
Thread: Another IDP.Trojan.1C8D1A13 and Crypt.AQLW infection...please help

  1. #21
    Member
    Join Date
    May 2012
    Posts
    38

    Default Re:

    Hi oldman960

    The computer is feeling better now. It didn't freeze when rebooted in normal mode

    I did all as You requested... ComboFix detected rootkit activity:

    "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection."... etc.

    It rebooted and started scanning again, but when it completed all the stages and started deleting files it has stuck at

    Deleting files:

    H:\Autorun.inf

    What do I do next? Please help

  2. #22
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi JonDou,

    If there isn't the slightest bit of hard drive activity, reboot the computer and run combofix again.
    Member of UNITE and ASAP

  3. #23
    Member
    Join Date
    May 2012
    Posts
    38

    Default Re:

    Hi oldman960
    I may have done it wrong. I restarted the computer and let it run throughout the night, because it seemed to be stuck at the same point, but in the morning the log-in screen was waiting for me as if it had finished the scan and rebooted. The thing is... after yesterday's reboot (when CF was stuck), I didn't start CF again by dragging the CFscript.txt onto the ComboFix.exe icon. I just double-clicked it. Was that OK, or do You want me to do it again, but this time by dragging the CFscript.txt?
    And another thing... I can't find the log from the last scan. I checked it in C:

    Thanks again and sorry if I made a mistake here.

  4. #24
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi JonDou,

    Just run combofix again by double clicking. Please post the log that is produced.
    Member of UNITE and ASAP

  5. #25
    Member
    Join Date
    May 2012
    Posts
    38

    Default Re:

    Hi oldman960
    It's been 4 hours since I double clicked CF to do the scan and it is stuck at the same position as before:



    I ran it last night again and it didn't produce any log. The same login window was on screen when I woke up. I did another scan when I came back from work and that one is still running (4 hours so far and it didn't move from H:\Autorun.inf). I don't know what to do.
    If it matters, hard drive H: I believe is an external hard drive, which I can disconnect if you want me to.

    Thanks for staying with my problem oldman960

  6. #26
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi

    Let's try it this way. Reboot the computer, disconnect the external drive.

    After the computer restarts give it a bit to see if combofix will finish. If it doesn't, locate combofix.exe which you've renamed, right click it and click delete.

    Download a new copy and try it again by double clicking it.
    Member of UNITE and ASAP

  7. #27
    Member
    Join Date
    May 2012
    Posts
    38

    Default Re:

    Hi oldman960
    I've done the thing You've asked and the same thing happened there, just this time it finished stage 50 and that was it. It didn't start deleting the files like before. I left it running for 3 hours and it didn't move from that stage, so I went to bed. In the morning, a Windows login window was there and no log report in C:
    Am I doing something wrong here?
    On top of that... I can't get rid of the "HPProductAssistance" popup window that keeps popping up.

    and when I click cancel:

    then after OK it starts installing it again and repeats the process all over again with the same pics ??!!


    You said at the beginning not to install any program without your knowledge or instructions. Shall I find that disc and give it a go or just uninstall that crap? And yeah... what to do next with my problem
    Thanks oldman960 for your answers... I really appreciate it

  8. #28
    Member
    Join Date
    May 2012
    Posts
    38

    Default Re:

    I DID IT
    Finally... I thought I could try the CF scan one more time, so I deleted the icon and downloaded a fresh one (again) like you suggested, and ComboFix finished it with the log report at the end. It reported this as well, just before it restarted the computer:



    The log follows.

  9. #29
    Member
    Join Date
    May 2012
    Posts
    38

    Default Re:

    Here is the log ComboFix.txt:



