[Not curable - Ramnit] Another (!) win32/zbot.g infection with AVG, Win XP Pro

ali

Dear techspot gurus,

A few days ago my laptop, running XP pro, became infected with Win32/Zbot.g, according to AVG 8.5 free.

As per a few other similar threads I have seen on here, I had (and have) multiple (hundreds) of infections flashing up in AVG, and more than it seems to be able to handle. Running a scan in AVG produced hundreds more results along these lines.

The machine is fully backed up, so I was going to just reformat. However, I don't have an XP disk, and so far have been completely unsuccessful in using the i386 files on the C drive to reinstall. I don't know whether the infection has hindered this, or whether there are other issues causing this, but either way WINNT32 won't run, and nor will WINNT from a DOS boot using a Win98 boot disk.

So, meantime, it looks like a clean up could be the way forward, and any help with this very much appreciated.

I've taken the 7/5 step process, and logs will follow.

Given the advice in other threads, I also tried to access ESET online scanner, but it seems this site is being blocked by the virus, alongside things like support.microsoft.com etc.

I had never come across a site like this before these recent issues, and I have to say I'm amazed and heartened to see that folk like you are willing to put in the time to help people!

Thanks again in advance if anyone has a chance to give advice.
 
MBAM log

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7035

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

05/08/2011 22:17:11
mbam-log-2011-08-05 (22-17-11).txt

Scan type: Quick scan
Objects scanned: 161093
Time elapsed: 11 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{684EE1DB-CD52-4CA9-9CCF-93D5F6B419BA} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{684EE1DB-CD52-4CA9-9CCF-93D5F6B419BA} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OsjHvplc (Spyware.Passwords.XGen) -> Value: OsjHvplc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Value: UID -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,,C:\Documents and Settings\IBM USER\Local Settings\Application Data\fbptfayy\osjhvplc.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\networkservice\application data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\ibm user\local settings\application data\fbptfayy\osjhvplc.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\ibm user\start menu\programs\startup\osjhvplc.exe (Spyware.Passwords.XGen) -> Delete on reboot.
c:\WINDOWS\system32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
 
GMER log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-05 23:50:11
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS548040M9AT00 rev.MG2OA5BA
Running: h1dqlr36.exe; Driver: C:\DOCUME~1\IBMUSE~1\LOCALS~1\Temp\pfrdrpod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----
 
DDS log

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Run by IBM USER at 23:52:54 on 2011-08-05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.408 [GMT 1:00]
.
AV: AVG Anti-Virus Free *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
mWinlogon: Userinit=Userinit.exe,c:\documents and settings\ibm user\local settings\application data\fbptfayy\osjhvplc.exe,
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Aim6]
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [OsjHvplc] c:\documents and settings\ibm user\local settings\application data\fbptfayy\osjhvplc.exe
mRun: [S3TRAY2] S3Tray2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TPKMAPMN] c:\program files\thinkpad\utilities\TpKmapMn.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UC_SMB]
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
mRun: [TpShocks] TpShocks.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\PkgMgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ibm user\application data\mozilla\firefox\profiles\knmxpk39.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-20 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-21 27784]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2006-10-15 16384]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2010-1-20 297752]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-4 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-4 22712]
S3 MADFU;MADFU;c:\windows\system32\drivers\MADFU.sys [2009-5-26 16512]
S3 MAUSBCV;Service for M-Audio Conectiv (WDM);c:\windows\system32\drivers\mausbcv.sys [2009-5-26 131712]
S3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [2010-12-19 618112]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
.
=============== Created Last 30 ================
.
2011-08-04 21:51:13 -------- d-----w- c:\documents and settings\ibm user\application data\Malwarebytes
2011-08-04 21:50:48 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-04 21:50:47 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-04 21:50:44 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-04 21:50:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-04 21:49:05 418708 ----a-w- C:\h1dqlr36.exe
2011-08-03 18:40:33 -------- d-----w- c:\documents and settings\ibm user\local settings\application data\Help
2011-08-01 09:52:52 -------- d--h--w- C:\$AVG8.VAULT$
2011-08-01 08:48:48 -------- d-----w- c:\documents and settings\ibm user\local settings\application data\fbptfayy
.
==================== Find3M ====================
.
.
============= FINISH: 23:54:26.38 ===============
 
Welcome aboard

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

==================================================================

I still need Attach.txt part of DDS.
After posting that....

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start the scan:


On completion of the scan click "Save log", save it to your desktop and post in your next reply:


NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled, as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



Make sure you re-enable your security programs when you're done with ComboFix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Attach log

Hi mate, many thanks for your reply! Will follow those steps later today, and post back logs.

In the meantime, the Attach log is as follows...
======================
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 02/06/2007 01:42:01
System Uptime: 05/08/2011 22:18:46 (1 hours ago)
.
Motherboard: IBM | | 2373SG1
Processor: Intel(R) Pentium(R) M processor 1600MHz | None | 1594/400mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 34 GiB total, 2.124 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
µTorrent
Access IBM
Access IBM Message Center
Access IBM Tools
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Agere Systems AC'97 Modem
AIM 6
alm
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
AutoUpdate
AVG Free 8.5
blinkbox Download Manager
Conectiv
DivX Codec
DivX Converter
DivX Player
DivX Web Player
FileZilla Client 3.4.0
Foxit Reader
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB926239)
IBM Access Support - Local Content Pack
IBM Rapid Restore PC Setup
IBM Themes
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Presentation Director
IBM ThinkPad UltraNav Driver
IBM ThinkPad UltraNav Wizard
IBM TrackPoint Accessibility Features
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Intel(R) Sebring API
InterVideo WinDVD
IZArc 4.1
Java Auto Updater
Java(TM) 6 Update 20
LAME v3.98.3 for Audacity
Live 8.0.1
Malwarebytes' Anti-Malware version 1.51.1.1800
Media Player Codec Pack 3.1.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Morgan Stream Switcher
Mozilla Firefox (3.6.18)
Native Instruments - Traktor 1.06
OpenOffice.org 3.2
PSP VintageWarmer v1.5d
Real Alternative 2.0.1
Reason
Scratch LIVE 1.8 (18048)
Scroll Lock Indicator Utility
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Skype Toolbars
Skype™ 5.0
Software Installer
Sony Sound Forge 8.0b
SoundMAX
System Migration Assistant
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad Power Management Driver
ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
ThinkVantage Access Connections
ThinkVantage Active Protection System
Torq 1.0.2 (build 002 -- Tue Dec 05 2006)
TPNala Wallpaper
Trust 100K Series Webcam
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VideoLAN VLC media player 0.8.6c
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
.
==== Event Viewer Messages From Past Week ========
.
05/08/2011 23:50:50, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
05/08/2011 22:20:19, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
02/08/2011 19:33:28, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IBMTPCHK
02/08/2011 19:23:34, error: Service Control Manager [7000] - The Ac Profile Manager Service service failed to start due to the following error: Access is denied.
01/08/2011 11:09:19, error: Service Control Manager [7034] - The Ac Profile Manager Service service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
 
aswMBR log

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-06 22:02:14
-----------------------------
22:02:14.127 OS Version: Windows 5.1.2600 Service Pack 2
22:02:14.127 Number of processors: 1 586 0x905
22:02:14.127 ComputerName: IBM-C25AFBDEC71 UserName: IBM USER
22:02:15.739 Initialize success
22:02:40.325 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:02:40.325 Disk 0 Vendor: HTS548040M9AT00 MG2OA5BA Size: 34682MB BusType: 3
22:02:42.347 Disk 0 MBR read successfully
22:02:42.347 Disk 0 MBR scan
22:02:42.347 Disk 0 unknown MBR code
22:02:42.357 Disk 0 scanning sectors +71018640
22:02:42.428 Disk 0 scanning C:\WINDOWS\system32\drivers
22:02:59.793 Service scanning
22:03:01.846 Modules scanning
22:03:11.429 Disk 0 trace - called modules:
22:03:11.449 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:03:11.459 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x872fbab8]
22:03:11.469 3 CLASSPNP.SYS[f77e105b] -> nt!IofCallDriver -> \Device\000000ac[0x873219e8]
22:03:11.469 5 ACPI.sys[f76d7620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87359940]
22:03:11.830 Scan finished successfully
22:04:03.344 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\IBM USER\Desktop\MBR.dat"
22:04:03.354 The log file has been saved successfully to "C:\Documents and Settings\IBM USER\Desktop\aswMBR.txt"
 
ComboFix log

ComboFix 11-08-03.03 - IBM USER 06/08/2011 22:38:40.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.603 [GMT 1:00]
Running from: c:\documents and settings\IBM USER\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\IBM USER\Local Settings\Application Data\.#
c:\documents and settings\IBM USER\WINDOWS
c:\program files\messenger\msmsgsin.exe
c:\windows\system32\config\systemprofile\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-07-06 to 2011-08-06 )))))))))))))))))))))))))))))))
.
.
2011-08-06 21:14 . 2011-08-06 21:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
2011-08-05 23:00 . 2011-08-05 23:00 -------- d-s---w- c:\documents and settings\IBM USER\UserData
2011-08-04 21:51 . 2011-08-04 21:51 -------- d-----w- c:\documents and settings\IBM USER\Application Data\Malwarebytes
2011-08-04 21:50 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-04 21:50 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-04 21:49 . 2011-08-04 21:41 418708 ------w- C:\h1dqlr36.exe
2011-08-03 18:40 . 2011-08-04 21:55 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\Help
2011-08-01 08:48 . 2011-08-05 22:45 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 380416]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 213360]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2005-10-29 45056]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 356839]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1507864]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 217506]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 983579]
"TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
2008-05-15 16:45 356864 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebClient"=2 (0x2)
"Spooler"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [15/10/2006 23:45 16384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/08/2011 22:50 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/08/2011 22:50 22712]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\windows\TEMP\uvinpabc.sys --> c:\windows\TEMP\uvinpabc.sys [?]
S3 MADFU;MADFU;c:\windows\system32\drivers\MADFU.sys [26/05/2009 18:43 16512]
S3 MAUSBCV;Service for M-Audio Conectiv (WDM);c:\windows\system32\drivers\mausbcv.sys [26/05/2009 18:43 131712]
S3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [19/12/2010 13:19 618112]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2006-10-16 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-10-15 08:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
TCP: DhcpNameServer = 192.168.1.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\IBM USER\Application Data\Mozilla\Firefox\Profiles\knmxpk39.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Aim6 - (no file)
HKCU-Run-OsjHvplc - c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy\osjhvplc.exe
HKLM-Run-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HKLM-Run-UC_SMB - (no file)
HKU-Default-Run-OsjHvplc - c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe
Notify-ACNotify - ACNotify.dll
MSConfigStartUp-ibmmessages - c:\program files\IBM\Messages By IBM\ibmmessages.exe
AddRemove-Access IBM Tools - c:\program files\IBM\Access IBM\IBMUINST.EXE
AddRemove-All ATI Software - c:\program files\ATI Technologies\UninstallAll\AtiCimUn.exe
AddRemove-KB913433 - c:\windows\System32\MacroMed\Flash\genuinst.exe
AddRemove-Live 8.0.1 - c:\progra~1\Ableton\LIVE80~1.1\Install\UNWISE.EXE
AddRemove-Native Instruments - Traktor 1.06 - c:\audio\NATIVE~1\Traktor\UNINST~1\106\UNWISE.EXE
AddRemove-{98E8A2EF-4EAE-43B8-A172-74842B764777} - c:\program files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-06 22:47
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe 113152 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
Completion time: 2011-08-06 22:51:38
ComboFix-quarantined-files.txt 2011-08-06 21:51
.
Pre-Run: 2,914,373,632 bytes free
Post-Run: 3,257,602,048 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - EC2DAABD618F2AA1D5776CAB79595631
 
Update

Hi there,

Have run the scans/programmes you suggested, and the logs are above.

I uninstalled AVG before running ComboFix, and unfortunately it now won't reinstall.

Should I try and install Avast or something instead? Concerned about leaving myself open again!
 
Yes, you can install one of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
You don't have to uninstall them in order to run Combofix.
Just disabling them will be fine.

==================================================================

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe

Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
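The CFScript above targets exactly the three things a helper picks out of the ComboFix log by eye: a Userinit value that runs something besides the genuine userinit.exe, a Run entry whose program lives in a user-writable scratch folder, and a driver registered from a Temp folder. As an added example for readers of this thread (it is not part of the thread, of ComboFix, or of any tool mentioned here), the Python script below applies those same checks to ComboFix-style "Reg Loading Points" and driver lines. The sample lines are copied from the logs posted above; the list of suspicious directories is the example's own heuristic, not a ComboFix rule, and it will also flag legitimate software that installs under Local Settings\Application Data, so treat its output as a list to review rather than a verdict.

```python
"""Flag common autostart persistence indicators in ComboFix-style log lines.

Added example for this thread; not part of ComboFix. The path heuristics below
are the example's own assumptions.
"""
import re

# Constructed sample: a subset of lines copied from the ComboFix logs in this thread.
SAMPLE_LOG = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"OsjHvplc"="c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe"
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/08/2011 22:50 366640]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\windows\TEMP\uvinpabc.sys --> c:\windows\TEMP\uvinpabc.sys [?]
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')                  # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"')  # "name"="value" ...
DRIVER_RE = re.compile(r'^[RS]\d\s+(?P<service>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')
TRAILER_RE = re.compile(r'\s+\[[^\]]*\]$')   # strips " [2004-08-04 15360]", " [BU]", " [?]"

# The only program Winlogon should be told to run at logon on XP.
CANONICAL_USERINIT = r'c:\windows\system32\userinit.exe'

# Heuristic (assumption of this example): user-writable scratch locations that a
# legitimate autostart rarely needs. Lower-case, with doubled backslashes.
SUSPICIOUS_DIRS = (
    '\\local settings\\application data\\',
    '\\temp\\',
    '\\start menu\\programs\\startup\\',
)


def is_suspicious_path(path):
    """True if the image path sits inside one of the scratch locations above."""
    lowered = path.lower()
    return any(d in lowered for d in SUSPICIOUS_DIRS)


def userinit_extras(value):
    """Return every program in a Userinit value other than the genuine userinit.exe.

    Winlogon runs each comma-separated entry in turn, so an appended path
    (as in the log above) is executed at every logon.
    """
    entries = [e.strip() for e in value.split(',') if e.strip()]
    return [e for e in entries if e.lower() != CANONICAL_USERINIT]


def driver_image_path(rest):
    """Extract the image path from the tail of a ComboFix driver/service line."""
    path = rest.split(' --> ')[0]       # keep the registered path, drop the resolved copy
    path = TRAILER_RE.sub('', path)      # drop the "[date size]" or "[?]" trailer
    prefix = '\\??\\'                    # NT object-namespace prefix seen on raw paths
    if path.startswith(prefix):
        path = path[len(prefix):]
    return path.strip()


def scan_log(text):
    """Walk the log and return (category, where, detail) tuples worth a human look."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            name, value = value_match.group('name'), value_match.group('value')
            key_lower = current_key.lower()
            if key_lower.endswith('\\winlogon') and name.lower() == 'userinit':
                for extra in userinit_extras(value):
                    findings.append(('userinit', current_key, extra))
            elif key_lower.endswith('\\run') and is_suspicious_path(value):
                findings.append(('run', current_key + '\\' + name, value))
            continue
        driver_match = DRIVER_RE.match(line)
        if driver_match:
            path = driver_image_path(driver_match.group('rest'))
            if is_suspicious_path(path):
                findings.append(('driver', driver_match.group('service'), path))
    return findings


if __name__ == '__main__':
    for category, where, detail in scan_log(SAMPLE_LOG):
        print(f'{category:9} {where}\n          -> {detail}')
```

Run against the sample it reports the OsjHvplc Run entry, the extra path in Userinit, and the "Micorsoft Windows Service" driver in c:\windows\TEMP, which are the three items the CFScripts in this thread remove. Feeding it a full ComboFix log works the same way, since it ignores every line that is not a registry key, a quoted value or an R/S driver line.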
 
ComboFix log 2

Thanks - here's the log from running that script in combofix:

ComboFix 11-08-07.03 - IBM USER 07/08/2011 21:38:59.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.561 [GMT 1:00]
Running from: c:\documents and settings\IBM USER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\IBM USER\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe
c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy . . . . Failed to delete
c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-07-07 to 2011-08-07 )))))))))))))))))))))))))))))))
.
.
2011-08-06 21:56 . 2011-08-06 21:56 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-06 21:56 . 2011-08-06 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-06 21:14 . 2011-08-07 20:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
2011-08-04 21:51 . 2011-08-04 21:51 -------- d-----w- c:\documents and settings\IBM USER\Application Data\Malwarebytes
2011-08-04 21:50 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-04 21:50 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-04 21:49 . 2011-08-04 21:41 418708 ------w- C:\h1dqlr36.exe
2011-08-03 18:40 . 2011-08-04 21:55 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\Help
2011-08-01 08:48 . 2011-08-05 22:45 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-06_21.47.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-07 20:46 . 2011-08-07 20:46 16384 c:\windows\Temp\Perflib_Perfdata_7c0.dat
+ 2011-08-07 20:46 . 2011-08-07 20:46 16384 c:\windows\Temp\Perflib_Perfdata_7b0.dat
+ 2011-08-07 20:46 . 2011-08-07 20:46 113152 c:\windows\Temp\gxecxrnicomgkqdv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 380416]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 213360]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2005-10-29 45056]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 356839]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1507864]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 217506]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 983579]
"TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"OsjHvplc"="c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
2008-05-15 16:45 356864 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebClient"=2 (0x2)
"Spooler"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [15/10/2006 23:45 16384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/08/2011 22:50 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/08/2011 22:50 22712]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\windows\TEMP\uvinpabc.sys --> c:\windows\TEMP\uvinpabc.sys [?]
S3 MADFU;MADFU;c:\windows\system32\drivers\MADFU.sys [26/05/2009 18:43 16512]
S3 MAUSBCV;Service for M-Audio Conectiv (WDM);c:\windows\system32\drivers\mausbcv.sys [26/05/2009 18:43 131712]
S3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [19/12/2010 13:19 618112]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2006-10-16 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-10-15 08:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
TCP: DhcpNameServer = 192.168.1.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\IBM USER\Application Data\Mozilla\Firefox\Profiles\knmxpk39.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-07 21:47
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
- - - - - - - > 'explorer.exe'(3692)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\ibmpmsvc.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\System32\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\acs.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\TpShocks.exe
.
**************************************************************************
.
Completion time: 2011-08-07 21:53:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-07 20:53
ComboFix2.txt 2011-08-06 21:51
.
Pre-Run: 3,259,744,256 bytes free
Post-Run: 3,242,749,952 bytes free
.
- - End Of File - - CF80E7ECBB78D17E5863B0608FC71724
 
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\TEMP\uvinpabc.sys

Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
.

Driver::
Micorsoft Windows Service

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OsjHvplc"=-


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix log 3

Hi again, another log!

ComboFix 11-08-08.01 - IBM USER 08/08/2011 20:09:41.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.563 [GMT 1:00]
Running from: c:\documents and settings\IBM USER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\IBM USER\Desktop\CFScript.txt
* Created a new restore point
.
FILE ::
"c:\windows\TEMP\uvinpabc.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy . . . . Failed to delete
c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2011-07-08 to 2011-08-08 )))))))))))))))))))))))))))))))
.
.
2011-08-06 21:56 . 2011-08-06 21:56 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-06 21:56 . 2011-08-07 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-06 21:14 . 2011-08-08 19:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
2011-08-04 21:51 . 2011-08-04 21:51 -------- d-----w- c:\documents and settings\IBM USER\Application Data\Malwarebytes
2011-08-04 21:50 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-04 21:50 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-04 21:49 . 2011-08-04 21:41 418708 ------w- C:\h1dqlr36.exe
2011-08-03 18:40 . 2011-08-04 21:55 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\Help
2011-08-01 08:48 . 2011-08-05 22:45 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-06_21.47.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-08 19:17 . 2011-08-08 19:17 16384 c:\windows\Temp\Perflib_Perfdata_7c0.dat
+ 2011-08-08 19:17 . 2011-08-08 19:17 16384 c:\windows\Temp\Perflib_Perfdata_7b4.dat
+ 2011-08-08 19:17 . 2011-08-08 19:17 113152 c:\windows\Temp\gxecxrnicomgkqdv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 380416]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 213360]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2005-10-29 45056]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 356839]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1507864]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 217506]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 983579]
"TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"OsjHvplc"="c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
2008-05-15 16:45 356864 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebClient"=2 (0x2)
"Spooler"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [15/10/2006 23:45 16384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/08/2011 22:50 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/08/2011 22:50 22712]
S3 MADFU;MADFU;c:\windows\system32\drivers\MADFU.sys [26/05/2009 18:43 16512]
S3 MAUSBCV;Service for M-Audio Conectiv (WDM);c:\windows\system32\drivers\mausbcv.sys [26/05/2009 18:43 131712]
S3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [19/12/2010 13:19 618112]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
Contents of the 'Scheduled Tasks' folder
.
2006-10-16 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-10-15 08:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
TCP: DhcpNameServer = 192.168.1.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\IBM USER\Application Data\Mozilla\Firefox\Profiles\knmxpk39.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-08 20:18
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe 113152 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
- - - - - - - > 'explorer.exe'(3816)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\ibmpmsvc.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\System32\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\acs.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\TpShocks.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
.
**************************************************************************
.
Completion time: 2011-08-08 20:24:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-08 19:24
ComboFix2.txt 2011-08-07 20:53
ComboFix3.txt 2011-08-06 21:51
.
Pre-Run: 3,232,051,200 bytes free
Post-Run: 3,150,057,472 bytes free
.
- - End Of File - - BD1E650F1A131986BC7BED6DE5BB057F
 
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OsjHvplc"=-


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix log

ComboFix 11-08-09.02 - IBM USER 09/08/2011 21:02:30.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.453 [GMT 1:00]
Running from: c:\documents and settings\IBM USER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\IBM USER\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))
.
.
2011-08-06 21:56 . 2011-08-06 21:56 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-06 21:56 . 2011-08-08 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-06 21:14 . 2011-08-08 19:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
2011-08-04 21:51 . 2011-08-04 21:51 -------- d-----w- c:\documents and settings\IBM USER\Application Data\Malwarebytes
2011-08-04 21:50 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-04 21:50 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-04 21:49 . 2011-08-04 21:41 418708 ------w- C:\h1dqlr36.exe
2011-08-03 18:40 . 2011-08-04 21:55 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\Help
2011-08-01 08:48 . 2011-08-05 22:45 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-06_21.47.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-09 19:53 . 2011-08-09 19:53 16384 c:\windows\Temp\Perflib_Perfdata_ec.dat
+ 2011-08-09 19:53 . 2011-08-09 19:53 16384 c:\windows\Temp\Perflib_Perfdata_dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 380416]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 213360]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2005-10-29 45056]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 356839]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1507864]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 217506]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 983579]
"TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
2008-05-15 16:45 356864 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebClient"=2 (0x2)
"Spooler"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [15/10/2006 23:45 16384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/08/2011 22:50 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/08/2011 22:50 22712]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\IBMUSE~1\LOCALS~1\Temp\uvinpabc.sys --> c:\docume~1\IBMUSE~1\LOCALS~1\Temp\uvinpabc.sys [?]
S3 MADFU;MADFU;c:\windows\system32\drivers\MADFU.sys [26/05/2009 18:43 16512]
S3 MAUSBCV;Service for M-Audio Conectiv (WDM);c:\windows\system32\drivers\mausbcv.sys [26/05/2009 18:43 131712]
S3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [19/12/2010 13:19 618112]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2006-10-16 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-10-15 08:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
TCP: DhcpNameServer = 192.168.1.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\IBM USER\Application Data\Mozilla\Firefox\Profiles\knmxpk39.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-09 21:08
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe 113152 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
- - - - - - - > 'explorer.exe'(1880)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-09 21:10:44
ComboFix-quarantined-files.txt 2011-08-09 20:10
ComboFix2.txt 2011-08-08 19:24
ComboFix3.txt 2011-08-07 20:53
ComboFix4.txt 2011-08-06 21:51
.
Pre-Run: 3,165,790,208 bytes free
Post-Run: 3,148,668,928 bytes free
.
- - End Of File - - 3C72BDCFE0A78AA051AE4EC45D1DD640
 
Just to give you an update on computer behaviour - links to Avast, AVG and MS support sites are no longer being blocked. AVG installation was getting blocked, and is now ok.

Still lots of threats popping up, but fewer than before!
 
We're not out of the woods yet, but Combofix log looks better.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\h1dqlr36.exe
c:\docume~1\IBMUSE~1\LOCALS~1\Temp\uvinpabc.sys
c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe

Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy


Driver::
"Micorsoft Windows Service"


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix 11-08-09.03 - IBM USER 10/08/2011 9:03.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.584 [GMT 1:00]
Running from: c:\documents and settings\IBM USER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\IBM USER\Desktop\CFScript.txt
.
FILE ::
"c:\docume~1\IBMUSE~1\LOCALS~1\Temp\uvinpabc.sys"
"c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe"
"C:\h1dqlr36.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy\osjhvplc.exe
c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe
c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe
C:\h1dqlr36.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-07-10 to 2011-08-10 )))))))))))))))))))))))))))))))
.
.
2011-08-10 08:12 . 2011-08-10 08:12 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
2011-08-09 20:42 . 2011-08-09 20:42 -------- d-----w- c:\documents and settings\IBM USER\Application Data\AVG10
2011-08-09 20:37 . 2011-08-10 08:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-08-09 20:37 . 2011-08-10 07:53 -------- d-----w- c:\windows\system32\drivers\AVG
2011-08-06 21:56 . 2011-08-06 21:56 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-06 21:56 . 2011-08-10 07:54 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-04 21:51 . 2011-08-04 21:51 -------- d-----w- c:\documents and settings\IBM USER\Application Data\Malwarebytes
2011-08-04 21:50 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-04 21:50 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-03 18:40 . 2011-08-04 21:55 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-06_21.47.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 23:02 . 2009-07-11 23:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2011-08-10 08:11 . 2011-08-10 08:11 16384 c:\windows\Temp\Perflib_Perfdata_7dc.dat
+ 2011-08-10 08:11 . 2011-08-10 08:11 16384 c:\windows\Temp\Perflib_Perfdata_7ac.dat
+ 2009-07-11 23:02 . 2009-07-11 23:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2011-08-10 08:11 . 2011-08-10 08:11 113152 c:\windows\Temp\gxecxrnicomgkqdv.exe
+ 1980-01-01 07:00 . 2004-08-04 07:56 640000 c:\windows\system32\dllcache\dbghelp.dll
+ 2011-08-09 20:36 . 2011-08-09 20:36 219648 c:\windows\Installer\27b9d7.msi
+ 2009-07-11 23:02 . 2009-07-11 23:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2011-08-09 20:40 . 2011-08-09 20:40 3489280 c:\windows\Installer\27b9df.msi
+ 2011-08-09 20:36 . 2011-08-09 20:36 1611776 c:\windows\Installer\27b9db.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 380416]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 213360]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2005-10-29 45056]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 356839]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1507864]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 217506]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 983579]
"TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNjkxNTE4MzI4LVQxLVVDQUxMKzEtVUNBTEwyKzItVEI4KzItRkwrOC1GOE04QSszLUY4TTlBKzMtRjhNMTFDKzEtVVBHKzIwMTEtRjhNMTFFKzEtWE84KzEtRERUKzAtRkwxMCsxLUZPSSsx&prod=90&ver=10.0.1392" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"OsjHvplc"="c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
2008-05-15 16:45 356864 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebClient"=2 (0x2)
"Spooler"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [15/10/2006 23:45 16384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/08/2011 22:50 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/08/2011 22:50 22712]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\windows\TEMP\uvinpabc.sys --> c:\windows\TEMP\uvinpabc.sys [?]
S3 MADFU;MADFU;c:\windows\system32\drivers\MADFU.sys [26/05/2009 18:43 16512]
S3 MAUSBCV;Service for M-Audio Conectiv (WDM);c:\windows\system32\drivers\mausbcv.sys [26/05/2009 18:43 131712]
S3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [19/12/2010 13:19 618112]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
Contents of the 'Scheduled Tasks' folder
.
2006-10-16 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-10-15 08:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
TCP: DhcpNameServer = 192.168.1.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\IBM USER\Application Data\Mozilla\Firefox\Profiles\knmxpk39.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-10 09:12
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
- - - - - - - > 'explorer.exe'(2212)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\ibmpmsvc.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\System32\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\TpShocks.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\acs.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
.
**************************************************************************
.
Completion time: 2011-08-10 09:18:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-10 08:17
ComboFix2.txt 2011-08-09 20:10
ComboFix3.txt 2011-08-08 19:24
ComboFix4.txt 2011-08-07 20:53
ComboFix5.txt 2011-08-10 08:02
.
Pre-Run: 2,846,900,224 bytes free
Post-Run: 2,816,983,040 bytes free
.
- - End Of File - - 067A93BF2A55454C1E90F601AAE248EF
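An added example, not code from the thread or from ComboFix itself: a small Python parser for the "Reg Loading Points" block of a ComboFix log that flags the two persistence indicators visible in the 10/08/2011 log above (the extra path appended to Userinit, and the Run value launched from a per-user Application Data folder) and emits a CFScript in the same File::/Registry:: shape the helper posted. The sample block is constructed from that log; the directory heuristic and the function names are my own assumptions.

```python
import re

# Constructed sample, modelled on the "Reg Loading Points" block of the
# thread's 10/08/2011 ComboFix log, cut down to the three keys that matter.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"OsjHvplc"="c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="Data" followed by ComboFix's optional [date size] / [BU] annotation
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[([^\]]*)\])?$')

# Stock XP Userinit is userinit.exe alone; anything appended after the comma is
# run by winlogon at every logon, which is how the dropper came back after the
# first CFScript only deleted its folder.
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"

# Per-user writable directories a legitimate autostart rarely runs from
# (assumed heuristic, not a ComboFix rule).
SUSPICIOUS_DIRS = ("\\local settings\\application data\\", "\\temp\\",
                   "\\start menu\\programs\\startup\\")


def parse_loading_points(text):
    """Return (key, value_name, data, annotation) tuples from a ComboFix
    REGEDIT4-style listing; bare '.' lines are separators."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), m.group(2), m.group(3) or ""))
    return entries


def find_indicators(text):
    """Flag a tampered Userinit value and Run values launched from
    user-writable locations. Each finding: dict(kind, key, name, path)."""
    findings = []
    for key, name, data, _note in parse_loading_points(text):
        key_l, data_l = key.lower(), data.lower()
        if key_l.endswith("\\winlogon") and name.lower() == "userinit":
            for p in (p.strip() for p in data.split(",") if p.strip()):
                if p.lower() != USERINIT_DEFAULT:
                    findings.append({"kind": "userinit-hijack", "key": key,
                                     "name": name, "path": p})
        elif key_l.endswith("\\run") and any(d in data_l for d in SUSPICIOUS_DIRS):
            findings.append({"kind": "suspicious-run", "key": key,
                             "name": name, "path": data})
    return findings


def build_cfscript(findings):
    """Emit a CFScript like the helper's: File:: for the dropped binaries,
    Registry:: resetting Userinit and deleting the rogue Run value
    ("Name"=- is REGEDIT4 syntax for removing a value)."""
    files, reg = set(), {}
    for f in findings:
        files.add(f["path"])
        if f["kind"] == "userinit-hijack":
            line = '"%s"="%s"' % (f["name"], USERINIT_DEFAULT)
        else:
            line = '"%s"=-' % f["name"]
        values = reg.setdefault(f["key"], [])
        if line not in values:
            values.append(line)
    out = ["File::"] + sorted(files) + ["", "Registry::"]
    for key, values in reg.items():
        out.append("[%s]" % key)
        out.extend(values)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print("%-16s %s -> %s" % (f["kind"], f["name"], f["path"]))
    print(build_cfscript(find_indicators(SAMPLE_LOG)))
```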
 
Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
Hi there,

Unfortunately the website won't work. It seems that whatever part of the virus that was blocking particular websites is back. Can no longer get onto avast.com, microsoft.com again either...
 
Download following tool.
Disconnect from the internet (VERY IMPORTANT!)

Please click HERE to download Kaspersky Virus Removal Tool.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop (be patient; it may take a while).
  • Accept license agreement and click "Start" button.
  • Click on Settings button
    p4484522.gif
    • In Scan scope leave pre-checked items as they are and also checkmark My Computer
    • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
  • Click on Automatic Scan tab and then click on Start scanning button.
  • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  • When the scan is done NO log will be produced.
  • Click on Report button
    p4484523.gif
    then on Automatic Scan report tab.
  • Right click anywhere within right pane, click Select All then right click again and click Copy.
  • This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.
 
Hi - thanks for that. Was away at the weekend, but have started running Kaspersky tonight.

Will let you know the results!
 
I ran the scan last night, and it cleared out lots of stuff from the machine. Unfortunately, the log seems to be blank. Kaspersky shut down my computer several times, and I had to restart the scan each time. Upon restarting the final time, the log appeared to be blank.

It was getting late though, so I probably screwed it up myself to be honest!

I'll run it again tomorrow at a more civilised hour, and get back to you...
 