Inactive Win32 Zbot virus on my PC

Status
Not open for further replies.

poisongaz

Posts: 12   +0
Hi,

My PC got infected by the Zbot virus last night. AVG started going mad warning me of multiple infections in several systems.

Malwarebytes doesn't detect anything, AVG scans finish immediately, Spywareblaster keeps asking me to allow something to run on Startup, which I keep refusing.

I'm unable to get online as when I try to run Internet Explorer it reports a problem running particular scripts.

I've never come accross such an agressive virus before and feel totally helpless. Please can you help me? I'm desperate.

Thanks in anticipation.

Gary

P.S. I'm on my laptop writing this as I'm unable to get online with my PC, so I guess I should get a USB stick to load up all the software and transfer the scan reports.
 
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7354

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

02/08/2011 12:58:57
mbam-log-2011-08-02 (12-58-57).txt

Scan type: Quick scan
Objects scanned: 160309
Time elapsed: 9 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------------------------------------------------------------------------------------------

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-02 14:48:02
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-22LSA0 rev.06.01D06
Running: nqv64ifo.exe; Driver: C:\DOCUME~1\Gary\LOCALS~1\Temp\kgddyfow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----
 
.
DDS (Ver_2011-06-23.01) - FAT32x86
Internet Explorer: 8.0.6001.18702
Run by Gary at 14:50:06 on 2011-08-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3319.2572 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Gary\Desktop\nqv64ifo.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://bt.yahoo.com
uWindow Title = Microsoft Internet Explorer Provided by Wanadoo
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
uInternet Connection Wizard,ShellNext = hxxp://www.wanadoo.co.uk/cd_redirects/st35install.htm
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\gary\local settings\application data\mtjfdlyf\rabrnoiv.exe
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {C86AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {73F7F495-A325-4C52-BE48-5F97FA511E89} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [ccleaner] "c:\program files\ccleaner\ccleaner.exe" /AUTO
uRun: [RabRnoiv] c:\documents and settings\gary\local settings\application data\mtjfdlyf\rabrnoiv.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
dPolicies-explorer: DisallowRun = 1 (0x1)
dPolicies-disallowrun: 1 = firefox.exe
dPolicies-disallowrun: 2 = opera.exe
dPolicies-disallowrun: 3 = chrome.exe
IE: &Search
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - {73F7F495-A325-4C52-BE48-5F97FA511E89}
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: gamehouse.com\global.fb
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: plentyoffish.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200418663687
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-15 135664]
S2 Network Location Awareness (NLA) (Nla) ;Network Location Awareness (NLA) (Nla) ;c:\program files\tinyproxy\tinyproxy.exe --> c:\program files\tinyproxy\tinyproxy.exe [?]
S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-7 1251720]
S3 DCamUSBLTN;M318B Digital Video Camera;c:\windows\system32\drivers\vq318vid.sys --> c:\windows\system32\drivers\vq318vid.sys [?]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\gary\locals~1\temp\dmskssrh.sys --> c:\docume~1\gary\locals~1\temp\DMSKSSRh.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-11-15 135664]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2009-7-9 30560]
S3 S3U10Scanner;600 CU Still Image Device Service;c:\windows\system32\drivers\UsbScan.sys [2006-12-14 15104]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-08-02 11:38:04 -------- d-sh--w- C:\FOUND.008
2011-08-01 23:03:56 -------- d-sh--w- C:\FOUND.007
2011-08-01 21:59:36 -------- d-----w- c:\documents and settings\gary\local settings\application data\mtjfdlyf
.
==================== Find3M ====================
.
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02:06 1858944 ----a-w- c:\windows\system32\win32k.sys
2007-06-28 23:52:26 25755448 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2006-03-22 22:26:06 1470872 ------w- c:\program files\mirc617.exe
.
============= FINISH: 14:51:42.98 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 29/10/2005 04:14:54
System Uptime: 02/08/2011 14:30:39 (0 hours ago)
.
Motherboard: ACER | | E91M
Processor: Intel(R) Celeron(R) CPU 2.80GHz | CPU 1 | 2793/532mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (FAT32) - 38 GiB total, 16.098 GiB free.