    ComboFix 12-05-12.01 - Goran 2-May-2012 16:49:39.7.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2907 [GMT 8:00]
    Running from: c:\documents and settings\Goran\Desktop\jgh.exe
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    The following files were disabled during the run:
    c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_2WIREPCP
    -------\Legacy_AMDIDE
    -------\Legacy_AR5211
    -------\Legacy_ARCSOFTVIRTUALCAPTURE
    -------\Legacy_ASMMAP
    -------\Legacy_ATIMPAB
    -------\Legacy_AVG7UPDSVC
    -------\Legacy_AVIDSTARTUP
    -------\Legacy_BDFSFLTR
    -------\Legacy_BDRSDRV
    -------\Legacy_BLUELETSCOAUDIO
    -------\Legacy_BSHELPCS
    -------\Legacy_BTFIRST
    -------\Legacy_CCCREDMGR
    -------\Legacy_CFOSSPEEDS
    -------\Legacy_CICS.REGION2
    -------\Legacy_CMPCI
    -------\Legacy_CWCSPUD
    -------\Legacy_DB2NTSECSERVER
    -------\Legacy_DCAMUSBSQTECH
    -------\Legacy_DELLDMI
    -------\Legacy_DLAIFS_M
    -------\Legacy_DM1SERVICE
    -------\Legacy_DOT4UFD
    -------\Legacy_FSRAMDSK
    -------\Legacy_GHOSTSTARTSERVICE
    -------\Legacy_GIVEIO
    -------\Legacy_GV600_4
    -------\Legacy_HPFECP20
    -------\Legacy_HSFHWALI
    -------\Legacy_IBM_LLC2
    -------\Legacy_IFP800
    -------\Legacy_IFXTCS
    -------\Legacy_IPASSP
    -------\Legacy_IPSSVC
    -------\Legacy_IXIAENDPOINT
    -------\Legacy_K750MGMT
    -------\Legacy_KERIOMAILSERVER
    -------\Legacy_L1E
    -------\Legacy_L6POD
    -------\Legacy_LICENSEMANAGERSOCKET
    -------\Legacy_MAXBACKSERVICEINT
    -------\Legacy_MCODS
    -------\Legacy_MCPROMGR
    -------\Legacy_MHNDRV
    -------\Legacy_MI-RAYSAT_3DSMAX8
    -------\Legacy_MPFILTER
    -------\Legacy_MPFIREWL
    -------\Legacy_MPS9
    -------\Legacy_MSGAME
    -------\Legacy_MSSQL$SONY_MEDIAMGR
    -------\Legacy_NVRD64
    -------\Legacy_NWFILTER
    -------\Legacy_NXSYSMON
    -------\Legacy_OMNIUSBL
    -------\Legacy_ORACLEORADB10G_HOME1ISQL*PLUS
    -------\Legacy_ORACLEORAHOMEMANAGEMENTSERVER
    -------\Legacy_ORACLEWEBASSISTANT
    -------\Legacy_PCTINDIS5
    -------\Legacy_PDLNDLDL
    -------\Legacy_PIVOT
    -------\Legacy_RT2870
    -------\Legacy_S3SAVAGEMX
    -------\Legacy_S716BUS
    -------\Legacy_SE2END5
    -------\Legacy_SE58MGMT
    -------\Legacy_SE59ND5
    -------\Legacy_SERIALKEYS
    -------\Legacy_SETUPSYS
    -------\Legacy_SFDRV01
    -------\Legacy_SI3114R5
    -------\Legacy_SLSERVICE
    -------\Legacy_SUSBSER
    -------\Legacy_TMHIDSRV
    -------\Legacy_TODDSRV
    -------\Legacy_TOSHIBASOFTMODEM
    -------\Legacy_TPKMPSVC
    -------\Legacy_USBSER
    -------\Legacy_USIUDF
    -------\Legacy_UTILMAN
    -------\Legacy_V0080DEV
    -------\Legacy_VAIOMEDIAPLATFORM-INTEGRATEDSERVER-APPSERVER
    -------\Legacy_VRADFIL
    -------\Legacy_WEBCOMPSERVER
    -------\Legacy_WEBSENSECPMCOMMUNICATIONAGENT
    -------\Legacy_WG5N
    -------\Legacy_WNCPKT
    -------\Legacy_YUKONWLH
    -------\Legacy_ZENOS1
    -------\Legacy_ZNTPORT
    -------\Service_2wirepcp
    -------\Service_AmdIde
    -------\Service_ar5211
    -------\Service_ARCSOFTVIRTUALCAPTURE
    -------\Service_ASMMAP
    -------\Service_atimpab
    -------\Service_avg7updsvc
    -------\Service_avidstartup
    -------\Service_bdfsfltr
    -------\Service_bdrsdrv
    -------\Service_blueletscoaudio
    -------\Service_BsHelpCS
    -------\Service_btfirst
    -------\Service_cccredmgr
    -------\Service_cfosspeeds
    -------\Service_cics.region2
    -------\Service_cmpci
    -------\Service_cwcspud
    -------\Service_db2ntsecserver
    -------\Service_DCamUSBSQTECH
    -------\Service_delldmi
    -------\Service_dlaifs_m
    -------\Service_dm1service
    -------\Service_dot4ufd
    -------\Service_fsRamDsk
    -------\Service_ghoststartservice
    -------\Service_giveio
    -------\Service_GV600_4
    -------\Service_HPFECP20
    -------\Service_HSFHWALI
    -------\Service_IBM_LLC2
    -------\Service_ifp800
    -------\Service_ifxtcs
    -------\Service_iPassP
    -------\Service_ipssvc
    -------\Service_ixiaendpoint
    -------\Service_k750mgmt
    -------\Service_keriomailserver
    -------\Service_L1e
    -------\Service_L6POD
    -------\Service_licensemanagersocket
    -------\Service_maxbackserviceint
    -------\Service_mcods
    -------\Service_mcpromgr
    -------\Service_mhndrv
    -------\Service_mi-raysat_3dsmax8
    -------\Service_MpFilter
    -------\Service_mpfirewl
    -------\Service_mps9
    -------\Service_msgame
    -------\Service_mssql$sony_mediamgr
    -------\Service_nvrd64
    -------\Service_NWFILTER
    -------\Service_NxSysMon
    -------\Service_omniusbl
    -------\Service_oracleoradb10g_home1isql*plus
    -------\Service_oracleorahomemanagementserver
    -------\Service_oraclewebassistant
    -------\Service_PCTINDIS5
    -------\Service_pdlndldl
    -------\Service_pivot
    -------\Service_rt2870
    -------\Service_s3savagemx
