I hope it's ok to ask you this. I didn't see anywhere else I could post. I finally got to a point where I could run Malwarebytes after several days.
Upon running the software several times I noticed it kept coming up with two repeat offenders. Trojan.agent and some type of registry issue.
I kept trying to remove them over a period of several days after getting rid of System Security 2009. My computer ran fine for a few days but then rebooted itself two days ago and although I have run several pieces of recommended software I still seem to be infected.
Now the browser won't open or when it does I still get the virus software pop ups and redirects. There also seemed to be another search bar at
the top of the browser with a little Microsoft symbol but it was never there before.

I don't know what else to do. I still cannot boot to safe mode, I can't even reinstall Windows. Can you help me?

Thanks so much!

Hi ya,

I have snipped PM advice as would be confusing

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Click Yes to allow ComboFix to continue scanning for malware.
• When the tool is finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Sorry for the confusion. I loaded Combofix on my Desktop, clicked on it, hit run....nothing happened for over 15 minutes.....I tried it again. Nothing. Any more suggestions? Everything is running but I know that Trojan.agent and Rootkit.trace are still there. My browser is running fine at this moment because before I turned everything off to run Combofix it had blocked something trying to get on my computer and I elected to have it permanantly blocked in the future. I have not rebooted though since then. That's the latest I can tell you. Any more suggestions? Thanks so much.

Hi ya,

Please boot into safe mode and attempt to run ComboFix from there.

I'm actually not sure I can boot in to safe mode. I haven't been able to but I will give it a try this evening.

Again, my thanks.

I tried to boot to safe mode but as I thought my computer won't do that. I have updated Malwarebytes and still the only two things to show up are Trojan.agent and Rootkit.trace.

Sometimes my computer boots, sometimes it locks up on the desktop and I need to reboot. Sometimes the browser will close by it's self.

I'm open to suggestions. Thanks so much for the help.

PS. I read some of the articles your forums point to. I know how I got this virus. Through a codec. What an idiot i was. :-(

Forgot to add this...

Malwarebytes' Anti-Malware 1.39
Database version: 2523
Windows 5.1.2600 Service Pack 3

7/28/2009 4:26:56 PM
mbam-log-2009-07-28 (16-26-56).txt

Scan type: Quick Scan
Objects scanned: 97312
Time elapsed: 1 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
I:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Ok RootRepeal has just been updated so would like to try that angle of attack again to see if we can attack the rootkit with that.

Download Rootrepeal 1.3.3>>>
http://rootrepeal.googlepages.com/

Extract the file and run rootrepeal.exe

Click on report tab on the bottom right of the software then press scan

Put at check(Tick) in all box's except the 2 SSDT option's then press OK

Place a check(Tick) in drive to be scanned(Usually you will only have to select C).

Please save the logfile generated and copy and paste the contents of that log into your next reply.

It worked

Here is what I came up with.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/28 17:37
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: I:\WINDOWS\system32\UACbqbrfwofmxdulhbxv.dll
Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\UACetjmukeshaxivrtnk.db
Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\UAChqipyiuwykltuqrdh.dll
Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\UACllrvxvkbwjpnbgpwy.dll
Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\UACndjitmairulteppjw.dll
Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\UACpyqbitltmoiopjqga.dat
Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\UACuniorjihvmwidjary.dll
Status: Invisible to the Windows API!

Path: I:\WINDOWS\Temp\UACaf5a.tmp
Status: Invisible to the Windows API!

Path: I:\Program Files\ArcSoft\TotalMedia Extreme\uActivate.dll
Status: Invisible to the Windows API!

Path: I:\Program Files\ArcSoft\TotalMedia Extreme\uActivate.SET
Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys
Status: Invisible to the Windows API!

Path: i:\documents and settings\admin\local settings\temp\~df41d9.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: I:\Program Files\ArcSoft\TotalMedia Extreme\Digital Theatre\uActivate.dll
Status: Invisible to the Windows API!

