TechSpot

Zbot is giving me pain

By tcmasterx
Aug 2, 2011
  1. Hi.

    I've just joined and I've just noticed that someone else (poisongaz) is having the same problem.
    AVG is reporting Trojans and not letting the scan or update happen. It's not letting me open in safe mode and is refusing to open certain programs.
    I guess I should do the 7 Step instructions?

    I hope I can fix this. Is it a virus that attacks AVG?
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    That would be correct: Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    =====================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this online virus scan when you finish with the steps:

    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click the ESET Smart Installer download link. Save the installer to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ================================
    2 AVG users with Zbot. I am checking to see if it's a False Positive.
     
  4. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    Thanks.

    I'll get into this soon.

    I like you already.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    So far, 3 AVG users are reporting Zbot. I'm having them all run the Eset scan. No word yet in AVG forum about possible False Positive.
     
  6. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    Hey.

    I did the steps and the logs are below.
    Just to let you know, my PC wouldn't let me connect to the site to download GMER or MalwareBytes (I did it from another computer). Same as DDS. I can however connect to loads of ordinary sites. Can't connect to Microsoft either. Seems like it doesn't want me to connect to 'helpful' sites.
    I hope I've done everything properly.
    Thanks again for your help with this. Much appreciated!!!!!

    MBAM LOG:


    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    02/08/2011 17:21:04
    mbam-log-2011-08-02 (17-21-04).txt

    Scan type: Quick scan
    Objects scanned: 390271
    Time elapsed: 48 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ****************************************************************************************************

    GMER LOG:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-03 14:29:31
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 WDC_WD800JD-75MSA3 rev.10.01E04
    Running: oxpbex4v.exe; Driver: C:\DOCUME~1\GRAEME~1\LOCALS~1\Temp\pxdyqpob.sys


    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----


    *****************************************************************************************************
    DDS LOG:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 26/09/2007 10:50:58
    System Uptime: 02/08/2011 16:28:17 (22 hours ago)
    .
    Motherboard: Dell Inc. | | 0CU395
    Processor: Intel Pentium II processor | Microprocessor | 2000/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 74 GiB total, 25.762 GiB free.
    D: is CDROM ()
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 01/08/2011 13:28:46 - System Checkpoint
    RP2: 02/08/2011 13:45:30 - System Checkpoint
    RP3: 02/08/2011 16:26:30 - Removed Adobe Reader 8.2.0
    RP4: 02/08/2011 16:58:06 - Removed OpenOffice.org 2.3
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Shockwave Player 11.5
    Apple Mobile Device Support
    Apple Software Update
    ATI Catalyst Control Center
    ATI Display Driver
    AVG 2011
    Bonjour
    Broadcom Management Programs
    Critical Update for Windows Media Player 11 (KB959772)
    D2300_Help
    DigiDelivery
    Dropbox
    GoldWave v5.22
    Google Update Helper
    High Definition Audio Driver Package - KB835221
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB896256)
    Hotfix for Windows XP (KB908673)
    Hotfix for Windows XP (KB909095)
    Hotfix for Windows XP (KB923232)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB935448)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    hph_readme
    hph_software_req
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 2
    Java(TM) 6 Update 23
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    LimeWire 4.18.8
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.18)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NETGEAR Print Server Utility
    PixiePack Codec Pack
    PowerDVD
    QuickTime
    RealPlayer
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB947864)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981350)
    Security Update for Windows XP (KB982381)
    SUPER © Version 2010.bld.37 (Jan 2, 2010)
    SWF Opener
    Switch
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB912945)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Installer 3.1 (KB893803)
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB889673
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinRAR archiver
    Zerius Vocoder (remove only)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    29/07/2011 16:47:52, error: ati2mtag [44044] - I2c return failed
    29/07/2011 16:26:52, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
    29/07/2011 16:06:16, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    03/08/2011 12:48:30, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows nt\accessories\wordpad.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.3355.
    03/08/2011 12:45:26, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\wabimp.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.3138.
    03/08/2011 12:44:30, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\movie maker\moviemk.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2.1.4027.0.
    03/08/2011 12:39:02, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\iedw.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.3698.
    03/08/2011 12:36:09, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\msadc\msadce.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1135.0.
    03/08/2011 12:36:09, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msjro.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1128.0.
    03/08/2011 12:36:08, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadox.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1128.0.
    03/08/2011 12:36:07, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadomd.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1128.0.
    03/08/2011 12:36:06, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msado15.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1128.0.
    03/08/2011 12:35:13, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\vgx\vgx.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.3164.
    03/08/2011 12:35:13, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\triedit\triedit.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.1.0.9246.
    01/08/2011 15:48:30, error: DCOM [10000] - Unable to start a DCOM Server: {FB7199AB-79BF-11D2-8D94-0000F875C541}. The error: "%2" Happened while starting this command: C:\Program Files\Messenger\msmsgs.exe -Embedding
    01/08/2011 11:08:06, error: DCOM [10000] - Unable to start a DCOM Server: {FB7199AB-79BF-11D2-8D94-0000F875C541}. The error: "%5" Happened while starting this command: C:\Program Files\Messenger\msmsgs.exe -Embedding
    .
    ==== End Of File ===========================
     
  7. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    In addition to the above, I couldn't get connected to the ESET scanner. Got (eventually) to the website, but got blocked from getting any further.
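
The user can reach ordinary sites but not ESET, Malwarebytes, GMER or Microsoft, which is the pattern of a machine whose name resolution for security vendors has been tampered with. The thread never establishes the cause. One check a practitioner would run on such a machine is below: an added Python example, not part of the thread and not an AVG or TechSpot tool, that parses the Windows hosts file and flags every non-default mapping, marking those that touch the domains the user could not reach. The domain list, the sample hosts text and the `padding_lines` heuristic are this example's own assumptions. A filter driver, a proxy set under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`, or a changed DNS server would produce the same symptom and are not checked here.

```python
"""Check a Windows hosts file for entries that redirect or block
security-vendor domains. Added example; not from the thread.

Assumption (not stated in the thread): the block is caused by a
hosts-file redirect. Other causes (a network filter driver, a proxy
setting, a changed DNS server) need separate checks.
"""
import ipaddress
import re
from pathlib import Path

# Domains the thread's user could not reach, plus a few vendor domains.
# This list is an assumption of the example.
WATCH_DOMAINS = (
    "eset.com", "malwarebytes.org", "malwarebytes.com", "gmer.net",
    "microsoft.com", "windowsupdate.com", "avg.com", "techspot.com",
)

# The only mapping a stock Windows XP hosts file contains.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, names = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                         # malformed line, not an address
        for name in names.split():           # one IP may map several names
            yield ip, name.lower(), line_no


def matches_watch(hostname, watch=WATCH_DOMAINS):
    """True if hostname is one of the watched domains or a subdomain."""
    return any(hostname == d or hostname.endswith("." + d) for d in watch)


def find_suspicious(text, watch=WATCH_DOMAINS):
    """Return every non-default mapping; 'watched' marks vendor domains."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        findings.append({
            "line": line_no, "ip": ip, "host": name,
            "watched": matches_watch(name, watch),
            "loopback": ipaddress.ip_address(ip).is_loopback,
        })
    return findings


def padding_lines(text):
    """Count blank lines. Heuristic (assumption of this example): a run
    of empty lines can push added entries below the visible part of the
    file when it is opened in Notepad."""
    return sum(1 for line in text.splitlines() if not line.strip())


def read_hosts(path=r"C:\WINDOWS\system32\drivers\etc\hosts"):
    """Read the live hosts file (Windows XP default location)."""
    return Path(path).read_text(encoding="latin-1", errors="replace")


# Constructed sample, not taken from the user's machine: a hosts file
# that would produce the symptoms described in the thread.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
""" + "\n" * 40 + """
127.0.0.1   www.malwarebytes.org malwarebytes.org
127.0.0.1   www.gmer.net
203.0.113.7 www.eset.com update.microsoft.com
127.0.0.1   www.example.org
"""

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        flag = "!!" if f["watched"] else "  "
        print(f"{flag} line {f['line']:>4}: {f['ip']:<15} {f['host']}")
    print("blank padding lines:", padding_lines(SAMPLE_HOSTS))
```

On the live machine replace `SAMPLE_HOSTS` with `read_hosts()`; a mapping of a vendor domain to 127.0.0.1 blocks the site, while a mapping to any other address silently redirects it, which is why the report keeps the `loopback` flag separate from `watched`.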
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You will have malware in the Java cache because you have several outdated versions of Java:

    1. You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

    Please download JavaRa and unzip it to your desktop.

    Important!***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
    Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    ===========================================
    After you have updated Java to the current version:
    2. To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on Temporary Files Settings window.
    =================================================
    3. Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow it.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Please use a flash drive to download the programs. Then connect and run/install on the problem computer.

    Leave Combofix log in the next reply> this is the only log to leave.
    Please let me know when the internet connection is restored.
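
Bobbye's point about the Java entries can be checked mechanically from the DDS log the user posted. The following Python script is an added example, not part of the thread and not a feature of DDS: it splits a DDS log into its `==== ... ====` sections, pulls every JRE entry out of `Installed Programs`, compares the versions against a `current` tuple the caller supplies, and also lists file-sharing clients, which the helper's guidelines ask to have uninstalled. The sample input is an excerpt of the user's own program list; the `current=(6, 26)` default is this example's assumption about the newest JRE in August 2011, not something the thread states, and the P2P client list is the example's own.

```python
"""Audit the 'Installed Programs' section of a DDS log for stale Java
runtimes and file-sharing clients. Added example; not from the thread
and not part of DDS.
"""
import re

# Entry formats seen in DDS output for Sun JREs, e.g.
# "Java(TM) 6 Update 23" and "J2SE Runtime Environment 5.0 Update 6".
JAVA_PATTERNS = [
    re.compile(r"^Java\(TM\)\s+(?:SE\s+)?(?:Runtime Environment\s+)?(\d+)\s+Update\s+(\d+)", re.I),
    re.compile(r"^J2SE Runtime Environment\s+(\d+)\.\d+\s+Update\s+(\d+)", re.I),
]

# File-sharing clients the helper's guidelines want removed (assumed list).
P2P_CLIENTS = ("limewire", "frostwire", "bearshare", "utorrent",
               "bittorrent", "kazaa", "emule")

SECTION = re.compile(r"^==== (.+?) =+\s*$")


def dds_sections(text):
    """Split a DDS log into {section title: [lines]}.
    DDS prints '.' on otherwise empty lines; those are dropped."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


def java_versions(programs):
    """Return [(entry name, major, update)] for every JRE entry."""
    found = []
    for name in programs:
        for pat in JAVA_PATTERNS:
            m = pat.match(name)
            if m:
                found.append((name, int(m.group(1)), int(m.group(2))))
                break
    return found


def audit(text, current=(6, 26)):
    """Summarise Java state and P2P clients for one DDS log.
    `current` = (major, update) of the newest JRE at the time of the log;
    the 6u26 default is this example's assumption for August 2011."""
    programs = dds_sections(text).get("Installed Programs", [])
    jres = java_versions(programs)
    newest = max(((maj, upd) for _, maj, upd in jres), default=None)
    return {
        "java_installed": jres,
        "java_stale": [n for n, maj, upd in jres if (maj, upd) < current],
        "java_current": newest is not None and newest >= current,
        "p2p": [n for n in programs
                if any(p in n.lower() for p in P2P_CLIENTS)],
    }


# Excerpt of the user's own DDS 'Installed Programs' list from the thread,
# trimmed to the relevant entries plus one following section.
SAMPLE_DDS = """\
==== Installed Programs ======================
.
Adobe Flash Player 10 Plugin
AVG 2011
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 2
Java(TM) 6 Update 23
Java(TM) 6 Update 3
Java(TM) 6 Update 5
LimeWire 4.18.8
Malwarebytes' Anti-Malware version 1.51.1.1800
Mozilla Firefox (3.6.18)
.
==== Event Viewer Messages From Past Week ========
.
29/07/2011 16:47:52, error: ati2mtag [44044] - I2c return failed
"""

if __name__ == "__main__":
    report = audit(SAMPLE_DDS)
    print("JREs installed :", len(report["java_installed"]))
    print("stale JREs     :", report["java_stale"])
    print("current present:", report["java_current"])
    print("P2P clients    :", report["p2p"])
```

Feed it the whole DDS log rather than the excerpt and it still works, because everything outside `Installed Programs` is ignored. Each stale entry is a separate JRE install with its own plug-in, so "remove older versions" in JavaRa is the right fix rather than simply installing one more.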
     
  9. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    Hi

    I ran JavaRa no problem. Downloaded from the link for JRE and unzipped and tried to install, but I got a message one time saying that it was "interrupted" and other attempts said "Internal error 2753. regutils.dll". I tried the offline download and the online one but still the same result.

    Therefore, I can't move to the next step. Or should I jump this part and move on?

    What should I do?

    Thanks again.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for delay. Yes, you can go on. But I'm curious about the 'unzip.' I thought it was just the setup to save to the desktop, then double click to run.
     
  11. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    Well, I did UnZip, and when I double clicked it proceeded as it should to install, but there were only four blue blocks on the progress bar when it gave me the error message.

    I'll press on. I will miss out installing Java (obviously) and go to Number 2, Clear Java Plug-In cache and move on.

    I'll put the next log up soon.

    Thanks again.
     
  12. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    OK. Scratch the part about the Java Cache. I got the message "Cannot find the REGISTRY KEY"
    Going to ComboFix now.
     
  13. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    OK.

    I tried everything I could to stop AVG running, but I couldn't. I tried uninstalling, I tried stopping the process in 'processes' of the Task Manager. I tried trashing the AVG folder. No joy.
    I thought, what the hey, just run Combofix anyway. It did its thing and here is the log.

    ComboFix 11-08-11.01 - graeme mackenzie 11/08/2011 12:05:43.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.990.449 [GMT 1:00]
    Running from: c:\documents and settings\graeme mackenzie\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\graeme mackenzie\WINDOWS
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_FAD
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-11 to 2011-08-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-03 11:37 . 2011-08-03 11:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-02 14:57 . 2011-08-02 14:59 -------- d-----w- c:\windows\system32\NtmsData
    2011-07-28 12:30 . 2011-07-28 12:30 -------- d--h--w- c:\windows\PIF
    2011-07-27 14:24 . 2011-08-11 12:14 -------- d-----w- c:\documents and settings\graeme mackenzie\Local Settings\Application Data\mkifowgd
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-06 18:52 . 2010-03-29 15:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 18:52 . 2010-03-29 15:03 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-16 09:05 . 2011-06-16 09:05 1409 ----a-w- c:\windows\QTFont.for
    2006-05-03 10:06 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 11:47 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 13:30 216064 --sh--r- c:\windows\system32\nbDX.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-22 198160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 467464]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    .
    c:\documents and settings\graeme mackenzie\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\graeme mackenzie\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\graeme mackenzie\Local Settings\Application Data\mkifowgd\uqaryapt.exe"
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    2006-05-10 09:12 172485 ------w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Documents and Settings\\graeme mackenzie\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
    .
    R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [30/08/2007 09:22 3456]
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 16:27 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 03:48 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 03:48 248656]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [07/09/2010 03:49 297168]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [18/04/2011 17:39 7398752]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [08/02/2011 05:33 269520]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 21:42 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 21:42 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 21:42 27216]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/03/2011 14:05 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [03/03/2011 14:05 136176]
    S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\GRAEME~1\LOCALS~1\Temp\ccxycwig.sys --> c:\docume~1\GRAEME~1\LOCALS~1\Temp\ccxycwig.sys [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
    2008-06-18 15:04 90467 ------w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
    .
    2011-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-03 13:05]
    .
    2011-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-03 13:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://www.euro.dell.com
    uInternet Settings,ProxyOverride = *.local
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\graeme mackenzie\Application Data\Mozilla\Firefox\Profiles\r4bys7q3.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b3d2cf0&i=23&tp=ab&ychte=uk&nt=1&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
    FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - c:\documents and settings\graeme mackenzie\Application Data\Dropbox\bin\DropboxExt.14.dll
    ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - c:\documents and settings\graeme mackenzie\Application Data\Dropbox\bin\DropboxExt.14.dll
    ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - c:\documents and settings\graeme mackenzie\Application Data\Dropbox\bin\DropboxExt.14.dll
    ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - c:\documents and settings\graeme mackenzie\Application Data\Dropbox\bin\DropboxExt.14.dll
    HKCU-Run-UqaRyapt - c:\documents and settings\graeme mackenzie\Local Settings\Application Data\mkifowgd\uqaryapt.exe
    AddRemove-GoldWave v5.22 - c:\program files\GoldWave\unstall.exe
    AddRemove-SUPER © - c:\progra~1\ERIGHT~1\SUPER\Setup.exe
    AddRemove-Windows Media Format Runtime - c:\program files\Windows Media Player\wmsetsdk.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-11 13:15
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\documents and settings\graeme mackenzie\Start Menu\Programs\Startup\uqaryapt.exe 79332 bytes executable
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(808)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(3608)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\progra~1\AVG\AVG10\avgchsvx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\AVG\AVG10\avgnsx.exe
    c:\program files\AVG\AVG10\avgemcx.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    c:\progra~1\AVG\AVG10\avgrsx.exe
    c:\program files\AVG\AVG10\avgcsrvx.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-11 13:29:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-11 12:28
    .
    Pre-Run: 27,033,772,032 bytes free
    Post-Run: 28,956,516,352 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 54F152CBE1853093DAD619B42F40C6AA
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, let's slow down and do one step at a time: If you ran Java Ra first, then you might not have any Java to update. We will handle that.

    I neglected to give you the following to uninstall AVG before Combofix- my apology:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.
    Be sure to put one of these AVs on the system:
    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please reboot the computer
    =============================
    Please run catchme:
    catchme is the rootkit/stealth malware scanner that scans for:
    • hidden processes
    • hidden registry keys
    • hidden services
    • hidden files
    catchme can also delete, destroy and collect malicious files.

    Download catchme.exe ( 137KB ) and save to your desktop.
    • Double click the catchme.exe to run it
    • Click the "Scan" button to start scan
    • Open catchme.log to see results

    Copy the log to Notepad, making sure that 'Word Wrap' is unchecked in Format. Then paste the log in your next reply.
    =====================================================
    After you have run catchme:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Using Windows Explorer (Right click on Start> Explore) go to Tools> Folder Options> View tab> Check 'Show hidden files and folders'> Uncheck 'Hide protected system files (Recommended)'> Confirm Yes> Apply> OK.

    Go to Docs. & Settings for graeme mackenzie> Start Menu> Programs> Startup and see if uqaryapt.exe is listed> If listed do a right click> Delete.
    Go back and reset the hidden files & folders to 'Do not show hidden files and folders' and check 'Hide protected system files' again.
    Exit Explorer.
    If it is not there, do not worry- it may have been removed by catchme.
    This is the full path:
    c:\documents and settings\graeme mackenzie\Start Menu\Programs\Startup\uqaryapt.exe
    ==========================================
    Paste the catchme log in your next reply.
     
  15. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    Thanks for your continued efforts in helping me with this. It gives me a lot of help to know you are there.

    I did catchme and the log is below. When I went into Safe Mode.....it didn't let me. Blue screen saying "A problem has been detected and windows has been shut down to prevent damage to your computer."
    At the bottom it says:

    STOP: 0x00000007B (0xF798E528, 0xC0000034, 0x00000000, 0x00000000)

    Here is the log for catchme:


    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-15 15:56:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    C:\Documents and Settings\graeme mackenzie\Local Settings\Application Data\mkifowgd\uqaryapt.exe 79332 bytes executable
    C:\Documents and Settings\graeme mackenzie\Start Menu\Programs\Startup\uqaryapt.exe 79332 bytes executable

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 2
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    To destroy malicious executable files

    Click on Script tab

    Paste files in "Files to kill"
    Code:
    C:\Documents and Settings\graeme mackenzie\Local Settings\Application Data\mkifowgd\uqaryapt.exe 
    C:\Documents and Settings\graeme mackenzie\Start Menu\Programs\Startup\uqaryapt.exe 
    
    Click Run button
    Files will be destroyed and zipped to catchme.zip on desktop.

    Reboot to complete operation.

    Images courtesy 2.gmer.net/catchme
     
  17. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    Thanks

    Before I got to do Catchme again, the Windows Malicious file remover -thing kicked in. I let it scan and it found about a thousand infected files. It said it found two trojan type files and it had "partially removed " them

    I ran Catchme again and it found.... nothing. Zero hidden processes, service or files.
    You had told me to replace AVG with one of the two AV programs. It didn't like Avira so I loaded Avast. At the moment everything seems to be ok. No alerts from Avast. I still can't get into Safe Mode and I don't want to re-install Quicktime, Adobe Acrobat or OpenOffice (the progs that won't run) unless you say so.
    What happens now?

    And as always.......many thanks.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The Microsoft Malicious Software Removal Tool is strictly a post-infection removal tool. The tool removes only specific prevalent malicious software. Specific prevalent malicious software is a small subset of all the malicious software that exists today. So as far as I'm concerned, it's a half-a.. program and not worth running!

    Now the problem is I don't know what it removed. And having it run when we're in the middle of cleaning was not good. Please disable it so we can proceed without it doing any more harm. This tool came through as a Windows update. If your system is set to Install updates automatically please change it to 'notify but don't install'.

    And when you get the notice, don't just think you have to install all the updates! You do not and should take some responsibility for what's going on your system by looking at the update content and deciding if you need/want it! MS has been sending some BS updates over the years. Some are more aimed at making MS feel better instead of enhancing or protecting the system of the user.

    Please reboot the computer first, then update and run ComboFix again. Disable or uninstall the above and don't allow any more scans from programs that I have not instructed you to run.

    Please tell me what happens when you attempt to boot into Safe Mode.
     
  19. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    Completely understood. I was off work yesterday and this probably got through in my absence.

    Doing as instructed now.

    Thanks
     
  20. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    OK. I did as you said. The ComboFix log is below.
    It went into Safe Mode no problem.
    Incidentally, when I startup Windows I get TWO 'stop' noises.


    ComboFix 11-08-17.01 - graeme mackenzie 17/08/2011 16:49:19.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.990.670 [GMT 1:00]
    Running from: c:\documents and settings\graeme mackenzie\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_Micorsoft Windows Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-17 to 2011-08-17 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-17 10:54 . 2011-08-17 10:54 -------- d-----w- c:\windows\system32\MpEngineStore
    2011-08-15 15:47 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-08-15 15:47 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-08-15 15:47 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-08-15 15:47 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-08-15 15:47 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-08-15 15:47 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-08-15 15:47 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-08-15 15:47 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-08-15 15:45 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
    2011-08-15 15:45 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-08-15 15:45 . 2011-08-15 15:45 -------- d-----w- c:\program files\AVAST Software
    2011-08-15 15:45 . 2011-08-15 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-08-03 11:59 . 2011-08-03 11:59 143360 ------w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2011-08-03 11:59 . 2011-08-03 11:59 143360 ------w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2011-08-03 11:59 . 2011-08-03 11:59 143360 ------w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
    2011-08-03 11:59 . 2011-08-03 11:59 143360 ------w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
    2011-08-03 11:37 . 2011-08-03 11:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-02 14:57 . 2011-08-15 15:25 -------- d-----w- c:\windows\system32\NtmsData
    2011-07-28 12:30 . 2011-07-28 12:30 -------- d--h--w- c:\windows\PIF
    2011-07-27 14:24 . 2011-08-17 09:13 -------- d-----w- c:\documents and settings\graeme mackenzie\Local Settings\Application Data\mkifowgd
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-06 18:52 . 2010-03-29 15:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 18:52 . 2010-03-29 15:03 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-16 09:05 . 2011-06-16 09:05 1409 ----a-w- c:\windows\QTFont.for
    2006-05-03 10:06 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 11:47 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 13:30 216064 --sh--r- c:\windows\system32\nbDX.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-11_12.15.48 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-17 15:05 . 2011-08-17 15:05 16384 c:\windows\Temp\Perflib_Perfdata_7b4.dat
    + 2007-09-26 09:39 . 2011-08-17 12:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-09-26 09:39 . 2011-08-11 09:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2011-08-16 16:19 . 2011-08-17 12:52 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2011-08-15 15:47 . 2011-08-15 15:47 219648 c:\windows\Installer\7b9cc.msi
    + 2007-09-28 09:27 . 2011-08-17 04:38 52390856 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UqaRyapt"="c:\documents and settings\graeme mackenzie\Local Settings\Application Data\mkifowgd\uqaryapt.exe" [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-22 198160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    .
    c:\documents and settings\graeme mackenzie\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\graeme mackenzie\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    2006-05-10 09:12 90112 ------w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Documents and Settings\\graeme mackenzie\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    .
    R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [30/08/2007 09:22 3456]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [15/08/2011 16:47 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [15/08/2011 16:47 309848]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/08/2011 16:47 19544]
    S1 sewbmfhb;sewbmfhb;\??\c:\windows\system32\drivers\sewbmfhb.sys --> c:\windows\system32\drivers\sewbmfhb.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/03/2011 14:05 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [03/03/2011 14:05 136176]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
    .
    2011-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-03 13:05]
    .
    2011-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-03 13:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://www.euro.dell.com
    uInternet Settings,ProxyOverride = *.local
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\graeme mackenzie\Application Data\Mozilla\Firefox\Profiles\r4bys7q3.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b3d2cf0&i=23&tp=ab&ychte=uk&nt=1&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
    .
    - - - - ORPHANS REMOVED - - - -
    .
    ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
    HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
    HKLM_ActiveSetup-{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-17 16:59
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    C:\## aswSnx private storage
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(684)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(2052)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-08-17 17:05:20
    ComboFix-quarantined-files.txt 2011-08-17 16:05
    ComboFix2.txt 2011-08-11 12:29
    .
    Pre-Run: 28,962,197,504 bytes free
    Post-Run: 28,887,212,032 bytes free
    .
    - - End Of File - - 9F5A41A917AEF065F57FF4EF06E0B252
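    An added triage helper (example code, not from the thread, ComboFix or catchme) that scans autostart and hidden-file lines in the format of the logs quoted in this thread and flags the same signs Bobbye acts on: the Winlogon Userinit value chaining a second executable, the Run entry and service launched from a per-user Local Settings\Application Data or Temp folder, the service whose binary is missing, and the hidden executable in a Startup folder. The regexes are written against the line formats shown above, and the sample lines are constructed from those logs; treating the "[?]" suffix on a service line as "binary not found" is an assumption.

```python
"""Triage helper for ComboFix 'Reg Loading Points' and catchme hidden-file lines.

Added example for readers, not the thread's, ComboFix's or catchme's own code.
It reads one log line at a time and reports autostart patterns that a cleaner
would want to look at first.
"""
import re

# Patterns built from the line formats seen in the quoted logs (assumption:
# they cover only the variants shown there).
USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>[^"]*)"', re.IGNORECASE)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')
HIDDEN_EXE_RE = re.compile(r'^(?P<path>[a-z]:\\.+?)\s+\d+\s+bytes\s+executable$', re.IGNORECASE)

# Folders a legitimate autostart or service almost never runs from.
SUSPECT_DIRS = ("\\local settings\\application data\\", "\\locals~1\\temp\\", "\\temp\\")

# Constructed sample, adapted from the ComboFix and catchme output in this thread.
SAMPLE_LINES = [
    r'"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]',
    r'"UqaRyapt"="c:\documents and settings\graeme mackenzie\Local Settings\Application Data\mkifowgd\uqaryapt.exe" [BU]',
    r'"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\graeme mackenzie\Local Settings\Application Data\mkifowgd\uqaryapt.exe"',
    r'R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [30/08/2007 09:22 3456]',
    r'S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\GRAEME~1\LOCALS~1\Temp\ccxycwig.sys --> c:\docume~1\GRAEME~1\LOCALS~1\Temp\ccxycwig.sys [?]',
    r'c:\documents and settings\graeme mackenzie\Start Menu\Programs\Startup\uqaryapt.exe 79332 bytes executable',
]


def userinit_extras(value):
    """Return every comma-separated entry of a Userinit value that is not userinit.exe.

    A clean XP value is just 'c:\\windows\\system32\\userinit.exe,'; anything
    chained after it is started by Winlogon at every logon.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def is_suspect_path(path):
    """True when the path sits inside a per-user data or Temp folder."""
    lowered = path.lower()
    return any(d in lowered for d in SUSPECT_DIRS)


def triage(lines):
    """Return a list of (category, detail) findings for the given log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()

        m = USERINIT_RE.match(line)
        if m:
            for extra in userinit_extras(m.group("value")):
                findings.append(("userinit-chain", extra))
            continue

        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest")
            # Assumption: ComboFix's trailing '[?]' means the binary was not found.
            if rest.endswith("[?]"):
                findings.append(("service-missing-binary", m.group("name")))
            if is_suspect_path(rest):
                findings.append(("service-suspect-path", m.group("name")))
            continue

        m = HIDDEN_EXE_RE.match(line)
        if m and "\\startup\\" in m.group("path").lower():
            findings.append(("hidden-startup-exe", m.group("path")))
            continue

        m = RUN_RE.match(line)
        if m and is_suspect_path(m.group("path")):
            findings.append(("run-suspect-path", m.group("name")))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LINES):
        print(f"{category:24} {detail}")
```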
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'd like you to run catchme again: But with a slight difference:
    How to delete malware files
    1. Click on Script tab
    2. Paste log results in "Files to delete" Command
    3. Click Run button
    4. Files will be deleted and zipped to catchme.zip on desktop.
    5. Reboot to complete.
    Copy the log to Notepad, making sure that 'Word Wrap' is unchecked in Format. Then paste the log in your next reply.

    Are you having another problem other than can't get into Safe Mode? Describe what happens when you try. Are you doing this?

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Please describe the sounds you're hearing. Are these beep codes? There are 2, correct? Exactly when do they come?
     
  22. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    I will do that now.

    I can get into Safe Mode now no problem. That is a new thing. Up until the last move you told me (I think) it would look like it was going into Safe Mode but would come up with the blue screen as mentioned before ("A problem has been detected and windows has been shut down to prevent damage to your computer").

    The noise is CRITICAL STOP. I'll double check but I think they happen very soon after my desktop appears. One straight after the other. I don't think there are any other noises (beeps especially). I have the PC connected to speakers and The Critical Stop noises are coming out of them.

    Back to you soon.

    Thanks again.
     
  23. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    OK. Did what you said. Catchme log below.
    In the SCRIPT box there was no "Files to Kill" prompt.

    Into safe mode ok. Searched for "uqarypt.exe" but not there.

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-19 11:29:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    C:\## aswSnx private storage
    C:\## aswSnx private storage\snx_rhive 262144 bytes
    C:\## aswSnx private storage\snx_rhive.LOG 1024 bytes
    C:\## aswSnx private storage\webStorage
    C:\## aswSnx private storage\webStorage\attrib
    C:\## aswSnx private storage\webStorage\image
    C:\## aswSnx private storage\webStorage\snx_fs.dat 180 bytes

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 7
     
  24. tcmasterx

    tcmasterx TS Member Topic Starter Posts: 48

    Next one.

    I manually typed FILES TO KILL and got this result:

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-19 11:29:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    C:\## aswSnx private storage
    C:\## aswSnx private storage\snx_rhive 262144 bytes
    C:\## aswSnx private storage\snx_rhive.LOG 1024 bytes
    C:\## aswSnx private storage\webStorage
    C:\## aswSnx private storage\webStorage\attrib
    C:\## aswSnx private storage\webStorage\image
    C:\## aswSnx private storage\webStorage\snx_fs.dat 180 bytes

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 7


    Processing "Files to kill:"

    read file error: C:\## aswSnx private storage, Access is denied.
    read file error: C:\## aswSnx private storage\snx_rhive 262144 bytes, The system cannot find the file specified.
    read file error: C:\## aswSnx private storage\snx_rhive.LOG 1024 bytes, The system cannot find the file specified.
    read file error: C:\## aswSnx private storage\webStorage, Access is denied.
    read file error: C:\## aswSnx private storage\webStorage\attrib, Access is denied.
    read file error: C:\## aswSnx private storage\webStorage\image, Access is denied.
    read file error: C:\## aswSnx private storage\webStorage\snx_fs.dat 180 bytes, The system cannot find the file specified.
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Just because a file comes up hidden does not mean it's malware. And you should not take it further unless I instruct you to. Research done at Bleeping Computer shows that these files are related to Avast.

    I'd like to run an error check. What you are describing sounds like a system problem.

    Starting through Windows Explorer:
    Right click on Start> Explore> My Computer> Right click on Local Drive (usually C)> Properties> Tools> Error Check> check both boxes on the screen that comes up> Apply> Close the message and reboot for the Error Checking to start.

    The nag message is just asking if you want to schedule chkdsk for next reboot. Closing the message and rebooting will start the checking in a few seconds.

    There are no logs for this for me. After the checking has finished, try running the system for a while and see how it does. Sometimes an improper shutdown (aka a 'crash') can cause problems like you describe.

    Go out for coffee while it runs. You have nothing else to do except wait for the system to reboot after the Error Checking has finished.
     
Topic Status:
Not open for further replies.
