NOTE: mbam.exe will not run unless I change the name. Also, from my original post:
I scanned my computer 10 times yesterday and it keeps showing "UAC" in the registry and uacinit.dll in the windows/system32 folder. I click Remove, the computer restarts, I perform a new search and they are still there.
When I search for the registry key or the file, neither of them is found. I am doing this before I perform the FIX in Malwarebytes - it's like they are invisible.
Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3
6/2/2009 10:25:16 PM
mbam-log-2009-06-02 (22-25-16).txt
Scan type: Quick Scan
Objects scanned: 79675
Time elapsed: 3 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:18 PM, on 6/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wudfhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {EF9FDE2E-EF00-4952-A0FA-4AAA872594B3} - (no file)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://zone.msn.com
O15 - Trusted Zone: http://www.pcpitstop.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166333742281
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valu...ashax/iefax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF2B44AE-AAB6-4518-91F5-14966D0E9F3D}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 6260 bytes
#1
Posted 03 June 2009 - 08:48 PM
#2
Posted 04 June 2009 - 12:46 AM
Attached are the other files being requested by the pinned messages.
Thanks
#3
Posted 06 June 2009 - 01:48 PM
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#4
Posted 06 June 2009 - 04:59 PM
miekiemoes, on Jun 6 2009, 06:48 AM, said:
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Thanks for your help, below is the combofix log file:
ComboFix 09-06-05.07 - Dinah J. Lackman 06/06/2009 9:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1085 [GMT -7:00]
Running from: c:\documents and settings\Dinah J. Lackman\Desktop\ComboBroke.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\CJmmlnmp.ini
c:\windows\system32\CJmmlnmp.ini2
c:\windows\system32\clxivqcv.ini
c:\windows\system32\drivers\UACftbsibpenciqhjv.sys
c:\windows\system32\qodlytcy.ini
c:\windows\system32\UACccblqciksniywcy.log
c:\windows\system32\UACcqottwsrvmexisl.dll
c:\windows\system32\UACdaavvfghosaqxjt.log
c:\windows\system32\UACdwgathkusquygdl.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClfcigeyudgxxyhl.dat
c:\windows\system32\UAClhurkqjaffdwkcp.dll
c:\windows\system32\UACloyqhvifjewdxtt.dll
c:\windows\system32\UACnexswbjicpkoxvq.dll
c:\windows\system32\UACnggkblvbyatsxws.db
c:\windows\system32\UAColyssgoumskvoky.dll
c:\windows\system32\UACuatoosushgkkhhy.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-05-06 to 2009-06-06 )))))))))))))))))))))))))))))))
.
2009-06-03 19:16 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 19:16 . 2009-06-03 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-03 19:16 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 19:01 . 2009-06-03 19:01 -------- d-----w- c:\program files\Trend Micro
2009-06-03 18:50 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-03 18:50 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-03 18:50 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-03 18:50 . 2009-06-03 18:50 -------- d-----w- c:\program files\Avira
2009-06-03 18:50 . 2009-06-03 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-03 07:27 . 2009-06-03 07:27 -------- d-----w- c:\documents and settings\Dinah J. Lackman\Application Data\My Battle for Middle-earth II Files
2009-06-03 06:50 . 2009-06-03 06:50 -------- d-----w- c:\program files\Electronic Arts
2009-06-03 02:19 . 2009-06-03 02:19 -------- d-----w- c:\documents and settings\Dinah J. Lackman\Application Data\Malwarebytes
2009-06-03 02:09 . 2009-06-03 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-02 18:56 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-01 19:28 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-01 19:28 . 2009-04-03 18:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-01 19:28 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-01 19:28 . 2009-06-01 19:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-01 19:28 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-01 19:28 . 2009-06-01 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-01 19:28 . 2009-06-05 18:55 -------- d-----w- c:\program files\Spyware Doctor
2009-06-01 19:28 . 2009-06-01 19:28 -------- d-----w- c:\documents and settings\Dinah J. Lackman\Application Data\PC Tools
2009-06-01 18:54 . 2009-06-01 18:54 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-01 18:54 . 2009-06-01 18:54 -------- d-----w- c:\program files\MSBuild
2009-06-01 18:54 . 2009-06-01 18:54 -------- d-----w- c:\program files\Reference Assemblies
2009-06-01 18:53 . 2009-06-01 18:54 -------- d-----w- C:\35b7bd3dd9ef74cba0a4b04792b2
2009-06-01 18:53 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-01 18:53 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-01 18:53 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-01 18:53 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-01 18:53 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-01 18:53 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-01 18:53 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-01 18:53 . 2009-06-01 19:13 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-01 18:29 . 2009-06-01 18:29 -------- d-sh--w- c:\documents and settings\Dinah J. Lackman\PrivacIE
