I ran a system scan and it returned with 2 hits, an infected file and a registry value which were supposed to be deleted upon a reboot, but after the computer restarted and another (and another and another, etc.) scan, the files still persist. I've also tried to delete them both in and out of safe mode, but they were having none of it, so I've decided to just throw my hands up and seek counsel from a computer magician(s). Thanks in advance!
Malwarebytes' Anti-Malware 1.35
Database version: 1942
Windows 5.1.2600 Service Pack 3
4/6/2009 1:42:35 AM
mbam-log-2009-04-06 (01-42-35).txt
Scan type: Full Scan (C:\|)
Objects scanned: 279633
Time elapsed: 46 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rpucuhuqerofib (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\ididopuvonejec.dll (Trojan.Agent) -> Delete on reboot.
------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:26 AM, on 4/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Documents and Settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CSHelper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Rpucuhuqerofib] rundll32.exe "C:\WINDOWS\ididopuvonejec.dll",e
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/gs.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238550114015
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
--
End of file - 8309 bytes
#1
Posted 06 April 2009 - 06:08 AM
#2
Posted 06 April 2009 - 10:18 AM
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#3
Posted 06 April 2009 - 04:52 PM
ComboFix 09-04-04.01 - Steph 2009-04-06 12:41:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2837 [GMT -4:00]
Running from: c:\documents and settings\Steph\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.
2009-04-05 20:38 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-04-05 20:24 . 2009-04-05 20:24 <DIR> d-------- c:\program files\Trend Micro
2009-04-05 19:33 . 2009-04-05 19:33 <DIR> d-------- c:\documents and settings\Administrator
2009-04-05 00:26 . 2009-04-06 12:16 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-04-05 00:26 . 2009-04-06 12:13 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-04-05 00:26 . 2009-04-06 12:13 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-04-05 00:26 . 2009-04-06 12:13 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-04-05 00:14 . 2009-04-05 00:14 <DIR> d-------- c:\documents and settings\Steph\usrusmt2.tmp
2009-04-05 00:08 . 2008-04-14 07:39 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-04-05 00:07 . 2008-04-14 07:42 221,184 --a------ c:\windows\system32\wmpns.dll
2009-04-05 00:07 . 2009-04-05 00:07 749 -rah----- c:\windows\WindowsShell.Manifest
2009-04-05 00:07 . 2009-04-05 00:07 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-04-05 00:07 . 2009-04-05 00:07 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-04-05 00:07 . 2009-04-05 00:07 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-04-05 00:07 . 2009-04-05 00:07 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-04-05 00:07 . 2009-04-05 00:07 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-04-05 00:05 . 2008-04-14 05:42 151,552 --a------ c:\windows\system32\irftp.exe
2009-04-05 00:05 . 2008-04-14 00:24 88,192 --a------ c:\windows\system32\drivers\irda.sys
2009-04-05 00:05 . 2008-04-14 05:41 28,160 --a------ c:\windows\system32\irmon.dll
2009-04-05 00:05 . 2008-04-14 05:42 8,192 --a------ c:\windows\system32\wshirda.dll
2009-04-04 23:59 . 2001-08-17 13:51 18,688 --a------ c:\windows\system32\drivers\irsir.sys
2009-04-04 23:57 . 2009-04-05 00:10 <DIR> d-------- c:\windows\NV9522016.TMP
2009-04-04 23:55 . 2001-08-17 13:51 19,584 --a------ c:\windows\system32\drivers\rasirda.sys
2009-04-04 23:52 . 2004-08-04 07:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2009-04-04 23:52 . 2004-08-04 07:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2009-04-04 23:52 . 2004-08-04 07:00 13,312 --a------ c:\windows\system32\irclass.dll
2009-04-04 23:52 . 2004-08-04 07:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2009-04-04 23:51 . 2009-04-04 23:51 <DIR> d---s---- c:\windows\system32\config\systemprofile\History
2009-04-04 02:00 . 2009-04-04 02:00 <DIR> d-------- c:\program files\MSXML 4.0
2009-04-04 00:34 . 2009-04-04 01:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\PassMark
2009-04-04 00:34 . 2009-03-09 15:27 4,178,264 --a------ c:\windows\system32\D3DX9_41.dll
2009-04-04 00:14 . 2009-04-04 00:14 <DIR> d-------- c:\documents and settings\Steph\Application Data\ImgBurn
2009-04-04 00:13 . 2009-04-04 01:56 <DIR> d-------- c:\program files\ImgBurn
2009-04-03 19:02 . 2009-04-06 00:23 1,318 --a------ c:\windows\Jkayuk.dat
2009-04-03 19:02 . 2009-04-06 00:23 16 --a------ c:\windows\Ovuxaloqet.bin
2009-04-03 19:00 . 2009-04-03 19:00 727,150 --a------ C:\bookmarks.html
2009-03-31 21:43 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-03-31 21:43 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-03-31 21:43 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-03-31 21:43 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-03-29 20:04 . 2009-03-29 20:04 <DIR> d-------- c:\program files\TechSmith
2009-03-29 20:04 . 2009-03-29 20:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\TechSmith
2009-03-24 14:52 . 2006-07-21 10:08 561,152 --a------ c:\windows\system32\snapapi32.dll
2009-03-20 15:41 . 2009-03-20 15:41 <DIR> d-------- c:\program files\PictureCode
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 16:45 --------- d-----w c:\program files\lg_fwupdate
2009-04-06 16:12 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-06 03:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-05 20:44 --------- d-----w c:\program files\Mozilla Thunderbird
2009-04-03 23:03 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-03 04:03 --------- d-----w c:\documents and settings\Steph\Application Data\FileZilla
2009-03-30 00:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-30 00:02 --------- d-----w c:\documents and settings\Steph\Application Data\uTorrent
2009-03-26 20:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 20:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-22 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-19 04:49 --------- d-----w c:\program files\MagicISO
2009-02-18 05:48 --------- d-----w c:\documents and settings\Steph\Application Data\HDRsoft
2009-02-18 05:43 --------- d-----w c:\program files\PhotomatixPro3
2009-02-11 18:40 --------- d-----w c:\documents and settings\Steph\Application Data\dvdcss
2008-12-17 21:59 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 21:59 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 21:59 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 21:59 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 21:59 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-04-06_ 0.16.21.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-05 04:26:52 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2009-04-06 16:13:32 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2008-04-14 11:42:10 159,232 ----a-w c:\windows\uwudanapiqifep.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-01 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-12-01 548864]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2008-08-15 378224]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-06 1932568]
"Rpucuhuqerofib"="c:\windows\uwudanapiqifep.dll" [2008-04-14 159232]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-28 c:\windows\RTHDCPL.EXE]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-06 12:13 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli sctenvc.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, msnsspc.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Electronic Arts\\Burnout Paradise The Ultimate Box\\BurnoutConfigTool.exe"=
"c:\\Program Files\\Electronic Arts\\Burnout Paradise The Ultimate Box\\BurnoutLauncher.exe"=
"c:\\Program Files\\Electronic Arts\\Burnout Paradise The Ultimate Box\\BurnoutParadise.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"4719:TCP"= 4719:TCP:4719
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-05 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-04-05 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-05 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-05 298264]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-02-18 266240]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-01-10 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-01-10 3072]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a68c3b4-f7f4-11dd-8437-001fe2534e96}]
\shell\play\command - c:\program files\VideoLAN\VLC\vlc.exe --started-from-file dvd://%1
.
Contents of the 'Scheduled Tasks' folder
2009-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-308236825-682003330-1003.job
- c:\documents and settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 20:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Steph\Application Data\Mozilla\Firefox\Profiles\t4eijsxk.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 12:45:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(888)
c:\windows\sctenvc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-06 12:48:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 16:48:33
ComboFix2.txt 2009-04-06 04:16:49
Pre-Run: 460,368,863,232 bytes free
Post-Run: 460,571,041,792 bytes free
211 --- E O F --- 2009-04-04 06:01:57
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Electronic Arts\\Burnout Paradise The Ultimate Box\\BurnoutConfigTool.exe"=
"c:\\Program Files\\Electronic Arts\\Burnout Paradise The Ultimate Box\\BurnoutLauncher.exe"=
"c:\\Program Files\\Electronic Arts\\Burnout Paradise The Ultimate Box\\BurnoutParadise.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"4719:TCP"= 4719:TCP:4719
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-05 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-04-05 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-05 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-05 298264]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-02-18 266240]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-01-10 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-01-10 3072]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a68c3b4-f7f4-11dd-8437-001fe2534e96}]
\shell\play\command - c:\program files\VideoLAN\VLC\vlc.exe --started-from-file dvd://%1
.
Contents of the 'Scheduled Tasks' folder
2009-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-308236825-682003330-1003.job
- c:\documents and settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 20:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Steph\Application Data\Mozilla\Firefox\Profiles\t4eijsxk.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 12:45:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(888)
c:\windows\sctenvc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-06 12:48:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 16:48:33
ComboFix2.txt 2009-04-06 04:16:49
Pre-Run: 460,368,863,232 bytes free
Post-Run: 460,571,041,792 bytes free
211 --- E O F --- 2009-04-04 06:01:57
#4
Posted 06 April 2009 - 05:08 PM
Hi,
* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:
Quote
File::
c:\windows\sctenvc.dll
c:\windows\uwudanapiqifep.dll
c:\windows\Ovuxaloqet.bin
c:\windows\Jkayuk.dat
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rpucuhuqerofib"=-
Save this as a text file named CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply.
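The `Notification Packages` line in the CFScript above is a REG_MULTI_SZ written as a `hex(7)` byte list; decoding it shows that the fix rewrites the list to just `scecli`, dropping the `sctenvc.dll` that the first log shows loaded into lsass.exe. The following is an added example, not the helper's code or part of ComboFix: the function names are constructed, the infected value is copied from the log above, and the "only scecli by default on XP" baseline is an assumption to adjust for your own build.

```python
"""Decode/encode .reg 'hex(7)' REG_MULTI_SZ values and check the LSA
Notification Packages list against a baseline (added example)."""

HEX7_PREFIX = "hex(7):"


def parse_hex7(value):
    """Decode a .reg 'hex(7):..' literal into its list of strings.

    REG_MULTI_SZ is a run of NUL-terminated strings closed by one extra NUL.
    The CFScript's bytes (73,63,65,63,6c,69,00,00) use one byte per
    character, so they are decoded as single-byte (latin-1) text here.
    """
    if not value.startswith(HEX7_PREFIX):
        raise ValueError("not a hex(7) literal: %r" % value)
    body = value[len(HEX7_PREFIX):]
    # .reg files wrap long byte lists with a trailing backslash; join them.
    body = body.replace("\\\n", "").replace(" ", "")
    raw = bytes(int(b, 16) for b in body.split(",") if b)
    # Splitting on NUL leaves empty tails for the terminators; drop them.
    return [chunk.decode("latin-1") for chunk in raw.split(b"\x00") if chunk]


def to_hex7(strings):
    """Inverse of parse_hex7: build the hex(7) literal for a list of strings."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return HEX7_PREFIX + ",".join("%02x" % b for b in raw)


# Value ComboFix printed in the first log above (entries shown space-separated).
INFECTED_NOTIFICATION_PACKAGES = "scecli sctenvc.dll".split()

# Value the CFScript writes back.
FIXED_NOTIFICATION_PACKAGES = parse_hex7("hex(7):73,63,65,63,6c,69,00,00")

# Assumption: on a stock Windows XP install only scecli is registered.
BASELINE_NOTIFICATION_PACKAGES = ["scecli"]


def unexpected_packages(current, baseline=BASELINE_NOTIFICATION_PACKAGES):
    """Return entries in Notification Packages that are not in the baseline.

    Every DLL listed here is loaded into lsass.exe at boot and is handed each
    password change, so an unknown name is worth treating as a red flag.
    """
    known = {b.lower() for b in baseline}
    return [p for p in current if p.lower() not in known]


if __name__ == "__main__":
    print("fix sets Notification Packages to:", FIXED_NOTIFICATION_PACKAGES)
    print("entries removed by the fix:", unexpected_packages(INFECTED_NOTIFICATION_PACKAGES))
    print("rebuilt literal:", to_hex7(FIXED_NOTIFICATION_PACKAGES))
```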
#5
Posted 06 April 2009 - 06:59 PM
ComboFix 09-04-04.01 - Steph 2009-04-06 14:47:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2802 [GMT -4:00]
Running from: c:\documents and settings\Steph\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steph\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\Jkayuk.dat
c:\windows\Ovuxaloqet.bin
c:\windows\sctenvc.dll
c:\windows\uwudanapiqifep.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Jkayuk.dat
c:\windows\Ovuxaloqet.bin
c:\windows\sctenvc.dll
c:\windows\uwudanapiqifep.dll
.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.
2009-04-05 20:38 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-04-05 20:24 . 2009-04-05 20:24 <DIR> d-------- c:\program files\Trend Micro
2009-04-05 19:33 . 2009-04-05 19:33 <DIR> d-------- c:\documents and settings\Administrator
2009-04-05 00:26 . 2009-04-06 12:16 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-04-05 00:26 . 2009-04-06 12:13 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-04-05 00:26 . 2009-04-06 12:13 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-04-05 00:26 . 2009-04-06 12:13 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-04-05 00:14 . 2009-04-05 00:14 <DIR> d-------- c:\documents and settings\Steph\usrusmt2.tmp
2009-04-05 00:08 . 2008-04-14 07:39 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-04-05 00:07 . 2008-04-14 07:42 221,184 --a------ c:\windows\system32\wmpns.dll
2009-04-05 00:07 . 2009-04-05 00:07 749 -rah----- c:\windows\WindowsShell.Manifest
2009-04-05 00:07 . 2009-04-05 00:07 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-04-05 00:07 . 2009-04-05 00:07 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-04-05 00:07 . 2009-04-05 00:07 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-04-05 00:07 . 2009-04-05 00:07 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-04-05 00:07 . 2009-04-05 00:07 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-04-05 00:05 . 2008-04-14 05:42 151,552 --a------ c:\windows\system32\irftp.exe
2009-04-05 00:05 . 2008-04-14 00:24 88,192 --a------ c:\windows\system32\drivers\irda.sys
2009-04-05 00:05 . 2008-04-14 05:41 28,160 --a------ c:\windows\system32\irmon.dll
2009-04-05 00:05 . 2008-04-14 05:42 8,192 --a------ c:\windows\system32\wshirda.dll
2009-04-04 23:59 . 2001-08-17 13:51 18,688 --a------ c:\windows\system32\drivers\irsir.sys
2009-04-04 23:57 . 2009-04-05 00:10 <DIR> d-------- c:\windows\NV9522016.TMP
2009-04-04 23:55 . 2001-08-17 13:51 19,584 --a------ c:\windows\system32\drivers\rasirda.sys
2009-04-04 23:52 . 2004-08-04 07:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2009-04-04 23:52 . 2004-08-04 07:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2009-04-04 23:52 . 2004-08-04 07:00 13,312 --a------ c:\windows\system32\irclass.dll
2009-04-04 23:52 . 2004-08-04 07:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2009-04-04 23:51 . 2009-04-04 23:51 <DIR> d---s---- c:\windows\system32\config\systemprofile\History
2009-04-04 02:00 . 2009-04-04 02:00 <DIR> d-------- c:\program files\MSXML 4.0
2009-04-04 00:34 . 2009-04-04 01:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\PassMark
2009-04-04 00:34 . 2009-03-09 15:27 4,178,264 --a------ c:\windows\system32\D3DX9_41.dll
2009-04-04 00:14 . 2009-04-04 00:14 <DIR> d-------- c:\documents and settings\Steph\Application Data\ImgBurn
2009-04-04 00:13 . 2009-04-04 01:56 <DIR> d-------- c:\program files\ImgBurn
2009-04-03 19:00 . 2009-04-03 19:00 727,150 --a------ C:\bookmarks.html
2009-03-31 21:43 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-03-31 21:43 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-03-31 21:43 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-03-31 21:43 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-03-29 20:04 . 2009-03-29 20:04 <DIR> d-------- c:\program files\TechSmith
2009-03-29 20:04 . 2009-03-29 20:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\TechSmith
2009-03-24 14:52 . 2006-07-21 10:08 561,152 --a------ c:\windows\system32\snapapi32.dll
2009-03-20 15:41 . 2009-03-20 15:41 <DIR> d-------- c:\program files\PictureCode
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 18:49 --------- d-----w c:\program files\lg_fwupdate
2009-04-06 16:12 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-06 03:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-05 20:44 --------- d-----w c:\program files\Mozilla Thunderbird
2009-04-03 23:03 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-03 04:03 --------- d-----w c:\documents and settings\Steph\Application Data\FileZilla
2009-03-30 00:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-30 00:02 --------- d-----w c:\documents and settings\Steph\Application Data\uTorrent
2009-03-26 20:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 20:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-22 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-19 04:49 --------- d-----w c:\program files\MagicISO
2009-02-18 05:48 --------- d-----w c:\documents and settings\Steph\Application Data\HDRsoft
2009-02-18 05:43 --------- d-----w c:\program files\PhotomatixPro3
2009-02-11 18:40 --------- d-----w c:\documents and settings\Steph\Application Data\dvdcss
2008-12-17 21:59 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 21:59 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 21:59 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 21:59 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 21:59 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-04-06_ 0.16.21.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-05 04:26:52 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2009-04-06 16:13:32 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-01 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-12-01 548864]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2008-08-15 378224]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-06 1932568]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-28 c:\windows\RTHDCPL.EXE]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-06 12:13 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Electronic Arts\\Burnout Paradise The Ultimate Box\\BurnoutConfigTool.exe"=
"c:\\Program Files\\Electronic Arts\\Burnout Paradise The Ultimate Box\\BurnoutLauncher.exe"=
"c:\\Program Files\\Electronic Arts\\Burnout Paradise The Ultimate Box\\BurnoutParadise.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"4719:TCP"= 4719:TCP:4719
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-05 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-04-05 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-05 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-05 298264]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-02-18 266240]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-01-10 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-01-10 3072]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a68c3b4-f7f4-11dd-8437-001fe2534e96}]
\shell\play\command - c:\program files\VideoLAN\VLC\vlc.exe --started-from-file dvd://%1
.
Contents of the 'Scheduled Tasks' folder
2009-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-308236825-682003330-1003.job
- c:\documents and settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 20:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Steph\Application Data\Mozilla\Firefox\Profiles\t4eijsxk.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 14:49:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-06 14:53:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 18:53:12
ComboFix2.txt 2009-04-06 16:48:35
ComboFix3.txt 2009-04-06 04:16:49
Pre-Run: 460,588,761,088 bytes free
Post-Run: 460,574,289,920 bytes free
214 --- E O F --- 2009-04-04 06:01:57
.
Contents of the 'Scheduled Tasks' folder
2009-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-308236825-682003330-1003.job
- c:\documents and settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 20:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Steph\Application Data\Mozilla\Firefox\Profiles\t4eijsxk.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 14:49:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-06 14:53:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 18:53:12
ComboFix2.txt 2009-04-06 16:48:35
ComboFix3.txt 2009-04-06 04:16:49
Pre-Run: 460,588,761,088 bytes free
Post-Run: 460,574,289,920 bytes free
214 --- E O F --- 2009-04-04 06:01:57
#6
Posted 06 April 2009 - 07:07 PM
Hi,
This looks OK again.
* Go to start > run and copy and paste next command in the field:
ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
Let me know in your next reply how things are now.
#7
Posted 06 April 2009 - 07:56 PM
Ran a scan again and it came back clear, thanks so much for your help!
#8
Posted 06 April 2009 - 08:01 PM
Glad I could help. 
Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Happy Surfing again!
#9
Posted 10 April 2009 - 12:59 AM
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.