D: is FIXED (FAT32) - 36 GiB total, 36.073 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1102: 14/07/2011 21:22:09 - System Checkpoint
RP1103: 16/07/2011 11:10:42 - System Checkpoint
RP1104: 18/07/2011 18:55:29 - System Checkpoint
RP1105: 19/07/2011 19:00:42 - System Checkpoint
RP1106: 21/07/2011 23:52:51 - System Checkpoint
RP1107: 24/07/2011 21:21:50 - System Checkpoint
RP1108: 30/07/2011 04:40:52 - System Checkpoint
RP1109: 31/07/2011 23:36:14 - System Checkpoint
.
==== Installed Programs ======================
.
µTorrent
32 Bit HP CIO Components Installer
AbiWord 2.6.8
Adobe Flash Player 10 ActiveX
Adobe Reader 7.1.0
AIO_Scan
AVG 2011
BT Broadband Desktop Help
BT Yahoo! Applications
BTHomeHub
BufferChm
C4200
C4200_doccd
c4200_Help
CCleaner
Copy
CustomerResearchQFolder
Defraggler
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DocProc
DocProcQFolder
eSupportQFolder
Free CD to MP3 Converter
getPlus(R)_ocx
Google Earth
Google Update Helper
GoToAssist Corporate
Highlight Viewer (Windows Live Toolbar)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
HP Customer Participation Program 9.0
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Product Assistant
HP Smart Web Printing 4.60
HP Solution Center 9.0
HP Update
HPDiagnosticAlert
HPProductAssistant
HPSSupply
Intel(R) Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05
Java Auto Updater
Java(TM) 6 Update 24
K-Lite Codec Pack 5.4.4 (Full)
Malwarebytes' Anti-Malware version 1.51.1.1800
Map Button (Windows Live Toolbar)
MarketingReg
MarketResearch
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Corporation
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft LifeCam
Microsoft National Language Support Downlevel APIs
Microsoft Office Word Viewer 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
MP3 Player Utilities 3.67
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB925673)
NTI Backup NOW! 3
NTI CD & DVD-Maker
NTI CD & DVD-Maker Gold
Oolite 1.73.4.2579
PowerDVD
PS_AIO_ProductContext
PS_AIO_Software
PS_AIO_Software_min
PSSWCORE
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.0
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Segoe UI
Sky Player
Smart Menus (Windows Live Toolbar)
SmartWebPrinting
SolutionCenter
SopCast 3.3.2
SpywareBlaster 4.4
Status
Symantec KB-DocID:2003093015493306
Symantec Technical Support Web Controls
The Midnight Engine
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
USB Flash Disk
Veetle TV 0.9.18
VideoToolkit01
Vodafone 804SS USB driver Software
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinPatrol 2009
XML Paper Specification Shared Components Pack 1.0
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
28/07/2011 17:18:59, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
28/07/2011 17:18:59, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
27/07/2011 19:39:32, error: Dhcp [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 002275FF7A6D has been denied by the DHCP server 10.152.140.193 (The DHCP Server sent a DHCPNACK message).
02/08/2011 12:43:50, error: DCOM [10000] - Unable to start a DCOM Server: {657C7A59-4FEC-4C06-A354-607B1EB184FB}. The error: "%5" Happened while starting this command: "C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe" -Embedding
02/08/2011 00:07:53, error: Service Control Manager [7022] - The Symantec Core LC service hung on starting.
01/08/2011 23:37:05, error: Service Control Manager [7022] - The KService service hung on starting.
01/08/2011 23:35:20, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Symantec Core LC service to connect.
01/08/2011 23:35:20, error: Service Control Manager [7000] - The Symantec Core LC service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
01/08/2011 22:59:48, error: Service Control Manager [7034] - The Symantec Core LC service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
 
Welcome to TechSpot! Give me a few minutes to check out AVG. There are already 2 of you with AVG reporting Zbot. Let's make sure it's not a False Positive! I'll be back.
============================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process..
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================
 
Please run this online scan while I' waiting for info:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the
    esetSmartInstallDesktopIcon.png
    on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
    esetonlinescannersettings_thumb.jpg
  • Uncheck 'Remove found threats'
  • Check 'Scan archives/
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
 
I'm not able to get online on the infected PC. Am I able download the online scanner to a USB stick and transfer it?
 