Path: I:\Program Files\ArcSoft\TotalMedia Extreme\Digital Theatre\uActivate.SET
Status: Invisible to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log
Status: Locked to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log
Status: Locked to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log
Status: Locked to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log
Status: Locked to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgldr.log
Status: Locked to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log
Status: Locked to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log
Status: Locked to the Windows API!

Path: i:\documents and settings\admin\local settings\application data\ahead\nero home\is2.db-journal
Status: Allocation size mismatch (API: 512, Raw: 0)

Path: I:\Documents and Settings\Billy\Local Settings\Apps\2.0\389B0ZLN.GK6\PNKEV4VA.MLG\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: I:\Documents and Settings\Billy\Local Settings\Apps\2.0\389B0ZLN.GK6\PNKEV4VA.MLG\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Great here come's the bomb

Run Rootrepeal file scan only.

Highlight the following line and right click on it.Select *wipe file*

Path: I:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys
Status: Invisible to the Windows API!

Then reboot immediately!!

After rebooting please run MBAM quick scan.Allow it to delete what if inds and reboot again.

Please post back the log from that MBAM quickscan

Success!!!!! You are the bomb! I ran Rootrepeal and the culprit was exposed.

Here is the log. (I must add that when I rebooted Avira started killing files as Malwarebytes was finding them. I forgot to turn it off first. So this log might be incomplete.) I ran a second log after I rebooted. I thought you might want to see it as well. It had the Trojan.TDSS. I guess to be expected? I am running a deep scan right now with Malwarebytes.

Malwarebytes' Anti-Malware 1.39
Database version: 2524
Windows 5.1.2600 Service Pack 3

7/28/2009 8:05:10 PM
mbam-log-2009-07-28 (20-04-23).txt

Scan type: Full Scan (I:\|)
Objects scanned: 128550
Time elapsed: 20 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\rp2\A0001009.dll (Trojan.TDSS) -> No action taken.
i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\RP2\A0001010.dll (Trojan.TDSS) -> No action taken.
i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\RP2\A0001012.dll (Trojan.TDSS) -> No action taken.






Malwarebytes' Anti-Malware 1.39
Database version: 2523
Windows 5.1.2600 Service Pack 3

7/28/2009 7:33:17 PM
mbam-log-2009-07-28 (19-32-59).txt

Scan type: Quick Scan
Objects scanned: 97520
Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
i:\WINDOWS\system32\UACllrvxvkbwjpnbgpwy.dll (Trojan.TDSS) -> No action taken.
i:\WINDOWS\system32\UACndjitmairulteppjw.dll (Trojan.TDSS) -> No action taken.
i:\WINDOWS\system32\UACuniorjihvmwidjary.dll (Trojan.TDSS) -> No action taken.
i:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys (Trojan.Agent) -> No action taken.

If I have any major problems I will let you know. No more codecs for me. Hard lesson learned.

My wife and I would like to contribute to your hard work. Where can we do that?

Hi ya,

Works like a charm when the tech works,the trouble with these very advanced malwares is they know they cant hide from our tech so they have to result to dirty tricks to take us out the equation.

Victim of our own sucess unfortunetly,ok would like to see a couple more logs before i sound the all clear.

Can you please run ComboFix from regular mode as directed earliar.Now the rootkit is nuked it should be working again

Also can yopu post a HijackThis log.

Thanks in advance

Will do.

I have a few questions for you. Now I'm scared to death of fake viruses, etc. Where can I download HijackThis?

Also, Combo fix is still resident on my desktop. It is ok to use that one?

Hi yeah,

Yes that CF is good to use,run that routine first.

HiJackThis
[*]Please download this program Trend Micro HijackThis to your desktop.
[*]Double-click on it to run and install it.
[*]Then launch the program and click on Do a system scan and save a logfile. This log file will open in Notepad.
[*]Do not do anything with HJT at this point except copy and paste the contents of the log generated into a reply.

