A couple of days ago, while visiting a forum I never usually have any problems with, AVG Resident Shield lit up with warnings for Win32/Zbot.A, VBS/generic and SHeur3.AQRA. It seems like it came from an infected flash advert on the forum. So I ran AVG and found a massive infection of all three. I've purged my temp files to try and limit the spread, and backed up my registry with Erunt. Below is the DDS log, and I've attached the other file as requested.

------

DDS (Ver_10-10-05.01) - NTFSx86
Run by user at 8:45:44.46 on 07/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.767.343 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/Documents/Links_07.htm
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TP4EX] tp4ex.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\micros~1.lnk - c:\msoffice\office\FASTBOOT.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\802.11 wireless lan\802.11g wireless adapter hw.15 v.1.00\WlanCU.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\qypa2ozn.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents/Links_07.htm
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-10-9 20520]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-22 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-22 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-22 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-22 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-22 308136]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2002-10-2 13532]

=============== Created Last 30 ================

2010-10-05 23:39:25 -------- d--h--w- C:\$AVG
2010-10-05 23:31:16 -------- d-----w- c:\program files\Microsoft

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-23 14:09:57 167424 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 11:56:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-22 11:56:49 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-22 10:38:18 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 8:45:57.53 ===============


About 18 months ago, you guys helped me out with a Virtumonde infection on my old machine, so I'm hoping you can do the same again here.

Hi lather

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

Thanks peku006

Hi, and thanks for the help.

Here's the ComboFix log:


ComboFix 10-10-11.03 - user 12/10/2010 7:50.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.767.375 [GMT 1:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2010-09-12 to 2010-10-12 )))))))))))))))))))))))))))))))
.

2010-10-07 07:36 . 2010-10-07 07:37 -------- d-----w- c:\program files\ERUNT
2010-10-05 23:39 . 2010-10-05 23:39 -------- d-----w- C:\$AVG
2010-10-05 23:31 . 2010-10-06 00:48 -------- d-----w- c:\program files\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2010-10-07 425984]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-03 1594664]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2010-10-06 950272]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"TpShocks"="TpShocks.exe" [2009-12-11 337256]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-05 2067808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\user\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Microsoft Office Fast Start.lnk - c:\msoffice\Office\FASTBOOT.EXE [1995-7-20 14848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-19 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-19 51984]
Wireless Configuration Utility HW.15.lnk - c:\program files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe [2006-11-19 634880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-22 10:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 22:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 19:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Replay Converter 3\\ReplayConverter.exe"=

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [09/10/2009 12:10 20520]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/07/2010 11:38 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [22/07/2010 11:38 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [22/07/2010 11:37 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [22/07/2010 11:37 308136]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [02/10/2002 09:57 13532]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SJYPKT
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents/Links_07.htm
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\qypa2ozn.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents/Links_07.htm
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
Completion time: 2010-10-12 07:58:11
ComboFix-quarantined-files.txt 2010-10-12 06:58

Pre-Run: 19,405,127,680 bytes free
Post-Run: 19,546,886,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8D269DC91D7CC7E6FA6A8C4436742F33

Hi lather

Please go here: http://virusscan.jotti.org/ (http://virusscan.jotti.org/)


When the jotti page has finished loading, click the "Browse" button and navigate to the following file and click Submit:

c:\windows\system32\drivers\SjyPkt.sys



Copy the results and paste them here



Thanks peku006

Done that, and here's the results:

-------
This file has been scanned before. The results for this previous scan are listed below.

Filename: SjyPkt.sys
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Sun 21 Feb 2010 21:42:50 (CET)

File size: 13532 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 3d7ef286e806f9bd9339aa52e28dcd67
SHA1: 431d2dd1c273a1bbf59fd50fa277fc0c1ebfb29f
--------


When I booted up the computer again, I got a pop-up Windows security alert about IE connections being blocked - I clicked on "Ask me later", rather than "Keep blocking" or "approve" as I wasn't sure exactly what was happening - Hope I did the right thing there!!

