Solved Zbot is giving me pain


tcmasterx

Hi.

I've just joined and I've just noticed that someone else (poisongaz) is having the same problem.
AVG is reporting Trojans and not letting the scan or update happen. It's not letting me open in safe mode and is refusing to open certain programs.
I guess I should do the 7 Step instructions?

I hope I can fix this. Is it a virus that attacks AVG?
 
I guess I should do the 7 Step instructions?

That would be correct: Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
=====================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Please run this online virus scan when you finish with the steps:

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the ESET Smart Installer link to download it. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
================================
2 AVG users with Zbot. I am checking to see if it's a False Positive.
 
So far, 3 AVG users are reporting Zbot. I'm having them all run the Eset scan. No word yet in AVG forum about possible False Positive.
 
Hey.

I did the steps and the logs are below.
Just to let you know, my PC wouldn't let me connect to the site to download GMER or MalwareBytes (I did it from another computer). Same as DDS. I can however connect to loads of ordinary sites. Can't connect to Microsoft either. Seems like it doesn't want me to connect to 'helpful' sites.
I hope I've done everything properly.
Thanks again for your help with this. Much appreciated!!!!!

MBAM LOG:


Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

02/08/2011 17:21:04
mbam-log-2011-08-02 (17-21-04).txt

Scan type: Quick scan
Objects scanned: 390271
Time elapsed: 48 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


****************************************************************************************************

GMER LOG:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-03 14:29:31
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 WDC_WD800JD-75MSA3 rev.10.01E04
Running: oxpbex4v.exe; Driver: C:\DOCUME~1\GRAEME~1\LOCALS~1\Temp\pxdyqpob.sys


---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


*****************************************************************************************************
DDS LOG:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 26/09/2007 10:50:58
System Uptime: 02/08/2011 16:28:17 (22 hours ago)
.
Motherboard: Dell Inc. | | 0CU395
Processor: Intel Pentium II processor | Microprocessor | 2000/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 74 GiB total, 25.762 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 01/08/2011 13:28:46 - System Checkpoint
RP2: 02/08/2011 13:45:30 - System Checkpoint
RP3: 02/08/2011 16:26:30 - Removed Adobe Reader 8.2.0
RP4: 02/08/2011 16:58:06 - Removed OpenOffice.org 2.3
.
==== Installed Programs ======================
.
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Shockwave Player 11.5
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
AVG 2011
Bonjour
Broadcom Management Programs
Critical Update for Windows Media Player 11 (KB959772)
D2300_Help
DigiDelivery
Dropbox
GoldWave v5.22
Google Update Helper
High Definition Audio Driver Package - KB835221
hph_readme
hph_software_req
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 2
Java(TM) 6 Update 23
Java(TM) 6 Update 3
Java(TM) 6 Update 5
LimeWire 4.18.8
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.18)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NETGEAR Print Server Utility
PixiePack Codec Pack
PowerDVD
QuickTime
RealPlayer
SUPER © Version 2010.bld.37 (Jan 2, 2010)
SWF Opener
Switch
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
Zerius Vocoder (remove only)
.
==== Event Viewer Messages From Past Week ========
.
29/07/2011 16:47:52, error: ati2mtag [44044] - I2c return failed
29/07/2011 16:26:52, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
29/07/2011 16:06:16, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
03/08/2011 12:48:30, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows nt\accessories\wordpad.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.3355.
03/08/2011 12:45:26, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\wabimp.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.3138.
03/08/2011 12:44:30, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\movie maker\moviemk.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2.1.4027.0.
03/08/2011 12:39:02, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\iedw.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.3698.
03/08/2011 12:36:09, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\msadc\msadce.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1135.0.
03/08/2011 12:36:09, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msjro.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1128.0.
03/08/2011 12:36:08, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadox.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1128.0.
03/08/2011 12:36:07, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadomd.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1128.0.
03/08/2011 12:36:06, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msado15.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1128.0.
03/08/2011 12:35:13, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\vgx\vgx.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.3164.
03/08/2011 12:35:13, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\triedit\triedit.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.1.0.9246.
01/08/2011 15:48:30, error: DCOM [10000] - Unable to start a DCOM Server: {FB7199AB-79BF-11D2-8D94-0000F875C541}. The error: "%2" Happened while starting this command: C:\Program Files\Messenger\msmsgs.exe -Embedding
01/08/2011 11:08:06, error: DCOM [10000] - Unable to start a DCOM Server: {FB7199AB-79BF-11D2-8D94-0000F875C541}. The error: "%5" Happened while starting this command: C:\Program Files\Messenger\msmsgs.exe -Embedding
.
==== End Of File ===========================
 
In addition to the above, I couldn't get connected to the ESET scanner. Got (eventually) to the website, but got blocked from getting any further.
 