    -------\Service_s716bus
    -------\Service_se2End5
    -------\Service_se58mgmt
    -------\Service_se59nd5
    -------\Service_serialkeys
    -------\Service_SetupSys
    -------\Service_sfdrv01
    -------\Service_Si3114r5
    -------\Service_slservice
    -------\Service_susbser
    -------\Service_TMHIDSRV
    -------\Service_toddsrv
    -------\Service_TOSHIBASoftModem
    -------\Service_tpkmpsvc
    -------\Service_usbser
    -------\Service_USIUDF
    -------\Service_utilman
    -------\Service_V0080Dev
    -------\Service_vaiomediaplatform-integratedserver-appserver
    -------\Service_VRADFIL
    -------\Service_webcompserver
    -------\Service_websensecpmcommunicationagent
    -------\Service_wg5n
    -------\Service_WNCPKT
    -------\Service_yukonwlh
    -------\Service_zenos1
    -------\Service_zntport
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-12 to 2012-05-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-08 15:43 . 2010-07-09 21:38 10604128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2012-05-04 16:18 . 2012-05-04 16:19 -------- d-----w- c:\program files\ERUNT
    2012-05-04 15:02 . 2012-05-04 15:02 -------- d-----w- c:\program files\Common Files\Java
    2012-05-04 15:01 . 2012-05-04 15:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-05-04 15:01 . 2012-05-04 15:01 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-04-30 03:14 . 2012-04-30 03:18 -------- d-----w- c:\documents and settings\Goran\Application Data\ooVoo Details
    2012-04-30 03:13 . 2012-04-30 03:13 -------- d-----w- c:\documents and settings\Goran\Local Settings\Application Data\APN
    2012-04-29 16:13 . 2012-04-29 16:13 118318 ----a-w- c:\windows\Photo Pos Pro Collage Templates Pack Uninstaller.exe
    2012-04-29 16:09 . 2012-04-29 16:11 -------- d-----w- c:\documents and settings\Goran\Application Data\Photopos
    2012-04-29 16:09 . 2012-04-29 16:09 -------- d-----w- c:\program files\PhotoposComTbr
    2012-04-24 11:57 . 2012-04-24 11:57 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2012-04-24 11:57 . 2012-04-24 11:57 -------- d-----w- c:\program files\Hewlett-Packard
    2012-04-22 10:18 . 2012-04-22 10:18 -------- d-----w- c:\program files\Common Files\Skype
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-04 15:01 . 2011-05-31 12:43 472864 ----a-w- c:\windows\system32\deployJava1.dll
    2012-04-29 07:12 . 2012-03-31 05:41 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-04-29 07:12 . 2011-06-09 14:06 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-04 07:56 . 2010-11-29 14:02 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-01 11:01 . 2007-07-27 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2007-07-27 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2007-07-27 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2007-07-27 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2007-07-27 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2007-07-27 12:00 385024 ------w- c:\windows\system32\html.iec
    2012-02-15 13:02 . 2008-04-07 09:54 139488 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2012-02-15 13:02 . 2009-04-04 03:20 270776 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2012-02-15 13:02 . 2008-04-07 09:54 270776 ----a-w- c:\windows\system32\PnkBstrB.exe
    2012-02-15 12:51 . 2008-04-07 09:54 270776 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2012-02-14 12:47 . 2008-04-07 09:54 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
    2012-02-14 12:20 . 2010-11-29 15:33 682280 ----a-w- c:\windows\system32\pbsvc.exe
    2011-12-01 12:06 . 2011-05-12 12:59 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-03-12 12:07 1869152 ----a-w- c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-03-12 1869152]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-02-29 17148552]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]
    "LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-02 262144]
    "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    "SAOB Monitor"="c:\program files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe" [2010-11-15 2536448]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2011-02-01 5546376]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2011-02-01 390720]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
    "vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-03-12 982880]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-19 928096]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-11-25 98304]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    c:\documents and settings\Goran\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    OneNote 2007 Screen Clipper and Launcher.lnk.disabled [2011-5-15 951]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
    HP Digital Imaging Monitor.lnk.disabled [2008-3-12 1812]