2009-06-01 18:29 . 2009-06-01 18:29 -------- d-sh--w- c:\documents and settings\Dinah J. Lackman\IECompatCache
2009-06-01 18:26 . 2009-06-01 18:26 -------- d-sh--w- c:\documents and settings\Dinah J. Lackman\IETldCache
2009-06-01 18:25 . 2009-06-01 18:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-01 18:20 . 2009-06-01 18:20 -------- d-----w- c:\windows\ie8updates
2009-06-01 18:18 . 2009-06-01 18:19 -------- dc-h--w- c:\windows\ie8
2009-06-01 18:16 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-01 05:23 . 2009-06-01 05:23 -------- d-----w- c:\program files\AVG
2009-06-01 02:51 . 2009-06-01 02:51 -------- d-----w- c:\program files\CCleaner
2009-06-01 02:37 . 2009-06-01 02:37 -------- d-----w- c:\documents and settings\Dinah J. Lackman\Application Data\RegClean
2009-05-14 20:15 . 2009-05-14 20:15 -------- d-----w- c:\documents and settings\Dinah J. Lackman\Saved Games
2009-05-14 20:15 . 2009-05-14 20:15 -------- d-----w- c:\documents and settings\Dinah J. Lackman\Local Settings\Application Data\Oberon Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-06 16:50 . 2006-12-29 01:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-01 02:35 . 2006-12-29 01:54 -------- d-----w- c:\program files\MSN Games
2009-05-14 21:17 . 2009-03-07 06:57 -------- d-----w- c:\program files\Oberon Media
2009-05-10 18:28 . 2008-07-04 00:36 -------- d-----w- c:\documents and settings\Dinah J. Lackman\Application Data\My Battle for Middle-earth Files
2009-04-14 21:09 . 2009-04-14 21:09 380928 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\p\pickuntilcollectbonus_tggg.e66cbfaf93bc06e345be6dacdf926516.dll
2009-04-14 21:09 . 2009-04-14 21:09 499984 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\greatgalaxycasinobonus.55dde164a6c32cf7a5be1bb8e3746043.dll
2009-04-14 20:57 . 2009-04-14 20:57 483600 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\h\hilowbonus_tggg.10cdcb3e64c301c60db4d11d2d7781a4.dll
2009-04-14 20:57 . 2009-04-14 20:57 561424 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickuntilbonus_tggg.ca9a61a09a35dc0843cc68f532694746.dll
2009-04-14 20:56 . 2009-04-14 20:56 266512 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_tggg.399218aff849d2e187d4554dd62a73b6.dll
2009-04-14 20:56 . 2009-04-14 20:56 524560 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_tggg.f8ba0ccac248b6026b2705996790640a.dll
2009-04-14 20:56 . 2009-04-14 20:56 1904753 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_tggg.6e62948f458013fa99694cc031068e8a.dll
2009-04-14 20:56 . 2009-04-14 20:56 1249399 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_tggg.a33335318f7b89139ecd4652b6e8c4b9.dll
2009-04-14 20:56 . 2009-04-14 20:56 307472 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2_tggg.436ea9e59e2a2b9a2106e598920cba26.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-11-23 1060864]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG311v3 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG311v3 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG311v3 Smart Wizard.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebClient"=2 (0x2)
"TrkWks"=2 (0x2)
"Browser"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"idsvc"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth II\\game.dat"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth \\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth II\\patchget.dat"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth \\patchget.dat"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:Real VNC
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/1/2009 12:28 PM 130936]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/3/2009 11:50 AM 108289]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/1/2009 12:28 PM 348752]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -
BHO-{EF9FDE2E-EF00-4952-A0FA-4AAA872594B3} - (no file)
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: aol.com\free
Trusted Zone: msn.com\zone
Trusted Zone: pcpitstop.com\www
TCP: {DF2B44AE-AAB6-4518-91F5-14966D0E9F3D} = 205.171.3.65,205.171.2.65
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-06 09:50
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\MrvGINA.dll
- - - - - - - > 'Explorer.exe'(3172)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\NETGEAR\WG311v3\WinDomainlogon.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\NETGEAR\WG311v3\WinDomainlogon.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-06 9:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-06 16:56
Pre-Run: 10,267,136,000 bytes free
Post-Run: 10,318,991,360 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
221 --- E O F --- 2009-06-01 18:58
#5
Posted 06 June 2009 - 07:41 PM
Hi,
* Go to start > run and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
Let me know in your next reply how things are now.
#6
Posted 09 June 2009 - 05:27 PM
Hello,
I believe this fixed the problem.
Thank You VERY MUCH for your assistance.
Chuck
#7
Posted 09 June 2009 - 07:52 PM
Glad I could help. 
Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Happy Surfing again!
#8
Posted 20 June 2009 - 01:07 PM
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.