No, you can't. I'll check these logs and see what is found. So far, 3 AVG users are reporting Zbot. I'm having all run the Eset scan. No word yet in AVG forum about possible False Positive.
=================================================
But you do have malware and we need to remove what we can. There is a change that 'zbot' may actually be a more serious file infector. You need to run Combofix. You can download to a flash drive, allow it to update. To run it, you will have to temporarily uninstall AVG. Please download one of the Temporary AV programs in the App Data removal when you download Combofix so when you uninstall AVG, you will have some protection.
==================================================
Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
    image_preview
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
===========================================
This may help:
1. Using a flash drive, download one the following:
Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version

2. Using the flash drive, download Combofix

3. On the problem computer, follow directions to uninstall AVG
4. Connect the flash drive to the problem computer
5. Install the temporary AV you choose, then disable it to run the Combofix scan.
6. Install Combofix and scan.

Leave Combofix log in next reply.
 
ComboFix 11-08-02.02 - Gary 02/08/2011 21:45:56.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3319.2745 [GMT 1:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Gary\WINDOWS
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\IsUn0407.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\regobj.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_NETWORK_LOCATION_AWARENESS_(NLA)_(NLA)_
-------\Legacy_SVCHOST
-------\Service_Network Location Awareness (NLA) (Nla)
.
.
((((((((((((((((((((((((( Files Created from 2011-07-02 to 2011-08-02 )))))))))))))))))))))))))))))))
.
.
2011-08-02 18:05 . 2011-08-02 18:05 -------- d-----w- c:\program files\ESET
2011-08-02 11:38 . 2011-08-02 11:38 -------- d-----w- C:\FOUND.008
2011-08-01 23:03 . 2011-08-01 23:03 -------- d-----w- C:\FOUND.007
2011-08-01 21:59 . 2011-08-01 21:59 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 18:52 . 2008-08-20 13:09 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52 . 2008-05-20 17:31 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-19 14:39 . 2011-06-19 14:39 0 ---ha-w- c:\documents and settings\Gary\Local Settings\Application Data\BIT11.tmp
2011-06-02 14:02 . 1979-12-31 23:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2007-06-28 23:52 . 2007-06-28 23:52 25755448 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2006-03-22 22:26 . 2006-03-22 22:25 1470872 ------w- c:\program files\mirc617.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2011-02-23 2251064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 2559488]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-29 202256]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= firefox.exe
"2"= opera.exe
"3"= chrome.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\Userinit.exe,,c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf\rabrnoiv.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-01-15 18:47 16680 ------w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\hp\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Google\\Google Earth\\PLUGIN\\geplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\BTBB\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\BTBB\\BTHelpNotifier.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/11/2009 21:04 135664]
S3 DCamUSBLTN;M318B Digital Video Camera;c:\windows\system32\DRIVERS\vq318vid.sys --> c:\windows\system32\DRIVERS\vq318vid.sys [?]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\Gary\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\Gary\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [15/11/2009 21:04 135664]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [09/07/2009 18:04 30560]
S3 S3U10Scanner;600 CU Still Image Device Service;c:\windows\system32\drivers\UsbScan.sys [14/12/2006 13:48 15104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-15 20:04]
.
2011-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-15 20:04]
.
2011-08-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2985075561-484364312-3234489201-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-08-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2985075561-484364312-3234489201-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://bt.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
uInternet Connection Wizard,ShellNext = hxxp://www.wanadoo.co.uk/cd_redirects/st35install.htm
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: gamehouse.com\global.fb
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: plentyoffish.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-BigBitmap - (no file)
Toolbar-SmallBitmap - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-RabRnoiv - c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf\rabrnoiv.exe
AddRemove-Birth of the Federation version 1.0.2 - c:\botf\Uninst.isu
AddRemove-InstallShield_{4E68EAA3-775A-4542-A08A-47DB8E8E74A6} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
AddRemove-InstallShield_{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-02 21:57
Windows 5.1.2600 Service Pack 3 FAT NTAPI
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Gary\Start Menu\Programs\Startup\rabrnoiv.exe 131072 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(548)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(236)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2011-08-02 22:06:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-02 21:06
.
Pre-Run: 21,925,462,016 bytes free
Post-Run: 21,988,343,808 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 6F431DF9474973D13E2DEBA2C9091448
 