You will have malware in the Java cache because you have several outdated versions of Java:

1. You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

Please download JavaRa and unzip it to your desktop.

Important!***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that
    a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
===========================================
After you have updated Java to the current version:
2. To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
    [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
    [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
    [5]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    [6]. Click Apply > OK on Temporary Files Settings window.
=================================================
3. Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

Please use a flash drive to download the programs. Then connect and run/install on the problem computer.

Leave Combofix log in the next reply> this is the only log to leave.
Please let me know when the internet connection is restored.
 
Hi

I ran JavaRa no problem. Downloaded from the link for JRE and unzipped and tried to install, but I got a message one time saying that it was "interrupted" and other attempts said "Internal error 2753. regutils.dll". I tried the offline download and the online but still the same result.

Therefore, I can't move to the next step. Or should I jump this part and move on?

What should I do?

Thanks again.
 
Sorry for delay. Yes, you can go on. But I'm curious about the 'unzip.' I thought it was just the setup to save to the desktop, then double click to run.
 
Well, I did UnZip, and when I double clicked it proceeded as it should to install, but there were only four blue blocks on the progress bar when it gave me the error message.

I'll press on. I will miss out installing Java (obviously) and go to Number 2, Clear Java Plug-In cache and move on.

I'll put the next log up soon.

Thanks again.
 
OK. Scratch the part about the Java Cache. I got the message "Cannot find the REGISTRY KEY"
Going to ComboFix now.
 
OK.

I tried everything I could to stop AVG running, but I couldn't. I tried uninstalling, I tried stopping the process in 'processes' of the Task Manager. I tried trashing the AVG folder. No joy.
I thought, what the hey, just run Combofix anyway. It did its thing and here is the log.

ComboFix 11-08-11.01 - graeme mackenzie 11/08/2011 12:05:43.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.990.449 [GMT 1:00]
Running from: c:\documents and settings\graeme mackenzie\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\graeme mackenzie\WINDOWS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_FAD
.
.
((((((((((((((((((((((((( Files Created from 2011-07-11 to 2011-08-11 )))))))))))))))))))))))))))))))
.
.
2011-08-03 11:37 . 2011-08-03 11:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-02 14:57 . 2011-08-02 14:59 -------- d-----w- c:\windows\system32\NtmsData
2011-07-28 12:30 . 2011-07-28 12:30 -------- d--h--w- c:\windows\PIF
2011-07-27 14:24 . 2011-08-11 12:14 -------- d-----w- c:\documents and settings\graeme mackenzie\Local Settings\Application Data\mkifowgd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 18:52 . 2010-03-29 15:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52 . 2010-03-29 15:03 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-16 09:05 . 2011-06-16 09:05 1409 ----a-w- c:\windows\QTFont.for
2006-05-03 10:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-22 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 467464]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\graeme mackenzie\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\graeme mackenzie\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\graeme mackenzie\Local Settings\Application Data\mkifowgd\uqaryapt.exe"
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-05-10 09:12 172485 ------w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\graeme mackenzie\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [30/08/2007 09:22 3456]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 16:27 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 03:48 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 03:48 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [07/09/2010 03:49 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [18/04/2011 17:39 7398752]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [08/02/2011 05:33 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 21:42 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 21:42 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 21:42 27216]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/03/2011 14:05 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [03/03/2011 14:05 136176]
S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\GRAEME~1\LOCALS~1\Temp\ccxycwig.sys --> c:\docume~1\GRAEME~1\LOCALS~1\Temp\ccxycwig.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 15:04 90467 ------w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
2011-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-03 13:05]
.
2011-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-03 13:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.euro.dell.com
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\graeme mackenzie\Application Data\Mozilla\Firefox\Profiles\r4bys7q3.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b3d2cf0&i=23&tp=ab&ychte=uk&nt=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - c:\documents and settings\graeme mackenzie\Application Data\Dropbox\bin\DropboxExt.14.dll
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - c:\documents and settings\graeme mackenzie\Application Data\Dropbox\bin\DropboxExt.14.dll
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - c:\documents and settings\graeme mackenzie\Application Data\Dropbox\bin\DropboxExt.14.dll
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - c:\documents and settings\graeme mackenzie\Application Data\Dropbox\bin\DropboxExt.14.dll
HKCU-Run-UqaRyapt - c:\documents and settings\graeme mackenzie\Local Settings\Application Data\mkifowgd\uqaryapt.exe
AddRemove-GoldWave v5.22 - c:\program files\GoldWave\unstall.exe
AddRemove-SUPER © - c:\progra~1\ERIGHT~1\SUPER\Setup.exe
AddRemove-Windows Media Format Runtime - c:\program files\Windows Media Player\wmsetsdk.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-11 13:15
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\graeme mackenzie\Start Menu\Programs\Startup\uqaryapt.exe 79332 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG10\avgnsx.exe
c:\program files\AVG\AVG10\avgemcx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\program files\AVG\AVG10\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2011-08-11 13:29:12 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-11 12:28
.
Pre-Run: 27,033,772,032 bytes free
Post-Run: 28,956,516,352 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 54F152CBE1853093DAD619B42F40C6AA
 