    Kodak EasyShare software.lnk.disabled [2011-9-10 1841]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLinkedConnections"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-15 113024]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0auto_reactivate \\?\Volume{26BD304E-C934-11DC-B644-806D6172696F}\bootwiz\asrm.bin\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    "Uniblue SpeedUpMyPC"=
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    "CTFMON.EXE"=c:\windows\system32\ctfmon.exe
    "DriverScanner"="c:\program files\Uniblue\DriverScanner\launcher.exe" delay 20000
    "ALLUpdate"="c:\program files\ALLPlayer\ALLUpdate.exe" "sleep"
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe"
    "SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    "PeerBlock"=c:\program files\PeerBlock\peerblock.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "Alcmtr"=ALCMTR.EXE
    "36X Raid Configurer"=c:\windows\system32\xRaidSetup.exe boot
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
    "JMB36X IDE Setup"=c:\windows\RaidTool\xInsIDE.exe
    "LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
    "RTHDCPL"=RTHDCPL.EXE
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe"
    "<NO NAME>"=
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "LogitechVideo[inspector]"=c:\program files\Logitech\Video\InstallHelper.exe /inspect
    "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
    "McAfee Backup"=c:\program files\McAfee\MBK\McAfeeDataBackup.exe
    "mcagent_exe"=c:\program files\McAfee.com\Agent\mcagent.exe /runkey
    "McENUI"=c:\progra~1\McAfee\MHN\McENUI.exe /hide
    "MBkLogOnHook"=c:\program files\McAfee\MBK\LogOnHook.exe
    "GameFace Messenger"=c:\program files\GameFace Messenger\GameFace.exe
    "UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\program files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\8.0"
    "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe"
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\VoipStunt.com\\VoipStunt\\VoipStunt.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\World of Warcraft\\Repair.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Xfire\\Xfire.exe"=
    "c:\\Program Files\\Xfire\\xfire_exception.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
    "c:\\Program Files\\Codemasters\\OF Dragon Rising\\OFDR.exe"=
    "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
    "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\World of Warcraft\\wow-4.2.1.2736-enUS-tools-downloader.exe"=
    "c:\\Documents and Settings\\Goran\\Local Settings\\Apps\\2.0\\NNZXODTC.Z36\\L0EJW5YD.ZPE\\curs..tion_eee711038731a406_0004.0000_2bd39706d04e72c8\\CurseClient.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "3587:TCP"= 3587:TCP:*:Disabled:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "25999:TCP"= 25999:TCP:*:Disabled:cs.xfire.com
    "6112:TCP"= 6112:TCP:Blizzard Downloader
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "585:TCP"= 585:TCP:outlook send
    "443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
    "37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
    "37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
    "37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13-Sep-2010 4:27 PM 23120]
    R0 AvgRkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07-Sep-2010 3:48 AM 32592]
    R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [26-Apr-2011 4:09 PM 752128]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07-Sep-2010 3:48 AM 230608]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [07-Sep-2010 3:49 AM 295248]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [18-Feb-2010 2:25 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11-May-2010 2:41 AM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [30-Jun-2010 1:48 AM 116608]
    R2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [26-Apr-2011 4:09 PM 3246040]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12-Oct-2011 6:25 AM 4433248]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02-Aug-2011 6:09 AM 192776]
    R2 GS In-Game Service;GS In-Game Service;c:\program files\GameTracker\GSInGameService.exe [10-Nov-2011 7:49 AM 1677072]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [22-Apr-2011 8:21 PM 92592]
    R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [12-Mar-2012 8:07 PM 918880]
    R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [26-Apr-2011 4:09 PM 167968]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [13-Feb-2012 6:57 PM 101904]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19-Aug-2010 9:42 PM 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19-Aug-2010 9:42 PM 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19-Aug-2010 9:42 PM 16720]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S1 SpyEmrg;Spy Emergency Driver;c:\windows\system32\Drivers\spyemrg.sys --> c:\windows\system32\Drivers\spyemrg.sys [?]
