
Malwarebytes

Rootkit.Agent and Trojan.Agent


28 replies to this topic

#1
SouthPark

    New Member

  • Members
  • 14 posts
  • Gender:Female
  • Location:Monaco
Malwarebytes' Anti-Malware 1.36
Database version: 1970
Windows 5.1.2600 Service Pack 3

15/04/2009 19:58:41
mbam-log-2009-04-15 (19-58-41).txt

Scan type: Quick Scan
Objects scanned: 69398
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\port135sik (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\port135sik.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Annie\Local Settings\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Annie\Local Settings\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Annie\Local Settings\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Annie\Local Settings\Temp\BN5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

That was the MBAM scan. The first time I scanned I had 500+ viruses, the second time around 300, and so on. Now I have 5-10 viruses which never leave: Rootkit.Agent and Trojan.Agent. And in the pinned subjects it said I had to run a Trend Micro scan and should post the log as well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:39:41, on 15/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Annie\Annie.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blinde-kuh.de/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Annie] C:\Documents and Settings\Annie\Annie.exe /i
O4 - HKCU\..\Run: [] C:\Documents and Settings\Annie\.exe /i
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155926468247
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmmccsor.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6955 bytes

Thanks in advance :)
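
Added example, not part of the original thread: the HijackThis log above contains three entries that a responder would flag by eye, an HKCU Run value whose name is empty and whose target is a file literally called ".exe" in the profile root, "Annie.exe" in that same profile root, and a non-empty AppInit_DLLs value (a DLL listed there is loaded into every process that loads user32.dll, which is why it is a common persistence point; on a default XP install the value is empty). The Python below encodes those observations as review rules and runs them over a constructed handful of lines copied from the log. The rules and the idea of a "profile root" check are the example's own, not HijackThis's, and they only flag entries for review; they do not decide that anything is malicious.

```python
import re

# Constructed sample: a handful of entries copied from the HijackThis log in the
# post above. Not a complete log; enough to exercise each rule once.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Annie] C:\Documents and Settings\Annie\Annie.exe /i
O4 - HKCU\..\Run: [] C:\Documents and Settings\Annie\.exe /i
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmmccsor.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>" registry autostart entries.
# Startup-folder O4 lines ("O4 - Startup: x.lnk = ...") have no [name] and are skipped.
RUN_ENTRY = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Absolute path to the executable at the start of a command line, quoted or not.
EXE_PATH = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.exe)"?(?:\s|$)', re.IGNORECASE)
# A file sitting directly in C:\Documents and Settings\<user>\ (no subdirectory).
PROFILE_ROOT_FILE = re.compile(
    r"^[A-Za-z]:\\Documents and Settings\\[^\\]+\\[^\\]+$", re.IGNORECASE)
APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


def exe_path(cmd):
    """Return the absolute .exe path at the start of a Run command line, or None."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else None


def triage(log_text):
    """Return (line, reason) pairs for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_ENTRY.match(line)
        if m:
            name, path = m.group("name"), exe_path(m.group("cmd"))
            if name == "":
                findings.append((line, "Run value has an empty name"))
            if path:
                stem = path.rsplit("\\", 1)[-1][:-4]  # file name without ".exe"
                if stem == "":
                    findings.append((line, "executable has no file name (just '.exe')"))
                if PROFILE_ROOT_FILE.match(path):
                    findings.append((line, "executable sits directly in a user profile root"))
            continue
        if APPINIT.match(line):
            findings.append((line, "AppInit_DLLs is set; that DLL is loaded into every "
                                   "process that loads user32.dll"))
    return findings


if __name__ == "__main__":
    for flagged_line, reason in triage(SAMPLE_HJT):
        print(f"{reason}\n    {flagged_line}")
```

Run as-is it prints five findings on three distinct lines; everything else in the sample (Java updater, ctfmon, Messenger) passes untouched. Bare file names such as HDAShCut.exe are not resolved against the PATH, so a rule that needs the real location has to be run on the machine, not on the log.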

#2
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

Quote

Database version: 1970
First of all, please update MalwareBytes, because the database version is outdated.

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  • Once the updates are downloaded, perform a full scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Also, please disable Ad-Watch since it will interfere with the changes.
Mieke Verburgh
Assistant Director of Research

#3
SouthPark
Now something weird happened, full scan and not a single problem...

Malwarebytes' Anti-Malware 1.36
Database version: 1987
Windows 5.1.2600 Service Pack 3

15/04/2009 23:16:20
mbam-log-2009-04-15 (23-16-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 15907
Time elapsed: 3 hour(s), 33 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And HijackThis,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:46:23, on 16/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Annie\Annie.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blinde-kuh.de/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Annie] C:\Documents and Settings\Annie\Annie.exe /i
O4 - HKCU\..\Run: [] C:\Documents and Settings\Annie\.exe /i
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155926468247
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmmccsor.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6038 bytes

Thanks!! So, if I run another scan will I find some malware again, or are they gone?

#4
miekiemoes
Hi,

I need some more logs and files (if still present) to verify if the infection is gone or not...

First of all, go to this page.
Enter the URL of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to it and browse to the next file:

C:\Documents and Settings\Annie\Annie.exe

Select it and click ok:
Then click the Send File button below.

Do the same for the following file:

C:\WINDOWS\system32\mmmccsor.dll

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Also, is there any reason why you don't have an Antivirus installed?
Mieke Verburgh
Assistant Director of Research

#5
miekiemoes
Hi,

Thank you for the file. Detection will be present in the next update. Open your Task Manager and select the Processes tab.
Search for Annie.exe in there, select it and choose to end the process. Then you will be able to delete the file
C:\Documents and Settings\Annie\Annie.exe, because it needs to go. This will prevent it from downloading/spreading more malware while we deal with the rest (using ComboFix).
Mieke Verburgh
Assistant Director of Research

#6
SouthPark
Hi,
I've done everything you said in your previous post. Now I've "installed" ComboFix, and the icon is on my desktop. However, when I click on it, a blue terminal window opens, and I've left it for ages, but nothing happens. I have disabled all of my antivirus (etc.) software... but still, it doesn't run. Should I try to delete them all completely, and then try again?

Oh, and after I scanned my laptop using Malwarebytes Anti-Malware and got 0, I rescanned it. I got 23 infected objects, but an error occurred; I think it said 714 (0,14) or something like that.

What should I do about ComboFix?

Thanks

#7
miekiemoes
Hi,

Have you read my previous post?

Quote

Open your Task Manager and select the Processes tab.
Search for Annie.exe in there, select it and choose to end the process. Then you will be able to delete the file
C:\Documents and Settings\Annie\Annie.exe, because it needs to go. This will prevent it from downloading/spreading more malware while we deal with the rest (using ComboFix).
It could be possible that this Annie.exe is preventing it.

Also, if that still fails, try to run Combofix from Windows safe mode.
To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.
Mieke Verburgh
Assistant Director of Research

#8
SouthPark
Hey,
I deleted Annie.exe, and then ComboFix worked. Here is the log:

ComboFix 09-04-17.05 - Annie 17/04/2009 15:27.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.495.194 [GMT 2:00]
Running from: c:\documents and settings\Annie\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Annie\Annie.exe

.
(((((((((((((((((((((((((   Files Created from 2009-03-17 to 2009-04-17  )))))))))))))))))))))))))))))))
.

2009-04-16 02:51 . 2009-04-16 02:51	197	----a-w	c:\windows\system32\MRT.INI
2009-04-15 17:05 . 2009-03-06 14:22	284160	-c----w	c:\windows\system32\dllcache\pdh.dll
2009-04-15 17:05 . 2009-02-09 12:10	401408	-c----w	c:\windows\system32\dllcache\rpcss.dll
2009-04-15 17:05 . 2009-02-06 11:11	110592	-c----w	c:\windows\system32\dllcache\services.exe
2009-04-15 17:05 . 2009-02-09 12:10	473600	-c----w	c:\windows\system32\dllcache\fastprox.dll
2009-04-15 17:05 . 2009-02-09 12:10	729088	-c----w	c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 17:05 . 2009-02-09 12:10	617472	-c----w	c:\windows\system32\dllcache\advapi32.dll
2009-04-15 17:05 . 2009-02-09 12:10	453120	-c----w	c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 17:05 . 2009-02-06 10:10	227840	-c----w	c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 17:05 . 2009-02-09 12:10	714752	-c----w	c:\windows\system32\dllcache\ntdll.dll
2009-04-15 17:02 . 2009-03-27 06:58	1203922	-c----w	c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 17:02 . 2008-05-03 11:55	2560	------w	c:\windows\system32\xpsp4res.dll
2009-04-15 17:02 . 2008-04-21 12:08	215552	-c----w	c:\windows\system32\dllcache\wordpad.exe
2009-04-14 15:48 . 2009-04-15 21:17	--------	dc----w	c:\windows\system32\DRVSTORE
2009-04-14 15:45 . 2009-04-15 21:18	--------	d-----w	c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-14 14:55 . 2008-12-11 06:38	159600	----a-w	c:\windows\system32\drivers\pctgntdi.sys
2009-04-14 14:54 . 2009-03-06 14:45	130424	----a-w	c:\windows\system32\drivers\PCTCore.sys
2009-04-14 14:54 . 2008-12-18 10:16	73840	----a-w	c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-14 14:54 . 2009-04-17 13:16	--------	d---a-w	c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 14:54 . 2008-12-10 10:36	64392	----a-w	c:\windows\system32\drivers\pctplsg.sys
2009-04-14 14:54 . 2009-04-14 14:54	--------	d-----w	c:\documents and settings\Annie\Application Data\PC Tools
2009-04-14 14:54 . 2009-04-14 14:54	--------	d-----w	c:\documents and settings\All Users\Application Data\PC Tools
2009-04-13 17:10 . 2009-04-13 17:12	5760	----a-w	c:\windows\system32\mmmtnqjb.dll
2009-04-13 09:52 . 2009-04-13 10:01	17920	----a-w	c:\windows\system32\mmmiwxzz.dll
2009-04-13 06:30 . 2009-04-13 06:39	17920	----a-w	c:\windows\system32\mmmoesip.dll
2009-04-13 05:18 . 2009-04-13 05:23	17920	----a-w	c:\windows\system32\mmmukdlk.dll
2009-04-12 19:46 . 2009-04-12 19:46	--------	d-----w	c:\documents and settings\Annie\Application Data\Malwarebytes
2009-04-12 19:46 . 2009-04-06 13:32	15504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-04-12 19:46 . 2009-04-06 13:32	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-12 19:46 . 2009-04-12 19:46	--------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-12 19:40 . 2009-04-12 19:40	--------	d-----w	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-12 19:40 . 2009-04-12 19:40	--------	d-----w	c:\documents and settings\Annie\Application Data\SUPERAntiSpyware.com
2009-04-12 19:33 . 2009-04-12 19:35	17920	----a-w	c:\windows\system32\mmmuvkuv.dll
2009-04-12 12:32 . 2009-04-12 12:38	17920	----a-w	c:\windows\system32\mmmgbawb.dll
2009-04-12 07:49 . 2009-04-12 08:00	12800	----a-w	c:\windows\system32\mmmdicqg.dll
2009-04-12 06:42 . 2009-04-12 07:07	17920	----a-w	c:\windows\system32\mmmlrsre.dll
2009-04-11 18:33 . 2009-04-11 18:38	3200	----a-w	c:\windows\system32\mmmvenlx.dll
2009-04-11 17:44 . 2009-04-11 18:12	17920	----a-w	c:\windows\system32\mmmjfvjf.dll
2009-03-21 14:06 . 2009-03-21 14:06	989696	-c----w	c:\windows\system32\dllcache\kernel32.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 18:58 . 2009-04-14 14:54	--------	d-----w	c:\program files\Spyware Doctor
2009-04-16 01:38 . 2008-03-11 19:30	--------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-15 18:31 . 2009-04-15 18:31	--------	d-----w	c:\program files\Trend Micro
2009-04-15 17:42 . 2009-04-14 16:52	3515	----a-w	C:\aaw7boot.log
2009-04-14 14:56 . 2009-04-14 14:54	--------	d-----w	c:\program files\Common Files\PC Tools
2009-04-12 19:46 . 2009-04-12 19:46	--------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2009-04-12 19:40 . 2009-04-12 19:40	--------	d-----w	c:\program files\SUPERAntiSpyware
2009-04-12 19:37 . 2009-04-12 19:37	--------	d-----w	c:\program files\Common Files\Wise Installation Wizard
2009-03-06 14:22 . 2004-08-04 12:00	284160	----a-w	c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-09-29 18:47	666112	----a-w	c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 12:00	81920	----a-w	c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-10-28 01:21	729088	----a-w	c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00	714752	----a-w	c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00	617472	----a-w	c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00	401408	----a-w	c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00	1846784	----a-w	c:\windows\system32\win32k.sys
2009-02-07 17:02 . 2004-08-03 22:59	2066048	----a-w	c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00	110592	----a-w	c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00	2189056	----a-w	c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00	35328	----a-w	c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00	56832	----a-w	c:\windows\system32\secur32.dll
2009-01-03 12:23 . 2006-08-18 19:10	39544	----a-w	c:\documents and settings\Annie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-06 23:10 . 2008-07-22 09:17	23	----a-w	c:\documents and settings\Annie\jagex_runescape_preferences.dat
2008-03-11 19:08 . 2006-08-18 19:09	16862	----a-w	c:\documents and settings\Annie\Application Data\wklnhst.dat
2008-12-19 21:30:53 . 2006-08-18 19:46		c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 21:30:53 . 2006-08-18 19:46		c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 21:30:53 . 2008-01-22 17:50		c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 21:30:54 . 2008-01-22 17:50		c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 21:30:54 . 2006-08-18 19:46		c:\program files\mozilla firefox\components\xpinstal.dll
2006-12-30 14:04 . 2006-12-03 11:35	56	--sh--r	c:\windows\system32\F97EC12BD2.sys
2006-12-30 14:04 . 2006-12-03 11:35	952	--sha-w	c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2006-08-18 36972]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-04-15 708697]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2005-09-21 2807808]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-08-12 552960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Annie\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 09:05	356352	----a-w	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\mmmccsor.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SoundMan.exe"=
"c:\\WINDOWS\\sm56hlpr.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTEM.EXE"=
"c:\\WINDOWS\\system32\\logon.scr"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"=

R0 ddIkcxx;ddIkcxx; [x]
R0 jlhsv;jlhsv; [x]
R0 vwbesnvg;vwbesnvg; [x]
R2 ati64si;ati64si;c:\windows\system32\drivers\ati64si.sys [2008-04-13 30464]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-06 130424]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Annie - c:\documents and settings\Annie\Annie.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.blinde-kuh.de/
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Annie\Application Data\Mozilla\Firefox\Profiles\r2dfbd09.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 15:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-17 15:32
ComboFix-quarantined-files.txt  2009-04-17 13:32

Pre-Run: 50,909,204,480 bytes free
Post-Run: 50,932,129,792 bytes free

187	--- E O F ---	2009-04-16 03:54

Thanks

#9
miekiemoes

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

Quote

File::
c:\windows\system32\drivers\ati64si.sys
c:\windows\system32\mmmtnqjb.dll
c:\windows\system32\mmmiwxzz.dll
c:\windows\system32\mmmoesip.dll
c:\windows\system32\mmmuvkuv.dll
c:\windows\system32\mmmgbawb.dll
c:\windows\system32\mmmlrsre.dll
c:\windows\system32\mmmjfvjf.dll
Collect::[8]
c:\windows\system32\mmmccsor.dll
c:\windows\system32\mmmukdlk.dll
c:\windows\system32\mmmdicqg.dll
c:\windows\system32\mmmvenlx.dll
Driver::
ati64si
vwbesnvg
jlhsv
ddIkcxx
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\userinit.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingc...e.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Mieke Verburgh
Assistant Director of Research


#10
SouthPark

It asked me to restart, and here is the log.

ComboFix 09-04-17.05 - Annie 17/04/2009 16:03.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.495.177 [GMT 2:00]
Running from: c:\documents and settings\Annie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Annie\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
c:\windows\system32\drivers\ati64si.sys
c:\windows\system32\mmmgbawb.dll
c:\windows\system32\mmmiwxzz.dll
c:\windows\system32\mmmjfvjf.dll
c:\windows\system32\mmmlrsre.dll
c:\windows\system32\mmmoesip.dll
c:\windows\system32\mmmtnqjb.dll
c:\windows\system32\mmmuvkuv.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ati64si.sys
c:\windows\system32\mmmdicqg.dll
c:\windows\system32\mmmgbawb.dll
c:\windows\system32\mmmiwxzz.dll
c:\windows\system32\mmmjfvjf.dll
c:\windows\system32\mmmlrsre.dll
c:\windows\system32\mmmoesip.dll
c:\windows\system32\mmmtnqjb.dll
c:\windows\system32\mmmukdlk.dll
c:\windows\system32\mmmuvkuv.dll
c:\windows\system32\mmmvenlx.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI64SI
-------\Service_ati64si
-------\Service_ddIkcxx
-------\Service_jlhsv
-------\Service_vwbesnvg


(((((((((((((((((((((((((   Files Created from 2009-03-17 to 2009-04-17  )))))))))))))))))))))))))))))))
.

2009-04-16 02:51 . 2009-04-16 02:51	197	----a-w	c:\windows\system32\MRT.INI
2009-04-15 17:05 . 2009-03-06 14:22	284160	-c----w	c:\windows\system32\dllcache\pdh.dll
2009-04-15 17:05 . 2009-02-09 12:10	401408	-c----w	c:\windows\system32\dllcache\rpcss.dll
2009-04-15 17:05 . 2009-02-06 11:11	110592	-c----w	c:\windows\system32\dllcache\services.exe
2009-04-15 17:05 . 2009-02-09 12:10	473600	-c----w	c:\windows\system32\dllcache\fastprox.dll
2009-04-15 17:05 . 2009-02-09 12:10	729088	-c----w	c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 17:05 . 2009-02-09 12:10	617472	-c----w	c:\windows\system32\dllcache\advapi32.dll
2009-04-15 17:05 . 2009-02-09 12:10	453120	-c----w	c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 17:05 . 2009-02-06 10:10	227840	-c----w	c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 17:05 . 2009-02-09 12:10	714752	-c----w	c:\windows\system32\dllcache\ntdll.dll
2009-04-15 17:02 . 2009-03-27 06:58	1203922	-c----w	c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 17:02 . 2008-05-03 11:55	2560	------w	c:\windows\system32\xpsp4res.dll
2009-04-15 17:02 . 2008-04-21 12:08	215552	-c----w	c:\windows\system32\dllcache\wordpad.exe
2009-04-14 15:48 . 2009-04-15 21:17	--------	dc----w	c:\windows\system32\DRVSTORE
2009-04-14 15:45 . 2009-04-15 21:18	--------	d-----w	c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-14 14:55 . 2008-12-11 06:38	159600	----a-w	c:\windows\system32\drivers\pctgntdi.sys
2009-04-14 14:54 . 2009-03-06 14:45	130424	----a-w	c:\windows\system32\drivers\PCTCore.sys
2009-04-14 14:54 . 2008-12-18 10:16	73840	----a-w	c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-14 14:54 . 2009-04-17 14:09	--------	d---a-w	c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 14:54 . 2008-12-10 10:36	64392	----a-w	c:\windows\system32\drivers\pctplsg.sys
2009-04-14 14:54 . 2009-04-14 14:54	--------	d-----w	c:\documents and settings\Annie\Application Data\PC Tools
2009-04-14 14:54 . 2009-04-14 14:54	--------	d-----w	c:\documents and settings\All Users\Application Data\PC Tools
2009-04-12 19:46 . 2009-04-12 19:46	--------	d-----w	c:\documents and settings\Annie\Application Data\Malwarebytes
2009-04-12 19:46 . 2009-04-06 13:32	15504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-04-12 19:46 . 2009-04-06 13:32	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-12 19:46 . 2009-04-12 19:46	--------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-12 19:40 . 2009-04-12 19:40	--------	d-----w	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-12 19:40 . 2009-04-12 19:40	--------	d-----w	c:\documents and settings\Annie\Application Data\SUPERAntiSpyware.com
2009-03-21 14:06 . 2009-03-21 14:06	989696	-c----w	c:\windows\system32\dllcache\kernel32.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 13:33 . 2009-04-14 14:54	--------	d-----w	c:\program files\Spyware Doctor
2009-04-16 01:38 . 2008-03-11 19:30	--------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-15 18:31 . 2009-04-15 18:31	--------	d-----w	c:\program files\Trend Micro
2009-04-15 17:42 . 2009-04-14 16:52	3515	----a-w	C:\aaw7boot.log
2009-04-14 14:56 . 2009-04-14 14:54	--------	d-----w	c:\program files\Common Files\PC Tools
2009-04-12 19:46 . 2009-04-12 19:46	--------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2009-04-12 19:40 . 2009-04-12 19:40	--------	d-----w	c:\program files\SUPERAntiSpyware
2009-04-12 19:37 . 2009-04-12 19:37	--------	d-----w	c:\program files\Common Files\Wise Installation Wizard
2009-03-06 14:22 . 2004-08-04 12:00	284160	----a-w	c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-09-29 18:47	666112	----a-w	c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 12:00	81920	----a-w	c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-10-28 01:21	729088	----a-w	c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00	714752	----a-w	c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00	617472	----a-w	c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00	401408	----a-w	c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00	1846784	----a-w	c:\windows\system32\win32k.sys
2009-02-07 17:02 . 2004-08-03 22:59	2066048	----a-w	c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00	110592	----a-w	c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00	2189056	----a-w	c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00	35328	----a-w	c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00	56832	----a-w	c:\windows\system32\secur32.dll
2009-01-03 12:23 . 2006-08-18 19:10	39544	----a-w	c:\documents and settings\Annie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-06 23:10 . 2008-07-22 09:17	23	----a-w	c:\documents and settings\Annie\jagex_runescape_preferences.dat
2008-03-11 19:08 . 2006-08-18 19:09	16862	----a-w	c:\documents and settings\Annie\Application Data\wklnhst.dat
2008-12-19 21:2006-08-18 19:46		30:53 .	c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 21:2006-08-18 19:46		30:53 .	c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 21:2008-01-22 17:50		30:53 .	c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 21:2008-01-22 17:50		30:54 .	c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 21:2006-08-18 19:46		30:54 .	c:\program files\mozilla firefox\components\xpinstal.dll
2006-12-30 14:04 . 2006-12-03 11:35	56	--sh--r	c:\windows\system32\F97EC12BD2.sys
2006-12-30 14:04 . 2006-12-03 11:35	952	--sha-w	c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((   SnapShot@2009-04-17_13.30.29   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-17 14:08 . 2009-04-17 14:08	16384			  c:\windows\temp\Perflib_Perfdata_1f8.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2006-08-18 36972]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-04-15 708697]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2005-09-21 2807808]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-08-12 552960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Annie\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 09:05	356352	----a-w	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SoundMan.exe"=
"c:\\WINDOWS\\sm56hlpr.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTEM.EXE"=
"c:\\WINDOWS\\system32\\logon.scr"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"=

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-06 130424]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.blinde-kuh.de/
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Annie\Application Data\Mozilla\Firefox\Profiles\r2dfbd09.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 16:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3572)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\progra~2\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Spyware Doctor\pctsSvc.exe
.
**************************************************************************
.
Completion time: 2009-04-17 16:12 - machine was rebooted
ComboFix-quarantined-files.txt  2009-04-17 14:11
ComboFix2.txt  2009-04-17 13:32

Pre-Run: 50,918,539,264 bytes free
Post-Run: 50,851,418,112 bytes free

209	--- E O F ---	2009-04-16 03:54


#11
miekiemoes

Hi,

What you submitted is 0 bytes. This doesn't make sense. Can you resubmit the zip file? Please verify first that it's not 0 bytes: navigate to the zip file, make sure it contains the files mmmukdlk.dll, mmmdicqg.dll and mmmvenlx.dll, and then resubmit. (Don't copy and paste the path, but use the Browse button to navigate, because I guess you did that previously as well, which explains why the other one was also 0 bytes.)
If not present, then submit one of these files:

C:\Qoobox\quarantine\c\windows\system32\mmmlrsre.dll.vir and C:\Qoobox\quarantine\c\windows\system32\mmmoesip.dll.vir - anyway, at least 2 of these mmm files present there.

Let me know once you've submitted them :)

#12
SouthPark

I submitted it, but I think I might have done so twice... sorry.

Should I submit the other two as well?

#13
SouthPark

I forgot to ask, should I delete Annie.exe from Documents and Settings manually? Because it's still there, even after I've run ComboFix.

#14
miekiemoes

Hi,

Quote

I forgot to ask, should I delete Annie.exe from Documents and Settings manually? Because it's still there, even after I've run ComboFix.
Yes, is it still present? Because according to ComboFix, it's deleted, unless it was recreated again. So, please delete it manually and let me know if it recreates. If so, then I have the feeling that you're also dealing with a file infector, because too many legitimate exe files were modified lately. I really hope this is not the case here though...

Quote

Also, is there any reason why you don't have an Antivirus installed?
That was my previous question which you never answered. The files you've submitted are actually detected by almost every Antivirus, so this means, if you had an Antivirus installed, you wouldn't get infected with this one in the first place.

That's why.... * Please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Fingers crossed that you're not dealing with a file patcher here...

#15
miekiemoes

By the way, after analysing the files, please change ALL your passwords once we are done here, because all your passwords are known. Do not change them now, because as long as the malware is still present, it will gather them again.

#16
SouthPark

Fingers are crossed :P
I have always thought that antivirus programs slow down your computer a lot, but this isn't the case? I have installed and scanned my computer with Avira AntiVir. Here is the log:

Avira AntiVir Personal
Report file date: 17 April 2009  19:03

Scanning for 1284893 virus strains and unwanted programs.

Licensee		: Avira AntiVir Personal - FREE Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform		: Windows XP
Windows version : (Service Pack 3)  [5.1.2600]
Boot mode	   : Normally booted
Username		: SYSTEM
Computer name   : ANNI

Version information:
BUILD.DAT	   : 9.0.0.386	 17962 Bytes  11/03/2009 15:55:00
AVSCAN.EXE	  : 9.0.3.3	  464641 Bytes  24/02/2009 10:13:26
AVSCAN.DLL	  : 9.0.3.0	   40705 Bytes  27/02/2009 08:58:24
LUKE.DLL		: 9.0.3.2	  209665 Bytes  20/02/2009 09:35:49
LUKERES.DLL	 : 9.0.2.0	   12033 Bytes  27/02/2009 08:58:52
ANTIVIR0.VDF	: 7.1.0.0	15603712 Bytes  27/10/2008 10:30:36
ANTIVIR1.VDF	: 7.1.2.12	3336192 Bytes  11/02/2009 18:33:26
ANTIVIR2.VDF	: 7.1.2.105	513536 Bytes  03/03/2009 05:41:14
ANTIVIR3.VDF	: 7.1.2.127	110592 Bytes  05/03/2009 12:58:20
Engineversion   : 8.2.0.100
AEVDF.DLL	   : 8.1.1.0	  106868 Bytes  27/01/2009 15:36:42
AESCRIPT.DLL	: 8.1.1.56	 352634 Bytes  26/02/2009 18:01:56
AESCN.DLL	   : 8.1.1.7	  127347 Bytes  12/02/2009 09:44:25
AERDL.DLL	   : 8.1.1.3	  438645 Bytes  29/10/2008 16:24:41
AEPACK.DLL	  : 8.1.3.10	 397686 Bytes  04/03/2009 11:06:10
AEOFFICE.DLL	: 8.1.0.36	 196987 Bytes  26/02/2009 18:01:56
AEHEUR.DLL	  : 8.1.0.100   1618295 Bytes  25/02/2009 13:49:16
AEHELP.DLL	  : 8.1.2.2	  119158 Bytes  26/02/2009 18:01:56
AEGEN.DLL	   : 8.1.1.24	 336244 Bytes  04/03/2009 11:06:10
AEEMU.DLL	   : 8.1.0.9	  393588 Bytes  09/10/2008 12:32:40
AECORE.DLL	  : 8.1.6.6	  176501 Bytes  17/02/2009 12:22:44
AEBB.DLL		: 8.1.0.3	   53618 Bytes  09/10/2008 12:32:40
AVWINLL.DLL	 : 9.0.0.3	   18177 Bytes  12/12/2008 06:47:59
AVPREF.DLL	  : 9.0.0.1	   43777 Bytes  05/12/2008 08:32:15
AVREP.DLL	   : 8.0.0.3	  155905 Bytes  20/01/2009 12:34:28
AVREG.DLL	   : 9.0.0.0	   36609 Bytes  05/12/2008 08:32:09
AVARKT.DLL	  : 9.0.0.1	  292609 Bytes  09/02/2009 05:52:24
AVEVTLOG.DLL	: 9.0.0.7	  167169 Bytes  30/01/2009 08:37:08
SQLITE3.DLL	 : 3.6.1.0	  326401 Bytes  28/01/2009 13:03:49
SMTPLIB.DLL	 : 9.2.0.25	  28417 Bytes  02/02/2009 06:21:33
NETNT.DLL	   : 9.0.0.0	   11521 Bytes  05/12/2008 08:32:10
RCIMAGE.DLL	 : 9.0.0.21	2438401 Bytes  09/02/2009 09:45:45
RCTEXT.DLL	  : 9.0.35.0	  87297 Bytes  11/03/2009 13:55:12

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, 
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 17 April 2009  19:03

Initiating scan of system files:
Signed -> 'C:\WINDOWS\system32\svchost.exe'
Signed -> 'C:\WINDOWS\system32\winlogon.exe'
Signed -> 'C:\WINDOWS\explorer.exe'
Signed -> 'C:\WINDOWS\system32\smss.exe'
Signed -> 'C:\WINDOWS\system32\wininet.DLL'
Signed -> 'C:\WINDOWS\system32\wsock32.DLL'
Signed -> 'C:\WINDOWS\system32\ws2_32.DLL'
Signed -> 'C:\WINDOWS\system32\services.exe'
Signed -> 'C:\WINDOWS\system32\lsass.exe'
Signed -> 'C:\WINDOWS\system32\csrss.exe'
Signed -> 'C:\WINDOWS\system32\drivers\kbdclass.sys'
Signed -> 'C:\WINDOWS\system32\spoolsv.exe'
Signed -> 'C:\WINDOWS\system32\alg.exe'
Signed -> 'C:\WINDOWS\system32\wuauclt.exe'
Signed -> 'C:\WINDOWS\system32\advapi32.DLL'
Signed -> 'C:\WINDOWS\system32\user32.DLL'
Signed -> 'C:\WINDOWS\system32\gdi32.DLL'
Signed -> 'C:\WINDOWS\system32\kernel32.DLL'
Signed -> 'C:\WINDOWS\system32\ntdll.DLL'
Signed -> 'C:\WINDOWS\system32\ntoskrnl.exe'
Signed -> 'C:\WINDOWS\system32\ctfmon.exe'
The system files were scanned ('21' files)

Starting search for hidden objects.
'42035' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ONENOTEM.EXE' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'sm56hlpr.exe' - '1' Module(s) have been scanned
Scan process 'SoundMan.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'pctsTray.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'pctsSvc.exe' - '1' Module(s) have been scanned
Scan process 'pctsAuxs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
36 processes with 36 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '65' files ).


Starting the file scan:

Begin scan in 'C:\' <444564>
C:\pagefile.sys
	[WARNING]   The file could not be opened!
	[NOTE]	  This file is a Windows system file.
	[NOTE]	  This file cannot be opened for scanning.
C:\Program Files\Common Files\Enterbrain\RGSS\Standard\Graphics.exe
  [0] Archive type: CAB SFX (self extracting)
	--> Graphics\Animations\002-Action02.png
	  [WARNING]   No further files can be extracted from this archive. The archive will be closed
	[WARNING]   No further files can be extracted from this archive. The archive will be closed
C:\Qoobox\Quarantine\[8]-Submit_2009-04-17@16.03.zip
  [0] Archive type: ZIP
	--> mmmukdlk.dll
	  [DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmdicqg.dll.vir
	[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmgbawb.dll.vir
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmiwxzz.dll.vir
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmjfvjf.dll.vir
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmlrsre.dll.vir
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmoesip.dll.vir
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmukdlk.dll.vir
	[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmuvkuv.dll.vir
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmvenlx.dll.vir
	[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ati64si.sys.vir
	[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001229.sys
	[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001230.dll
	[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001231.dll
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001232.dll
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001233.dll
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001234.dll
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001235.dll
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001237.dll
	[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001238.dll
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001239.dll
	[DETECTION] Is the TR/Trash.Gen Trojan

Beginning disinfection:
C:\Qoobox\Quarantine\[8]-Submit_2009-04-17@16.03.zip
	[NOTE]	  The file was moved to '4a45c4cf.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmdicqg.dll.vir
	[DETECTION] Is the TR/Trash.Gen Trojan
	[NOTE]	  The file was moved to '4a55c504.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmgbawb.dll.vir
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
	[NOTE]	  The file was moved to '4a55c505.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmiwxzz.dll.vir
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
	[NOTE]	  The file was moved to '4bc2b086.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmjfvjf.dll.vir
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
	[NOTE]	  The file was moved to '4bfd8916.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmlrsre.dll.vir
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
	[NOTE]	  The file was moved to '4bfc96de.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmoesip.dll.vir
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
	[NOTE]	  The file was moved to '4bff9ea6.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmukdlk.dll.vir
	[DETECTION] Is the TR/Trash.Gen Trojan
	[NOTE]	  The file was moved to '49f2b6c6.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmuvkuv.dll.vir
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
	[NOTE]	  The file was moved to '49fdbe8e.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmmvenlx.dll.vir
	[DETECTION] Is the TR/Trash.Gen Trojan
	[NOTE]	  The file was moved to '49fc4656.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ati64si.sys.vir
	[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
	[NOTE]	  The file was moved to '4a51c50c.qua'!
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001229.sys
	[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
	[NOTE]	  The file was moved to '4a18c4c8.qua'!
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001230.dll
	[DETECTION] Is the TR/Trash.Gen Trojan
	[NOTE]	  The file was moved to '4bb9d151.qua'!
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001231.dll
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
	[NOTE]	  The file was moved to '49b24fd1.qua'!
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001232.dll
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
	[NOTE]	  The file was moved to '49b45e61.qua'!
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001233.dll
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
	[NOTE]	  The file was moved to '49b566b9.qua'!
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001234.dll
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
	[NOTE]	  The file was moved to '49b66ef1.qua'!
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001235.dll
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
	[NOTE]	  The file was moved to '49b776c9.qua'!
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001237.dll
	[DETECTION] Is the TR/Trash.Gen Trojan
	[NOTE]	  The file was moved to '4c440109.qua'!
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001238.dll
	[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
	[NOTE]	  The file was moved to '4c451109.qua'!
C:\System Volume Information\_restore{F446D89C-9B99-4D2D-8309-734A947EA3F3}\RP4\A0001239.dll
	[DETECTION] Is the TR/Trash.Gen Trojan
	[NOTE]	  The file was moved to '4c417109.qua'!


End of the scan: 17 April 2009  20:04
Used time: 50:43 Minute(s)

The scan has been done completely.

   7282 Scanned directories
 359042 Files were scanned
	 21 Viruses and/or unwanted programs were found
	  0 Files were classified as suspicious
	  0 files were deleted
	  0 Viruses and unwanted programs were repaired
	 21 Files were moved to quarantine
	  0 Files were renamed
	  1 Files cannot be scanned
 359020 Files not concerned
   3245 Archives were scanned
	  3 Warnings
	 22 Notes
  42035 Objects were scanned with rootkit scan
	  0 Hidden objects were found


#17
miekiemoes

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 7,127 posts
  • Gender:Female
  • Location:Belgium

Quote

I have always thought that antivirus programs slow down your computer a lot, but this isn't the case?
Ehm, so you prefer malware instead? Please read this:

http://miekiemoes.blogspot.com/2008/08/i-d...use-i-have.html
http://miekiemoes.blogspot.com/2008/06/top...nt-want-to.html

Then you'll understand why it is so important to have an Antivirus.

Can you also post a new HijackThis log?
Mieke Verburgh
Assistant Director of Research


#18
SouthPark

    New Member

  • Members
  • Pip
  • 14 posts
  • Gender:Female
  • Location:Monaco
Of course I don't prefer malware instead... :D
Here is the HijackThis log: (thanks :P)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:33:02, on 17/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\sol.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blinde-kuh.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155926468247
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6346 bytes


#19
miekiemoes

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

This looks OK again. :P

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
Mieke Verburgh
Assistant Director of Research


#20
SouthPark

    New Member

  • Members
  • Pip
  • 14 posts
  • Gender:Female
  • Location:Monaco
Hey,
I've deleted Combofix. After having done this, I scanned my laptop again using Avira anti-virus.
Here is the log, in case you might need it :P (unfortunately still not gone!)
Avira AntiVir Personal
Report file date: 17 April 2009  22:08

Scanning for 1355927 virus strains and unwanted programs.

Licensee		: Avira AntiVir Personal - FREE Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform		: Windows XP
Windows version : (Service Pack 3)  [5.1.2600]
Boot mode	   : Normally booted
Username		: SYSTEM
Computer name   : ANNI

Version information:
BUILD.DAT	   : 9.0.0.387	 17962 Bytes  24/03/2009 11:04:00
AVSCAN.EXE	  : 9.0.3.3	  464641 Bytes  24/02/2009 10:13:26
AVSCAN.DLL	  : 9.0.3.0	   40705 Bytes  27/02/2009 08:58:24
LUKE.DLL		: 9.0.3.2	  209665 Bytes  20/02/2009 09:35:49
LUKERES.DLL	 : 9.0.2.0	   12033 Bytes  27/02/2009 08:58:52
ANTIVIR0.VDF	: 7.1.0.0	15603712 Bytes  27/10/2008 10:30:36
ANTIVIR1.VDF	: 7.1.2.12	3336192 Bytes  11/02/2009 18:33:26
ANTIVIR2.VDF	: 7.1.3.63	1588224 Bytes  16/04/2009 18:13:37
ANTIVIR3.VDF	: 7.1.3.72	  20992 Bytes  17/04/2009 18:13:37
Engineversion   : 8.2.0.148
AEVDF.DLL	   : 8.1.1.0	  106868 Bytes  27/01/2009 15:36:42
AESCRIPT.DLL	: 8.1.1.75	 373113 Bytes  17/04/2009 18:13:51
AESCN.DLL	   : 8.1.1.10	 127348 Bytes  17/04/2009 18:13:48
AERDL.DLL	   : 8.1.1.3	  438645 Bytes  29/10/2008 16:24:41
AEPACK.DLL	  : 8.1.3.14	 397685 Bytes  17/04/2009 18:13:47
AEOFFICE.DLL	: 8.1.0.36	 196987 Bytes  26/02/2009 18:01:56
AEHEUR.DLL	  : 8.1.0.119   1724791 Bytes  17/04/2009 18:13:44
AEHELP.DLL	  : 8.1.2.2	  119158 Bytes  26/02/2009 18:01:56
AEGEN.DLL	   : 8.1.1.36	 340341 Bytes  17/04/2009 18:13:39
AEEMU.DLL	   : 8.1.0.9	  393588 Bytes  09/10/2008 12:32:40
AECORE.DLL	  : 8.1.6.9	  176500 Bytes  17/04/2009 18:13:38
AEBB.DLL		: 8.1.0.3	   53618 Bytes  09/10/2008 12:32:40
AVWINLL.DLL	 : 9.0.0.3	   18177 Bytes  12/12/2008 06:47:59
AVPREF.DLL	  : 9.0.0.1	   43777 Bytes  05/12/2008 08:32:15
AVREP.DLL	   : 8.0.0.3	  155905 Bytes  20/01/2009 12:34:28
AVREG.DLL	   : 9.0.0.0	   36609 Bytes  05/12/2008 08:32:09
AVARKT.DLL	  : 9.0.0.1	  292609 Bytes  09/02/2009 05:52:24
AVEVTLOG.DLL	: 9.0.0.7	  167169 Bytes  30/01/2009 08:37:08
SQLITE3.DLL	 : 3.6.1.0	  326401 Bytes  28/01/2009 13:03:49
SMTPLIB.DLL	 : 9.2.0.25	  28417 Bytes  02/02/2009 06:21:33
NETNT.DLL	   : 9.0.0.0	   11521 Bytes  05/12/2008 08:32:10
RCIMAGE.DLL	 : 9.0.0.21	2438401 Bytes  09/02/2009 09:45:45
RCTEXT.DLL	  : 9.0.35.0	  87297 Bytes  11/03/2009 13:55:12

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, 
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 17 April 2009  22:08

Starting search for hidden objects.
'41990' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ONENOTEM.EXE' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'pctsTray.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'sm56hlpr.exe' - '1' Module(s) have been scanned
Scan process 'SoundMan.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'pctsSvc.exe' - '1' Module(s) have been scanned
Scan process 'pctsAuxs.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
34 processes with 34 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '65' files ).


Starting the file scan:

Begin scan in 'C:\' <444564>
C:\pagefile.sys
	[WARNING]   The file could not be opened!
	[NOTE]	  This file is a Windows system file.
	[NOTE]	  This file cannot be opened for scanning.
C:\Program Files\Common Files\Enterbrain\RGSS\Standard\Graphics.exe
  [0] Archive type: CAB SFX (self extracting)
	--> Graphics\Animations\002-Action02.png
	  [WARNING]   No further files can be extracted from this archive. The archive will be closed
	[WARNING]   No further files can be extracted from this archive. The archive will be closed
C:\RECYCLER\S-1-5-21-1801674531-2111687655-839522115-1005\Dc1.vir
	[DETECTION] Is the TR/Agent2.hoy Trojan

Beginning disinfection:
C:\RECYCLER\S-1-5-21-1801674531-2111687655-839522115-1005\Dc1.vir
	[DETECTION] Is the TR/Agent2.hoy Trojan
	[NOTE]	  The file was moved to '4a19f00a.qua'!


End of the scan: 17 April 2009  23:07
Used time: 55:06 Minute(s)

The scan has been done completely.

   7252 Scanned directories
 358154 Files were scanned
	  1 Viruses and/or unwanted programs were found
	  0 Files were classified as suspicious
	  0 files were deleted
	  0 Viruses and unwanted programs were repaired
	  1 Files were moved to quarantine
	  0 Files were renamed
	  1 Files cannot be scanned
 358152 Files not concerned
   3229 Archives were scanned
	  3 Warnings
	  2 Notes
  41990 Objects were scanned with rootkit scan
	  0 Hidden objects were found
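A small parser for the Avira AntiVir report layout quoted in the posts above, added here as an example (it is not part of the thread and not Avira's own tooling): it counts an object listed under both the scan phase and "Beginning disinfection" only once, checks the report's own totals against the itemised lines, and separates hits inside ComboFix's Qoobox quarantine or System Restore points from hits at live paths. The sample report, its paths and quarantine ids are constructed, and the inert-location rule is an assumption of this example, not an Avira classification.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Avira AntiVir 9 reports posted in this thread;
# the paths and quarantine ids are made up and do not come from any real machine.
SAMPLE_REPORT = """\
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\examplea.dll.vir
\t[DETECTION] Is the TR/Trash.Gen Trojan
C:\\WINDOWS\\system32\\drivers\\exampledrv.sys
\t[DETECTION] Is the TR/Crypt.XDR.Gen Trojan

Beginning disinfection:
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\examplea.dll.vir
\t[DETECTION] Is the TR/Trash.Gen Trojan
\t[NOTE]\t  The file was moved to '00000001.qua'!
C:\\WINDOWS\\system32\\drivers\\exampledrv.sys
\t[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
\t[NOTE]\t  The file was moved to '00000002.qua'!

\t  2 Viruses and/or unwanted programs were found
\t  2 Files were moved to quarantine
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                        # unindented line naming the scanned object
DETECT_RE = re.compile(r"^\s+\[DETECTION\]\s+Is the (\S+)")   # first token is the family, e.g. TR/Trash.Gen
MOVED_RE = re.compile(r"^\s+\[NOTE\]\s+The file was moved to '([^']+)'!")
SUMMARY_RE = re.compile(r"^\s*(\d+) (Viruses and/or unwanted programs were found|Files were moved to quarantine)")
# Assumed triage rule (not an Avira classification): copies inside ComboFix's Qoobox
# quarantine, in System Restore points, or renamed to .vir are already inert.
INERT_RE = re.compile(r"\\qoobox\\quarantine\\|\\system volume information\\_restore|\.vir$", re.I)

def parse_report(text: str):
    """Return (family by path, quarantine id by path, summary counts) for one report."""
    family: dict[str, str] = {}
    moved: dict[str, str] = {}
    summary: dict[str, int] = {}
    current = None
    for line in text.splitlines():
        if PATH_RE.match(line):
            current = line.rstrip()  # indented [DETECTION]/[NOTE] lines that follow belong to it
        elif (m := DETECT_RE.match(line)) and current:
            family[current] = m.group(1)  # listed in both scan and disinfection phase: counts once
        elif (m := MOVED_RE.match(line)) and current:
            moved[current] = m.group(1)
        elif m := SUMMARY_RE.match(line):
            summary[m.group(2)] = int(m.group(1))
    return family, moved, summary

def reconcile(text: str) -> dict:
    """Check the report's own totals against the itemised lines and triage hits by location."""
    family, moved, summary = parse_report(text)
    return {
        "families": dict(Counter(family.values())),
        "live": sorted(p for p in family if not INERT_RE.search(p)),
        "inert": sorted(p for p in family if INERT_RE.search(p)),
        "found_matches_summary": len(family) == summary.get("Viruses and/or unwanted programs were found"),
        "moved_matches_summary": len(moved) == summary.get("Files were moved to quarantine"),
    }
```

Run `reconcile()` over a pasted report: an empty `live` list with matching totals means every hit was an already-quarantined copy, which is the situation the 21-detection log above shows.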
