Malwarebytes

Computer frozen by VunD1 trojan - please help

29 replies to this topic

#1
Katrine

    New Member

  • Members
  • 18 posts
Hi
I recently purchased Malwarebytes and all was going well.
On Tuesday a small Malwarebytes box appeared on my laptop; the message was as follows:
"Malwarebytes Anti-Malware has detected a malicious process attempting to start and has blocked all execution attempts from this process"
Then I had three options to choose from - Disable Protection, Ignore and Quarantine.
Trojan.VunD1 was named, and this location was given - C/windows/system32/wtsapi32.dll

However, my laptop was already frozen and I was unable to Quarantine the trojan, open Malwarebytes, or indeed perform any function at all. I had to manually close the laptop. I've reopened several times hoping to click on Quarantine before the freeze-up but have been unable to do so. Essentially I no longer have a computer. This post is being sent from my brother's computer. I contacted Malwarebytes but have received no answer.

Please help, I'm terminally ill and need access to my computer to order meds.
Many Thanks, Katrine

#2
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,523 posts
  • Gender:Male
  • Location:Fortville, IN
Please follow the instructions at the link below to start your computer in Safe Mode With Networking:
http://www.computerh...sues/chsafe.htm

After starting your computer in Safe Mode With Networking, please update Malwarebytes' Anti-Malware, run a Quick Scan, delete anything it finds, and then copy and paste the log into a reply.

Quote

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...

#3
Katrine


GT500, on Nov 3 2009, 04:33 AM, said:

Please follow the instructions at the link below to start your computer in Safe Mode With Networking:
http://www.computerh...sues/chsafe.htm

After starting your computer in Safe Mode With Networking, please update Malwarebytes' Anti-Malware, run a Quick Scan, delete anything it finds, and then copy and paste the log into a reply.

Hi
Thanks for your advice.
It took many tries to get booted as you suggested, but I finally succeeded. I then tried to open Malwarebytes to update and got this message:
"Error Code 703(0,13)" and was told to report it to the support team.

What do I do now?
Katrine

#4
GT500

Restart your computer normally, and then download ComboFix from the link below, save it on your desktop, run it, and copy and paste the log into a reply:
http://download.blee...Bs/ComboFix.exe


#5
Katrine


GT500, on Nov 3 2009, 08:18 AM, said:

Restart your computer normally, and then download ComboFix from the link below, save it on your desktop, run it, and copy and paste the log into a reply:
http://download.blee...Bs/ComboFix.exe


Hi
Things aren't going well.
When I first opened the computer in normal mode, a small box appeared saying that Malwarebytes had been terminated unexpectedly [I don't know when this message was referring to], but I had the option of pressing OK to get a log of the events. I thought that would be helpful and pressed OK. But no log appeared and nothing happened except the computer froze up again. I manually closed down.
Tried to restart normally, and was back to the message from my first post, re the trojan, and the computer was totally frozen again. Closed down manually.
Then returned to your initial instruction about starting in Safe Mode with Networking. That seemed successful. Then tried to start in normal mode to download Combofix. That seemed to work too, and no Malware messages appeared this time. ComboFix is saved to my desktop. However, when I tried to run Combofix, a small message appeared saying not all pages could be installed, and to reboot the computer to complete installation. Did that, and went straight back to the original message about the trojan and a frozen computer. Sigh.
I've now been through the restart in Safe Mode, then restart in normal mode cycle 6 times - with NO success. Sorry, but I'm back where I started when I first posted - Malware message re trojan and a frozen computer.

Any advice?
Thanks, Katrine

#6
Katrine

Hi
Could I please have some assistance with this problem.
Due to health issues, time is of the essence.

#7
GT500

Please start your computer in Safe Mode, run Malwarebytes' Anti-Malware, click on the 'Protection' tab, uncheck the box that says "Start with Windows", and then restart your computer. Once your computer is running normally, download a new copy of ComboFix from the link below, run it, and then copy and paste the log into a reply:
http://download.blee...Bs/ComboFix.exe


#8
Katrine


GT500, on Nov 5 2009, 07:04 AM, said:

Please start your computer in Safe Mode, run Malwarebytes' Anti-Malware, click on the 'Protection' tab, uncheck the box that says "Start with Windows", and then restart your computer. Once your computer is running normally, download a new copy of ComboFix from the link below, run it, and then copy and paste the log into a reply:
http://download.blee...Bs/ComboFix.exe


Started up in safe mode, but Malwarebytes WILL NOT OPEN as before, same error code given, 703(0.13)
I really need this problem fixed, I can't wait 48 for replies.
Could you possibly post several suggestions should the first one fail.

#9
GT500


Katrine said:

Started up in safe mode, but Malwarebytes WILL NOT OPEN as before, same error code given, 703(0.13)
I really need this problem fixed, I can't wait 48 for replies.
Could you possibly post several suggestions should the first one fail.

Was ComboFix also not able to run?

If not, then please download Rkill from one of the following four links:

Rkill EXE:
http://download.blee...inler/rkill.exe

Rkill COM:
http://download.blee...inler/rkill.com

Rkill SCR:
http://download.blee...inler/rkill.scr

Rkill PIF:
http://download.blee...inler/rkill.pif


Save one of those 4 onto your desktop and try to run it. If the infection blocks it, then try one of the others. After running it, please try to launch ComboFix, let it run through a scan, and send me the log file that it produces when it's done.


If you are unable to launch ComboFix, even after running Rkill, then please download RSIT from the link below, run it with the default options, and attach the 'log' and 'info' files to a reply:
http://images.malwar...random/RSIT.exe


#10
Katrine

Hi
Thanks for your reply and suggestions
Got started in safe mode and launched Combofix. It looked like it was going to run this time, but immediately detected AVG Free 9. Combofix instructed me to disable AVG protection before proceeding, but I've been unable to do so. I launched AVG and a box appeared saying "You can use AVG 9.0 Anti-Virus command line scanner only in Windows Safe Mode". Can't find any disable options. Then tried to uninstall AVG, and it won't uninstall.
Stuck at this point - unable to disable or remove AVG, and unable to run Combofix because of AVG.
What should I do?
Many thanks for your help
Katrine

#11
GT500

Attached to this message is a ZIP archive. There is a file inside the ZIP archive which is a simple fix to turn off the protection that is causing your computer to freeze on startup, and thus you will be able to start your computer normally, turn off AVG, and run ComboFix. Open the ZIP archive, and then double-click on the file inside it. It will ask you if you are sure you want to import it into your registry, so be sure to answer 'Yes', and then restart your computer after it says it's done. Your computer should start up normally without freezing. Turn off AVG, and run ComboFix. If all goes well, then copy and paste the contents of the log it shows you at the end into a reply.

Attached Files



#12
Katrine

Hi
I got your message with the zip file. Obviously, I'm reading it from my brother's computer. This is a HUGE problem.
Obviously I need to be able to download and install the zip file on my own computer, which is the one with the trojan.

Tried starting up in normal mode:
No malwarebytes warning message this time - seemed good.
No Combofix warning message this time - seemed good.
But no internet connection showing either - not good.
When cursor is moved around screen it is displaying as an arrow, but when it moves over the area of the screen where the original malwarebytes warning was, it becomes an egg-timer!!! Yep, the computer was frozen again. Will perform no functions, including launching Opera.

Tried starting up in Safe Mode:
No Malwarebytes warning message showed - seemed good.
No Combofix warning message showed - seemed good.
But, NO INTERNET CONNECTION.

I can't get onto this forum from the infected computer!!!! So I can't access or install the zip file you recommend!!!

This is driving me nuts!!!

Tried starting up again in normal mode, this time the original Malwarebytes warning message re the trojan appeared and the computer immediately froze up.
How do we get around this problem?

Thanks, Katrine

#13
GT500

Just try running ComboFix from Safe Mode, even though it says AVG is on. It should work OK.


#14
Katrine

Hi there
I managed to run combofix in safe mode, ignoring the AVG warnings as instructed. This is what happened:
Combofix warning appeared saying "This machine does not have Microsoft Windows Recovery Console installed. Without it Combofix shall not attempt the fixing of some serious infections" Click Yes to have Combofix download and install it. NOTE this requires an active internet connection.

Had to Click No, as I have no internet connection in safe mode [or normal mode].
However, Combofix Autoscan continued, and I now have a log.
How on earth do I get the log to you???? Still no internet connection remember.

Is there a way to establish an internet connection in safe mode?

Many Thanks, Katrine

#15
Katrine

YAY Success:)

Managed to start up in Safe Mode with Networking and got an internet connection.
So at last, here is the Combofix log:

ComboFix 09-11-03.01 - User 06/11/2009 19:32.1.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.723 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-10-27 17:24 . 2009-10-27 17:24 -------- d-----w- c:\documents and settings\User\Application Data\AVG8
2009-10-26 19:51 . 2009-10-26 19:55 -------- d-----w- C:\$AVG
2009-10-26 19:49 . 2009-11-05 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 17:58 . 2008-08-29 19:55 -------- d-----w- c:\documents and settings\User\Application Data\HPAppData
2009-10-27 17:34 . 2007-11-04 02:27 -------- d-----w- c:\program files\Lavasoft
2009-10-27 17:13 . 2007-11-04 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-26 20:07 . 2008-08-27 19:24 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-26 19:50 . 2008-08-27 19:24 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-26 19:50 . 2008-08-27 19:24 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-26 19:50 . 2008-08-27 19:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-26 19:49 . 2008-08-06 18:52 -------- d-----w- c:\program files\AVG
2009-10-17 21:09 . 2007-08-22 11:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-28 16:34 . 2009-09-09 19:04 -------- d-----w- c:\documents and settings\User\Application Data\eBookPro6
2009-09-11 19:09 . 2009-07-23 07:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 13:54 . 2009-07-23 07:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-07-23 07:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-05 18:05 . 2007-08-30 14:41 47224 -c--a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-26 2010904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-26 19:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R2 MTC0005_MTCDIO;Wireless HotKey Driver;c:\windows\system32\drivers\MTCDIO.sys [22/09/2003 09:04 11316]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [22/08/2007 11:36 68224]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/08/2008 19:24 333192]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27/08/2008 19:24 360584]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [26/10/2009 19:49 906520]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [26/10/2009 19:49 285392]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [23/07/2009 07:12 269648]
S2 MTCDIO;MTCDIO;c:\windows\system32\drivers\MTCDIO.sys [22/09/2003 09:04 11316]
S3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys --> c:\windows\system32\Drivers\ov550i.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [23/07/2009 07:12 19160]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\Malwarebytes' Scheduled Update for User.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-07-23 13:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.f271.mail.yahoo.com/dc/launch?.rand=cr7pbc9qsprvi
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
DPF: PackageCab - hxxp://www.imgag.com/cp/install/AxCtp2.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-Device Detector - DevDetect.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 19:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1592)
c:\windows\system32\WININET.dll
.
Completion time: 2009-11-06 19:42
ComboFix-quarantined-files.txt 2009-11-06 19:41

Pre-Run: 4,354,539,520 bytes free
Post-Run: 8,018,272,256 bytes free

#16
Katrine

Hmmm... I'm totally confused. I posted the Combofix log from the problematic computer, and it shows up on the forum when viewed from this computer, BUT when I look on the forum from my brother's computer [which I usually have to use] the post of the log doesn't show up!!!!!
Have I actually managed to post the Combofix log? Can anyone other than me see it???

Thanks Katrine

#17
GT500

I can see the log. Probably just a cache issue on your brother's computer. :)


#18
GT500

OK, this should allow you to start your computer without it freezing:
I have attached a file to this message called CFScript.txt which will tell ComboFix how to remove some of the bad things I saw in your ComboFix log. Please save CFScript onto your desktop, and then download a fresh copy of ComboFix from the link below, and make sure to save it on your desktop as well. Once you have both CFScript and ComboFix saved to your desktop, hold down the left mouse button on top of the icon for CFScript, and drag it on top of the ComboFix icon, and then let go. This should start ComboFix again. Make sure, when it finishes, to attach the new log to a reply so that I can verify that it deleted what it was supposed to.
http://download.blee...Bs/ComboFix.exe

Attached File  CFScript.txt   176bytes   35 downloads

After running that, your computer should restart, and then start up normally. If it does not freeze, then you need to perform the following steps:
  • Disable AVG for the time being.
  • Run Malwarebytes' Anti-Malware.
  • Click on the 'Update' tab.
  • Click the button to check for updates.
  • Once it's done getting updates, run a Quick Scan.
  • Remove anything it finds.
  • Copy and paste the log into a reply.
  • You can turn AVG back on after sending me the log.


#19
Katrine

Hi

I've had some success. Managed to download CFScript and followed your instructions for running the newly downloaded Combofix.
This is the scan log:

ComboFix 09-11-03.01 - User 07/11/2009 2:02.2.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.786 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MBAMPROTECTOR
-------\Service_MBAMProtector


((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-10-27 17:24 . 2009-10-27 17:24 -------- d-----w- c:\documents and settings\User\Application Data\AVG8
2009-10-26 19:51 . 2009-10-26 19:55 -------- d-----w- C:\$AVG
2009-10-26 19:49 . 2009-11-05 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 23:05 . 2008-08-29 19:55 -------- d-----w- c:\documents and settings\User\Application Data\HPAppData
2009-10-27 17:34 . 2007-11-04 02:27 -------- d-----w- c:\program files\Lavasoft
2009-10-27 17:13 . 2007-11-04 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-26 20:07 . 2008-08-27 19:24 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-26 19:50 . 2008-08-27 19:24 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-26 19:50 . 2008-08-27 19:24 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-26 19:50 . 2008-08-27 19:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-26 19:49 . 2008-08-06 18:52 -------- d-----w- c:\program files\AVG
2009-10-17 21:09 . 2007-08-22 11:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-28 16:34 . 2009-09-09 19:04 -------- d-----w- c:\documents and settings\User\Application Data\eBookPro6
2009-09-11 19:09 . 2009-07-23 07:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 13:54 . 2009-07-23 07:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-07-23 07:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-05 18:05 . 2007-08-30 14:41 47224 -c--a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-06_19.39.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-07 02:11 . 2009-11-07 02:11 16384 c:\windows\temp\Perflib_Perfdata_c9c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-26 2010904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-26 19:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/08/2008 19:24 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27/08/2008 19:24 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [26/10/2009 19:49 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [26/10/2009 19:49 285392]
R2 MTC0005_MTCDIO;Wireless HotKey Driver;c:\windows\system32\drivers\MTCDIO.sys [22/09/2003 09:04 11316]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [22/08/2007 11:36 68224]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [23/07/2009 07:12 269648]
S2 MTCDIO;MTCDIO;c:\windows\system32\drivers\MTCDIO.sys [22/09/2003 09:04 11316]
S3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys --> c:\windows\system32\Drivers\ov550i.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\Malwarebytes' Scheduled Update for User.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-07-23 13:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.f271.mail.yahoo.com/dc/launch?.rand=cr7pbc9qsprvi
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
DPF: PackageCab - hxxp://www.imgag.com/cp/install/AxCtp2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 02:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3052)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-11-07 2:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-07 02:16
ComboFix2.txt 2009-11-06 19:42

Pre-Run: 8,002,076,672 bytes free
Post-Run: 6,864,814,080 bytes free


At the end of the scan the computer did reboot on its own, and I tried to follow the rest of your instructions.
AVG is disabled, but Malwarebytes would not run. I got the same error message I have had since this trojan problem started, Error Code 703(0.13).

Hope the new log helps, but I've no idea how to get Malwarebytes open, running and updated.

Many Thanks, Katrine
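
The two ComboFix logs posted in this thread differ in their autostart sections: the mbamgui entry under the HKLM Run key and the MBAMProtector driver present in the first log are absent from the second, the AVG drivers moved from S (stopped) to R (running) because the second run was done in Safe Mode with Networking, and Lbd.sys is listed with `[?]` because ComboFix could not find the file on disk. The following Python script is an added example, not ComboFix's or Malwarebytes' own code: it parses the Run-key and service lines of a ComboFix-style log and diffs two runs so that removals, additions, state changes and orphaned services can be read off instead of compared by eye. The regular expressions, the reading of the R/S prefix and start-type digit, and the treatment of `[?]` as a missing image file are this example's assumptions; the embedded excerpts are trimmed copies of lines from the two logs above.

```python
"""Parse the autostart sections of ComboFix-style logs and diff two runs.

Added example for this thread, not ComboFix's or Malwarebytes' own code.
The excerpts below are trimmed copies of lines from the two logs posted in
the thread; the regexes and status-code reading are this example's assumptions.
"""
import re

# Excerpt modelled on the first ComboFix log (Safe Mode, before CFScript).
LOG_BEFORE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-26 2010904]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/08/2008 19:24 333192]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [23/07/2009 07:12 269648]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [23/07/2009 07:12 19160]
"""

# Excerpt modelled on the second log (Safe Mode with Networking, after CFScript).
LOG_AFTER = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-26 2010904]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/08/2008 19:24 333192]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [23/07/2009 07:12 269648]
"""

# A registry key header such as [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
# A Run-key value: "name"="path" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]$')
# A service/driver line: <R|S><start type> <service>;<display name>;<image path> [<meta>]
# Assumed reading: R = running, S = stopped; the digit is the start type (0 boot .. 4 disabled).
SVC_RE = re.compile(
    r"^(?P<state>[RS][0-4]) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<resolved>.+?))? \[(?P<meta>[^\]]*)\]$"
)


def parse_log(text):
    """Return {'run': {(key, name): path}, 'services': {svc: (state, path, missing)}}."""
    run, services, current_key = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m and current_key:
            run[(current_key, m.group("name"))] = m.group("path")
            continue
        m = SVC_RE.match(line)
        if m:
            # "[?]" in place of the date/size is read here as "image file not found":
            # the service is still registered but its binary is gone (an orphan).
            missing = m.group("meta").strip() == "?"
            services[m.group("svc")] = (m.group("state"), m.group("path"), missing)
    return {"run": run, "services": services}


def diff_logs(before, after):
    """Summarise autostart changes between two raw log texts."""
    b, a = parse_log(before), parse_log(after)
    changes = {
        "run_removed": sorted(name for (_, name) in b["run"].keys() - a["run"].keys()),
        "run_added": sorted(name for (_, name) in a["run"].keys() - b["run"].keys()),
        "svc_removed": sorted(b["services"].keys() - a["services"].keys()),
        "svc_added": sorted(a["services"].keys() - b["services"].keys()),
        "svc_state_changed": {},
        "orphans_after": sorted(s for s, (_, _, missing) in a["services"].items() if missing),
    }
    for svc in b["services"].keys() & a["services"].keys():
        old, new = b["services"][svc][0], a["services"][svc][0]
        if old != new:
            changes["svc_state_changed"][svc] = (old, new)
    return changes


def report(before, after):
    """Print only the non-empty change categories and return the full diff."""
    changes = diff_logs(before, after)
    for label, items in changes.items():
        if items:
            print(f"{label}: {items}")
    return changes


if __name__ == "__main__":
    report(LOG_BEFORE, LOG_AFTER)
```

Run stand-alone, the script reports the removed Run entry and the removed MBAMProtector service, the AvgLdx86 transition from S1 to R1, and Lbd as a service whose image file is missing; feeding it the full logs instead of the excerpts works the same way, since lines that match none of the three patterns are ignored.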

#20
GT500

OK, error code 703 is being caused because AVG broke our software. The ComboFix log isn't showing the file that Malwarebytes' Anti-Malware was complaining about, so I can't say if it is still there or not.

Before we attempt to fix Malwarebytes' Anti-Malware, we need to add some exclusions to AVG. This won't solve all of the issues, as AVG is breaking our database regardless of exclusions, but this will help to cut down on future conflicts once they get this current issue fixed. Here are the files that need to be added to the exclusions list in AVG:
  • C:\WINDOWS\system32\drivers\mbam.sys
  • C:\WINDOWS\system32\drivers\mbamswissarmy.sys
  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

After adding those exclusions, please run an online virus scan through ESET. Here are the steps:
  • Turn off AVG.
  • Click on this link.
  • Click on the "ESET Online Scanner" button.
  • Put a check in the box that says "YES, I accept the Terms of Use."
  • Click the 'Start' button just to the right of the checkbox.
  • Uncheck the box that says "Remove found threats" (this is very important).
  • Click on "Advanced settings".
  • Put a check in the box that says "Scan for potentially unsafe applications".
  • Verify that "Scan for potentially unwanted applications" is also checked.
  • Verify that "Enable Anti-Stealth technology" is also checked.
  • Click the 'Start' button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop, and then copy and paste it into a reply for me.
  • Close the ESET online scan.

I will take a look at the log, and let you know if anything needs to be removed.





