - No File
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\gary\local settings\application data\mtjfdlyf\rabrnoiv.exe
    BHO: {C86AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - No File
    TB: {73F7F495-A325-4C52-BE48-5F97FA511E89} - No File
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [RabRnoiv] c:\documents and settings\gary\local settings\application data\mtjfdlyf\rabrnoiv.exe
    IE: &Search
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"=-
    Driver::
    DMSKSSRh
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    =============================================
    Reboot after running the script. See if you can get online. If you can, please run the Eset Online Virus scan.
     
  13. poisongaz

    poisongaz TS Rookie Topic Starter

    ComboFix 11-08-02.02 - Gary 03/08/2011 21:08:37.2.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3319.2755 [GMT 1:00]
    Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Gary\Desktop\CFScript.txt
    .
    FILE ::
    "c:\docume~1\Gary\LOCALS~1\Temp\DMSKSSRh.sys"
    "c:\documents and settings\Gary\Local Settings\Application Data\BIT11.tmp"
    "c:\documents and settings\Gary\Start Menu\Programs\Startup\rabrnoiv.exe"
    "c:\program files\mirc617.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Gary\Local Settings\Application Data\BIT11.tmp
    c:\documents and settings\gary\local settings\application data\mtjfdlyf\rabrnoiv.exe
    c:\documents and settings\Gary\Start Menu\Programs\Startup\rabrnoiv.exe
    C:\FOUND.007
    c:\found.007\FILE0000.CHK
    c:\found.007\FILE0001.CHK
    c:\found.007\FILE0002.CHK
    c:\found.007\FILE0003.CHK
    c:\found.007\FILE0004.CHK
    c:\found.007\FILE0005.CHK
    c:\found.007\FILE0006.CHK
    c:\found.007\FILE0007.CHK
    c:\found.007\FILE0008.CHK
    c:\found.007\FILE0009.CHK
    c:\found.007\FILE0010.CHK
    c:\found.007\FILE0011.CHK
    c:\found.007\FILE0012.CHK
    c:\found.007\FILE0013.CHK
    c:\found.007\FILE0014.CHK
    c:\found.007\FILE0015.CHK
    c:\found.007\FILE0016.CHK
    c:\found.007\FILE0017.CHK
    c:\found.007\FILE0018.CHK
    c:\found.007\FILE0019.CHK
    c:\found.007\FILE0020.CHK
    c:\found.007\FILE0021.CHK
    c:\found.007\FILE0022.CHK
    c:\found.007\FILE0023.CHK
    c:\found.007\FILE0024.CHK
    c:\found.007\FILE0025.CHK
    c:\found.007\FILE0026.CHK
    c:\found.007\FILE0027.CHK
    c:\found.007\FILE0028.CHK
    c:\found.007\FILE0029.CHK
    c:\found.007\FILE0030.CHK
    c:\found.007\FILE0031.CHK
    c:\found.007\FILE0032.CHK
    c:\found.007\FILE0033.CHK
    c:\found.007\FILE0034.CHK
    c:\found.007\FILE0035.CHK
    c:\found.007\FILE0036.CHK
    c:\found.007\FILE0037.CHK
    C:\FOUND.008
    c:\found.008\FILE0000.CHK
    c:\found.008\FILE0001.CHK
    c:\program files\mirc617.exe
    c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_DMSKSSRH
    -------\Service_DMSKSSRh
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-03 to 2011-08-03 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-02 21:34 . 2011-08-02 21:34 -------- d-----w- c:\documents and settings\Gary\Application Data\Avira
    2011-08-02 18:05 . 2011-08-02 18:05 -------- d-----w- c:\program files\ESET
    2011-08-01 21:59 . 2011-08-01 21:59 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-06 18:52 . 2008-08-20 13:09 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 18:52 . 2008-05-20 17:31 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-02 14:02 . 1979-12-31 23:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2007-06-28 23:52 . 2007-06-28 23:52 25755448 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-02_20.56.07 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-03 20:27 . 2011-08-03 20:27 16384 c:\windows\Temp\Perflib_Perfdata_608.dat
    - 2011-08-02 20:55 . 2011-08-02 20:55 16384 c:\windows\Temp\Perflib_Perfdata_608.dat
    + 2011-08-03 20:27 . 2011-08-03 20:27 16384 c:\windows\Temp\Perflib_Perfdata_5d8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
    "ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2011-02-23 2251064]
    "RabRnoiv"="c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf\rabrnoiv.exe" [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
    "SoundMan"="SOUNDMAN.EXE" [2004-09-23 77824]
    "AlcWzrd"="ALCWZRD.EXE" [2004-09-24 2559488]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]
    "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-29 202256]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "DisallowRun"= 1 (0x1)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
    "1"= firefox.exe
    "2"= opera.exe
    "3"= chrome.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf\rabrnoiv.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2010-01-15 18:47 16680 ------w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqnrs08.exe"=
    "c:\\Program Files\\Common Files\\hp\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Google\\Google Earth\\PLUGIN\\geplugin.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\BT Broadband Desktop Help\\BTBB\\BTHelpBrowser.exe"=
    "c:\\Program Files\\BT Broadband Desktop Help\\BTBB\\BTHelpNotifier.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
    .
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/11/2009 21:04 135664]
    S3 DCamUSBLTN;M318B Digital Video Camera;c:\windows\system32\DRIVERS\vq318vid.sys --> c:\windows\system32\DRIVERS\vq318vid.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [15/11/2009 21:04 135664]
    S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [09/07/2009 18:04 30560]
    S3 S3U10Scanner;600 CU Still Image Device Service;c:\windows\system32\drivers\UsbScan.sys [14/12/2006 13:48 15104]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-15 20:04]
    .
    2011-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-15 20:04]
    .
    2011-08-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2985075561-484364312-3234489201-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
    .
    2011-08-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2985075561-484364312-3234489201-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://bt.yahoo.com
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
    uInternet Connection Wizard,ShellNext = hxxp://www.wanadoo.co.uk/cd_redirects/st35install.htm
    uInternet Settings,ProxyServer = http=127.0.0.1:9090
    uInternet Settings,ProxyOverride = *.local;<local>
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    Trusted Zone: gamehouse.com\global.fb
    Trusted Zone: microsoft.com\download.windowsupdate
    Trusted Zone: microsoft.com\update
    Trusted Zone: plentyoffish.com\www
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-03 21:30
    Windows 5.1.2600 Service Pack 3 FAT NTAPI
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\documents and settings\Gary\Start Menu\Programs\Startup\rabrnoiv.exe 131072 bytes
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(556)
    c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
    .
    - - - - - - - > 'explorer.exe'(2152)
    c:\windows\system32\WININET.dll
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Kontiki\KService.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\Microsoft LifeCam\MSCamS32.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\ALCWZRD.EXE
    c:\program files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-03 21:39:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-03 20:39
    ComboFix2.txt 2011-08-02 21:06
    .
    Pre-Run: 21,998,206,976 bytes free
    Post-Run: 21,992,570,880 bytes free
    .
    - - End Of File - - 0702532D3789832A90E05EE1B0634F8E
     
  14. poisongaz

    poisongaz TS Rookie Topic Starter

    I'm afraid I've made a major mistake. I loaded Avast onto my system after getting the Combo report. It asked me to reboot so it could run some kind of scan. It detected threats and asked what I wanted it to do to them. I chose delete all instead of repair all... I think I may have deleted a lot of stuff I shouldn't have... not sure if I've messed up bad here. Sorry.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I would really have liked to see what was found. If you can find the log from Avira, please include it in your next reply.
    ==================================================
    If you can access the internet, download the following programs directly. If you cannot, download each to a flash drive, then install and run on the problem computer. Can you access the internet yet? If so, do the following on this computer. If you cannot, download to a flash drive, then install and run on the problem computer:
    ==============================
    1. Download SafeBootKeyRepair.exe by sUBs and save it to your desktop.

    Double-click SafeBootKeyRepair.exe to run it. Follow any prompts that may appear then post the log it produces.
    =======================================
    2. You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

    Please download JavaRa and unzip it to your desktop.

    Important!***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
    Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    ===========================================
    3. You will have malware in the Java cache because of the outdated versions. Empty as follows:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on Temporary Files Settings window.
    Images courtesy java.com
    ==========================================
    4. It appears that you do have Zbot, so in the absence of the online scan, we'll try to remove it:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf\rabrnoiv.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ================================================
    5. Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf\rabrnoiv.exe
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RabRnoiv"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    6. Right click on Start> Explore> Go to Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'Hide protected system files (Recommended)'> Click on Yes to confirm> Go to Documents and Settings for 'Gary'> Application Data> Look for 'Application Data\mtjfdlyf\rabrnoiv.exe'> if found, do a right click> Delete on both mtjfdlyf & rabrnoiv if found.

    Then go down to Gary's Start menu> Double click to open> Right click> Delete on same entries if found.
    Go back and rehide the files and folders.
    =======================
    Reboot the computer and give me a report on the system and if you can access the internet.

    One question: Does Wanadoo require you to use a proxy server? uInternet Settings,ProxyServer = http=127.0.0.1:9090
     
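    A triage script, added here as an example and not part of the thread or of any of the tools mentioned, that scans a ComboFix-style log excerpt for the three indicators the reply above leans on: the IE proxy pointing at the loopback address, the NTDLL code modification catchme reported, and files catchme found hidden (flagging any sitting in a Startup folder as persistence). The sample log is constructed from the format of the logs posted above.

```python
"""Added example: flag common Zbot-style indicators in a ComboFix-style log."""
import re

# Constructed sample in the format of the ComboFix/catchme output in this thread.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden files ...
.
c:\\documents and settings\\Gary\\Start Menu\\Programs\\Startup\\rabrnoiv.exe 131072 bytes
.
scan completed successfully
hidden files: 1
"""

# "ProxyServer = http=127.0.0.1:9090" or "ProxyServer = 10.0.0.5:8080"
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[\w.\-]+):(?P<port>\d+)")
# "<drive>:\path\file.ext <size> bytes" as catchme prints hidden files
HIDDEN_FILE_RE = re.compile(r"^(?P<path>[a-z]:\\.+?\.\w+)\s+(?P<size>\d+) bytes$", re.I)


def triage(log_text):
    """Return a list of (indicator, detail) tuples found in the log text."""
    findings = []
    in_ntdll = in_hidden = False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.search(line)
        if m:
            # A proxy on the local host is how the infection interposes on browser traffic.
            if m.group("host") in ("127.0.0.1", "localhost"):
                findings.append(("loopback-proxy", f"{m.group('host')}:{m.group('port')}"))
            continue
        if line.startswith("detected NTDLL code modification"):
            in_ntdll = True
            continue
        if in_ntdll and line and line != ".":
            findings.append(("ntdll-hook", line))  # hooked export, e.g. ZwQueryDirectoryFile
            continue
        in_ntdll = False
        if line.startswith("scanning hidden files"):
            in_hidden = True
            continue
        if in_hidden:
            m = HIDDEN_FILE_RE.match(line)
            if m:
                findings.append(("hidden-file", m.group("path")))
                if "\\startup\\" in m.group("path").lower():
                    findings.append(("startup-persistence", m.group("path")))
            elif line.startswith("scan completed"):
                in_hidden = False
    return findings
```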
  16. poisongaz

    poisongaz TS Rookie Topic Starter

    Avast has deleted so much stuff, the system is trying to install stuff but cannot find certain files to continue. Icons have disappeared. I try to go to Control Panel or My Computer and it wants to install something but then fails. I've really messed things up.

    I've attempted to activate the restore point created before Avast, but that didn't work and also the restore point created before I used Combo fix, and that didn't work either.

    I'm really sorry but I've just made things a hell of a lot worse. Not sure if there's a way back from this.

    Just to add, Internet explorer is still not working, but there is a connection.

    I'm going away for a few days, I will be back on Sunday evening.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    When you get back in town, let me know and we'll start over. You are quite confused:
    The only reference to AV programs I see are:
    2011-08-02 21:34 -------- d-----w- c:\documents and settings\Gary\Application Data\Avira
    2011-08-02 18:05 . 2011-08-02 18:05 -------- d-----w- c:\program files\ESET
    And of course, AVG.

    But you have twice referred to Avast. You are removing the very entries I need to see. It is possible that the system will become unbootable. I will not be able to help you unless you follow my directions only, which clearly say:
     
  18. poisongaz

    poisongaz TS Rookie Topic Starter

    Yeah, sorry about that. I downloaded Avira like you suggested but that wouldn't work properly for some reason so I used your other suggestion, Avast. That's when it instructed me to Restart the PC to complete installation and start a scan. This is when I chose DELETE instead of REPAIR by mistake, causing the extra problems I think I've created.

    I'm back now and ready to continue.
     
  19. poisongaz

    poisongaz TS Rookie Topic Starter

    Reg export of SafeBoot key after repair:
    ========================

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]

    ========================


    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    ~~\SafeBoot\Minimal\Base
    ~~\SafeBoot\Minimal\Boot Bus Extender
    ~~\SafeBoot\Minimal\Boot file system
    ~~\SafeBoot\Minimal\dmboot.sys
    ~~\SafeBoot\Minimal\dmio.sys
    ~~\SafeBoot\Minimal\dmload.sys
    ~~\SafeBoot\Minimal\dmserver
    ~~\SafeBoot\Minimal\File system
    ~~\SafeBoot\Minimal\Filter
    ~~\SafeBoot\Minimal\PCI Configuration
    ~~\SafeBoot\Minimal\Primary disk
    ~~\SafeBoot\Minimal\RpcSs
    ~~\SafeBoot\Minimal\SCSI Class
    ~~\SafeBoot\Minimal\sermouse.sys
    ~~\SafeBoot\Minimal\System Bus Extender
    ~~\SafeBoot\Minimal\vga.sys
    ~~\SafeBoot\Minimal\vgasave.sys
    ~~\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
    ~~\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
    ~~\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
    ~~\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
    ~~\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
    ~~\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}

    ========================

    Error: Key: system\currentcontrolset\control\safeboot\minimal does not exist!
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    My apology- lost your thread.

    Does this refer to Avast?
    Or did you delete Safe Boot instead of repair? Do you have the installation disc for the operating system?
     
Topic Status:
Not open for further replies.