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
Code:
File::
c:\documents and settings\Gary\Local Settings\Application Data\BIT11.tmp
c:\program files\mirc617.exe
c:\docume~1\Gary\LOCALS~1\Temp\DMSKSSRh.sys
c:\documents and settings\Gary\Start Menu\Programs\Startup\rabrnoiv.exe
Folder::
C:\FOUND.008
C:\FOUND.007
c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf
DDS::
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\gary\local settings\application data\mtjfdlyf\rabrnoiv.exe
BHO: {C86AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - No File
TB: {73F7F495-A325-4C52-BE48-5F97FA511E89} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [RabRnoiv] c:\documents and settings\gary\local settings\application data\mtjfdlyf\rabrnoiv.exe
IE: &Search
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"=-
Driver::
DMSKSSRh
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
=============================================
Reboot after running the scrit. See if you can get online. IF you can, please eun the Eset Online Virus scan.
 
ComboFix 11-08-02.02 - Gary 03/08/2011 21:08:37.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3319.2755 [GMT 1:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gary\Desktop\CFScript.txt
.
FILE ::
"c:\docume~1\Gary\LOCALS~1\Temp\DMSKSSRh.sys"
"c:\documents and settings\Gary\Local Settings\Application Data\BIT11.tmp"
"c:\documents and settings\Gary\Start Menu\Programs\Startup\rabrnoiv.exe"
"c:\program files\mirc617.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Gary\Local Settings\Application Data\BIT11.tmp
c:\documents and settings\gary\local settings\application data\mtjfdlyf\rabrnoiv.exe
c:\documents and settings\Gary\Start Menu\Programs\Startup\rabrnoiv.exe
C:\FOUND.007
c:\found.007\FILE0000.CHK
c:\found.007\FILE0001.CHK
c:\found.007\FILE0002.CHK
c:\found.007\FILE0003.CHK
c:\found.007\FILE0004.CHK
c:\found.007\FILE0005.CHK
c:\found.007\FILE0006.CHK
c:\found.007\FILE0007.CHK
c:\found.007\FILE0008.CHK
c:\found.007\FILE0009.CHK
c:\found.007\FILE0010.CHK
c:\found.007\FILE0011.CHK
c:\found.007\FILE0012.CHK
c:\found.007\FILE0013.CHK
c:\found.007\FILE0014.CHK
c:\found.007\FILE0015.CHK
c:\found.007\FILE0016.CHK
c:\found.007\FILE0017.CHK
c:\found.007\FILE0018.CHK
c:\found.007\FILE0019.CHK
c:\found.007\FILE0020.CHK
c:\found.007\FILE0021.CHK
c:\found.007\FILE0022.CHK
c:\found.007\FILE0023.CHK
c:\found.007\FILE0024.CHK
c:\found.007\FILE0025.CHK
c:\found.007\FILE0026.CHK
c:\found.007\FILE0027.CHK
c:\found.007\FILE0028.CHK
c:\found.007\FILE0029.CHK
c:\found.007\FILE0030.CHK
c:\found.007\FILE0031.CHK
c:\found.007\FILE0032.CHK
c:\found.007\FILE0033.CHK
c:\found.007\FILE0034.CHK
c:\found.007\FILE0035.CHK
c:\found.007\FILE0036.CHK
c:\found.007\FILE0037.CHK
C:\FOUND.008
c:\found.008\FILE0000.CHK
c:\found.008\FILE0001.CHK
c:\program files\mirc617.exe
c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DMSKSSRH
-------\Service_DMSKSSRh
.
.
((((((((((((((((((((((((( Files Created from 2011-07-03 to 2011-08-03 )))))))))))))))))))))))))))))))
.
.
2011-08-02 21:34 . 2011-08-02 21:34 -------- d-----w- c:\documents and settings\Gary\Application Data\Avira
2011-08-02 18:05 . 2011-08-02 18:05 -------- d-----w- c:\program files\ESET
2011-08-01 21:59 . 2011-08-01 21:59 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 18:52 . 2008-08-20 13:09 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52 . 2008-05-20 17:31 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02 . 1979-12-31 23:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2007-06-28 23:52 . 2007-06-28 23:52 25755448 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-02_20.56.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-03 20:27 . 2011-08-03 20:27 16384 c:\windows\Temp\Perflib_Perfdata_608.dat
- 2011-08-02 20:55 . 2011-08-02 20:55 16384 c:\windows\Temp\Perflib_Perfdata_608.dat
+ 2011-08-03 20:27 . 2011-08-03 20:27 16384 c:\windows\Temp\Perflib_Perfdata_5d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2011-02-23 2251064]
"RabRnoiv"="c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf\rabrnoiv.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 2559488]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-29 202256]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= firefox.exe
"2"= opera.exe
"3"= chrome.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf\rabrnoiv.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-01-15 18:47 16680 ------w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\hp\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Google\\Google Earth\\PLUGIN\\geplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\BTBB\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\BTBB\\BTHelpNotifier.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/11/2009 21:04 135664]
S3 DCamUSBLTN;M318B Digital Video Camera;c:\windows\system32\DRIVERS\vq318vid.sys --> c:\windows\system32\DRIVERS\vq318vid.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [15/11/2009 21:04 135664]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [09/07/2009 18:04 30560]
S3 S3U10Scanner;600 CU Still Image Device Service;c:\windows\system32\drivers\UsbScan.sys [14/12/2006 13:48 15104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-15 20:04]
.
2011-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-15 20:04]
.
2011-08-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2985075561-484364312-3234489201-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-08-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2985075561-484364312-3234489201-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://bt.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
uInternet Connection Wizard,ShellNext = hxxp://www.wanadoo.co.uk/cd_redirects/st35install.htm
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: gamehouse.com\global.fb
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: plentyoffish.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-03 21:30
Windows 5.1.2600 Service Pack 3 FAT NTAPI
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Gary\Start Menu\Programs\Startup\rabrnoiv.exe 131072 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(556)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(2152)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2011-08-03 21:39:14 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-03 20:39
ComboFix2.txt 2011-08-02 21:06
.
Pre-Run: 21,998,206,976 bytes free
Post-Run: 21,992,570,880 bytes free
.
- - End Of File - - 0702532D3789832A90E05EE1B0634F8E
 