Need to add that AVG Resident Shield, which I've just re-enabled, has lit up with a whole load of new detections.....

Hi lather

thanks for the information

Malwarebytes' Anti-Malware


Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update have been completed, Select the Scanner tab.
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please reply with

Malwarebytes' Anti-Malware Log

Thanks peku006

Mbam run successfully - I've been slightly delayed in replying as I had to walk the dogs!

Nothing turned up in System Volume Info folder, although AVG Resident Shield had shown infection in a restore point.

Here's the Mbam log:

---------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4799

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/10/2010 14:12:18
mbam-log-2010-10-12 (14-12-18).txt

Scan type: Full scan (C:\|)
Objects scanned: 184834
Time elapsed: 1 hour(s), 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{c9da71eb-b0c5-82f7-4082-13d5825a6296} (Heuristics.Shuriken) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Heuristics.Shuriken) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\Application Data\Payr\eser.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\temp\tmpaa49a2dd\kill.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

----------

Hi lather

Nothing turned up in System Volume Info folder, although AVG Resident Shield had shown infection in a restore point.
We will take care of the System Volume Information items later :)

TFC (Temp File Cleaner)


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work.TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.


Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

Thanks peku006

Sorry for the delay - The download took a while, and the scan took just over four hours! Seems like it found a very widespread infection, with almost 3,000 files affected! (And it looks like quite a few of them are device drivers...)

Due to the huge length of the report file, I've zipped and attached it - Hope that's OK...

Here's the summary section of the report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, October 12, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, October 12, 2010 08:47:44
Records in database: 4202236
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 58834
Threats found: 1
Infected objects found: 2873
Suspicious objects found: 0
Scan duration: 04:07:56


The whole of it is in the zip file...

Hi lather

I'm very sorry but I have to give you some bad news. :sad:

You have a "file infector" infection!
The last scan confirmed the depth of the infection. This kind of infection changes file contents, creates new versions of files and spreads itself internally throughout your system. Unfortunately, the scans available could possible delete files that are needed by the system and cause more harm than good. The safest way to remove the infection you have, is to reformat your hard drive and reinstall your operating system.
I can not in good conscience, recommend any other approach as these type of infections spread exponentially and the machine could be so infected that it could not be trusted again.

As this forum is set up for malware removal only, I can provide some links to other forums where you can ask and obtain answers to reformatting and reinstallation questions you may have.

Here are just a few PC forums, that can assist with reformatting and reinstall questions.
These sites have a variety of experts, that are better equipped to investigate and resolve these kinds of issues.
Registration is free, it only takes a few minutes. :)
BleepingComputer.com (http://www.bleepingcomputer.com/forums/)
The Elder Geek on Windows (http://www.theeldergeek.com/forum/)
WhattheTech...formerly TomCoyote (http://forums.whatthetech.com/forums.html)

I'm sorry that I can not offer you more assistance. Please let me know that you have seen this post.

Thanks and good luck

peku006

OK, I understand - Fortunately, I've got an OEM recovery partition on the drive, which I hope will do the job.

I know this may be off-topic for this forum, but do you know if I'll be able to rescue important data files that show as clean in the scans by burning them to CD? The infection hit a few days before my regular monthly back-up, and I'd hate to lose the files!

Hi lather

Yes you can copy but,Do NOT backup/copy any system files (anything in C:\windows; *.DLL, *.SYS) or program files (*.EXE, *.COM, *.PIF, *.BAT, *.SCR, *.PIF, *.DLL).

Reformatting is the ultimate solution. Don't just do a 'repair' install of windows, but make sure to reformat. A 'custom' or 'clean' install of Windows is a reformat; or you can use a third party tool to format first.

peku006

OK, that's what I thought - And none of them are system files or programs, just data and pictures.

Thanks for your help with this, and I'll have a word with the folks on one of the other forums and see if they can get me sorted out.

As this issue appears to be resolved, this topic is now closed

If you have been helped and wish to donate to help with the costs of this volunteer site, please read :
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)