Okay, let's slow down and do one step at a time: If you ran Java Ra first, then you might not have any Java to update. We will handle that.

I neglected to give you the following to uninstall AVG before Combofix- my apology:
Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.
Be sure to put one of these AVs on the system:
Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please reboot the computer
=============================
Please run catchme:
catchme is the rootkit/stealth malware scanner that scans for:
  • hidden processes
  • hidden registry keys
  • hidden services
  • hidden files
catchme can also delete, destroy and collect malicious files.

Download catchme.exe ( 137KB ) and save to your desktop.
  • Double click the catchme.exe to run it
  • Click the "Scan" button to start scan
  • Open catchme.log to see results

Copy the log to Notepad, making sure that 'Word Wrap' is unchecked in Format. Then paste the log in your next reply.
=====================================================
After you have run catchme:
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Using Windows Explorer (Right click on Start> Explore) go to Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck [Hide protected system files (Recommended)> Confirm Yes> Apply> OK.

Go to Docs. & Settings for graeme mackenzie> Start Menu> Programs> Startup and see if uqaryapt.exe is listed> If listed, do a right click> Delete.
Go back and reset the hidden files & folders to 'don't show hidden files & folders' and check Hide protected system files again.
Exit Explorer.
If it is not there, do not worry- it may have been removed by catchme.
This is the full path:
c:\documents and settings\graeme mackenzie\Start Menu\Programs\Startup\uqaryapt.exe
==========================================
Paste the catchme log in your next reply.
 
Thanks for your continued efforts in helping me with this. It gives me a lot of help to know you are there.

I did Catchme and the log is below. When I went into Safe Mode.....it didn't let me. Blue screen saying "A problem has been detected and windows has been shut down to prevent damage to your computer."
At the bottom it says:

STOP: 0x00000007B (0xF798E528, 0xC0000034, 0x00000000, 0x00000000)

Here is the log for catchme:


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-15 15:56:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\graeme mackenzie\Local Settings\Application Data\mkifowgd\uqaryapt.exe 79332 bytes executable
C:\Documents and Settings\graeme mackenzie\Start Menu\Programs\Startup\uqaryapt.exe 79332 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2
 
To destroy malicious executable files

Click on Script tab
catchme2.jpg


Paste files in "Files to kill"
Code:
C:\Documents and Settings\graeme mackenzie\Local Settings\Application Data\mkifowgd\uqaryapt.exe 
C:\Documents and Settings\graeme mackenzie\Start Menu\Programs\Startup\uqaryapt.exe

Click Run button
Files will be destroyed and zipped to catchme.zip on desktop.
catchme3.jpg


Reboot to complete operation.

Images courtesy 2.gmer.net/catchme
 
Thanks

Before I got to do Catchme again, the Windows Malicious file remover -thing kicked in. I let it scan and it found about a thousand infected files. It said it found two trojan type files and it had "partially removed" them.

I ran Catchme again and it found.... nothing. Zero hidden processes, services or files.
You had told me to replace AVG with one of the two AV programs. It didn't like Avira so I loaded Avast. At the moment everything seems to be ok. No alerts from Avast. I still can't get into Safe Mode and I don't want to re-install Quicktime, Adobe Acrobat or OpenOffice (the progs that won't run) unless you say so.
What happens now?