I'm afraid I've made a major mistake. I loaded Avast onto my system after getting the Combo report. It asked me to reboot so it could run some kind of scan. It detected threats and asked what it wanted me to do to them. I chose delete all instead of repair all..... I think I may have deleted a lot of stuff I shouldn't have..... not sure if I've messed up bad here. Sorry.
 
I would really have like to see what was found. If you can find the log from Avira, please include it in your next reply.
==================================================
If you can access the internet, download the following programs directly. If you cannot, download each to a flash drive, then install and run on the problem computer. Can you access the internet yet. If so do the following on this computer. If you cannot, download to a flash drive, then install and tun on the problem computer:
==============================
1. Download SafeBootKeyRepair.exe by sUBs and save it to your desktop.

Double-click SafeBootKeyRepair.exe to run it. Follow any prompts that may appear then post the log it produces.
=======================================
2. You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

Please download JavaRa and unzip it to your desktop.

Important!***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that
    a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.Note: Do not leave this log.
Download and install then most current version and update of Java RuntimeEnvironment (JRE)HERE.
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
===========================================
3. You will have malware in the Java cache because of the outdated versions. Empty as follows:
To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
    [2]. Double-click the Java icon in the control panel.
    java.png
    The Java Control Panel appears.
    plugin_cache1.jpg

    [3].Click Settings under Temporary Internet Files.The Temporary Files Settings dialog box appears.
    plugin_cache2.jpg

    [4] Click Delete Files.The Delete Temporary Files dialog box appears.
    plugin_cache3.jpg