I will give you heaps of support info after we have finished cleaning your PC but first of all lets make sure it's clean then i can point you in the direction of how to secure and avoid malware etc

Awesome. Look forward to the advice and tips. Will run tonight. Heading out of town on business so if not tonight next week when I return. Very impressed with the professional help here.

I didn't have time for the Combofix but Hijackthis went fast. Here's the file. I'll try and check in during my trip.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:32 PM, on 7/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Avira\AntiVir Desktop\sched.exe
I:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
I:\Program Files\Avira\AntiVir Desktop\avguard.exe
I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
I:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\Program Files\Common Files\LightScribe\LSSrvc.exe
I:\PROGRA~1\AVG\AVG8\avgrsx.exe
I:\PROGRA~1\AVG\AVG8\avgnsx.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\Java\jre6\bin\jusched.exe
I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
I:\WINDOWS\RTHDCPL.EXE
I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
I:\Program Files\MSI\Live Update 3\LMonitor.exe
I:\Program Files\Nero\Nero 7\InCD\InCD.exe
I:\PROGRA~1\AVG\AVG8\avgtray.exe
I:\Program Files\Avira\AntiVir Desktop\avgnt.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Documents and Settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
I:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
I:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
I:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
I:\Program Files\Logitech\SetPoint\KEM.exe
I:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] I:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LiveMonitor] I:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [InCD] I:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "I:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SansaDispatch] I:\Documents and Settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] I:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "I:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ccleaner] "I:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [Advanced SystemCare 3] "I:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = I:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://I:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238224748875
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - I:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - I:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - I:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - I:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - I:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - I:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - I:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - I:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6495 bytes

Ok well nothing bad in the HJT log

ComboFix will dig a bit deeper + it will remove the orphaned service load value for the recently evicted Rootkit.So before we give you the green light would rather wait for that report first.

np if you cant do today just post it up when you get around to it

Well that's great news! I will run the other program when I get back in town.

You rock!!!

Hi!
I'm back and ready to run ComboFix but when I run it, it says it may be a tainted version. Can you give me the safest location for the file. It says I should download another copy before I run it.

Thanks

I found it...sorry. Here it is.

ComboFix 09-08-04.02 - Billy 08/04/2009 18:44.1.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2521 [GMT -5:00]
Running from: i:\documents and settings\Billy\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

i:\windows\system32\UACetjmukeshaxivrtnk.db
i:\windows\system32\UACpyqbitltmoiopjqga.dat

i:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_PCMSTUB
-------\Service_6to4
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
.