And as always.......many thanks.
 
The Microsoft Malicious Software Removal Tool is strictly a post-infection removal tool. The tool removes only specific prevalent malicious software. Specific prevalent malicious software is a small subset of all the malicious software that exists today. So as far as I'm concerned, it's a half-a.. program and not worth running!

Now the problem is I don't know what it removed. And having it run when we're in the middle of cleaning was not good. Please disable it so we can proceed without it doing any more harm. This tool came through as a Windows update. If your system is set to Install updates automatically please change it to 'notify but don't install'.

And when you get the notice, don't just think you have to install all the updates! You do not and should take some responsibility for what's going on your system by looking at the update content and deciding if you need/want it! MS has been sending some BS updates over the years. Some are more aimed at making MS feel better instead of enhancing or protecting the system of the user.

Please reboot the computer first, then update and run Combofix again. Disable or uninstall the above and don't allow any more scans from programs that I have not instructed you to run.

Please tell me what happens when you attempt to boot into Safe Mode.
 
Completely understood. I was off work yesterday and this probably got through in my absence.

Doing as instructed now.

Thanks
 
OK. I did as you said. The ComboFix log is below.
It went into Safe Mode no problem.
Incidentally, when I startup Windows I get TWO 'stop' noises.


ComboFix 11-08-17.01 - graeme mackenzie 17/08/2011 16:49:19.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.990.670 [GMT 1:00]
Running from: c:\documents and settings\graeme mackenzie\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2011-07-17 to 2011-08-17 )))))))))))))))))))))))))))))))
.
.
2011-08-17 10:54 . 2011-08-17 10:54 -------- d-----w- c:\windows\system32\MpEngineStore
2011-08-15 15:47 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-15 15:47 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-15 15:47 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-15 15:47 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-15 15:47 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-15 15:47 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-08-15 15:47 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-08-15 15:47 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-15 15:45 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-15 15:45 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-15 15:45 . 2011-08-15 15:45 -------- d-----w- c:\program files\AVAST Software
2011-08-15 15:45 . 2011-08-15 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-08-03 11:59 . 2011-08-03 11:59 143360 ------w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-08-03 11:59 . 2011-08-03 11:59 143360 ------w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-08-03 11:59 . 2011-08-03 11:59 143360 ------w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
2011-08-03 11:59 . 2011-08-03 11:59 143360 ------w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
2011-08-03 11:37 . 2011-08-03 11:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-02 14:57 . 2011-08-15 15:25 -------- d-----w- c:\windows\system32\NtmsData
2011-07-28 12:30 . 2011-07-28 12:30 -------- d--h--w- c:\windows\PIF
2011-07-27 14:24 . 2011-08-17 09:13 -------- d-----w- c:\documents and settings\graeme mackenzie\Local Settings\Application Data\mkifowgd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 18:52 . 2010-03-29 15:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52 . 2010-03-29 15:03 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-16 09:05 . 2011-06-16 09:05 1409 ----a-w- c:\windows\QTFont.for
2006-05-03 10:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-11_12.15.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-17 15:05 . 2011-08-17 15:05 16384 c:\windows\Temp\Perflib_Perfdata_7b4.dat
+ 2007-09-26 09:39 . 2011-08-17 12:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-09-26 09:39 . 2011-08-11 09:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-08-16 16:19 . 2011-08-17 12:52 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-08-15 15:47 . 2011-08-15 15:47 219648 c:\windows\Installer\7b9cc.msi
+ 2007-09-28 09:27 . 2011-08-17 04:38 52390856 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UqaRyapt"="c:\documents and settings\graeme mackenzie\Local Settings\Application Data\mkifowgd\uqaryapt.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-22 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\graeme mackenzie\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\graeme mackenzie\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-05-10 09:12 90112 ------w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\graeme mackenzie\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [30/08/2007 09:22 3456]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [15/08/2011 16:47 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [15/08/2011 16:47 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/08/2011 16:47 19544]
S1 sewbmfhb;sewbmfhb;\??\c:\windows\system32\drivers\sewbmfhb.sys --> c:\windows\system32\drivers\sewbmfhb.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/03/2011 14:05 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [03/03/2011 14:05 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
2011-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-03 13:05]
.
2011-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-03 13:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.euro.dell.com
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\graeme mackenzie\Application Data\Mozilla\Firefox\Profiles\r4bys7q3.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b3d2cf0&i=23&tp=ab&ychte=uk&nt=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
HKLM_ActiveSetup-{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-17 16:59
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2052)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-17 17:05:20
ComboFix-quarantined-files.txt 2011-08-17 16:05
ComboFix2.txt 2011-08-11 12:29
.
Pre-Run: 28,962,197,504 bytes free
Post-Run: 28,887,212,032 bytes free
.
- - End Of File - - 9F5A41A917AEF065F57FF4EF06E0B252
 
