Major malware problem that will not go away

By popups do you mean random browser windows opening and me being directed to some dodgy site? In which case they have stopped thank goodness.
Good.


Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Copy and Paste the following code into the textbox. Do not include the word Code
    Code:
    :files
    %userprofile%\Application Data\Loyb
    %userprofile%\Application Data\Dyqios
    %userprofile%\Application Data\Ufuhi
    %userprofile%\Application Data\Fehiz
    %userprofile%\Application Data\Beilr
    %userprofile%\Application Data\Biiv
  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad. Copy and Paste that report in your next reply.


Run Eset online scanner.

Please go to ESET Online Scanner to run an online scan.

  1. Press the "ESET Online Scanner" button.
  2. Check the box next to "YES, I accept the Terms of Use."
  3. Click "Start"... a window will open... it may appear nothing is happening... please be patient.
  4. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
    Once installed, the scanner will be initialized.
  5. Click "Start". Make sure that the options:
    • Remove found threats is checked
    • Leave the "default" settings under Advanced as they are; if not set, please check:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  6. Click "Start"... ESET scanner will begin to download the virus signatures database.
    When the signatures have been downloaded, the scan will start automatically.
  7. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
  8. Use Notepad to open the log file located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  9. Copy and paste the contents of log.txt in your next reply.
 
OTL OldTimer log:


========== FILES ==========
C:\Documents and Settings\OWNER\Application Data\Loyb folder moved successfully.
C:\Documents and Settings\OWNER\Application Data\Dyqios folder moved successfully.
C:\Documents and Settings\OWNER\Application Data\Ufuhi folder moved successfully.
C:\Documents and Settings\OWNER\Application Data\Fehiz folder moved successfully.
C:\Documents and Settings\OWNER\Application Data\Beilr folder moved successfully.
C:\Documents and Settings\OWNER\Application Data\Biiv folder moved successfully.

OTL by OldTimer - Version 3.2.9.0 log created on 07162010_135238
 
Log ONE for ESET Online Scan:


--------------------------------------------------------------


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=858b95a541cbe842a8454104058faa85
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-16 01:56:31
# local_time=2010-07-16 02:56:31 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=256 16777215 100 0 98573233 98573233 0 0
# compatibility_mode=512 16777215 100 0 177784 177784 0 0
# compatibility_mode=1031 16777189 100 92 982855 3571751 0 0
# compatibility_mode=8192 67108863 100 0 193 193 0 0
# scanned=120822
# found=1
# cleaned=1
# scan_time=3316
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
 
Hi

Is your computer still free from symptoms of malware?

Please also post a fresh set of DDS logs.
 
Hello...

It has been 2 days since my last post to you.
  • Do you still need help with this problem?

After 24 hrs., if you have not replied to this thread... it will be closed!
 
It has been two days? Sorry, I did not know that (normally your replies have been at a different time!).


I have a concern with regards to this:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Was this malware present on my pc, hidden in Spybot or detected by Spybot and stored in it? And has it been removed by ESET?
 
DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by OWNER at 13:52:01.50 on 18/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.349 [GMT 1:00]

AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\sony\vaio media music server\SSSvr.exe
C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
C:\Program Files\sony\giga pocket\GPVSvr.exe
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
C:\Program Files\sony\giga pocket\RM_SV.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Documents and Settings\OWNER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.lefigaro.fr/
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.sony-europe.com/
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\OWNER\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\OWNER\startm~1\programs\startup\firewa~1.lnk - c:\windows\system32\net.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093807566890
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\common files\microsoft shared\information retrieval\itss51.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-6-5 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-6-5 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-10 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-25 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-10 243024]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-4-26 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-4-26 72624]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-21 308136]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-21 2331032]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-6-5 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-6-5 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-6-5 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-6-5 26192]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-21 5897808]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-26 135664]
S2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\kpf4ss.exe [2007-4-26 1234480]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-6-5 430152]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-6-5 30104]

=============== Created Last 30 ================

2010-07-16 12:58:06 0 d-----w- c:\program files\ESET
2010-07-16 12:52:38 0 d-----w- C:\_OTL
2010-07-14 11:37:55 0 d-----w- c:\program files\trend micro
2010-07-14 04:50:09 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 21:37:54 0 d-sha-r- C:\cmdcons
2010-07-12 21:33:48 98816 ----a-w- c:\windows\sed.exe
2010-07-12 21:33:48 77312 ----a-w- c:\windows\MBR.exe
2010-07-12 21:33:48 256512 ----a-w- c:\windows\PEV.exe
2010-07-12 21:33:48 161792 ----a-w- c:\windows\SWREG.exe
2010-07-12 02:15:16 0 d-sh--w- c:\documents and settings\OWNER\UserData
2010-07-12 01:21:07 0 d---a-r- C:\autorun.inf
2010-06-26 06:41:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-26 05:43:50 378 ----a-w- c:\windows\system32\.crusader
2010-06-26 05:36:18 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-26 05:35:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-26 05:35:51 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-26 03:24:36 0 d-----w- c:\windows\system32\NtmsData
2010-06-26 00:04:39 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-25 02:53:05 0 d-----w- c:\docume~1\OWNER\applic~1\Malwarebytes
2010-06-25 02:52:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-25 02:52:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-25 02:52:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-25 02:52:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 03:04:36 52864 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-23 23:04:42 0 d-----w- c:\program files\Bonjour
2010-06-21 16:25:54 12536 ----a-w- c:\windows\system32\avgrsstx.dll

==================== Find3M ====================

2010-07-18 11:21:27 27053585 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-06-21 16:26:06 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-21 16:24:55 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-06-21 16:20:23 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-05 04:55:04 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-06-05 04:51:30 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-06-05 04:51:30 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-05-18 15:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 15:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 15:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 13:53:37.60 ===============
 
Attach log:



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 29/08/2004 20:52:53
System Uptime: 16/07/2010 13:26:20 (48 hours ago)

Motherboard: ASUSTek Computer Inc. | | P4SD-VL
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | CPU 1 | 3192/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 28 GiB total, 9.524 GiB free.
D: is FIXED (NTFS) - 158 GiB total, 127.147 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP2108: 21/06/2010 17:27:01 - Avg Update
RP2109: 21/06/2010 22:55:22 - Cleaned registry with Windows Live OneCare safety scanner
RP2110: 23/06/2010 06:36:17 - System Checkpoint
RP2111: 24/06/2010 09:00:51 - System Checkpoint
RP2112: 25/06/2010 09:06:20 - System Checkpoint
RP2113: 25/06/2010 13:14:21 - Installed Windows Defender
RP2114: 26/06/2010 13:27:24 - System Checkpoint
RP2115: 26/06/2010 16:58:31 - Cleaned registry with Windows Live OneCare safety scanner
RP2116: 26/06/2010 18:11:22 - Software Distribution Service 3.0
RP2117: 27/06/2010 21:22:04 - System Checkpoint
RP2118: 28/06/2010 22:18:04 - System Checkpoint
RP2119: 29/06/2010 09:29:43 - Avg Update
RP2120: 29/06/2010 09:32:29 - Avg Update
RP2121: 30/06/2010 09:32:45 - System Checkpoint
RP2122: 01/07/2010 09:56:45 - System Checkpoint
RP2123: 02/07/2010 10:20:47 - System Checkpoint
RP2124: 03/07/2010 10:56:44 - System Checkpoint
RP2125: 04/07/2010 04:04:44 - Removed Java 2 Runtime Environment, SE v1.4.2_01
RP2126: 04/07/2010 04:06:25 - Removed Java(TM) 6 Update 3
RP2127: 04/07/2010 04:07:27 - Removed Java(TM) 6 Update 5
RP2128: 05/07/2010 05:57:12 - System Checkpoint
RP2129: 06/07/2010 15:20:13 - System Checkpoint
RP2130: 07/07/2010 15:58:50 - System Checkpoint
RP2131: 08/07/2010 17:49:24 - Removed Windows Defender
RP2132: 08/07/2010 17:52:13 - Removed Norton WMI Update
RP2133: 09/07/2010 23:45:42 - System Checkpoint
RP2134: 11/07/2010 00:36:27 - System Checkpoint
RP2135: 12/07/2010 01:00:35 - System Checkpoint
RP2136: 13/07/2010 02:27:08 - System Checkpoint
RP2137: 14/07/2010 03:37:10 - System Checkpoint
RP2138: 15/07/2010 03:00:26 - Software Distribution Service 3.0
RP2139: 16/07/2010 03:18:44 - System Checkpoint
RP2140: 17/07/2010 03:31:07 - System Checkpoint
RP2141: 18/07/2010 03:43:07 - System Checkpoint

==== Installed Programs ======================


Adobe Acrobat Elements 6.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop CS2
Adobe Photoshop Elements 2.0
Adobe Premiere 6 LE
Adobe Stock Photos 1.0
Agere Systems AC'97 Modem
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoUpdate
AVG 9.0
Bonjour
Click to DVD 1.3
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Drag'n Drop CD+DVD
DVgate Plus
Empire: Total War Demo
ESET Online Scanner v3
Giga Pocket 5.5
Giga Pocket Demo Movie
Giga Pocket Hardware Library 5.5
Google Chrome
Google Update Helper
Half-Life 2
Half-Life 2: Deathmatch
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) PRO Network Adapters and Drivers
InterVideo WinDVD 5 for VAIO
ISP Selector
ISP Selector (English)
Java Auto Updater
Java(TM) 6 Update 20
Malwarebytes' Anti-Malware
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
MoodLogic
Mozilla Thunderbird (2.0.0.21)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Visualizer Library 1.4.00
Natural Selection 3.2
OpenMG Secure Module 3.3.01
PictureGear Studio 2.0
Portal
QuickTime
QuickTime for Windows (32-bit)
RealPlayer
Rome - Total War(TM)
Rotor-Gene 6000 1.7.87
Safari
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Segoe UI
SonicStage 1.6.00
Sony Ericsson PC Suite
Sony USB Mouse
Sony Video Shared Library
SPSS 16.0 for Windows
Steam
Sunbelt Personal Firewall
Sven Co-op 4.0B
Team Fortress 2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VAIO BrightColor Wallpaper
VAIO Clock Screen Saver
VAIO DeepSea Wallpaper
VAIO Edit Components
VAIO Media 2.5
VAIO Media Music Server 2.5
VAIO Media Photo Server 2.5
VAIO Media Platform 2.5
VAIO Media Redistribution 2.5
VAIO Media Setup 2.5
VAIO Media Video Server 2.5
VAIO Online Registration (English)
VAIO Product Survey (English)
VAIO Remote Commander Utility 6.2
VAIO System Information
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VOR
VPS
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows XP Service Pack 3
World Book Multimedia Encyclopedia 1997

==== End Of File ===========================
 
It has been two days? Sorry, I did not know that (normally your replies have been at a different time!).

It seems it was only one day. This was 2 AM for me so concentration might not have been the best. :rolleyes:

I'll get back to your question in my next post, but please give me an answer to this:

Is your computer still free from symptoms of malware?
 
I'll get back to your question in my next post, but please give me an answer to this:

Yeah, the malware problems I had seem to have gone.

Things to note:

1) Embedded YouTube videos on various sites now appear. I assumed this was due to me upgrading my browser and something up with that; after running all the fixes they now appear.

2) My desktop does not revert to the Windows Classic hybrid thing.

3) Connection works properly and my PC does not randomly re-start.

4) After a re-boot my PC loads much faster; I do not need to sit tight for 5 minutes waiting till everything is "go".

Thanks for all the help and time Victor.

One concern though is my firewall (Sunbelt) does not load on start-up.
 
Was this malware present on my pc, hidden in Spybot or detected by Spybot and stored in it? And has it been removed by ESET?
This malware was once detected by Spybot and quarantined, then quarantined by ESET.


Random Access Memory Advice

Total RAM: 511 MB
Though Microsoft claims XP will run with this amount of system memory installed, it will run far better with 1-2 GB, which is pretty cheap nowadays.

If you wish to upgrade the installed memory in your system, Crucial have a small scanner (Crucial System Scanner tool) which is perfectly safe to download and run. It will advise if your system can support any upgraded memory modules. They cater for the US/UK and Europe.

This may solve the problem you reported when copying webpages into MS Office.


AVG

AVG Anti Virus with 512 MB memory or less might be a problem. You can try the more lightweight Avast or Avira if you experience any problems.

Note: Never run more than one anti virus on a computer, it will seriously impact system performance and can lead to conflicts between the programs.

Removing AVG may solve the problem with your Sunbelt Firewall, as there are reports of compatibility issues between these.

To safely change the installed anti virus software, I recommend that you follow this procedure:

  1. Download the installer for the new anti virus
  2. Download and save AVG Removal Tool to your desktop
  3. Disconnect the computer from the internet/network.
  4. Uninstall the existing AV from Add/Remove programs, then run the removal tool and reboot your computer.
  5. Then install the new AV, reboot your computer and immediately update the newly installed software (connect to the internet).


SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    RDPCDD.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Combofix

Disable your anti virus.

Open notepad and copy/paste the text in the codebox below into it:

Code:
SkipFix::

DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

Save the file as "CFScript.txt", and as Type: All Files (*.*) on your desktop.

[Image: CFScriptB-4.gif]


Refer to the picture above, then save all work and close all programs including any open browsers(!) and drag CFScript onto ComboFix.exe.

If Combofix prompts you to upgrade, please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt.


You can now enable your anti virus.


To post:
  • the SystemLook log
  • the Combofix log
  • Did any problems occur while following the instructions?
 
System look log:

-----------------------------------------------

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 04:02 on 22/07/2010 by OWNER (Administrator - Elevation successful)

========== filefind ==========

Searching for "RDPCDD.sys"
C:\WINDOWS\system32\dllcache\rdpcdd.sys --a--c 4224 bytes [15:30 01/12/2003] [12:00 31/03/2003] 4912D5B403614CE99C28420F75353332
C:\WINDOWS\system32\drivers\rdpcdd.sys --a--- 4224 bytes [15:30 01/12/2003] [12:00 31/03/2003] 4912D5B403614CE99C28420F75353332

-=End Of File=-
 
ComboFix log:


------------------------------------------------------------

ComboFix 10-07-21.01 - OWNER 22/07/2010 4:14.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.256 [GMT 1:00]
Running from: c:\documents and settings\OWNER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\OWNER\Desktop\CFScript.txt.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: Sunbelt Personal Firewall *disabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-16 12:58 . 2010-07-16 12:58 -------- d-----w- c:\program files\ESET
2010-07-16 12:52 . 2010-07-16 12:52 -------- d-----w- C:\_OTL
2010-07-14 11:37 . 2010-07-14 11:38 -------- d-----w- c:\program files\trend micro
2010-07-14 11:37 . 2010-07-14 11:38 -------- d-----w- C:\rsit
2010-07-14 04:50 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 02:15 . 2010-07-12 02:15 -------- d-sh--w- c:\documents and settings\OWNER\UserData
2010-07-04 10:11 . 2010-07-04 10:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-06-29 08:29 . 2010-06-29 08:29 1039712 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-06-26 06:41 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-26 05:36 . 2010-07-12 01:29 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-26 05:35 . 2010-06-26 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-26 05:35 . 2010-06-26 05:35 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-26 03:24 . 2010-06-26 03:24 -------- d-----w- c:\windows\system32\NtmsData
2010-06-26 01:37 . 2010-06-26 01:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-26 01:27 . 2010-06-26 01:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-06-26 00:04 . 2010-06-26 00:04 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-25 23:58 . 2010-06-25 23:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-06-25 23:57 . 2010-07-02 16:02 -------- d-----w- c:\documents and settings\OWNER\Local Settings\Application Data\Temp
2010-06-25 23:56 . 2010-06-26 00:00 -------- d-----w- c:\program files\Google
2010-06-25 23:55 . 2010-07-08 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-25 02:53 . 2010-06-25 02:53 -------- d-----w- c:\documents and settings\OWNER\Application Data\Malwarebytes
2010-06-25 02:52 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-25 02:52 . 2010-06-25 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-25 02:52 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-25 02:52 . 2010-06-25 02:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 03:04 . 2010-06-24 03:04 52864 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-24 03:04 . 2010-06-24 03:04 -------- d-----w- c:\documents and settings\OWNER\Application Data\Apple Computer
2010-06-23 23:04 . 2010-06-23 23:04 -------- d-----w- c:\program files\Bonjour
2010-06-23 22:57 . 2010-06-23 22:58 -------- d-----w- c:\program files\Safari
2010-06-23 22:53 . 2010-06-23 22:53 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-23 22:37 . 2010-06-24 00:42 -------- d-----w- c:\program files\Common Files\Apple
2010-06-23 22:32 . 2010-06-23 22:34 -------- d-----w- c:\program files\QuickTime
2010-06-23 22:32 . 2010-06-23 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-21 22:42 . 2004-08-30 00:55 27081490 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-07-14 11:24 . 2003-12-02 09:23 -------- d-----w- c:\program files\Norton Internet Security
2010-07-08 16:48 . 2006-05-01 20:06 -------- d-----w- c:\documents and settings\OWNER\Application Data\Lavasoft
2010-07-04 03:30 . 2006-05-01 19:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-04 03:09 . 2006-05-01 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-04 03:07 . 2003-12-02 09:13 -------- d-----w- c:\program files\Common Files\Java
2010-06-27 22:40 . 2009-06-07 14:15 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-26 05:59 . 2010-06-21 19:10 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-25 12:15 . 2004-08-29 20:44 69976 ----a-w- c:\documents and settings\OWNER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-23 04:53 . 2010-05-20 03:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-21 16:27 . 2010-06-21 16:27 74760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\UniversalDD.sys
2010-06-21 16:27 . 2010-06-21 16:27 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-06-21 16:27 . 2010-06-21 16:27 30216 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSFilter.sys
2010-06-21 16:27 . 2010-06-21 16:27 26120 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSShim.sys
2010-06-21 16:27 . 2010-06-21 16:27 25096 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSxx.sys
2010-06-21 16:27 . 2010-06-21 16:27 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-06-21 16:27 . 2010-06-21 16:27 122376 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSDriver.sys
2010-06-21 16:26 . 2009-04-10 14:29 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-21 16:25 . 2010-06-21 16:25 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-21 16:24 . 2010-06-05 04:55 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-06-21 16:20 . 2009-04-10 14:29 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-21 16:18 . 2010-06-21 16:18 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-06-21 16:18 . 2010-06-21 16:18 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-06-21 16:18 . 2010-06-21 16:18 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-06-20 04:25 . 2010-06-05 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-14 14:31 . 2003-12-01 16:43 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-07 14:59 . 2010-06-07 14:59 -------- d-----w- c:\documents and settings\OWNER\Application Data\AVG9
2010-06-06 00:17 . 2010-06-06 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-06-06 00:09 . 2003-12-23 13:44 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-06 00:06 . 2010-06-06 00:06 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-06-05 05:18 . 2010-06-05 05:18 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-05 05:17 . 2006-11-25 18:38 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-05 04:58 . 2010-06-05 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-06-05 04:55 . 2010-06-05 04:55 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-06-05 04:51 . 2010-06-05 04:51 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-06-05 04:51 . 2010-06-05 04:51 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-06-05 04:49 . 2009-04-10 14:28 -------- d-----w- c:\program files\AVG
2010-06-04 21:39 . 2010-06-04 21:39 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-06-04 21:39 . 2010-06-04 21:39 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-06-04 21:39 . 2010-06-04 21:39 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-06-04 21:39 . 2010-06-04 21:39 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-05-24 16:49 . 2010-05-24 16:49 503808 ----a-w- c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5a3a6380-n\msvcp71.dll
2010-05-24 16:49 . 2010-05-24 16:49 499712 ----a-w- c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5a3a6380-n\jmc.dll
2010-05-24 16:49 . 2010-05-24 16:49 348160 ----a-w- c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5a3a6380-n\msvcr71.dll
2010-05-24 16:49 . 2010-05-24 16:49 61440 ----a-w- c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64651902-n\decora-sse.dll
2010-05-24 16:49 . 2010-05-24 16:49 12800 ----a-w- c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64651902-n\decora-d3d.dll
2010-05-24 16:49 . 2003-12-02 09:13 -------- d-----w- c:\program files\Java
2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35 . 2010-05-18 15:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 15:35 . 2010-05-18 15:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2003-12-01 15:30 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2003-12-01 15:30 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 335872]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 88361]
"Mouse Suite 98 Daemon"="ICO.EXE" [2001-08-23 45056]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-21 2065760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\OWNER\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-12-23 113664]
Firewall Engine.lnk - c:\windows\system32\net.exe [2003-12-1 42496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-7-30 217195]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-06-21 16:25 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\empire total war demo\\Empire.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.com"=
"c:\\Program Files\\SPSSInc\\SPSS16\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Games\\Steam\\SteamApps\\romulansnitch\\half-life\\hl.exe"=
"d:\\Games\\Steam\\SteamApps\\romulansnitch\\counter-strike source\\hl2.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [05/06/2010 05:55 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [05/06/2010 05:55 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/04/2009 15:29 216400]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/04/2009 15:29 243024]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [26/04/2007 10:21 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [26/04/2007 10:21 72624]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [21/06/2010 17:25 308136]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [21/06/2010 17:20 2331032]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [26/04/2007 10:21 1234480]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [05/06/2010 05:51 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [05/06/2010 05:52 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [05/06/2010 05:52 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [05/06/2010 05:52 26192]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [21/06/2010 17:24 5897808]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/06/2010 00:57 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [05/06/2010 05:54 430152]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [05/06/2010 05:51 30104]
.
Contents of the 'Scheduled Tasks' folder

2010-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 23:56]

2010-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 23:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lefigaro.fr/
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.sony-europe.com/
uInternet Settings,ProxyOverride = <local>
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-22 04:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(480)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-22 04:23:39
ComboFix-quarantined-files.txt 2010-07-22 03:23
ComboFix2.txt 2010-07-13 18:03
ComboFix3.txt 2010-07-12 22:13

Pre-Run: 10,218,803,200 bytes free
Post-Run: 10,388,586,496 bytes free

- - End Of File - - 724086A887193BD7684C071433A6A4A4
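The SystemLook filefind request and the log it produced above show the check being made: the copy of RDPCDD.sys in system32\drivers should report the same size and MD5 as the protected copy in system32\dllcache. As an added example (not from this thread and not SystemLook's own code), the Python script below parses that log format and flags any searched file whose found copies disagree; the sample log reuses the RDPCDD.sys lines from the post and adds a constructed second search with placeholder hashes to show what a mismatch looks like.

```python
import re
from collections import defaultdict

# One result line of a SystemLook ':filefind' section, as in the log above:
# <path> <attrs> <size> bytes [<modified>] [<created>] <md5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-a-zA-Z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')

# Constructed sample: the RDPCDD.sys entries are the ones from the log above;
# the second search ("example.sys", placeholder hashes) is made up to show
# a drivers copy that no longer matches its dllcache copy.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
========== filefind ==========

Searching for "RDPCDD.sys"
C:\WINDOWS\system32\dllcache\rdpcdd.sys --a--c 4224 bytes [15:30 01/12/2003] [12:00 31/03/2003] 4912D5B403614CE99C28420F75353332
C:\WINDOWS\system32\drivers\rdpcdd.sys --a--- 4224 bytes [15:30 01/12/2003] [12:00 31/03/2003] 4912D5B403614CE99C28420F75353332

Searching for "example.sys"
C:\WINDOWS\system32\dllcache\example.sys --a--c 4224 bytes [15:30 01/12/2003] [12:00 31/03/2003] 00000000000000000000000000000001
C:\WINDOWS\system32\drivers\example.sys --a--- 4608 bytes [10:00 20/07/2010] [12:00 31/03/2003] 00000000000000000000000000000002

-=End Of File=-
"""


def parse_filefind(log_text):
    """Return {searched name: [copy, ...]} where each copy is a dict with
    path, attrs, size (int) and md5 (upper-case hex)."""
    results = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name")
            results.setdefault(current, [])  # keep names with no hits too
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            results[current].append({
                "path": m.group("path"),
                "attrs": m.group("attrs"),
                "size": int(m.group("size")),
                "md5": m.group("md5").upper(),
            })
    return dict(results)


def find_mismatches(results):
    """For every searched name, say whether all found copies share one
    (size, md5) fingerprint. A drivers copy that differs from the dllcache
    copy is what a helper looks for when a driver may have been replaced."""
    report = {}
    for name, copies in results.items():
        fingerprints = {(c["size"], c["md5"]) for c in copies}
        report[name] = {
            "copies": len(copies),
            "consistent": len(fingerprints) <= 1,
            "fingerprints": sorted(fingerprints),
        }
    return report


def summarize(log_text):
    """One human-readable line per searched file."""
    lines = []
    for name, info in find_mismatches(parse_filefind(log_text)).items():
        state = "consistent" if info["consistent"] else "MISMATCH"
        lines.append(f"{name}: {info['copies']} copies, {state}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```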
 
Please post back one more time to confirm that you have read this post or if you have got any malware related questions.


Update Windows and Internet Explorer

Update Windows and Internet Explorer to protect your computer from malware. Please go to the windows update site to get the critical updates. Repeat this update process until no further important updates are offered.


Uninstall ComboFix

Click on Start >> Run..., copy and paste the following line into the run box, then click OK:
ComboFix /Uninstall
Note: there's a space between "ComboFix" and "/Uninstall".


OTL-Cleanup

You should still have this on your desktop, if so, please ignore the download instructions.
Please download OTL ... by Old Timer. Save it to your Desktop.
  1. Double click on OTL.exe to run it.
  2. Press the CleanUp button.
  3. When done, you will be prompted to reboot your system to finish file removal... please select OK to reboot your computer.


Delete tools

TFC is a great tool for you to keep and use on a regular basis. Please delete the following tools:

  • DDS
  • Norton Removal Tool
  • SystemLook
    You can just delete the files (if still present).


Your computer now appears to be malware free. The logs are clean. Good job!

Please follow these simple steps in order to keep your computer clean and secure.


Keep your system updated:

Make sure automatic updates for Windows XP is enabled to get the latest patches from Microsoft to fix bugs and security holes:

  • Go to Start > Control Panel > Automatic Updates
    1. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
    2. Select Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
    3. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.


Keep your non-Microsoft applications updated as well:

Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it and install the suggested updates at least once a week.


Secure your computer further:

Consider using the following programs to secure your computer further:

  • Hosts File
    Please use the following for the added protection: MVPS Hosts, you will find more information regarding hosts files there. A simple explanation of what a Hosts file does is here (includes a description on how to use HostsXpert to easily download and manage your hosts file).

  • Malwarebytes Anti-Malware
    Update Malwarebytes Anti-Malware and perform a quick scan 1-2 times a week.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.


It is ABSOLUTELY ESSENTIAL to keep Windows, Java, Adobe and all of your security programs up to date.


Read these articles to learn more about how to protect yourself while on the internet:



Safe surfing! :)
 
Hey Victor,

This is to confirm I have read the above post.

I have some quick questions though.

1) Is the Win32/Zbot malware threat now removed from my computer? This was the most terrifying.

2) I have had difficulty in trying to download AVG free. Is this due to the problems you mentioned below with regards to RAM, and are Avast or Avira just as good as AVG?

3) Do I need to re-download Spybot?


Other than that my pc is completely clean?

Thank you so much for your time and assistance. It is greatly appreciated!
 
The logs from the tools that are available and used to fix your computer now show that Win32/Zbot is removed and that your computer was malware free when the final log was generated. However I want to direct your attention to this post: http://forums.spybot.info/showpost.php?p=376516&postcount=11 where I advise a reformat/reinstall and write there's no guarantee that your computer will be secure after the fix. This is due to the functionality of this type of infection. There's no way to tell if the backdoor has been used to make changes to the security settings on your computer and left it vulnerable to reinfection. This can happen within a few days, week(s) or more. Unfortunately there is no way to reset these settings other than a fresh install.

Downloading AVG free should now work (not related to RAM). The free versions of Avast, Avira and AVG are all good anti virus software.

If you are not experiencing any problems with Spybot then there should not be any need to re-download it. Update and re-immunize to verify.
 
There is no way to block the backdoors (or find if such still exist) other than reformatting?

Did Malwarebytes delete the altered keys/backdoors?

During Google searches about Win32/Zbot and backdoors in general, I found some tools/programs claiming to delete it/block the Win32 back doors - is this just some crap? I have no intention of touching any of these but am just curious whether it can be done, or is it due to the nature of the backdoors being different per computer that it is impossible?

I just have to ask as the potential effects of Win32/Zbot infection are extremely worrying.
 
I have earlier had difficulty in downloading the free AVG, is this because I need to remove the 30 day trial version?

During the clean up process, you requested I uninstall Spybot, my concern was whether I still needed it?

I still have GMER and RSIT, should I keep them?
 
AndyUK said:
I have earlier had difficulty in downloading the free AVG, is this because I need to remove the 30 day trial version?
No, the download was not blocked because of this. It was probably blocked by the infection.

During the clean up process, you requested I uninstall Spybot, my concern was whether I still needed it?
Ok, please re-download and re-install Spybot S&D, then update and immunize. If you use TeaTimer (part of Spybot), then please do not use WinPatrol. They do not work well together.

I still have GMER and RSIT, should I keep them?
These should have been removed by the OTL cleanup. If not please delete them.
 