    S2 gupdate1c9891f144d5a58;Google Update Service (gupdate1c9891f144d5a58);c:\program files\Google\Update\GoogleUpdate.exe [07-Feb-2009 8:24 PM 133104]
    S2 KMService;KMService;c:\windows\system32\srvany.exe [10-May-2011 8:30 PM 8192]
    S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [29-Feb-2012 8:50 AM 158856]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [31-Mar-2012 1:41 PM 253088]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [03-Sep-2009 11:41 PM 8704]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [03-Sep-2009 11:41 PM 3072]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [07-Feb-2009 8:24 PM 133104]
    S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14-Jan-2008 6:06 PM 21632]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [27-Jul-2007 8:00 PM 14336]
    S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [18-Jan-2010 7:53 AM 19056]
    S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
    S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [18-May-2011 10:34 PM 25088]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [17-Jul-2008 10:01 PM 716272]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-12 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 07:12]
    .
    2012-05-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:57]
    .
    2012-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-07 12:24]
    .
    2012-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-07 12:24]
    .
    2010-04-15 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 07:07]
    .
    2012-05-12 c:\windows\Tasks\User_Feed_Synchronization-{BC336FD9-D90D-4E58-9AC1-660635137860}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 20:31]
    .
    2009-04-22 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 14:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    IE: &Enviar para o OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki...
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Goran\Start Menu\Programs\IMVU\Run IMVU.lnk
    IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
    Trusted Zone: windowslivehelp.com\www
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{5D7EA95F-613D-4920-A9D9-744B04D456C7}: NameServer = 192.168.1.1,198.168.1.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
    FF - ProfilePath - c:\documents and settings\Goran\Application Data\Mozilla\Firefox\Profiles\io5uagfw.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4c9dba95&v=6.010.023.001&i=23&tp=ab&iy=&ychte=au&lng=en-US&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-12 17:52
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{488B7D68-9D12-06B4-21B5-4586810284C2}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1356)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    - - - - - - - > 'explorer.exe'(6152)
    c:\windows\system32\WININET.dll
    c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mslbui.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\hnetcfg.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\progra~1\AVG\AVG2012\avgrsx.exe
    c:\program files\AVG\AVG2012\avgcsrvx.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\ATKKBService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Maxtor\Sync\SyncServices.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\PnkBstrA.exe
    c:\program files\CyberLink\Shared files\RichVideo.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\AVG\AVG2012\avgnsx.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\MI3AA1~1\rapimgr.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-05-12 17:58:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-05-12 09:58
    ComboFix2.txt 2012-05-08 16:17
    .
    Pre-Run: 46,176,477,184 bytes free
    Post-Run: 46,182,801,408 bytes free
    .
    - - End Of File - - 361ABA1800A736E86A76AF979BFD482E


    Thank You oldman960

  10. #30
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi JonDou,

    Good job.

    How's the computer?

    uTorrent
    You have uTorrent, a P2P/file sharing program, installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it. It's not the program itself that is the problem but what can be downloaded with it, usually from an unknown source.

    References for the risk of these programs can be found in these links:
    http://www.microsoft.com/windows/ie/commun...protection.mspx

    http://www.internetworldstats.com/articles/art053.htm://http://www.techweb.com/wire/1605005...cles/art053.htm

    I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

    If you wish to keep it, please do not use it until your computer is cleaned.



    You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

    Open MBAM

    • Click the Update tab
    • Click Check for Updates
    • If an update is found, it will download and install the latest version.
    • The program will close to update and reopen.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Please post back with
    • MBAM log
    Member of UNITE and ASAP