I'd like you to run catchme again: But with a slight difference:
How to delete malware files
  1. Click on Script tab
  2. Paste log results in "Files to delete" Command
  3. Click Run button
  4. Files will be deleted and zipped to catchme.zip on desktop.
  5. Reboot to complete.
Copy the log to Notepad, making sure that 'Word Wrap' is unchecked in Format. Then paste the log in your next reply.

Are you having another problem other than can't get into Safe Mode? Describe what happens when you try. Are you doing this?

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Please describe the sounds you're hearing. Are these beep codes? There are 2, correct? Exactly when do they come?
 
I will do that now.

I can get into Safe Mode now no problem. That is a new thing. Up until the last move you told me (I think) it would look like it was going into Safe Mode but would come up with the blue screen as mentioned before ("A problem has been detected and windows has been shut down to prevent damage to your computer").

The noise is CRITICAL STOP. I'll double check but I think they happen very soon after my desktop appears. One straight after the other. I don't think there are any other noises (beeps especially). I have the PC connected to speakers and The Critical Stop noises are coming out of them.

Back to you soon.

Thanks again.
 
OK. Did what you said. Catchme log below.
In the SCRIPT box there was no "Files to Kill" prompt.

Into safe mode ok. Searched for "uqarypt.exe" but not there.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-19 11:29:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\## aswSnx private storage
C:\## aswSnx private storage\snx_rhive 262144 bytes
C:\## aswSnx private storage\snx_rhive.LOG 1024 bytes
C:\## aswSnx private storage\webStorage
C:\## aswSnx private storage\webStorage\attrib
C:\## aswSnx private storage\webStorage\image
C:\## aswSnx private storage\webStorage\snx_fs.dat 180 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 7
 
Next one.

I manually typed FILES TO KILL and got this result:

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-19 11:29:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\## aswSnx private storage
C:\## aswSnx private storage\snx_rhive 262144 bytes
C:\## aswSnx private storage\snx_rhive.LOG 1024 bytes
C:\## aswSnx private storage\webStorage
C:\## aswSnx private storage\webStorage\attrib
C:\## aswSnx private storage\webStorage\image
C:\## aswSnx private storage\webStorage\snx_fs.dat 180 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 7


Processing "Files to kill:"

read file error: C:\## aswSnx private storage, Access is denied.
read file error: C:\## aswSnx private storage\snx_rhive 262144 bytes, The system cannot find the file specified.
read file error: C:\## aswSnx private storage\snx_rhive.LOG 1024 bytes, The system cannot find the file specified.
read file error: C:\## aswSnx private storage\webStorage, Access is denied.
read file error: C:\## aswSnx private storage\webStorage\attrib, Access is denied.
read file error: C:\## aswSnx private storage\webStorage\image, Access is denied.
read file error: C:\## aswSnx private storage\webStorage\snx_fs.dat 180 bytes, The system cannot find the file specified.
 
Just because a file comes up hidden does not mean it's malware. And you should not take it further unless I instruct you to. Research done at bleeping computer shows that these files are related to Avast.

I'd like to run an error check. What you are describing sounds like a system problem.

Starting through Windows Explorer:
Right click on Start> Explore> My Computer> Right click on Local Drive (usually C)> Properties> Tools> Error Check> check both boxes on the screen that comes up> Apply> Close the message and reboot for the Error Checking to start.

The nag message is just asking if you want to schedule chkdsk for next reboot. Closing the message and rebooting will start the checking in a few seconds.

There are no logs for this for me. After the checking has finished, try running the system for a while and see how it does. Sometimes an improper shutdown (aka a 'crash') can cause problems like you describe.

Go out for coffee while it runs. You have nothing else to do except wait for the system to reboot after the Error Checking has finished.
 