    [5]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    [6]. Click Apply> OK on Temporary Files Settings window.
Images courtesy java.com
==========================================
4. It appears that you do have Zbot, so in the absence of the online scan, we'll try to remove it:

Please download OTMovit by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf\rabrnoiv.exe
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
================================================
5. Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
Code:
File::
c:\documents and settings\Gary\Local Settings\Application Data\mtjfdlyf\rabrnoiv.exe" 
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RabRnoiv"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
6. Right click on Start> Explore> Go to Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'Hide protected system files (Recommended)> Click on Yes to confirm> Go to Documents and Settings for 'Gary'> Application data> Look for 'Application Data\mtjfdlyf\rabrnoiv.exe"> if found, do a right click> Delete on both mtjfdly & rabrnoiv if found.

Then go down to Gary's Start menu> Double click to open> Right click> Delete on same entries if found.
Go back and rehide the files and folders.
=======================
Reboot the computer and give me a report on the system and if you can access the internet.

One question: Does Wanadoo require you to use a proxy server? uInternet Settings,ProxyServer = http=127.0.0.1:9090
.
 
Avast has deleted so much stuff, the system is trying to install stuff but cannot find certain files to continue. Icons have disappeared. I try to go to Control Panel or My Computer and it wants to install someting but then fails. I've really messed things up.

I've attempted to activate the restore point created before Avast, but that didn't work and also the restore point created before I used Combo fix, and that didn't work either.

I'm really sorry but I've just made things a hell of a lot worse. Not sure if there's a way back from this.

Just to add, Internet explorer is still not working, but there is a connection.

I'm going away for a few days, I will be back on Sunday evening.
 
When you get back in town, let me know and we'll start over. You are quite confused:
Avast has deleted so much stuff,

The only reference to AV programs I see are:
2011-08-02 21:34 -------- d-----w- c:\documents and settings\Gary\Application Data\Avira
2011-08-02 18:05 . 2011-08-02 18:05 -------- d-----w- c:\program files\ESET
And of course, AVG.

But have twice referred to Avast. You are removing the very entries I need to see. IT is possible that the system will become unbootable. I will not be able to help you unless you follow my directions only which clearly say:
Observe these:
[o] Don't use any other cleaning programs or scans while I'm helping you.
[o] Don't use a Registry cleaner or make any changes in the Registry.
[o] Don't download and install new programs- except those I give you.
 
Yeah, sorry about that. I downloaded Avira like you suggested but that wouldn't work properly for some reason so I used your other suggestion, Avast. That's when it instructed me to Restart the PC to complete installation and start a scan. This is when I chose DELETE instead of REPAIR by mistake, causing the extra problems I think I've created.

I'm back now and ready to continue.
 
Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]

========================


SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\Base
~~\SafeBoot\Minimal\Boot Bus Extender
~~\SafeBoot\Minimal\Boot file system
~~\SafeBoot\Minimal\dmboot.sys
~~\SafeBoot\Minimal\dmio.sys
~~\SafeBoot\Minimal\dmload.sys
~~\SafeBoot\Minimal\dmserver
~~\SafeBoot\Minimal\File system
~~\SafeBoot\Minimal\Filter
~~\SafeBoot\Minimal\PCI Configuration
~~\SafeBoot\Minimal\Primary disk
~~\SafeBoot\Minimal\RpcSs
~~\SafeBoot\Minimal\SCSI Class
~~\SafeBoot\Minimal\sermouse.sys
~~\SafeBoot\Minimal\System Bus Extender
~~\SafeBoot\Minimal\vga.sys
~~\SafeBoot\Minimal\vgasave.sys
~~\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}

========================

Error: Key: system\currentcontrolset\control\safeboot\minimal does not exist!
 
My apology- lost your thread.

Does this refer to Avast?
Yeah, sorry about that. I downloaded Avira like you suggested but that wouldn't work properly for some reason so I used your other suggestion, Avast. That's when it instructed me to Restart the PC to complete installation and start a scan. This is when I chose DELETE instead of REPAIR by mistake, causing the extra problems I think I've created.

Or did you delete Safe Boot instead of repair? Do you have the installation disc for the operating system?
 
Status
Not open for further replies.
Back