2009-07-29 20:26 . 2009-07-29 20:26 -------- d-----w- i:\program files\Trend Micro
2009-07-28 20:31 . 2009-07-03 17:09 594432 -c----w- i:\windows\system32\dllcache\msfeeds.dll
2009-07-28 20:31 . 2009-07-03 17:09 55296 -c----w- i:\windows\system32\dllcache\msfeedsbs.dll
2009-07-28 20:29 . 2009-07-28 20:29 -------- d-----w- i:\documents and settings\ADMIN\Application Data\Malwarebytes
2009-07-27 21:58 . 2009-07-29 00:21 15 ----a-w- i:\documents and settings\Billy\settings.dat
2009-07-27 00:43 . 2009-07-29 01:25 -------- d---a-w- i:\documents and settings\All Users\Application Data\TEMP
2009-07-25 21:09 . 2009-03-30 15:33 96104 ----a-w- i:\windows\system32\drivers\avipbb.sys
2009-07-25 21:09 . 2009-03-24 21:08 55640 ----a-w- i:\windows\system32\drivers\avgntflt.sys
2009-07-25 21:09 . 2009-02-13 17:29 22360 ----a-w- i:\windows\system32\drivers\avgntmgr.sys
2009-07-25 21:09 . 2009-02-13 17:17 45416 ----a-w- i:\windows\system32\drivers\avgntdd.sys
2009-07-25 21:09 . 2009-07-25 21:09 -------- d-----w- i:\program files\Avira
2009-07-25 21:09 . 2009-07-25 21:09 -------- d-----w- i:\documents and settings\All Users\Application Data\Avira
2009-07-25 13:33 . 2009-07-25 13:33 -------- d-----w- i:\documents and settings\ADMIN\Application Data\IObit
2009-07-25 13:24 . 2009-07-25 13:24 -------- d-sh--w- i:\documents and settings\ADMIN\PrivacIE
2009-07-24 22:00 . 2009-07-24 22:00 3775176 ----a-w- i:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-24 21:31 . 2001-08-23 12:00 4224 -c--a-w- i:\windows\system32\dllcache\beep.sys
2009-07-24 21:31 . 2001-08-23 12:00 4224 ----a-w- i:\windows\system32\drivers\beep.sys
2009-07-22 10:53 . 2009-07-25 22:51 -------- d-----w- i:\documents and settings\Billy\Application Data\IObit
2009-07-22 10:53 . 2009-07-22 10:53 -------- d-----w- i:\program files\IObit
2009-07-13 20:35 . 2009-07-13 20:35 -------- d-----w- i:\documents and settings\Billy\Application Data\Malwarebytes
2009-07-13 20:27 . 2009-07-13 20:27 3550592 ----a-w- I:\winlogon.exe.exe
2009-07-13 03:44 . 2009-07-13 03:44 3561752 ----a-w- I:\mbam-setup.exe
2009-07-13 03:06 . 2009-06-17 16:27 38160 ----a-w- i:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 03:06 . 2009-07-13 18:36 19096 ----a-w- i:\windows\system32\drivers\mbam.sys
2009-07-13 03:06 . 2009-07-13 03:06 -------- d-----w- i:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-13 03:02 . 2009-07-13 03:02 -------- d-----w- i:\program files\FileASSASSIN
2009-07-13 00:55 . 2009-07-03 14:49 15688 ----a-w- i:\windows\system32\lsdelete.exe
2009-07-13 00:13 . 2009-07-03 14:49 64160 ----a-w- i:\windows\system32\drivers\Lbd.sys
2009-07-13 00:13 . 2009-07-13 00:13 -------- dc-h--w- i:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-13 00:13 . 2009-07-08 17:28 2920112 -c--a-w- i:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-13 00:13 . 2009-07-13 00:13 -------- d-----w- i:\program files\Lavasoft
2009-07-13 00:13 . 2009-07-13 00:13 -------- d-----w- i:\documents and settings\All Users\Application Data\Lavasoft
2009-07-12 23:11 . 2009-07-12 23:11 -------- d-----w- i:\documents and settings\Billy\Application Data\Yahoo!
2009-07-12 23:11 . 2009-07-25 17:38 -------- d-----w- i:\program files\Yahoo!
2009-07-12 23:06 . 2009-07-12 23:07 49492 ----a-w- I:\cc_20090712_180634.reg
2009-07-11 22:26 . 2009-07-12 22:28 -------- d-----w- i:\documents and settings\All Users\Application Data\4545
2009-07-11 22:25 . 2009-07-11 22:25 -------- d-sh--w- i:\windows\system32\config\systemprofile\IETldCache
2009-07-11 15:03 . 2009-07-11 15:04 -------- d-----w- i:\documents and settings\Billy\Local Settings\Application Data\Temp
2009-07-11 15:03 . 2009-07-11 15:03 -------- d-----w- i:\documents and settings\Billy\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-04 23:10 . 2009-04-11 03:27 -------- d-----w- i:\program files\Microsoft Silverlight
2009-07-25 16:26 . 2009-03-31 01:22 -------- d-----w- i:\documents and settings\Billy\Application Data\LimeWire
2009-07-25 13:12 . 2009-07-25 13:12 12720 ----a-w- i:\documents and settings\ADMIN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-25 13:12 . 2009-07-25 13:12 -------- d-----w- i:\documents and settings\ADMIN\Application Data\Logitech
2009-07-25 13:12 . 2009-07-25 13:12 -------- d-----w- i:\documents and settings\ADMIN\Application Data\ATI
2009-07-19 12:40 . 2009-03-31 01:28 -------- d-----w- i:\documents and settings\All Users\Application Data\avg8
2009-07-17 13:49 . 2009-03-31 01:28 335752 ----a-w- i:\windows\system32\drivers\avgldx86.sys
2009-07-07 22:30 . 2009-03-27 21:39 12720 ----a-w- i:\documents and settings\Billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-05 15:04 . 2009-07-05 15:04 0 ----a-w- i:\windows\Infob.dat
2009-07-05 15:04 . 2009-07-05 15:04 0 ----a-w- i:\windows\Infoa.dat
2009-07-05 15:04 . 2009-07-05 14:34 -------- d-----w- i:\program files\Free MKV Video2Dvd
2009-07-05 14:12 . 2009-04-06 01:06 -------- d-----w- i:\documents and settings\All Users\Application Data\Apple Computer
2009-07-05 14:06 . 2009-07-05 14:06 -------- d-----w- i:\program files\Sonic Foundry
2009-07-05 14:06 . 2009-07-05 14:06 -------- d-----w- i:\program files\Pure Motion
2009-07-05 14:06 . 2009-07-05 14:06 -------- d-----w- i:\program files\DebugMode
2009-07-03 17:09 . 2008-04-14 10:42 915456 ----a-w- i:\windows\system32\wininet.dll
2009-06-24 20:51 . 2009-03-31 01:28 11952 ----a-w- i:\windows\system32\avgrsstx.dll
2009-06-24 20:51 . 2009-03-31 01:28 27784 ----a-w- i:\windows\system32\drivers\avgmfx86.sys
2009-06-19 14:56 . 2009-06-19 14:56 -------- d-----w- i:\documents and settings\Billy\Application Data\x3watch
2009-06-16 14:36 . 2008-04-14 10:42 119808 ----a-w- i:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-14 10:41 81920 ----a-w- i:\windows\system32\fontsub.dll
2009-06-15 03:26 . 2009-03-28 07:26 -------- d-----w- i:\documents and settings\Billy\Application Data\AdobeUM
2009-06-03 19:09 . 2008-04-14 10:42 1291264 ----a-w- i:\windows\system32\quartz.dll
2009-06-01 14:29 . 2009-06-01 14:29 12328 ----a-w- i:\documents and settings\Florence\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 18:06 . 2009-05-25 18:06 79872 ----a-w- i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
2009-05-25 18:06 . 2009-05-25 18:06 349184 ----a-w- i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe
2009-05-25 18:06 . 2009-05-25 18:06 541696 ----a-w- i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe
2009-05-07 15:32 . 2008-04-14 10:41 345600 ----a-w- i:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-05-25 79872]
"Nero PhotoShow Media Manager"="i:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" [2006-05-10 249856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="i:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"ccleaner"="i:\program files\CCleaner\CCleaner.exe" [2009-06-25 1578736]
"Advanced SystemCare 3"="i:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"StartCCC"="i:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NeroFilterCheck"="i:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"LiveMonitor"="i:\program files\MSI\Live Update 3\LMonitor.exe" [2009-02-24 498688]
"InCD"="i:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-11-10 1051648]
"AVG8_TRAY"="i:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-24 1948440]
"avgnt"="i:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"MSConfig"="i:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"RTHDCPL"="RTHDCPL.EXE" - i:\windows\RTHDCPL.exe [2008-07-03 16876032]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - i:\windows\KHALMNPR.Exe [2004-10-21 29696]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - i:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - i:\program files\Logitech\SetPoint\KEM.exe [2009-3-27 581632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-24 20:51 11952 ----a-w- i:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"i:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"i:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"j:\\Unreal Tournament 3\\Binaries\\UT3.exe"=

