
Malwarebytes

Browser re-directs/rogue-installer prompts. Here's my log.


19 replies to this topic

#1
Manick2005

    New Member

  • Members
  • 21 posts
With the full version of MBAM I got rid of most of the threats that I discovered and monitored except for one left over pest that won't allow me to view any anti-malware related website. It automatically re-directs me somewhere else random and usually prompts me to install antivirus 360 (however I never clicked to install it). Even after several scans it did not detect anything and I made sure to update as well.



Malwarebytes' Anti-Malware 1.34
Database version: 1772
Windows 5.1.2600 Service Pack 2


2/17/2009 10:47:48 PM
mbam-log-2009-02-17 (22-47-48).txt

Scan type: Quick Scan
Objects scanned: 66686
Time elapsed: 2 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:48 PM, on 2/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\RocketDock\ObjectDock\Docklets\KkMenu\KkTrayServer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.4chan.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [mspy2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [1A:KkTrayServer] "C:\Program Files\RocketDock\ObjectDock\Docklets\KkMenu\KkTrayServer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Rainlendar2] "C:\Program Files\Rainlendar2\Rainlendar2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - S-1-5-18 Startup: DsktpListView.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: UltraMon.exe.lnk = C:\Program Files\UltraMon\UltraMon.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: DsktpListView.exe (User 'Default user')
O4 - .DEFAULT Startup: UltraMon.exe.lnk = C:\Program Files\UltraMon\UltraMon.exe (User 'Default user')
O4 - Startup: DsktpListView.exe
O4 - Startup: UltraMon.exe.lnk = C:\Program Files\UltraMon\UltraMon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalga...ffyLauncher.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7823 bytes


Thank you in advance for all of your hard work. This great program has saved me from infections 3 times in the past and almost a 4th time, but I just need this one last trace off and I think I'll be clear.

#2
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
Well it's a little disconcerting that this is your 4th time back here. Doesn't sound like you practice safe surfing or you're not paying attention to keeping your Security software up to date as evidenced by XP SP2 - it has been at SP3 now for a long time.

Please run this tool, make sure you disable your Anti-Virus so that it does not stop or interfere with the scan process.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
Ron Lewis
Manager, Online Support


Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#3
Manick2005

    New Member

  • Members
  • 21 posts
Hey, I'm worried too; however, I don't think it's anything out of the ordinary that can't be fixed. I think you misunderstood something though. I have been resourceful enough on my own to rid myself of the majority of the previous infections up till this point, which would include me practicing safe surfing as you say. So it's not like I've come to this forum asking for help 3 times previously and am still infected.

I do not know how or if this is really why I was initially infected yesterday, but I can only make the connection through this correlation. The infection probably happened because I had my Windows firewall off, my live scanners off, and my popup blocker off while being idle online. However, doing all of that was necessary for reasons I won't bother you with the details of. The initial infection happened while I was merely AFK, with two trusted websites opened in my browser, because when I came back I saw half a dozen new popup windows opened, including an installation window for a rogue antispyware program (which may have finished automatically installing, without my consent or knowledge, unfortunately). And I can't be sure if I ever got it off 100% the previous 3 times even though I followed many self-help steps.

But my point is that I could, if you want, provide even further information about the current and previous infections if it will be helpful in the diagnosis. After all, I would like to be able to do what I can on my own so I can know what to do for future cases and have countermeasures readily available. Before I posted my first message, the last thing I did was actually do a ComboFix scan (I've had it installed for a while now), and I have the log from yesterday if you want to see it.

However, after I came back this evening from classes, the infection grew worse even though I had all of my protection on, logged off windows, and presumably quarantined most of the problem from last night. As a result, my MBAM log obviously looks quite a bit different now, as well as my HJT and Combofix log.

------------------------------------------------------------------------------------------------------------------------------------
Here are the new results of the most recent quick MBAM scan after re-infection

Malwarebytes' Anti-Malware 1.34
Database version: 1778
Windows 5.1.2600 Service Pack 2

2/18/2009 7:13:12 PM
mbam-log-2009-02-18 (19-13-12).txt

Scan type: Quick Scan
Objects scanned: 67554
Time elapsed: 2 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xlmocmxc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vxvwopod.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Charles\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\xlmocmxc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\vxvwopod.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\jzbrbmbq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.



------------------------------------------------------------------------------------------------------------------------------------
New HJT log after MBAM scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:51 PM, on 2/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\RocketDock\ObjectDock\Docklets\KkMenu\KkTrayServer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.4chan.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [mspy2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [1A:KkTrayServer] "C:\Program Files\RocketDock\ObjectDock\Docklets\KkMenu\KkTrayServer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Rainlendar2] "C:\Program Files\Rainlendar2\Rainlendar2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Charles\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Charles\reader_s.exe (User 'Default user')
O4 - S-1-5-18 Startup: DsktpListView.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: UltraMon.exe.lnk = C:\Program Files\UltraMon\UltraMon.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: DsktpListView.exe (User 'Default user')
O4 - .DEFAULT Startup: UltraMon.exe.lnk = C:\Program Files\UltraMon\UltraMon.exe (User 'Default user')
O4 - Startup: DsktpListView.exe
O4 - Startup: UltraMon.exe.lnk = C:\Program Files\UltraMon\UltraMon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalga...ffyLauncher.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7731 bytes



------------------------------------------------------------------------------------------------------------------------------------
New Combofix log after MBAM scan

ComboFix 09-02-17.02 - Charles 2009-02-18 19:23:53.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2814.2339 [GMT -6:00]
Running from: c:\documents and settings\Charles\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\config\systemprofile\reader_s.exe
c:\windows\system32\d3d8caps.dat
c:\windows\system32\drivers\ntndis.sys

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.

2009-02-18 19:00 . 2009-02-18 19:00 0 --a------ c:\windows\system32\12.tmp
2009-02-18 19:00 . 2009-02-18 19:00 0 --a------ c:\windows\system32\11.tmp
2009-02-18 18:59 . 2009-02-18 18:59 0 --a------ c:\windows\system32\10.tmp
2009-02-18 16:04 . 2006-02-14 18:22 142,464 --a------ c:\windows\system32\drivers\aec.sys.bak
2009-02-18 12:12 . 2009-02-18 12:14 163,748 --a------ c:\windows\system32\19.tmp
2009-02-18 12:11 . 2009-02-18 12:12 24,577 --a------ c:\windows\system32\17.tmp
2009-02-18 12:11 . 2009-02-18 12:11 128 --a------ c:\windows\system32\16.tmp
2009-02-17 22:21 . 2009-02-17 22:27 <DIR> d-------- c:\program files\Enigma Software Group
2009-02-17 17:58 . 2009-02-17 17:58 <DIR> d-------- C:\VundoFix Backups
2009-02-17 15:59 . 2007-05-02 03:01 49,265 --a------ c:\windows\system32\jpicpl32.cpl
2009-02-17 15:24 . 2009-02-17 15:24 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 18:00 . 2002-02-15 14:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-16 17:59 . 2009-02-16 18:28 <DIR> d-------- c:\windows\system32\inf
2009-02-14 20:52 . 2009-02-14 20:52 <DIR> d--hs---- C:\found.000
2009-02-10 18:50 . 2009-02-10 18:50 <DIR> d-------- c:\program files\Rainlendar2
2009-02-10 18:50 . 2009-02-18 19:35 <DIR> d-------- c:\documents and settings\Charles\.rainlendar2
2009-02-08 22:11 . 2009-02-08 22:11 <DIR> d-------- c:\program files\Steinberg
2009-02-08 13:56 . 2009-02-08 22:15 <DIR> d-------- c:\program files\VOCALOID2
2009-02-08 13:08 . 2009-02-08 13:08 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-02-07 12:04 . 2009-02-13 18:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-07 12:04 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-07 12:04 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-05 21:19 . 2008-07-10 18:28 79,896 --a------ c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-02-05 21:19 . 2008-07-10 18:28 50,200 --a------ c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2009-02-05 21:18 . 2009-02-05 21:18 <DIR> d-------- c:\windows\system32\RsFx
2009-02-05 20:06 . 2009-02-05 21:18 <DIR> d-------- c:\program files\Microsoft SQL Server
2009-02-05 20:04 . 2009-02-05 21:17 <DIR> d-------- c:\program files\Microsoft.NET
2009-02-05 20:04 . 2009-02-05 20:05 <DIR> d-------- c:\program files\Microsoft Visual Studio 9.0
2009-02-05 20:04 . 2009-02-05 20:04 <DIR> d-------- c:\program files\Common Files\Merge Modules
2009-02-05 20:04 . 2009-02-05 20:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-05 20:03 . 2009-02-05 20:03 <DIR> d-------- c:\program files\Microsoft SDKs
2009-02-04 19:54 . 2009-02-04 19:54 <DIR> d-------- C:\Dell
2009-02-03 17:23 . 2009-02-06 20:04 <DIR> d-------- c:\documents and settings\Charles\Application Data\foobar2000
2009-02-03 17:22 . 2009-02-03 17:22 <DIR> d-------- c:\program files\foobar2000
2009-02-02 08:50 . 2009-02-02 08:50 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-29 22:47 . 2009-01-29 22:47 <DIR> d-------- c:\program files\Adobe Media Player
2009-01-29 22:43 . 2009-01-29 22:43 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-26 08:01 . 2009-01-26 08:07 <DIR> d-------- c:\program files\ComboFix
2009-01-25 20:28 . 2009-01-25 20:28 <DIR> d-------- c:\program files\Alwil Software
2009-01-25 20:27 . 2009-01-25 20:27 <DIR> d-------- c:\program files\Tools
2009-01-25 20:27 . 2009-02-04 19:37 <DIR> d-------- c:\program files\Setup
2009-01-20 21:21 . 2009-01-20 22:36 136 --a------ c:\windows\TrayServerData.ini
2009-01-19 23:33 . 2009-01-19 23:33 <DIR> d-------- c:\documents and settings\Charles\Application Data\DonationCoder
2009-01-19 23:33 . 2009-01-19 23:33 46 --a------ c:\windows\system32\DonationCoder_desktopcoral_InstallInfo.dat
2009-01-19 15:38 . 2009-01-19 15:41 27 --a------ c:\windows\SDAddressBox16827d0561119.ini
2009-01-19 15:37 . 2009-01-19 15:37 7,852 --a------ c:\windows\system32\mcdmsg7.dll
2009-01-19 14:18 . 2009-01-19 14:18 7,840 --a------ c:\windows\system32\mcdmsg5.dll
2009-01-19 11:24 . 2009-01-19 11:30 <DIR> d-------- c:\documents and settings\Charles\Application Data\Stardock
2009-01-19 11:24 . 2009-01-19 11:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Stardock
2009-01-19 11:24 . 2009-01-19 11:24 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{CC8D4389-E989-40EE-AF09-2330B1EE8BF7}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 01:35 --------- d-----w c:\program files\DNA
2009-02-19 01:35 --------- d-----w c:\documents and settings\Charles\Application Data\DNA
2009-02-18 18:21 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-18 18:13 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-18 02:42 --------- d-----w c:\documents and settings\Charles\Application Data\Hamachi
2009-02-17 21:59 --------- d-----w c:\program files\Java
2009-02-16 21:12 --------- d-----w c:\documents and settings\Charles\Application Data\BitTorrent
2009-02-09 04:14 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-07 17:58 --------- d-----w c:\program files\Common Files\Adobe
2009-02-07 17:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-07 17:52 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-06 23:20 --------- d-----w c:\program files\RocketDock
2009-02-06 02:16 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-02-05 01:37 --------- d-----w c:\program files\polytrans
2009-02-05 01:37 --------- d-----w c:\program files\pebuilder3110a
2009-02-05 01:37 --------- d-----w c:\program files\Metaseq
2009-02-05 01:37 --------- d-----w c:\program files\DivX
2009-02-02 06:05 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-30 13:24 --------- d-----w c:\program files\NCH Swift Sound
2009-01-26 02:28 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-25 20:45 --------- d-----w c:\program files\TEATIME
2009-01-23 04:54 --------- d-----w c:\documents and settings\Charles\Application Data\Winamp
2009-01-22 04:52 --------- d-----w c:\program files\AutoCAD 2008
2009-01-21 04:38 --------- d-----w c:\program files\Common Files\Stardock
2009-01-19 18:25 --------- d-----w c:\program files\Rainmeter
2009-01-19 17:29 --------- d-----w c:\program files\Stardock
2009-01-18 02:04 --------- d-----w c:\program files\Vstplugins
2009-01-17 21:22 --------- d-----w c:\program files\Autodesk
2009-01-16 17:20 6,216,032 ----a-w C:\windowsupdateagent30-x86.exe
2009-01-16 17:20 3,038 ----a-w C:\fix_svchost.bat
2009-01-16 17:20 1,266,056 ----a-w C:\WindowsXP-KB927891.exe
2009-01-16 05:41 --------- d-----w c:\program files\CCleaner
2009-01-15 02:42 90,112 ----a-w c:\windows\ST6UNST.EXE
2009-01-15 02:42 270,336 ------w c:\windows\Setup1.exe
2009-01-14 22:58 --------- d-----w c:\documents and settings\Charles\Application Data\360desktop
2009-01-14 20:43 --------- d-----w c:\documents and settings\Charles\Application Data\OtakuSoftware
2009-01-14 06:03 --------- d-----w c:\program files\UltraMon
2009-01-14 05:41 34,760 ----a-w c:\windows\system32\drivers\Partizan.sys
2009-01-14 02:12 --------- d-----w c:\documents and settings\Charles\Application Data\SUPERAntiSpyware.com
2009-01-14 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-09 03:55 --------- d-----w c:\program files\Common Files\Nero
2009-01-09 03:53 --------- d-----w c:\program files\Common Files\Ahead
2009-01-09 03:53 --------- d-----w c:\program files\Ahead
2009-01-07 14:55 --------- d-----w c:\program files\Western Digital Technologies
2009-01-07 14:55 --------- d-----w c:\program files\Western Digital
2009-01-06 03:52 --------- d-----w c:\program files\Unlocker
2009-01-04 18:24 --------- d-----w c:\program files\Combined Community Codec Pack
2009-01-04 15:07 --------- d-----w c:\documents and settings\Charles\Application Data\cucusoft
2009-01-03 20:17 --------- d-----w c:\documents and settings\Charles\Application Data\Uniblue
2009-01-01 15:27 --------- d-----w c:\program files\Logitech
2009-01-01 15:27 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-12-31 03:53 --------- d-----w c:\program files\Samurize
2008-12-30 23:39 1,266,056 ----a-w c:\program files\WindowsXP-KB927891.exe
2008-12-30 23:28 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-29 15:13 --------- d-----w c:\program files\7-Zip
2008-12-29 01:28 78,240 ----a-w c:\windows\system32\drivers\FILEM701.SYS
2008-12-27 22:47 --------- d-----w c:\program files\Common Files\BitDefender
2008-12-27 01:32 --------- d-----w c:\documents and settings\Charles\Application Data\Styler
2008-12-26 02:06 --------- d-----w c:\program files\Tunatic
2008-12-26 02:03 --------- d-----w c:\program files\Sony
2008-12-26 02:03 --------- d-----w c:\program files\Fraps
2008-12-26 02:00 --------- d-----w c:\program files\Ventrilo
2008-12-26 01:58 --------- d-----w c:\program files\Winamp
2008-04-13 05:54 22,328 ----a-r c:\documents and settings\Charles\Application Data\PnkBstrK.sys
2008-02-18 20:07 16,825 ----a-w c:\program files\Readme.txt
.

------- Sigcheck -------

2008-04-13 13:20 182656 558635d3af1c7546d26067d5d9b6959e c:\windows\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\ndis.sys
2008-04-13 13:20 182656 558635d3af1c7546d26067d5d9b6959e c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
2009-02-18 12:13 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2009-02-18 12:13 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2007-06-13 04:23 1050112 75e9b5067c2158f85f42c379412520c7 c:\windows\explorer.exe
2007-06-13 05:26 1050624 3d10ddc9dd0cbf7a881d0a7aa1c93a33 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2008-04-13 18:12 1050624 6ed9cba80bbebeb3854e0b85cfc0bb98 c:\windows\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\explorer.exe
2008-04-13 18:12 1050624 0424d1da981f357aa946de2a17e80839 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2007-06-13 04:23 1050112 c28d240b09a6394cb068037d68fdd877 c:\windows\system32\dllcache\explorer.exe

2008-04-13 18:12 32256 e1031847a9066a97a5c99596d5f5b71b c:\windows\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\ctfmon.exe
2008-04-13 18:12 32256 477199118b01885b775324b188ccdeb2 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
2004-08-04 06:00 32256 9794af585920b47a0051a23fd1975fce c:\windows\system32\ctfmon.exe
2004-08-04 06:00 32768 876f114181d174cc6e07888100b678e5 c:\windows\system32\dllcache\ctfmon.exe

2005-06-10 18:17 74752 1a22d3d48a37889f260e56373a4e7826 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2008-04-13 18:12 74752 d4f57c08fd0b6b5071f6a8d375f4092a c:\windows\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\spoolsv.exe
2008-04-13 18:12 74752 d71ec8adf5f8a924f0e53bab3ac3d237 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2005-06-10 17:53 74752 c75b8721a32b78ef59291f6239898c9e c:\windows\system32\spoolsv.exe
2005-06-10 17:53 75264 399e8717d8ba18041a108cd5be8c22c7 c:\windows\system32\dllcache\spoolsv.exe

2008-04-13 18:12 43008 f193cd3ad0d2f1dc0f97125dd7f23b98 c:\windows\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\userinit.exe
2008-04-13 18:12 43008 0ffadb5813f953038aab6e432c58aa78 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2004-08-04 06:00 41472 a8c080c9bdaed994bf56f63920789921 c:\windows\system32\userinit.exe
2004-08-04 06:00 41984 869877499acf1b4a3d4bc6ea533364e2 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-02-17_18.32.46.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 02:02:28 184,320 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 02:02:28 183,808 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 14:00:00 97,308 ----a-w c:\windows\grep.exe
+ 2000-08-31 14:00:00 97,820 ----a-w c:\windows\grep.exe
- 2000-08-31 14:00:00 116,224 ----a-w c:\windows\sed.exe
+ 2000-08-31 14:00:00 115,712 ----a-w c:\windows\sed.exe
+ 2001-07-14 23:32:24 69,632 ----a-w c:\windows\setupupd\temp\wsdueng.dll
- 2000-08-31 14:00:00 179,200 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 14:00:00 179,712 ----a-w c:\windows\SWREG.exe
- 2000-08-31 14:00:00 155,136 ----a-w c:\windows\SWSC.exe
+ 2000-08-31 14:00:00 154,624 ----a-w c:\windows\SWSC.exe
- 2000-08-31 14:00:00 229,888 ----a-w c:\windows\SWXCACLS.exe
+ 2000-08-31 14:00:00 229,376 ----a-w c:\windows\SWXCACLS.exe
- 2009-02-18 00:28:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-19 01:34:02 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-18 18:13:14 16,384 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
- 2009-02-18 00:28:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-19 01:34:02 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-18 22:01:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009021820090219\index.dat
- 2009-02-18 00:28:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-19 01:34:02 180,224 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2000-08-31 14:00:00 73,284 ----a-w c:\windows\VFIND.exe
+ 2000-08-31 14:00:00 72,548 ----a-w c:\windows\VFIND.exe
- 2000-08-31 14:00:00 84,992 ----a-w c:\windows\zip.exe
+ 2000-08-31 14:00:00 85,504 ----a-w c:\windows\zip.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 516096]
"1A:KkTrayServer"="c:\program files\RocketDock\ObjectDock\Docklets\KkMenu\KkTrayServer.exe" [2006-03-28 125440]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32256]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 221184]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2008-08-24 4087808]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1711616]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 507336]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-02 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"nwiz"="c:\windows\system32\nwiz.exe" [2008-05-16 1650688]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-02-11 399504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 472064]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 472064]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 176128]
"mspy2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 84408]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 229432]
"Kernel and Hardware Abstraction Layer"="c:\windows\KHALMNPR.EXE" [2008-02-29 76304]

c:\documents and settings\Charles\Start Menu\Programs\Startup\
DsktpListView.exe [2001-04-23 33792]
UltraMon.exe.lnk - c:\program files\UltraMon\UltraMon.exe [2008-09-29 749056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-29 805392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-13 23:04 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\SINS_Launcher.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\NVIDIA Corporation\\nTune\\nTuneService.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"86:TCP"= 86:TCP:BroadCam Web Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-02-07 179856]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2008-09-14 10496]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-02-07 15504]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-01-13 34760]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-02-19 c:\windows\Tasks\iklmlnts.job
- c:\windows\system32\jkkIYpoP.dll []

2009-02-18 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Charles.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-02-11 10:19]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-reader_s - c:\documents and settings\Charles\reader_s.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.4chan.org
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Search
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
FF - ProfilePath - c:\documents and settings\Charles\Application Data\Mozilla\Firefox\Profiles\0qrhfdmb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.4chan.org/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 19:35:06
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-839522115-725345543-1003\Software\KISS-MA\K0Y0_0€0&W0Y0_0A0 *-*J0Œ0a0“0n0D0D0j0Š0-*]
"InstallPath"="c:\\Program Files\\KISS-MA\\????????\\"
"DskSht"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1104)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\vssvc.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-02-18 19:38:59 - machine was rebooted [Charles]
ComboFix-quarantined-files.txt 2009-02-19 01:38:52
ComboFix2.txt 2009-02-18 03:52:21
ComboFix3.txt 2009-02-18 00:33:43
ComboFix4.txt 2009-01-26 14:07:24
ComboFix5.txt 2009-02-19 01:18:30

Pre-Run: 55,330,648,064 bytes free
Post-Run: 55,321,743,360 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
387



-------------------------------------------------------------------------------------------------------------------------------------


PS

I am without SP3 still because of the bad feedback it got after initial release, and because someone close to me had his computer's performance greatly reduced since the service pack failed to fully install. If you say updating to SP3 for security updates will be crucial to the removal and future safety however, I will update. Also, the new infection was so bad, that just by being connected to the router, everyone in the household would lose connection. Not just that, but I had to re-install Combofix to the desktop because it could not find all the necessary files to load.

#4
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
No problem, I took it that you meant you'd been here for log scan/remove 3 times before.

Okay #1 DO NOT, I repeat DO NOT run Combofix on your own without knowing when and why to run it. It can potentially remove all the files and folders in your System32 folder, which would render the box completely useless.

I'm sure you noticed in the CF log that these files are infected.
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!


Normally CF would attempt to replace them if it could find a clean copy of them on the box; in this case that was not to be.

So, you're now stuck and we'll have to try a couple other methods to try to fix this.
NOTE: You should remove this computer from the network and don't allow other computers to be on a network with it until it's cleaned.
If you've been using a USB drive to move files back and forth, you need to scan and verify that any other system is clean, as some malware/viruses target USB drives on purpose. If the other system is clean, you should scan the USB drive as well.

Okay, back to the infected system. Please download and burn this CD and run it on the infected one.


Avira AntiVir Rescue System
Requires access to a working computer with a CD/DVD burner to create a bootable CD.
  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings
The Avira AntiVir Rescue System is a Linux-based application that allows access to computers that cannot be booted anymore, and it is updated several times a day so that the most recent security updates are always available.

Screen resolution problems
Please see the post here if you're unable to view the entire screen of Avira.
Ron Lewis
Manager, Online Support


Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
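The Sigcheck section of the ComboFix log above lists MD5s for several copies of each system binary, and the three files flagged as infected are exactly those whose running copy does not hash like the copy in dllcache. The following is an added example (editor's code, not ComboFix's or Malwarebytes'): it parses Sigcheck-style lines taken from that log and reports which files have no matching reference copy. It assumes the dllcache copy is the reference, which ComboFix evidently could not confirm on this box, so a match only means the two copies agree, not that either one is clean.

```python
"""Compare the running copy of a Windows system binary with its dllcache copy,
using Sigcheck-style lines in the format ComboFix writes them.

Added example: the sample lines are taken from the ComboFix log on this page;
the parsing and comparison logic is the editor's, not ComboFix's.
"""
import re
from collections import defaultdict

# Sample input constructed from the Sigcheck section of the ComboFix log above.
# Raw string: the paths contain backslash sequences such as \n and \s.
SIGCHECK_SAMPLE = r"""
2009-02-18 12:13 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2009-02-18 12:13 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2007-06-13 04:23 1050112 75e9b5067c2158f85f42c379412520c7 c:\windows\explorer.exe
2007-06-13 05:26 1050624 3d10ddc9dd0cbf7a881d0a7aa1c93a33 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2008-04-13 18:12 1050624 6ed9cba80bbebeb3854e0b85cfc0bb98 c:\windows\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\explorer.exe
2007-06-13 04:23 1050112 c28d240b09a6394cb068037d68fdd877 c:\windows\system32\dllcache\explorer.exe

2004-08-04 06:00 32256 9794af585920b47a0051a23fd1975fce c:\windows\system32\ctfmon.exe
2004-08-04 06:00 32768 876f114181d174cc6e07888100b678e5 c:\windows\system32\dllcache\ctfmon.exe

2005-06-10 17:53 74752 c75b8721a32b78ef59291f6239898c9e c:\windows\system32\spoolsv.exe
2005-06-10 17:53 75264 399e8717d8ba18041a108cd5be8c22c7 c:\windows\system32\dllcache\spoolsv.exe

2004-08-04 06:00 41472 a8c080c9bdaed994bf56f63920789921 c:\windows\system32\userinit.exe
2004-08-04 06:00 41984 869877499acf1b4a3d4bc6ea533364e2 c:\windows\system32\dllcache\userinit.exe
"""

# One Sigcheck line: date, time, size, MD5, full path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-f]{32}) (?P<path>.+)$"
)

# Directories holding staged, backup or cache copies rather than the copy Windows runs.
STAGING_DIRS = ("\\dllcache\\", "\\softwaredistribution\\", "\\$hf_mig$\\")


def parse_sigcheck(text):
    """Return one dict per Sigcheck line: date, time, size (int), md5, path."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            entries.append(e)
    return entries


def compare_to_dllcache(entries):
    """Group entries by file name; compare the running copy with the dllcache copy.

    Status is 'match', 'MISMATCH', or 'no-reference' when either copy is absent.
    A match only says the two copies agree, not that either copy is clean.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)

    report = {}
    for name, copies in by_name.items():
        ref = next((c for c in copies if "\\dllcache\\" in c["path"].lower()), None)
        live = next((c for c in copies
                     if not any(d in c["path"].lower() for d in STAGING_DIRS)), None)
        if ref is None or live is None:
            status = "no-reference"
        elif live["md5"] == ref["md5"]:
            status = "match"
        else:
            status = "MISMATCH"
        report[name] = {
            "status": status,
            "live_md5": live["md5"] if live else None,
            "ref_md5": ref["md5"] if ref else None,
            "live_size": live["size"] if live else None,
            "ref_size": ref["size"] if ref else None,
        }
    return report


def mismatched_files(report):
    """Sorted names whose running copy does not hash like the dllcache copy."""
    return sorted(n for n, r in report.items() if r["status"] == "MISMATCH")


if __name__ == "__main__":
    rep = compare_to_dllcache(parse_sigcheck(SIGCHECK_SAMPLE))
    for name in sorted(rep):
        r = rep[name]
        print(f"{name:14} {r['status']:12} live={r['live_md5']} ref={r['ref_md5']}")
    print("needs a clean copy from outside the box:", mismatched_files(rep))
```

The four mismatches include ctfmon.exe, which the helper's post does not list; with a file infector such as the one Dr.Web names later in the thread, every copy on the box, dllcache included, should be treated as suspect until replaced from known-good media.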

#5
Manick2005

    New Member

  • Members
  • 21 posts
Records: 104
Warnings: 254
Suspect Files: 0 (however it said 2 were suspicious above that which I don't get)

Everything that was detected was renamed instead of deleted.

#6
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
Yes, but unless it was able to REPAIR those files then you're still not set. Can you still log on to the system?

If you can still logon please try to run this AV scanner.

Please download to your Desktop: Dr.Web CureIt
  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab; I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though).
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: Leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Files in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

Ron Lewis
Manager, Online Support


#7
Manick2005

    New Member

  • Members
  • 21 posts
Dr.Web Cureit Log

dsktplistview.exe;c:\documents and settings\charles\start menu\programs\startup;Win32.Virut.56;Cured.;
raysat_3dsmax9_32server.exe;c:\program files\autodesk\3ds max 9\mentalray\satellite;Win32.Virut.56;Cured.;
mdnsresponder.exe;c:\program files\bonjour;Win32.Virut.56;Cured.;
daemon.exe;c:\program files\daemon tools lite;Win32.Virut.56;Cured.;
mbam.exe;c:\program files\malwarebytes' anti-malware;Win32.Virut.56;Cured.;
msmsgs.exe;c:\program files\messenger;Win32.Virut.56;Cured.;
nsvcappflt.exe;c:\program files\nvidia corporation\networkaccessmanager\bin;Win32.Virut.56;Cured.;
nsvcip.exe;c:\program files\nvidia corporation\networkaccessmanager\bin;Win32.Virut.56;Cured.;
ntuneservice.exe;c:\program files\nvidia corporation\ntune;Win32.Virut.56;Cured.;
setup50.exe;c:\program files\outlook express;Win32.Virut.56;Cured.;
rainlendar2.exe;c:\program files\rainlendar2;Win32.Virut.56;Cured.;
kktrayserver.exe;c:\program files\rocketdock\objectdock\docklets\kkmenu;Win32.Virut.56;Cured.;
rocketdock.exe;c:\program files\rocketdock;Win32.Virut.56;Cured.;
ultramon.exe;c:\program files\ultramon;Win32.Virut.56;Cured.;
ultramontaskbar.exe;c:\program files\ultramon;Win32.Virut.56;Cured.;
wmpnetwk.exe;c:\program files\windows media player;Win32.Virut.56;Cured.;
explorer.exe;c:\windows;Win32.Virut.56;Cured.;
imjpmig.exe;c:\windows\ime\imjp8_1;Win32.Virut.56;Cured.;
unregmp2.exe;c:\windows\inf;Win32.Virut.56;Cured.;
alg.exe;c:\windows\system32;Win32.Virut.56;Cured.;
cisvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
clipsrv.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ctfmon.exe;c:\windows\system32;Win32.Virut.56;Cured.;
dllhost.exe;c:\windows\system32;Win32.Virut.56;Cured.;
dmadmin.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ie4uinit.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ieudinit.exe;c:\windows\system32;Win32.Virut.56;Cured.;
imapi.exe;c:\windows\system32;Win32.Virut.56;Cured.;
imscinst.exe;c:\windows\system32\ime\pintlgnt;Win32.Virut.56;Cured.;
tintsetp.exe;c:\windows\system32\ime\tintlgnt;Win32.Virut.56;Cured.;
locator.exe;c:\windows\system32;Win32.Virut.56;Cured.;
logon.scr;c:\windows\system32;Win32.Virut.56;Cured.;
logonuix.exe;c:\windows\system32;Win32.Virut.56;Cured.;
mnmsrvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
msdtc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
msiexec.exe;c:\windows\system32;Win32.Virut.56;Cured.;
nerocheck.exe;c:\windows\system32;Win32.Virut.56;Cured.;
netdde.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ntsd.exe;c:\windows\system32;Win32.Virut.56;Cured.;
nvsvc32.exe;c:\windows\system32;Win32.Virut.56;Cured.;
nwiz.exe;c:\windows\system32;Win32.Virut.56;Cured.;
regsvr32.exe;c:\windows\system32;Win32.Virut.56;Cured.;
rsvp.exe;c:\windows\system32;Win32.Virut.56;Cured.;
rundll32.exe;c:\windows\system32;Win32.Virut.56;Cured.;
scardsvr.exe;c:\windows\system32;Win32.Virut.56;Cured.;
sessmgr.exe;c:\windows\system32;Win32.Virut.56;Cured.;
shmgrate.exe;c:\windows\system32;Win32.Virut.56;Cured.;
smlogsvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
spoolsv.exe;c:\windows\system32;Win32.Virut.56;Cured.;
tlntsvr.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ups.exe;c:\windows\system32;Win32.Virut.56;Cured.;
vssvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
winmgmt.exe;c:\windows\system32\wbem;Win32.Virut.56;Cured.;
wmiapsrv.exe;c:\windows\system32\wbem;Win32.Virut.56;Cured.;
wscntfy.exe;c:\windows\system32;Win32.Virut.56;Cured.;
Setup.exe;C:\3dsmax9Trial;Win32.Virut.56;Cured.;
demo32.exe;C:\3dsmax9Trial\Bin;Win32.Virut.56;Cured.;
Rftmp.exe;C:\3dsmax9Trial\Bin;Win32.Virut.56;Cured.;
setup.exe;C:\3dsmax9Trial\Installs\3dsmax;Win32.Virut.56;Cured.;
backburner.exe;C:\3dsmax9Trial\Installs\support\backburner;Win32.Virut.56;Cured.;
shutdown.exe.XXX;C:\Documents and Settings\All Users\Documents\KKMENU\KKMENU\UTILS;Win32.Virut.56;Cured.;
reader_s.exe.XXX;C:\Documents and Settings\Charles;Trojan.Packed.2352;Deleted.;
WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe;C:\Documents and Settings\Charles\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B};Win32.Virut.56;Cured.;
ARPPRODUCTICON.exe;C:\Documents and Settings\Charles\Application Data\Microsoft\Installer\{6746BEC6-EE67-4173-A2FF-D9A21D8FF27D};Win32.Virut.56;Cured.;
NewShortcut1_6746BEC6EE674173A2FFD9A21D8FF27D_3.exe;C:\Documents and Settings\Charles\Application Data\Microsoft\Installer\{6746BEC6-EE67-4173-A2FF-D9A21D8FF27D};Win32.Virut.56;Cured.;
ARPPRODUCTICON.exe;C:\Documents and Settings\Charles\Application Data\Microsoft\Installer\{769DE07B-3642-4F3A-9F65-E9ED29275531};Win32.Virut.56;Cured.;
NewShortcut1_769DE07B36424F3A9F65E9ED29275531_2.exe;C:\Documents and Settings\Charles\Application Data\Microsoft\Installer\{769DE07B-3642-4F3A-9F65-E9ED29275531};Win32.Virut.56;Cured.;
NewShortcut2_769DE07B36424F3A9F65E9ED29275531_1.exe;C:\Documents and Settings\Charles\Application Data\Microsoft\Installer\{769DE07B-3642-4F3A-9F65-E9ED29275531};Win32.Virut.56;Cured.;
ComboFix.exe.XXX/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Charles\Desktop\ComboFix.exe.XXX/data002;Probably BATCH.Virus;;
ComboFix.exe.XXX/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Charles\Desktop\ComboFix.exe.XXX/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Charles\Desktop;Archive contains infected objects;;
ComboFix.exe.XXX;C:\Documents and Settings\Charles\Desktop;Container contains infected objects;Moved.;
TAHdecrypt.exe;C:\Documents and Settings\Charles\Desktop\DesktopBackup\All 3dcg links\Currently used TAH-TSOdecrypt;Win32.Virut.56;Cured.;
TSOdecrypt.exe;C:\Documents and Settings\Charles\Desktop\DesktopBackup\All 3dcg links\Currently used TAH-TSOdecrypt;Win32.Virut.56;Cured.;
TAHdecrypt.exe;C:\Documents and Settings\Charles\Desktop\DesktopBackup\All 3dcg links\Currently used TAH-TSOdecrypt\sources\ModResolver\Plugin;Win32.Virut.56;Cured.;




----------------------------------------------------------------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:26 PM, on 2/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\RocketDock\ObjectDock\Docklets\KkMenu\KkTrayServer.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Charles\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.4chan.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [mspy2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [1A:KkTrayServer] "C:\Program Files\RocketDock\ObjectDock\Docklets\KkMenu\KkTrayServer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] "C:\Program Files\Rainlendar2\Rainlendar2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Charles\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Charles\reader_s.exe (User 'Default user')
O4 - S-1-5-18 Startup: DsktpListView.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: UltraMon.exe.lnk = C:\Program Files\UltraMon\UltraMon.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: DsktpListView.exe (User 'Default user')
O4 - .DEFAULT Startup: UltraMon.exe.lnk = C:\Program Files\UltraMon\UltraMon.exe (User 'Default user')
O4 - Startup: DsktpListView.exe
O4 - Startup: UltraMon.exe.lnk = C:\Program Files\UltraMon\UltraMon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalga...ffyLauncher.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8045 bytes



PS

I have been using a USB flash drive to transfer files back and forth. However, like you requested, I scanned it using MBAM (installed on my infected computer), which showed no results, and later scanned with Norton using someone else's PC, which also turned up nothing. So it appears to be clean. I have also been downloading the files using a different computer that is on my router, and as you requested I disconnected my PC from the internet.
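The two logs in this post describe the same infection from different angles: Dr.Web lists the files it cured, deleted or moved, and HijackThis lists what autostarts at logon. The script below is an added example, not part of the thread, that parses a constructed subset of both logs (the Dr.Web `name;directory;threat;action;` lines and the HijackThis `O4` entries) and flags autostart entries whose file name matches a detection or which run from a user profile directory, the pattern the `reader_s` entries show.

```python
"""Cross-check Dr.Web result lines against HijackThis O4 autostart entries."""
import ntpath
import re

# Constructed subset of the Dr.Web and HijackThis logs quoted in the post.
DRWEB_LOG = r"""
reader_s.exe.XXX;C:\Documents and Settings\Charles;Trojan.Packed.2352;Deleted.;
ARPPRODUCTICON.exe;C:\Documents and Settings\Charles\Application Data\Microsoft\Installer\{6746BEC6-EE67-4173-A2FF-D9A21D8FF27D};Win32.Virut.56;Cured.;
data002;C:\Documents and Settings\Charles\Desktop;Archive contains infected objects;;
TAHdecrypt.exe;C:\Documents and Settings\Charles\Desktop\DesktopBackup\All 3dcg links\Currently used TAH-TSOdecrypt;Win32.Virut.56;Cured.;
"""

HJT_LOG = r"""
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Charles\reader_s.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RE = re.compile(r'^O4 - (?P<key>[^\s:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# First drive-letter path in the command, up to its .exe/.dll extension
# (handles both quoted and unquoted paths containing spaces).
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll))', re.IGNORECASE)
USER_PROFILE_ROOT = 'c:\\documents and settings\\'


def parse_drweb(text):
    """Each line is name;directory;threat;action; (action may be empty)."""
    records = []
    for line in text.strip().splitlines():
        name, directory, threat, action = line.split(';')[:4]
        records.append({'name': name, 'dir': directory,
                        'threat': threat, 'action': action.rstrip('.')})
    return records


def detected_basenames(records):
    """Lower-cased file names Dr.Web reported, with its .XXX rename suffix removed."""
    names = set()
    for rec in records:
        name = rec['name'].lower()
        if name.endswith('.xxx'):
            name = name[:-4]
        names.add(name)
    return names


def virut_cured_paths(records):
    """Full paths of executables Dr.Web cured of Virut: treat as untrusted, do not back up."""
    return [ntpath.join(r['dir'], r['name']) for r in records
            if r['threat'].startswith('Win32.Virut') and r['action'] == 'Cured']


def parse_hjt_o4(text):
    """Return O4 entries as {key, name, path}; path is None if none was found."""
    entries = []
    for line in text.strip().splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        p = PATH_RE.search(m.group('cmd'))
        entries.append({'key': m.group('key'), 'name': m.group('name'),
                        'path': p.group('path') if p else None})
    return entries


def triage(drweb_text, hjt_text):
    """Return [(entry name, path, reasons)] for O4 autostarts worth a closer look."""
    names = detected_basenames(parse_drweb(drweb_text))
    flagged = []
    for e in parse_hjt_o4(hjt_text):
        if not e['path']:
            continue
        low = e['path'].lower()
        reasons = []
        if ntpath.basename(low) in names:
            reasons.append('file name matches a Dr.Web detection')
        if low.startswith(USER_PROFILE_ROOT):
            reasons.append('autostart runs from a user profile directory')
        if reasons:
            flagged.append((e['name'], e['path'], reasons))
    return flagged


if __name__ == '__main__':
    for name, path, reasons in triage(DRWEB_LOG, HJT_LOG):
        print(f'[{name}] {path}: ' + '; '.join(reasons))
    for path in virut_cured_paths(parse_drweb(DRWEB_LOG)):
        print('Virut-cured (untrusted):', path)
```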

#8
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
DO NOT allow any other computers to be connected on a network or otherwise with this computer.

Your system has the Virut virus which is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

I don't feel there is any point in trying to clean this machine. Sorry to be the bearer of bad news.

If you have any questions please let me know.
Ron Lewis
Manager, Online Support


Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#9
Manick2005

    New Member

  • Members
  • 21 posts
I have planned to reformat anyway so I can install a second hard drive, so this isn't really that big of an issue, but I would like to know if there is any way for me to be able to rescue exe files that I might need which I cannot replace. I made a backup of my entire My Documents folder about a week ago, presumably before the infection, but is there even a way of telling exactly when my exe files started getting infected?

Also, you said I should not backup compressed files (zip/cab/rar), but what about 7z (7 zip)? And do you mean that the virus can reproduce onto new exe files ONLY if I create them into a compressed folder with an exe in it? What if I just make a direct copy of a folder (to an external, 320gb HD) that doesn't possess an infected executable detected by Dr Web?

#10
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
Basically you can copy any files you want, but there is a chance that it is infected, or damaged.

Yes the virus appears to be able to open, infect, and re-archive certain archives. If they were password protected then no it would not be able to affect the files inside an archive.

All I can say is BE CAREFUL so you don't whack the computer again.

Scan with more than one Anti-Virus scanner too.
Ron Lewis
Manager, Online Support


#11
Manick2005

    New Member

  • Members
  • 21 posts
I don't have too many virus scanners beyond the ones you suggested, but which log is the most likely to provide me with a complete list of all infected/damaged files? If not Combofix, Avira, or Dr. Web, then is there another scanner that can give me a more fully complete/accurate log, even if it can't remove it all?

But regardless, let me get this straight just to be sure. Assuming I don't include the already infected/damaged exe files from the virus in a folder I want to archive, I can archive anything I want with 7zip as long as it's password protected, and it won't be able to infect the archive?

And what about my 320gb external HD? Could that have been infected as well, just by being USB connected to my HD?

#12
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
Yes, any drive that was ever connected to that infected box could be infected. You cannot safely create any zip file on the infected system now unless you do it from a well protected system as a slaved drive. If you create them ON the box then they will almost certainly be infected.

Avira and Dr Web both should detect the virus. Dr Web though is not a LIVE protection unless you buy the full one. It's a scanner. The installed AVIRA on a PC should easily detect this virus and stop it from attacking the box it's installed on.

I would assume McAfee, Symantec, NOD32, AVG8 will all detect and stop it IF they are up to date with updates. As a precaution make sure any box you do try to use for backing up data is also backed up in case it does get attacked. My Brother was working on one today that was attacked by Virut and his USB drive got attacked and his other system with Avira alerted and blocked it as soon as he plugged the USB into another system.
Ron Lewis
Manager, Online Support


#13
Manick2005

    New Member

  • Members
  • 21 posts
I don't necessarily know if I was thorough enough, but this is what I did to hopefully quarantine my external HD...

I did two full scans on that drive, and found two infected exe files the first time. I deleted them normally, then looked for any hidden files in the drive and noticed that there were still files in the "recycler" directory that were hidden. I had read earlier that viruses are capable of using the recycler and system hidden folders to restore themselves even after deletion. I deleted them using "Unlocker", which acts like the MBAM file assassin function and permanently deletes files without merely moving them to a bin. However, after deleting them using that method, I did another DrWeb scan just to be sure. Unfortunately, it detected Win32.Virut.56 yet again, but this time on a different and completely new .exe application file. I checked the file's properties and it said it had been created the moment DrWeb found it. I have no way of knowing for sure if I got the virus off for good after I deleted the new cured file, but I somehow doubt it was that easy. Only seconds after I deleted it I ejected my drive.

So before I re-connect it back to my PC after I reformat I want to be 100% sure it isn't still infected, and to do that, I guess I will have to connect it to a PC that has a live virus scanner on it that can handle it. I have a retail version of Spysweeper I can use right now, but are you saying Avira can definitely do it? I didn't actually realize the Avira boot CD I made had a live scanner on it, unless you are talking about a different package of Avira. I did not actually copy any files at all over to any of my external HDs btw after I got infected except for that flash drive, which I will likely format anyway. All I've done is primarily delete stuff and make sure my PC never restarted in the past couple of days.

I just did a quick format and I'm loading Windows atm, and then I will do a full format inside Windows. A friend of mine said it would work better than doing it the other way.

#14
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
Not sure what to tell you at this point because you're doing a lot of different things. I think as you can see this Virus can propagate very fast and without experience you need to be very cautious of it.

Please review this article: Format USB Thumbdrive to NTFS
Then you should also create a blank autorun.inf file in the root of the drive and set a READ ONLY attribute on it. Then change the permissions on it if you can and set a DENY ACCESS to everyone on it. This will prevent the drive from auto running on its own.

You can also run this tool: http://download.bleepingcomputer.com/sUBs/...Disinfector.exe for your flash drives.


If you look in my signature you'll see a link for the Avira Anti-Virus. Though most up to date AV products should detect and block this threat.

Bottom line is, be careful if you're not sure what you're doing -- you don't want to transfer this Virus to another one of your computers and lose that computer too.
Ron Lewis
Manager, Online Support


#15
Manick2005

    New Member

  • Members
  • 21 posts
Here's an update on my progress...

I fully formatted all my internal HDs, updated Windows, turned on firewall, etc...

Then I loaded SAS (pro), MBAM (pro), Webroot Spysweeper with Antivirus (retail), AVG antivirus (free), and started scanning my internal drives. They were mostly clean, except MBAM found an infected registry key (Adaware.MyWebSearch), and deleted it.

Then I downloaded one of the Microsoft PowerTools, TweakUI, for the purpose of turning off autorun on all drives.

After that I plugged in my flash USB and used the disinfector you told me to download on it.

I then plugged in my External HD and started scanning it with Spysweeper Antivirus. It picked up damn near every single exe I had on that drive as W32/Scribble-A. AVG resident shield alerted me of the viruses the moment Spysweeper found and auto-quarantined the viruses, but I figured it would be okay to ignore those warnings. But then it picked up activity in my system folder and blocked it from happening automatically. A little later it detected that the Disinfector I brought over from another computer was infected as well and it deleted it <_<

I then loaded Avira and did a scan on my external drive and it found a couple more infected exe files, and cured/deleted them.

Did one more scan on my C drive and external and found nothing but warnings (confirmed that most warnings were just cookies), and I stopped finding anything at all on all drives.

This is extremely difficult and I'm not even sure if it's completely gone, and there's no indication that my internal drives became re-infected during the quarantine yet. The way this virus is behaving it's sounding like I will be forced to format my external HD as well... However, if I can only reformat one HD at a time, it will just keep spreading anyway, won't it?

#16
Manick2005

    New Member

  • Members
  • 21 posts
Another thing I forgot to add (sorry for the double post) is that I turned off System Restore on all drives. Maybe that will help, because I remember it helping me fight off a variant of Vundo awhile back because it kept exploiting the system restore to reload itself after restarts until I regained control of it.

#17
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
Just a word of warning. You can not have 2 Anti-Virus products installed at the same time. They conflict with each other and could potentially help to allow something to bypass as they fight over who should watch out for stuff.
Webroot Spysweeper with Antivirus (retail)
AVG antivirus (free)


Just my own personal opinion is that recently AVG has not been as good at staying on top of threats as Avira has in the Free AV market.


If you use JAVA, make sure you only have the latest 6b12 on the system. Make sure you have a firewall that supports both inbound and outbound traffic so you can watch what's happening on your Internet connections. Don't just allow everything because it's annoying.


Yes, turning off the SR for now is probably a good idea until you get it under control for certain.
Delete all your temp locations, do FULL SCANS with 2 or more Anti-Virus products.
Run a Disk Check as well.


Free - Live Online Scanning Sites
Ron Lewis
Manager, Online Support


#18
Manick2005

    New Member

  • Members
  • 21 posts
I'd like to keep AVG around as an on demand scanner but I'll stop using its live protection over Avira (I'm not even sure how to turn Avira off anyway, can't find an option to merely shut down the program). The reason why I wanted to try AVG is because they released a confident looking article very recently discussing their progress on diagnosing the Virut virus specifically. But anyway, so far everything is looking to be in fairly good shape and I will soon have all my personal data back on my main drive from my external backups, which I also scanned multiple times using multiple programs.

I would like to ask for your opinion on what you would see as a good 3rd party firewall, because all I've ever used is windows firewall.
And as far as antiviruses are concerned, is it worth subscribing to any of them or should a free one be good enough?

#19
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
Well you can't really use them as On Demand like that. They all use low level drivers that load and run all the time if you have it installed.

If you want an On Demand try using the Dr Web which is a self contained, or one of the Rescue CD ones, but don't have more than 1 installed.
Ron Lewis
Manager, Online Support


#20
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
Ron Lewis
Manager, Online Support