R0 Lbd;Lbd;i:\windows\system32\drivers\Lbd.sys [7/12/2009 7:13 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;i:\windows\system32\drivers\avgldx86.sys [3/30/2009 8:28 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;i:\windows\system32\drivers\avgtdix.sys [3/30/2009 8:28 PM 108552]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;i:\program files\Avira\AntiVir Desktop\sched.exe [7/25/2009 4:09 PM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;i:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;i:\windows\system32\drivers\AtiHdmi.sys [3/27/2009 9:54 PM 93184]
S2 bjftulks;bjftulks;i:\windows\system32\drivers\brrshma.sys --> i:\windows\system32\drivers\brrshma.sys [?]
S2 rayar;rayar;\??\i:\windows\system32\drivers\skvelixtl.sys --> i:\windows\system32\drivers\skvelixtl.sys [?]
S2 vkcyvsjbs;vkcyvsjbs;\??\i:\windows\system32\drivers\jkqtor.sys --> i:\windows\system32\drivers\jkqtor.sys [?]
S4 avg8wd;AVG Free8 WatchDog;i:\progra~1\AVG\AVG8\avgwdsvc.exe [3/30/2009 8:28 PM 298776]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"i:\windows\system32\rundll32.exe" "i:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 i:\windows\Tasks\Ad-Aware Update (Weekly).job
- i:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-04 i:\windows\Tasks\WGASetup.job
- i:\windows\system32\KB905474\wgasetup.exe [2009-04-30 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: Add to Google Photos Screensa&ver - i:\windows\system32\GPhotos.scr/200
DPF: Microsoft XML Parser for Java - file://i:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-04 18:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
i:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2472)
i:\windows\system32\WININET.dll
i:\program files\Logitech\SetPoint\lgscroll.dll
i:\windows\system32\ieframe.dll
i:\windows\system32\webcheck.dll
i:\windows\system32\WPDShServiceObj.dll
i:\windows\system32\PortableDeviceTypes.dll
i:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
i:\windows\system32\ati2evxx.exe
i:\windows\system32\ati2evxx.exe
i:\program files\AVG\AVG8\avgrsx.exe
i:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
i:\program files\Avira\AntiVir Desktop\avguard.exe
i:\program files\Nero\Nero 7\InCD\InCDsrv.exe
i:\program files\Java\jre6\bin\jqs.exe
i:\program files\Common Files\LightScribe\LSSrvc.exe
i:\windows\system32\wbem\unsecapp.exe
i:\program files\Lavasoft\Ad-Aware\AAWTray.exe
i:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
i:\program files\AVG\AVG8\avgtray.exe
i:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
i:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
i:\program files\Logitech\SetPoint\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-08-04 18:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-04 23:49

Pre-Run: 94,835,458,048 bytes free
Post-Run: 94,961,287,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
i:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

210 --- E O F --- 2009-08-04 23:09

Hi and welcome back

Combofix has finished up the clean as anticipated.

At the moment your showing as running 2 antivirus's in realtime this is ot a reccomended practice since both perform simillar roles then there is a high probability they will conflict with each other and instead of giving extra protection they could in fact null each other out at worst or a negative impact on pc performance at best.So best to decide to keep 1 resident and uninstall the second or else configure 1 to only run as on demand scan(backup scan) and not load in realtime.

ComboFix log is showing clear so any more issue's to report on the PC ?

I plan on uninstalling my other resident software and going with the one I found through Malwarebytes.
So my plan is to run Avira and Malwarebytes. Avira runs in realtime but Malwarebytes does not correct?
I plan on purchasing Malwarebytes and I have been asked to write a review which I will most certainly do.

Earlier in the thread you had mentioned giving me some additional tips or direction to avoid future problems
so I am ready for that if you have the time.

You have done an awesome job. Thank you very much for all your help and patience.

Hi ya the pay for version of MBAM is realtime protection component,we dont operate at the same level as an AV software so no conflicts there and i know quite a few folks that use AntiVir and MBAM combo

As promised here's my closing spiel for all help sessions once finished

Here's some handy reading tho Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.


We hope our application has helped you eradicate this malicious Malware.
If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.


Safe surfing