Appreciate any help
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
dnm5164
Hi,

Would appreciate any help.

I ran Malwarebytes and here is the log file (the log file from HijackThis follows)

Malwarebytes' Anti-Malware 1.40
Database version: 2718
Windows 5.1.2600 Service Pack 2

9/2/2009 4:35:59 PM
mbam-log-2009-09-02 (16-35-56).txt

Scan type: Quick Scan
Objects scanned: 97561
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 36

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Geovision\Local Settings\Temp\tmp.tmp (Malware.Packer) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{51716c09-6b08-4ccf-b526-718e912c0573} (Trojan.GamesThief) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{51716c09-6b08-4ccf-b526-718e912c0573} (Trojan.GamesThief) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Geovision\Local Settings\Temp\tmp.tmp (Malware.Packer) -> No action taken.
C:\WINDOWS\system32\PERrGx5DkqSbQdwauCRQH.dll (Trojan.GamesThief) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temp\108328_xeex.exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temp\71562_xeex.exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\cqsj9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\dhwd9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\kx9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\mhxu9m1[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\qq3g9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\sx9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\tx29m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\wl9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\zx9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\CJSH9M[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\dh29m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\dj9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\dnf9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\hx29m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\jxsj9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\jz9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\mhxu9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\RXCQ9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\wd9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\xc9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\zt9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\qqhx9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\wmgj9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\yxd9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\zu9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\zzh9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\dh39m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\jr9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\mu9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\MXD9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\rxjh9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\tl9m[1].exe (Spyware.OnlineGames) -> No action taken.


HijackThis log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:47 PM, on 9/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: xunlei Class - {21910D9A-058E-95F2-642F-95A6E221C648} - C:\WINDOWS\TUIKNKMV.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: xunlei Class - {84CA70D3-777F-2BFF-136F-DC274F669D53} - C:\WINDOWS\BUBJDXQUGSPAB.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: xunlei Class - {EEE9A750-3BC5-5D98-B423-C38B641E10F3} - C:\WINDOWS\VOEMAQZCTCLF.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: qqrrftfx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: MSNServiceObj - {AD26AC5F-8421-419C-8692-ED0FE1FE74D8} - C:\Program Files\Messenger\msmsgs.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: bnetroighv - Unknown owner - C:\Program Files\byrinwwuvlcnloe\iqsvpyqnfipbg.exe (file missing)
O23 - Service: CAZXE - Unknown owner - C:\Program Files\XIKWTHRW0S\0RICFOB.EXE (file missing)
O23 - Service: dasno - Unknown owner - C:\WINDOWS\system32\dasno.exe (file missing)
O23 - Service: dbsno - Unknown owner - C:\WINDOWS\system32\dbsno.exe (file missing)
O23 - Service: ddsno - Unknown owner - C:\WINDOWS\system32\ddsno.exe (file missing)
O23 - Service: desno - Unknown owner - C:\WINDOWS\system32\desno.exe (file missing)
O23 - Service: dfsno - Unknown owner - C:\WINDOWS\system32\dfsno.exe (file missing)
O23 - Service: dgsno - Unknown owner - C:\WINDOWS\system32\dgsno.exe (file missing)
O23 - Service: dkjno - Unknown owner - C:\WINDOWS\system32\dkjno.exe (file missing)
O23 - Service: dojno - Unknown owner - C:\WINDOWS\system32\dojno.exe (file missing)
O23 - Service: dsjno - Unknown owner - C:\WINDOWS\system32\dsjno.exe (file missing)
O23 - Service: dteno - Unknown owner - C:\WINDOWS\system32\dtesm.exe (file missing)
O23 - Service: dtjealqpijxfzj - Unknown owner - C:\Program Files\lewtfsevdhz\swpzyugw.exe (file missing)
O23 - Service: Intcrface Pdby Prohdure (gerbassmn) - Unknown owner - C:\WINDOWS\system32\Miekcsr.exe (file missing)
O23 - Service: H3KJ16M - Unknown owner - C:\Program Files\4DXJGE43B1O2\7MWZ6KDVV.EXE (file missing)
O23 - Service: hkyoulbzkasgllw - Unknown owner - C:\Program Files\pvldytpnxyuv\wnfiaujgh.exe (file missing)
O23 - Service: jmotuqyw - Unknown owner - C:\Program Files\zdvqqnbivm\gvpdspdjxjblfph.exe (file missing)
O23 - Service: jtesm - Unknown owner - C:\WINDOWS\system32\jtesm.exe (file missing)
O23 - Service: jzchqigczupkmo - Unknown owner - C:\Program Files\jtpwnpuqnkr\qlikorojp.exe (file missing)
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: nbjyaqolmamr - Unknown owner - C:\Program Files\vnwnxfcza\cnptyhwsbnauoy.exe (file missing)
O23 - Service: nckhnmfsh - Unknown owner - C:\Program Files\nnxxkutfvrltyt\ufrklvnzeox.exe (file missing)
O23 - Service: pvcofbbdcpiawre - Unknown owner - C:\Program Files\qgpecipqynjo\xhirdkrka.exe (file missing)
O23 - Service: pxjuzimzc - Unknown owner - C:\Program Files\qivjdqaeppeknv\xbpxxscgrmr.exe (file missing)
O23 - Service: qteno - Unknown owner - C:\WINDOWS\system32\otesm.exe (file missing)
O23 - Service: Ris tptfypuwcgweo (Risuuzijhguscjnsfe) - Unknown owner - C:\Program Files\Intel\phvuhaxaeaz.EXE (file missing)
O23 - Service: rlqynxwwajy - Unknown owner - C:\Program Files\awdnjfsk\hwwtlhmdywmpgb.exe (file missing)
O23 - Service: sejno - Unknown owner - C:\WINDOWS\system32\syjno.exe (file missing)
O23 - Service: sksno - Unknown owner - C:\WINDOWS\system32\sksno.exe (file missing)
O23 - Service: spqoydygccns - Unknown owner - C:\Program Files\sbcdvlmmy\ztwjwnonapcdihg.exe (file missing)
O23 - Service: sssno - Unknown owner - C:\WINDOWS\system32\sssno.exe (file missing)
O23 - Service: steno - Unknown owner - C:\WINDOWS\system32\stesm.exe (file missing)
O23 - Service: tteno - Unknown owner - C:\WINDOWS\system32\wtesm.exe (file missing)
O23 - Service: uewzzrjrc - Unknown owner - C:\Program Files\vxjovzxwqcxqgw\cpcbxbzxazj.exe (file missing)
O23 - Service: ukaqjmbmfgj - Unknown owner - C:\Program Files\sbinnjeyevse\kwhthdjtcsxgu.exe (file missing)
O23 - Service: uucrimqlgqcyx - Unknown owner - C:\Program Files\xeowhdzltjh\ewhjifbf.exe (file missing)
O23 - Service: valjsxfk - Unknown owner - C:\Program Files\vlyyontpvnkho\kerdqpvjed.exe (file missing)
O23 - Service: wqtesm - Unknown owner - C:\WINDOWS\system32\wqtesm.exe (file missing)
O23 - Service: wrmkjjntgjpci - Unknown owner - C:\Program Files\xczafrbzth\eusfhsdavwdfgiu.exe (file missing)
O23 - Service: yasnp - Unknown owner - C:\WINDOWS\system32\yasnp.exe (file missing)
O23 - Service: zxfrldoilnl - Unknown owner - C:\Program Files\zqsghlco\gimtjnepaazlr.exe (file missing)

--
End of file - 10045 bytes


Tried running Malwarebytes multiple times but cannot remove the virus. Would appreciate help on this.

thanks

dm
extremeboy
Hello and welcome to the forum!

Run a scan with RootRepeal, followed by DDS, a scanner tool so I can see the current condition of your machine.

Also, please provide a description of any remaining problems or symptoms you may still have.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.



  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
  • Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the tab at the bottom.
  • Now press the button.
  • A box will pop up, check the boxes beside All Seven options/scan area
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.


Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results soon.
  • Follow the instructions that pop up for posting the results and then click Ok.
  • The black window and message box shall then disappear.
  • Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.


Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Also, please provide a description of any remaining problems or symptoms you may still have.

With Regards,
Extremeboy
dnm5164
There you go extremeboy

RootRepeal log file data

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/04 23:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEEC6A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B02000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE982000 Size: 49152 File Visible: No Signed: -
Status: -

Name: xnovlfwc.sys
Image Path: xnovlfwc.sys
Address: 0xF75D6000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\qqrrftfx.sys" at address 0xf7b5a7e2

Stealth Objects
-------------------
Object: Hidden Module [Name: qqrrftfx.dll]
Process: winlogon.exe (PID: 648) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: services.exe (PID: 692) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: lsass.exe (PID: 704) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: svchost.exe (PID: 856) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: svchost.exe (PID: 924) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: svchost.exe (PID: 964) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: svchost.exe (PID: 1032) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: svchost.exe (PID: 1084) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: spoolsv.exe (PID: 1276) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: avgwdsvc.exe (PID: 1392) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: SyncServices.exe (PID: 1512) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: SeaPort.exe (PID: 1704) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: avgnsx.exe (PID: 2024) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: explorer.exe (PID: 340) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: svchost.exe (PID: 412) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: alg.exe (PID: 1680) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: ctfmon.exe (PID: 2112) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: RootRepeal.exe (PID: 3412) Address: 0x14960000 Size: 90112

==EOF==

and I have attached the attach.txt. Appreciate your help.

Regards

dm

extremeboy
Hello.

No need to quote everything I say. Just use the Add reply button to reply back to me.

--

You posted the Attach.txt log but not the DDS.txt log. I need to see that one as well.
extremeboy
Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy
dnm5164

Can anyone please help with the issue?

thanks

dm
dnm5164
Hello Extremeboy,

Sorry for the delayed response. I am still trying to learn how to view and post messages on the messageboard.

I have attached the DDS.txt file, as requested.

Thanks for your help.

Regards

dm
extremeboy
Hello.

Thanks for those logs. You appear to have quite a few infections on your system.

We are going to start with Combofix.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.

Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

~Extremeboy
dnm5164
There you go Extremeboy. I have attached it as well.

thx

dm



ComboFix 09-09-08.02 - Geovision 09/08/2009 17:41.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.654 [GMT 1:00]
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
C:\RECYC.exe
c:\windows\AppPatch\AcXtrnel.dll
c:\windows\Downloaded Program Files\2yhusbzAYuevSnXtW.Ttf
c:\windows\Downloaded Program Files\CgMnxhFV2Qa68TsVz.Ttf
c:\windows\Downloaded Program Files\JjedvMTDtPyqp9ZTrgw.Ttf
c:\windows\Downloaded Program Files\NFesCyNNswv2Crfru.Ttf
c:\windows\Downloaded Program Files\u9A2PqtvjkJkzBcJxZbPc.Ttf
c:\windows\Downloaded Program Files\uMub3WCE6aZ3nFgrYRX.Ttf
c:\windows\Downloaded Program Files\xW6JeYmCY9e3yf5KD.Ttf
c:\windows\Downloaded Program Files\ZK26EzBfBUG8P9s8d.Ttf
c:\windows\Fonts\2knxWtVjbWXmUdGG.Ttf
c:\windows\Fonts\6e6EUdxVeWUYJynN.Ttf
c:\windows\Fonts\AjrMtd1HXvFm.Ttf
c:\windows\Fonts\AP2aBkXfCnZZwkTu.Ttf
c:\windows\Fonts\avJ9SdDwMd9Qzt.Ttf
c:\windows\Fonts\CcKKcpwJmND4.Ttf
c:\windows\Fonts\cD9KArZZUHxCqnyM.Ttf
c:\windows\Fonts\cFDPmh3MDPjcHMPd.Ttf
c:\windows\Fonts\CRp3uYCmcxMp3qQn9.Ttf
c:\windows\Fonts\CSzZ3gVtf.Ttf
c:\windows\Fonts\du3Q2JXbHYGxcSAe.Ttf
c:\windows\Fonts\e38H8kRkk.Ttf
c:\windows\Fonts\EEUJgNKN6xmNqKr6.Ttf
c:\windows\Fonts\eSEWZRdrSK3NeEJVy4.Ttf
c:\windows\Fonts\FCvvnT2B.Ttf
c:\windows\Fonts\FRSUApxKxh4aqhh4TnMqpe.Ttf
c:\windows\Fonts\FTQ3Xu3wZEZsJ358S.Ttf
c:\windows\Fonts\G8qZ5hBX7H.Ttf
c:\windows\Fonts\GanWM9z57VChEAfV.Ttf
c:\windows\Fonts\GbWrTV56WV24M.Ttf
c:\windows\Fonts\GD9xUjmZ8vHS5Vj.Ttf
c:\windows\Fonts\gfq7ymgpkp.Ttf
c:\windows\Fonts\HXxfduw9KeQTCeP6Z.Ttf
c:\windows\Fonts\jcPMKqwuVC7J.Ttf
c:\windows\Fonts\K7XaTBMWp8TPrYgw.Ttf
c:\windows\Fonts\KzAMjdYaws6f395.Ttf
c:\windows\Fonts\pDuuqr4BgFn65AeW.Ttf
c:\windows\Fonts\PeMTdMfqzpGTb5ps.Ttf
c:\windows\Fonts\pqgXk4S6U25v6f.Ttf
c:\windows\Fonts\qP2N8HTHkmGRq5.Ttf
c:\windows\Fonts\Qq3qg7RGSp9raxWW.Ttf
c:\windows\Fonts\qWskzsQA6.Ttf
c:\windows\Fonts\RCZbVbjCY6wYszD3.Ttf
c:\windows\Fonts\Rfs3DRdsUfkma5.Ttf
c:\windows\Fonts\rgBuFNZP2MWF7WQjA.Ttf
c:\windows\Fonts\S8a8cnEuaydPJGg8.Ttf
c:\windows\Fonts\sUfa6DfmrK.Ttf
c:\windows\Fonts\T8EkDVD578wpyAdP.Ttf
c:\windows\Fonts\tBeuadwPppCBnDUPgJH7P6.Ttf
c:\windows\Fonts\uawyv9Pr.Ttf
c:\windows\Fonts\urgU7WBMQ.Ttf
c:\windows\Fonts\usMywhxbgf5N8e9u6.Ttf
c:\windows\Fonts\uytczRnGV8NUp.Ttf
c:\windows\Fonts\VDcvXDH5px.Ttf
c:\windows\Fonts\Vx53f7Scj63HVHDE.Ttf
c:\windows\Fonts\vztr58qstaca8y8j.Ttf
c:\windows\Fonts\WD7eC3pJvgmYQYNwrVP.Ttf
c:\windows\Fonts\WFsARAucm7DAuX8.Ttf
c:\windows\Fonts\Wt2KuAXTXmrRUbAq.Ttf
c:\windows\Fonts\xSvCE2272aekx.Ttf
c:\windows\Fonts\yGMHUAj5Npydj8FZ.Ttf
c:\windows\Fonts\yHguCdqt6hp2.Ttf
c:\windows\Fonts\yrMyUq1ke.Ttf
c:\windows\Fonts\YywxhF7TSnkktrJw.Ttf
c:\windows\Fonts\Z3tcgfaZ.Ttf
c:\windows\PAXHCD0A.EXE
c:\windows\RYM531DN0T07.EXE
c:\windows\Tasks\SgF9z49Ph7g5UNpM.ico
c:\windows\W2UQ75.EXE
c:\windows\YB0Q1N1141.EXE
c:\windows\YLWVOVCCQP.EXE
c:\windows\ZZCWNB.EXE

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_IPRIP
-------\Legacy_KLAN
-------\Legacy_NWCWORKSTATION
-------\Legacy_NWSAPAGENT
-------\Legacy_PORTING
-------\Legacy_WMISVC
-------\Service_6to4
-------\Service_Ias
-------\Service_Iprip
-------\Service_NWCWorkstation
-------\Service_Nwsapagent


((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-21 05:36 . 2009-08-21 05:36 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-08-09 00:22 . 2009-08-01 16:00 -------- d-----w- c:\program files\xnsjkdiacqsb
2009-08-09 00:22 . 2009-07-22 23:36 -------- d-----w- c:\program files\XIKWTHRW0S
2009-08-09 00:22 . 2009-08-03 20:32 -------- d-----w- c:\program files\wkdxkkcw
2009-08-09 00:22 . 2009-07-31 02:07 -------- d-----w- c:\program files\xgzqugwmrstoxl
2009-08-09 00:22 . 2009-07-22 22:53 -------- d-----w- c:\program files\WMUGAXR
2009-08-09 00:20 . 2009-08-03 21:05 -------- d-----w- c:\program files\vqievceso
2009-08-09 00:20 . 2009-07-31 00:30 -------- d-----w- c:\program files\vnwnxfcza
2009-08-09 00:20 . 2009-07-31 02:13 -------- d-----w- c:\program files\tbxnlphnqljx
2009-08-09 00:20 . 2009-07-31 01:48 -------- d-----w- c:\program files\uhkjyhzmxgtl
2009-08-09 00:20 . 2009-07-20 21:08 -------- d-----w- c:\program files\R0974Q3IE
2009-08-09 00:20 . 2009-07-18 23:14 -------- d-----w- c:\program files\sbcdvlmmy
2009-08-09 00:20 . 2009-07-31 01:00 -------- d-----w- c:\program files\qivjdqaeppeknv
2009-08-09 00:20 . 2009-07-21 00:01 -------- d-----w- c:\program files\qgpecipqynjo
2009-08-09 00:20 . 2009-07-31 01:52 -------- d-----w- c:\program files\oopyrxlgnb
2009-08-09 00:20 . 2009-07-20 18:47 -------- d-----w- c:\program files\nnxxkutfvrltyt
2009-08-09 00:14 . 2009-08-01 16:06 -------- d-----w- c:\program files\jxtsibzbmrtjzeo
2009-08-09 00:14 . 2009-07-31 20:59 -------- d-----w- c:\program files\jwtpcqkoxymeir
2009-08-09 00:09 . 2009-07-31 02:28 -------- d-----w- c:\program files\bftrruzlyibxxk
2009-08-09 00:09 . 2009-07-29 03:38 -------- d-----w- c:\program files\awdnjfsk
2009-08-09 00:09 . 2009-07-25 07:19 -------- d-----w- c:\program files\byrinwwuvlcnloe
2009-08-09 00:09 . 2009-07-22 22:57 -------- d-----w- c:\program files\273LIR
2009-08-09 00:09 . 2009-07-20 23:41 -------- d-----w- c:\program files\4DXJGE43B1O2
2009-08-06 00:44 . 2009-07-22 22:22 -------- d-----w- c:\program files\zqsghlco
2009-08-06 00:44 . 2009-07-21 21:56 -------- d-----w- c:\program files\xczafrbzth
2009-08-06 00:44 . 2009-07-25 07:22 -------- d-----w- c:\program files\xeowhdzltjh
2009-08-06 00:44 . 2009-07-20 20:38 -------- d-----w- c:\program files\vlyyontpvnkho
2009-08-06 00:44 . 2009-07-21 22:10 -------- d-----w- c:\program files\vxjovzxwqcxqgw
2009-08-06 00:44 . 2009-07-21 22:03 -------- d-----w- c:\program files\sbinnjeyevse
2009-08-06 00:44 . 2009-07-25 19:19 -------- d-----w- c:\program files\jtpwnpuqnkr
2009-08-06 00:44 . 2009-07-22 17:33 -------- d-----w- c:\program files\zdvqqnbivm
2009-08-06 00:43 . 2009-07-29 03:45 -------- d-----w- c:\program files\pvldytpnxyuv
2009-08-06 00:43 . 2009-07-23 18:59 -------- d-----w- c:\program files\lewtfsevdhz
2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG
2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2009-07-22 22:57 . 2009-07-22 22:57 28672 ----a-w- c:\windows\BUBJDXQUGSPAB.dll
2009-07-22 22:53 . 2009-07-22 22:53 28672 ----a-w- c:\windows\VOEMAQZCTCLF.dll
2009-07-20 21:08 . 2009-07-20 21:08 28672 ----a-w- c:\windows\TUIKNKMV.dll
2009-07-18 23:16 . 2009-07-18 23:16 -------- d-----w- c:\program files\Common Files\Thunder Network
2009-07-18 23:15 . 2009-07-18 23:15 -------- d-----w- c:\program files\Common Files\Java
2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Intel
2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe

[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

[-] 2004-09-01 . 1C08FD2DA2E9D11916BB07982ADB69D1 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe





c:\windows\system32\comres.dll ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\mspmsnsv.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21910D9A-058E-95F2-642F-95A6E221C648}]
2009-07-20 21:08 28672 ----a-w- c:\windows\TUIKNKMV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84CA70D3-777F-2BFF-136F-DC274F669D53}]
2009-07-22 22:57 28672 ----a-w- c:\windows\BUBJDXQUGSPAB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE9A750-3BC5-5D98-B423-C38B641E10F3}]
2009-07-22 22:53 28672 ----a-w- c:\windows\VOEMAQZCTCLF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4894F5C2-169D-4DAC-A982-444B9BDB3AC4}"= "c:\windows\Downloaded Program Files\UYTbcaZtxE23MEzKGQ.cur" [2009-09-08 22016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R2 bnetroighv;bnetroighv;c:\program files\byrinwwuvlcnloe\iqsvpyqnfipbg.exe [x]
R2 CAZXE;CAZXE;c:\program files\XIKWTHRW0S\0RICFOB.EXE [x]
R2 dasno;dasno;c:\windows\system32\dasno.exe [x]
R2 dbsno;dbsno;c:\windows\system32\dbsno.exe [x]
R2 ddsno;ddsno;c:\windows\system32\ddsno.exe [x]
R2 desno;desno;c:\windows\system32\desno.exe [x]
R2 dfsno;dfsno;c:\windows\system32\dfsno.exe [x]
R2 dgsno;dgsno;c:\windows\system32\dgsno.exe [x]
R2 dkjno;dkjno;c:\windows\system32\dkjno.exe [x]
R2 dojno;dojno;c:\windows\system32\dojno.exe [x]
R2 dsjno;dsjno;c:\windows\system32\dsjno.exe [x]
R2 dteno;dteno;c:\windows\system32\dtesm.exe [x]
R2 dtjealqpijxfzj;dtjealqpijxfzj;c:\program files\lewtfsevdhz\swpzyugw.exe [x]
R2 gerbassmn;Intcrface Pdby Prohdure;c:\windows\system32\Miekcsr.exe [x]
R2 H3KJ16M;H3KJ16M;c:\program files\4DXJGE43B1O2\7MWZ6KDVV.EXE [x]
R2 hkyoulbzkasgllw;hkyoulbzkasgllw;c:\program files\pvldytpnxyuv\wnfiaujgh.exe [x]
R2 jmotuqyw;jmotuqyw;c:\program files\zdvqqnbivm\gvpdspdjxjblfph.exe [x]
R2 jtesm;jtesm;c:\windows\system32\jtesm.exe [x]
R2 jzchqigczupkmo;jzchqigczupkmo;c:\program files\jtpwnpuqnkr\qlikorojp.exe [x]
R2 nbjyaqolmamr;nbjyaqolmamr;c:\program files\vnwnxfcza\cnptyhwsbnauoy.exe [x]
R2 nckhnmfsh;nckhnmfsh;c:\program files\nnxxkutfvrltyt\ufrklvnzeox.exe [x]
R2 PCIEDump;PCIEDump;c:\windows\system32\drivers\qqrrftfx.sys [x]
R2 pvcofbbdcpiawre;pvcofbbdcpiawre;c:\program files\qgpecipqynjo\xhirdkrka.exe [x]
R2 pxjuzimzc;pxjuzimzc;c:\program files\qivjdqaeppeknv\xbpxxscgrmr.exe [x]
R2 qteno;qteno;c:\windows\system32\otesm.exe [x]
R2 Risuuzijhguscjnsfe;Ris tptfypuwcgweo;c:\program files\Intel\phvuhaxaeaz.EXE lwqrdbdfqzcdphn [x]
R2 rlqynxwwajy;rlqynxwwajy;c:\program files\awdnjfsk\hwwtlhmdywmpgb.exe [x]
R2 sejno;sejno;c:\windows\system32\syjno.exe [x]
R2 sksno;sksno;c:\windows\system32\sksno.exe [x]
R2 spqoydygccns;spqoydygccns;c:\program files\sbcdvlmmy\ztwjwnonapcdihg.exe [x]
R2 sssno;sssno;c:\windows\system32\sssno.exe [x]
R2 steno;steno;c:\windows\system32\stesm.exe [x]
R2 tteno;tteno;c:\windows\system32\wtesm.exe [x]
R2 uewzzrjrc;uewzzrjrc;c:\program files\vxjovzxwqcxqgw\cpcbxbzxazj.exe [x]
R2 ukaqjmbmfgj;ukaqjmbmfgj;c:\program files\sbinnjeyevse\kwhthdjtcsxgu.exe [x]
R2 uucrimqlgqcyx;uucrimqlgqcyx;c:\program files\xeowhdzltjh\ewhjifbf.exe [x]
R2 valjsxfk;valjsxfk;c:\program files\vlyyontpvnkho\kerdqpvjed.exe [x]
R2 wqtesm;wqtesm;c:\windows\system32\wqtesm.exe [x]
R2 wrmkjjntgjpci;wrmkjjntgjpci;c:\program files\xczafrbzth\eusfhsdavwdfgiu.exe [x]
R2 yasnp;yasnp;c:\windows\system32\yasnp.exe [x]
R2 zxfrldoilnl;zxfrldoilnl;c:\program files\zqsghlco\gimtjnepaazlr.exe [x]
R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

SSODL-MSNServiceObj-{AD26AC5F-8421-419C-8692-ED0FE1FE74D8} - c:\program files\Messenger\msmsgs.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 17:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2252)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-08 17:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-08 16:57

Pre-Run: 2,750,029,824 bytes free
Post-Run: 2,685,046,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

extremeboy
Hello.

Sorry for not replying earlier, I almost missed this thread in my subscriptions... Anyways, let's continue. Sorry for the short delay.

You have quite a few infected system files here, as well as a bunch of other infections on your machine. One of them is a backdoor.
---

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

---
If you wish to continue follow the steps below...

You don't have Service Pack 3 installed, which is good, as we can install that later; if there is no good replacement for certain files, using the service pack can help us. Don't install it just yet please. Follow my instructions and we can deal with this effectively and efficiently.

Continue with the following...

---

Delete the existing Combofix.exe you currently have. Re-download one from one of those 2 links I linked above and save it to your desktop.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste ALL of the contents of the text in the codebox below into it:
    CODE
    http://www.malwarebytes.org/forums/index.php?showtopic=23222
    Collect::[68]
    c:\windows\BUBJDXQUGSPAB.dll
    c:\windows\VOEMAQZCTCLF.dll
    c:\windows\TUIKNKMV.dll
    c:\program files\byrinwwuvlcnloe\iqsvpyqnfipbg.exe
    c:\program files\XIKWTHRW0S\0RICFOB.EXE
    c:\windows\system32\dasno.exe
    c:\windows\system32\dbsno.exe
    c:\windows\system32\ddsno.exe
    c:\windows\system32\desno.exe
    c:\windows\system32\dfsno.exe
    c:\windows\system32\dgsno.exe
    c:\windows\system32\dkjno.exe
    c:\windows\system32\dojno.exe
    c:\windows\system32\dsjno.exe
    c:\windows\system32\dtesm.exe
    c:\program files\lewtfsevdhz\swpzyugw.exe
    c:\windows\system32\Miekcsr.exe
    c:\program files\4DXJGE43B1O2\7MWZ6KDVV.EXE
    c:\program files\pvldytpnxyuv\wnfiaujgh.exe
    c:\program files\zdvqqnbivm\gvpdspdjxjblfph.exe
    c:\windows\system32\jtesm.exe
    c:\program files\jtpwnpuqnkr\qlikorojp.exe
    c:\program files\vnwnxfcza\cnptyhwsbnauoy.exe
    c:\program files\nnxxkutfvrltyt\ufrklvnzeox.exe
    c:\windows\system32\drivers\qqrrftfx.sys
    c:\program files\qgpecipqynjo\xhirdkrka.exe
    c:\program files\qivjdqaeppeknv\xbpxxscgrmr.exe
    c:\windows\system32\otesm.exe
    c:\program files\Intel\phvuhaxaeaz.EXE lwqrdbdfqzcdphn
    c:\program files\awdnjfsk\hwwtlhmdywmpgb.exe
    c:\windows\system32\syjno.exe
    c:\windows\system32\sksno.exe
    c:\program files\sbcdvlmmy\ztwjwnonapcdihg.exe
    c:\windows\system32\sssno.exe
    c:\windows\system32\stesm.exe
    c:\windows\system32\wtesm.exe
    c:\program files\vxjovzxwqcxqgw\cpcbxbzxazj.exe
    c:\program files\sbinnjeyevse\kwhthdjtcsxgu.exe
    c:\program files\xeowhdzltjh\ewhjifbf.exe
    c:\program files\vlyyontpvnkho\kerdqpvjed.exe
    c:\windows\system32\wqtesm.exe
    c:\program files\xczafrbzth\eusfhsdavwdfgiu.exe
    c:\windows\system32\yasnp.exe
    c:\program files\zqsghlco\gimtjnepaazlr.exe
    Folder::
    c:\program files\xnsjkdiacqsb
    c:\program files\XIKWTHRW0S
    c:\program files\wkdxkkcw
    c:\program files\xgzqugwmrstoxl
    c:\program files\WMUGAXR
    c:\program files\vqievceso
    c:\program files\vnwnxfcza
    c:\program files\tbxnlphnqljx
    c:\program files\uhkjyhzmxgtl
    c:\program files\R0974Q3IE
    c:\program files\sbcdvlmmy
    c:\program files\qivjdqaeppeknv
    c:\program files\qgpecipqynjo
    c:\program files\oopyrxlgnb
    c:\program files\nnxxkutfvrltyt
    c:\program files\jxtsibzbmrtjzeo
    c:\program files\jwtpcqkoxymeir
    c:\program files\bftrruzlyibxxk
    c:\program files\awdnjfsk
    c:\program files\byrinwwuvlcnloe
    c:\program files\273LIR
    c:\program files\4DXJGE43B1O2
    c:\program files\zqsghlco
    c:\program files\xczafrbzth
    c:\program files\xeowhdzltjh
    c:\program files\vlyyontpvnkho
    c:\program files\vxjovzxwqcxqgw
    c:\program files\sbinnjeyevse
    c:\program files\jtpwnpuqnkr
    c:\program files\zdvqqnbivm
    c:\program files\pvldytpnxyuv
    c:\program files\lewtfsevdhz
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21910D9A-058E-95F2-642F-95A6E221C648}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84CA70D3-777F-2BFF-136F-DC274F669D53}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE9A750-3BC5-5D98-B423-C38B641E10F3}]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nlsf"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{4894F5C2-169D-4DAC-A982-444B9BDB3AC4}"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLogoff"=-
    Driver::
    bnetroighv
    CAZXE
    dasno
    dbsno
    ddsno
    desno
    dfsno
    dgsno
    dkjno
    dojno
    dsjno
    dteno
    dtjealqpijxfzj
    gerbassmn
    H3KJ16M
    hkyoulbzkasgllw
    jmotuqyw
    jtesm
    jzchqigczupkmo
    nbjyaqolmamr
    nckhnmfsh
    PCIEDump
    pvcofbbdcpiawre
    pxjuzimzc
    qteno
    Risuuzijhguscjnsfe
    rlqynxwwajy
    sejno
    sksno
    spqoydygccns
    sssno
    steno
    tteno
    uewzzrjrc
    ukaqjmbmfgj
    uucrimqlgqcyx
    valjsxfk
    wqtesm
    wrmkjjntgjpci
    yasnp
    zxfrldoilnl
    SysRst::
    SrPeek::
    c:\windows\system32\userinit.exe
    c:\windows\system32\comres.dll
    c:\windows\system32\drivers\asyncmac.sys
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.


Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".


**NOTE**
=================
  • If for some reason ComboFix fails to upload anything, please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.


Let me know how it goes and if the upload went successfully or not in your next reply.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    userinit.exe
    comres.dll
    asyncmac.sys
    ntoskrnl.exe
    tcpip.sys
    explorer.exe
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please ATTACH this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


Thanks.

With Regards,
Extremeboy
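The items the script above targets can be read straight off the "Reg Loading Points" block of a ComboFix log: a Winlogon Userinit value that no longer points at userinit.exe, a ShellExecuteHook backed by a .cur file, BHO DLLs dropped in the Windows root, services with a [x] marker instead of a date/size stamp, and the firewall switched off. The following Python triage script is an added example, not part of this thread or of ComboFix; the log excerpt it parses is a constructed sample modelled on the posted log, and the "Windows root" BHO rule is a heuristic of this example, not a ComboFix rule.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the "Reg Loading Points" block of the ComboFix
# log posted in this thread; an excerpt for illustration, not the full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21910D9A-058E-95F2-642F-95A6E221C648}]
2009-07-20 21:08 28672 ----a-w- c:\windows\TUIKNKMV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4894F5C2-169D-4DAC-A982-444B9BDB3AC4}"= "c:\windows\Downloaded Program Files\UYTbcaZtxE23MEzKGQ.cur" [2009-09-08 22016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 dasno;dasno;c:\windows\system32\dasno.exe [x]
R2 PCIEDump;PCIEDump;c:\windows\system32\drivers\qqrrftfx.sys [x]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]
"""

# Clean Windows XP Userinit: a single entry pointing at userinit.exe.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...] header
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (.+)$")  # date size attrs path
HOOK_RE = re.compile(r'^"(\{[^}]+\})"=\s*"([^"]+)"')       # "{GUID}"= "path" [stamp]
USERINIT_RE = re.compile(r'^"Userinit"="(.*)"$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
# R2 name;display name;path [stamp]  -- stamp is a date/size or "x"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[(.*)\]$")


def parse_reg_loading_points(text: str) -> Dict[str, object]:
    """Extract the autostart entries this triage cares about from a ComboFix excerpt."""
    result: Dict[str, object] = {
        "userinit": None,
        "bhos": [],                 # (guid, dll path)
        "shell_execute_hooks": [],  # (guid, file path)
        "services": [],             # (start type, name, path, stamp)
        "firewall_enabled": None,
    }
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)   # values that follow belong to this key
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            result["services"].append((svc.group(1), svc.group(2), svc.group(4), svc.group(5)))
            continue
        ck = current_key.lower()
        if "browser helper objects" in ck:
            m = FILE_RE.match(line)
            if m:
                result["bhos"].append((current_key.rsplit("\\", 1)[-1], m.group(1)))
        elif ck.endswith("shellexecutehooks"):
            m = HOOK_RE.match(line)
            if m:
                result["shell_execute_hooks"].append((m.group(1), m.group(2)))
        elif ck.endswith("\\winlogon"):
            m = USERINIT_RE.match(line)
            if m:
                result["userinit"] = m.group(1)
        elif ck.endswith("\\standardprofile"):
            m = FIREWALL_RE.match(line)
            if m:
                result["firewall_enabled"] = m.group(1) != "0"
    return result


def triage(parsed: Dict[str, object]) -> List[str]:
    """Apply the checks a malware-removal helper applies by eye to the parsed entries."""
    findings: List[str] = []
    userinit = parsed["userinit"]
    if userinit is not None:
        # Userinit is comma separated; every entry must be the stock userinit.exe.
        for entry in (e.strip().lower() for e in userinit.split(",") if e.strip()):
            if entry != DEFAULT_USERINIT:
                findings.append(f"Winlogon Userinit hijacked: {entry} (expected {DEFAULT_USERINIT})")
    for guid, path in parsed["shell_execute_hooks"]:
        # A ShellExecuteHook is an in-process COM server, so anything but a .dll is suspect.
        if not path.lower().endswith(".dll"):
            findings.append(f"ShellExecuteHook {guid} loads a non-DLL file: {path}")
    for guid, path in parsed["bhos"]:
        # Heuristic of this example: legitimate BHOs live under Program Files, not c:\windows.
        if path.lower().rsplit("\\", 1)[0] == r"c:\windows":
            findings.append(f"BHO {guid} loaded from the Windows root: {path}")
    for start, name, path, stamp in parsed["services"]:
        if stamp == "x":   # ComboFix printed [x] instead of a date/size for this file
            findings.append(f"Service {name} ({start}) has no file stamp [x]: {path}")
    if parsed["firewall_enabled"] is False:
        findings.append("Windows Firewall disabled in the standard profile (EnableFirewall=0)")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg_loading_points(SAMPLE_LOG)):
        print(finding)
```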
dnm5164
Extremeboy,

I'll try to use your help in getting the viruses out, and if that doesn't work then I'll reformat it. And I appreciate your patience.

Here is the combofix file. I have posted the zip file using the info you provided. I have also attached the malwarebytes log file and systemlook log file.

Please let me know if I missed anything.

Thanks

dm


ComboFix 09-09-09.04 - Geovision 09/09/2009 21:25.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.613 [GMT 1:00]
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Geovision\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\BUBJDXQUGSPAB.dll
file zipped: c:\windows\TUIKNKMV.dll
file zipped: c:\windows\VOEMAQZCTCLF.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\273LIR
c:\program files\4DXJGE43B1O2
c:\program files\awdnjfsk
c:\program files\bftrruzlyibxxk
c:\program files\byrinwwuvlcnloe
c:\program files\jtpwnpuqnkr
c:\program files\jwtpcqkoxymeir
c:\program files\jxtsibzbmrtjzeo
c:\program files\lewtfsevdhz
c:\program files\nnxxkutfvrltyt
c:\program files\oopyrxlgnb
c:\program files\pvldytpnxyuv
c:\program files\qgpecipqynjo
c:\program files\qivjdqaeppeknv
c:\program files\R0974Q3IE
c:\program files\sbcdvlmmy
c:\program files\sbinnjeyevse
c:\program files\tbxnlphnqljx
c:\program files\uhkjyhzmxgtl
c:\program files\vlyyontpvnkho
c:\program files\vnwnxfcza
c:\program files\vqievceso
c:\program files\vxjovzxwqcxqgw
c:\program files\wkdxkkcw
c:\program files\WMUGAXR
c:\program files\xczafrbzth
c:\program files\xeowhdzltjh
c:\program files\xgzqugwmrstoxl
c:\program files\XIKWTHRW0S
c:\program files\xnsjkdiacqsb
c:\program files\zdvqqnbivm
c:\program files\zqsghlco
c:\windows\BUBJDXQUGSPAB.dll
c:\windows\Downloaded Program Files\UYTBcaztxe23mezkgq.cur
c:\windows\SWEPVWJ17OXH.EXE
c:\windows\TUIKNKMV.dll
c:\windows\UDXVHFM16.EXE
c:\windows\VOEMAQZCTCLF.dll

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BNETROIGHV
-------\Legacy_CAZXE
-------\Legacy_DASNO
-------\Legacy_DBSNO
-------\Legacy_DDSNO
-------\Legacy_DESNO
-------\Legacy_DFSNO
-------\Legacy_DGSNO
-------\Legacy_DKJNO
-------\Legacy_DOJNO
-------\Legacy_DSJNO
-------\Legacy_DTENO
-------\Legacy_DTJEALQPIJXFZJ
-------\Legacy_GERBASSMN
-------\Legacy_H3KJ16M
-------\Legacy_HKYOULBZKASGLLW
-------\Legacy_JMOTUQYW
-------\Legacy_JTESM
-------\Legacy_JZCHQIGCZUPKMO
-------\Legacy_NBJYAQOLMAMR
-------\Legacy_NCKHNMFSH
-------\Legacy_PCIEDUMP
-------\Legacy_PVCOFBBDCPIAWRE
-------\Legacy_PXJUZIMZC
-------\Legacy_QTENO
-------\Legacy_RISUUZIJHGUSCJNSFE
-------\Legacy_RLQYNXWWAJY
-------\Legacy_SEJNO
-------\Legacy_SKSNO
-------\Legacy_SPQOYDYGCCNS
-------\Legacy_SSSNO
-------\Legacy_STENO
-------\Legacy_TTENO
-------\Legacy_UEWZZRJRC
-------\Legacy_UKAQJMBMFGJ
-------\Legacy_UUCRIMQLGQCYX
-------\Legacy_VALJSXFK
-------\Legacy_WQTESM
-------\Legacy_WRMKJJNTGJPCI
-------\Legacy_YASNP
-------\Legacy_ZXFRLDOILNL
-------\Service_bnetroighv
-------\Service_CAZXE
-------\Service_dasno
-------\Service_dbsno
-------\Service_ddsno
-------\Service_desno
-------\Service_dfsno
-------\Service_dgsno
-------\Service_dkjno
-------\Service_dojno
-------\Service_dsjno
-------\Service_dteno
-------\Service_dtjealqpijxfzj
-------\Service_gerbassmn
-------\Service_H3KJ16M
-------\Service_hkyoulbzkasgllw
-------\Service_jmotuqyw
-------\Service_jtesm
-------\Service_jzchqigczupkmo
-------\Service_nbjyaqolmamr
-------\Service_nckhnmfsh
-------\Service_PCIEDump
-------\Service_pvcofbbdcpiawre
-------\Service_pxjuzimzc
-------\Service_qteno
-------\Service_Risuuzijhguscjnsfe
-------\Service_rlqynxwwajy
-------\Service_sejno
-------\Service_sksno
-------\Service_spqoydygccns
-------\Service_sssno
-------\Service_steno
-------\Service_tteno
-------\Service_uewzzrjrc
-------\Service_ukaqjmbmfgj
-------\Service_uucrimqlgqcyx
-------\Service_valjsxfk
-------\Service_wqtesm
-------\Service_wrmkjjntgjpci
-------\Service_yasnp
-------\Service_zxfrldoilnl


((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-21 05:36 . 2009-08-21 05:36 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG
2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2009-07-18 23:16 . 2009-07-18 23:16 -------- d-----w- c:\program files\Common Files\Thunder Network
2009-07-18 23:15 . 2009-07-18 23:15 -------- d-----w- c:\program files\Common Files\Java
2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Intel
2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------


[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe


[-] 2004-09-01 . 1C08FD2DA2E9D11916BB07982ADB69D1 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe

[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 21:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3596)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2009-09-09 21:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-09 20:37
ComboFix2.txt 2009-09-08 16:57

Pre-Run: 2,674,049,024 bytes free
Post-Run: 2,654,560,256 bytes free


======
extremeboy
Hello again.

QUOTE
I'll try to use your help in getting the viruses out and if that doesn't work then I'll reformat it. And I appreciate your patience.

Not that it's not going to work, but if you plan on formatting, why not do it now? If you are planning to format anyway, why waste the time here continuing with the disinfection process?

Anyways, if you do wish to continue, follow the instructions below; otherwise, please let me know. There is still some more work we need to do here before we are done.

There are a couple of odd things in the logs... Do the following...

Create and Run batch script

  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".
    QUOTE
    @ECHO OFF
    REM "zip" below is not a built-in Windows command; it needs a zip.exe on the PATH

    For %%a in (
    C:\WINDOWS\explorer.exe
    c:\windows\system32\userinit.exe
    c:\windows\system32\ntoskrnl.exe
    c:\windows\system32\drivers\tcpip.sys
    c:\windows\system32\comres.dll
    ) DO (
    zip FilesToUpload %%a
    )
    REM remove this batch file once it has run
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Zip.bat.
  • Hit OK.

When done properly, the icon should look like for XP machines and for Vista machines.

Double click on Zip.bat to run it. If you are using Windows Vista, please right-click and Run As Administrator...

A black DOS window shall appear and then disappear. This is normal, please do not panic. Then a zipped compressed file called FilesToUpload.zip should be created in the same location that zip.bat was run. It should be on your desktop.

Please upload that file to me...

Submit file samples
  1. Open to the Submission Channel.
  2. Under Link to topic where this file was requested, input:
    CODE
    http://www.malwarebytes.org/forums/index.php?showtopic=23222
  3. Click Browse and select the FilesToUpload.zip on your desktop.
  4. Under the comments section, say that Extremeboy asked for the submission.
  5. Then select Send File to send it
  6. After that you should get a confirmation if it was uploaded successfully.


Run a scan with Systemlook again...

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop if you lost your copy...
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    asyncmac.sys
    qmgr.dll
    comres.dll
    :dir
    C:\Windows\system32\dllcache
    C:\WINDOWS\ERDNT\cache
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Close notepad. On your desktop there should be a text file called Systemlook.txt.
  • Please right-click on Systemlook.txt and press send to >. From the drop down list select Compressed (zipped) folder
  • Now a compressed zipped folder called Systemlook.zip shall be created on your desktop
  • Please ATTACH the Systemlook.zip folder in your next reply. DO NOT post it. ATTACH IT please.


Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:

    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.

  • Close any and all open programs, as this process may crash your computer.
  • Double click or on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.

  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO.


  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

For your next reply I would like to see:
-Successfully uploaded FilesToUpload.zip to my channel
-ATTACHED the Systemlook.zip log as instructed
-The GMER log

Thanks.

Any problems, please do not hesitate to ask.

With Regards,
Extremeboy
dnm5164
Thanks Extremeboy, I'll run these and post the information as directed tonight.

Please do not get me wrong, I have no intention of reformatting it after going through these steps. I only threw out that option not knowing that this will work.

Thanks for the continued support.

Regards

dm
extremeboy
Hello.

Thanks for letting me know.

QUOTE
Please do not get me wrong, I have no intention of reformatting it after going thru these steps. I only threw out that option not knowing that this will work.

I'm not getting you wrong and I understand what you mean. What I'm saying is that we can still clean this machine, but your computer WAS compromised and your security may also have been altered, and therefore I can in no way be sure it's 100% trustworthy any longer.

With Regards,
Extremeboy
dnm5164
The zip.bat file is not generating any zip file. Not sure why. Any idea?
dnm5164

Here is the log file for GMER. Couldn't run zip.bat.

Thx

dm

GMER 1.0.15.15077 [wpoxrsiq.exe] - http://www.gmer.net
Rootkit scan 2009-09-14 07:27:01
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


extremeboy
Okay.

Please delete the existing Combofix.exe you currently have.

Re-download one from one of the links below and save it to your desktop.

Then run it again and once it's done post the log to me.

Link 1
Link 2

With Regards,
Extremeboy
dnm5164
There you go. Thx

dm

ComboFix 09-09-14.02 - Geovision 09/15/2009 22:12.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.670 [GMT 1:00]
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-21 05:36 . 2009-08-21 05:36 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG
2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2009-07-18 23:16 . 2009-07-18 23:16 -------- d-----w- c:\program files\Common Files\Thunder Network
2009-07-18 23:15 . 2009-07-18 23:15 -------- d-----w- c:\program files\Common Files\Java
2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Intel
2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------


[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe


[-] 2004-09-01 . 1C08FD2DA2E9D11916BB07982ADB69D1 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe

[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 22:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2272)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-09-15 22:21
ComboFix-quarantined-files.txt 2009-09-15 21:21
ComboFix2.txt 2009-09-08 16:57

Pre-Run: 2,645,417,984 bytes free
Post-Run: 2,623,598,592 bytes free

extremeboy
Hello.

I want samples of those files so, let's try it again.

Create and Run batch script

  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".
    QUOTE
    @ECHO OFF
    REM "zip" below is not a built-in Windows command; it needs a zip.exe on the PATH

    For %%a in (
    C:\WINDOWS\explorer.exe
    c:\windows\system32\userinit.exe
    c:\windows\system32\ntoskrnl.exe
    c:\windows\system32\drivers\tcpip.sys
    c:\windows\system32\comres.dll
    ) DO (
    zip FilesToUpload %%a
    )
    REM remove this batch file once it has run
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Upload.bat
  • Hit OK.

When done properly, the icon should look like for XP machines and for Vista machines.

Double click on Zip.bat to run it. If you are using Windows Vista, please right-click and Run As Administrator...

A black DOS window shall appear and then disappear. This is normal, please do not panic. Then a zipped compressed file called FilesToUpload.zip should be created in the same location that zip.bat was run. It should be on your desktop.

Please upload that file to me...

Submit file samples
  1. Open to the Submission Channel.
  2. Under Link to topic where this file was requested, input:
    CODE
    http://www.malwarebytes.org/forums/index.php?showtopic=23222
  3. Click Browse and select the FilesToUpload.zip on your desktop.
  4. Under the comments section, say that Extremeboy asked for the submission.
  5. Then select Send File to send it
  6. After that you should get a confirmation if it was uploaded successfully.


Do you still have your Windows XP Professional SP2 disk with you? If so, we can use that to do some fixing as well.

Please scan these files with VirusTotal... Something doesn't look quite right with some of the information.

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Browse to the location of each file and select that file. (do one line at a time).
    1. c:\windows\explorer.exe
    2. c:\windows\system32\userinit.exe
    3. c:\windows\system32\ntoskrnl.exe
    4. c:\windows\system32\drivers\tcpip.sys
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.


Post the results here once done.

Take a new DDS run as well and post back with both the DDS and Attach logs.

With Regards,
Extremeboy
dnm5164
Tried running the upload.bat but it again did not generate any zip file.

Ran the other things that you requested and have attached the results of the online scan as well as the dds.txt and attach.txt.

Please let me know if i missed anything.

Seems like the userinit.exe is the culprit.

Thanks

DM
extremeboy
Hello.

This question was not answered...

QUOTE
Do you still have your Windows XP Professional Sp2 disk still with you? If so, we can use that to do some fixing as well.


Userinit.exe is indeed patched.

Please also scan the following file...

c:\windows\system32\comres.dll <- This file

Using VirusTotal. Post the results when done.

~Extremeboy
dnm5164
I do have the windows xp professional sp2 disk.

Will also scan the comres.dll file tonite.

Thanks

DM
extremeboy
okay.

I'll wait for the results then.
dnm5164
Extremeboy.

Could not find the comres.dll file in the c:\windows\system32\ folder.

Thanks

DM
extremeboy
Hello.

That's fine then.

See if you can upload the following files to me. It may not work, so if it fails to upload the file just let me know.

C:\WINDOWS\explorer.exe <- This file
c:\windows\system32\userinit.exe <- This file
c:\windows\system32\ntoskrnl.exe <- This file
c:\windows\system32\drivers\tcpip.sys <- And This file

---

After uploading them (if it works) continue with the following...

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK



Now please navigate to your system32 directory:

c:\windows\system32 <- This folder

Look for the file called userinit.exe
Do NOT delete it. Instead please rename it to userinit.exe.bak
You will get a confirmation error saying that if you change the extension it may be unusable; please select Yes.
Now press the F5 key on your keyboard to refresh the page.
Make sure that userinit.exe.bak is still named userinit.exe.bak and that userinit.exe was not created.

Now run Combofix again and post the log back here.

We are going to use your Windows Disk next post.

With Regards,
Extremeboy
dnm5164
You are correct, I was not allowed to upload any of those files.

Here are the results from combofix after changing the userinit.exe file to userinit.exe.bat

thx

dm


ComboFix 09-09-18.02 - Geovision 09/19/2009 15:19.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.663 [GMT 1:00]
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))
.

2009-09-19 14:19 . 2006-01-06 20:57 1075200 ----a-w- c:\windows\system32\userinit.exe
2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-21 05:36 . 2009-08-21 05:36 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG
2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------


[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe


[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\system32\userinit.exe

[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-08_16.49.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-09-01 08:00 . 2004-09-01 08:00 24576 c:\windows\system32\userinit.exe.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-19 15:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-09-19 15:28
ComboFix-quarantined-files.txt 2009-09-19 14:28
ComboFix2.txt 2009-09-15 21:21
ComboFix3.txt 2009-09-08 16:57

Pre-Run: 2,609,426,432 bytes free
Post-Run: 2,584,231,936 bytes free

157
extremeboy
Hello again.

Sorry for the delay.

I was going to do something else, but then after some thinking we'll just go with this one. Probably faster and easier.

Get a fresh copy of Combofix from one of those two links below and save it to your desktop:

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    http://www.malwarebytes.org/forums/index.php?showtopic=23222&st=20
    Collect::[68]
    c:\windows\system32\userinit.exe.bat
    c:\windows\system32\userinit.exe
    c:\windows\system32\comres.dll
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.


Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Successful".


**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.


Let me know how it goes and if the upload went successfully or not in your next reply.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.



  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the tab at the bottom.
  • Now press the button.
  • A box will pop up, check the boxes beside All Seven options/scan area
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
dnm5164
Extremeboy,

The contents from combofix should be posted online as it got uploaded automatically.

Here is the combofix log file. The rootrepeal log file is after that.

Lemme know if you need anything else.

thanks

dm


ComboFix 09-09-20.04 - Geovision 09/22/2009 1:08.6.1 - NTFSx86
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Geovision\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\system32\userinit.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))
.

2009-09-19 14:39 . 2006-01-06 20:57 1075200 ----a-w- c:\windows\system32\userinit.exe
2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG
2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------


[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe


[-] 2006-01-06 20:57 . 742BFCF5861C2FD593EEC5D0C17588A5 . 1075200 . . [------] . . c:\windows\system32\userinit.exe

[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 01:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3700)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-09-22 1:16
ComboFix-quarantined-files.txt 2009-09-22 00:16
ComboFix2.txt 2009-09-19 15:40
ComboFix3.txt 2009-09-19 14:28
ComboFix4.txt 2009-09-15 21:21
ComboFix5.txt 2009-09-22 00:06

Pre-Run: 2,571,632,640 bytes free
Post-Run: 2,546,651,136 bytes free

155
Upload was successful



Here is the rootrepeal log file

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/22 06:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF7587000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2187904 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEED5B000 Size: 138496 File Visible: - Signed: -
Status: -

Name: ALCXWDM.SYS
Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF718B000 Size: 926816 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7519000 Size: 95616 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7BCF000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgldx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xEEC70000 Size: 328576 File Visible: - Signed: -
Status: -

Name: avgmfx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xF7926000 Size: 21120 File Visible: - Signed: -
Status: -

Name: avgtdix.sys
Image Path: C:\WINDOWS\System32\Drivers\avgtdix.sys
Address: 0xEEDC6000 Size: 101888 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7AE6000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF79E6000 Size: 12288 File Visible: - Signed: -
Status: -

Name: catchme.sys
Image Path: C:\DOCUME~1\GEOVIS~1\LOCALS~1\Temp\catchme.sys
Address: 0xF792E000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF7816000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF7686000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7616000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7606000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF7531000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF7ADA000 Size: 5888 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF76A6000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEEC58000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B04000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xEEE82000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C2000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7CC0000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xEE3A8000 Size: 143616 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xF78AE000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF7786000 Size: 34944 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xF78E6000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF74FA000 Size: 124800 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7AE4000 Size: 7936 File Visible: - Signed: -
Status: -

Name: fssfltr_tdi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
Address: 0xF7806000 Size: 48128 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7557000 Size: 125056 File Visible: - Signed: -
Status: -

Name: gameenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\gameenum.sys
Address: 0xF7A6A000 Size: 10624 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131712 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF78F6000 Size: 28672 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xEE2ED000 Size: 262272 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF7666000 Size: 52736 File Visible: - Signed: -
Status: -

Name: ialmdd5.DLL
Image Path: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBFA2D000 Size: 905216 File Visible: - Signed: -
Status: -

Name: ialmdev5.DLL
Image Path: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBFA01000 Size: 180224 File Visible: - Signed: -
Status: -

Name: ialmdnt5.dll
Image Path: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF9E2000 Size: 126976 File Visible: - Signed: -
Status: -

Name: ialmnt5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Address: 0xF72F0000 Size: 804256 File Visible: - Signed: -
Status: -

Name: ialmrnt5.dll
Image Path: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF9D4000 Size: 57344 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF7676000 Size: 41984 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF7646000 Size: 36096 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xEEDA5000 Size: 134912 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xEEE37000 Size: 74752 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75D6000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF78B6000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7AD6000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF726E000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF74D1000 Size: 92032 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7AE8000 Size: 4224 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF78BE000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF75E6000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xEE933000 Size: 181248 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xEECC1000 Size: 452864 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF7906000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF76E6000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF7A8E000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF73FD000 Size: 105088 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF7417000 Size: 182912 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF7A72000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xEEBA4000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF713F000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF7716000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF7776000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xEED7D000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF790E000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7444000 Size: 574592 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2187904 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7C29000 Size: 2944 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xF7291000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF785E000 Size: 18688 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF7B3E000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF7576000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7B9E000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7856000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2187904 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF7167000 Size: 147456 File Visible: - Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xF7B58000 Size: 6464 File Visible: No Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF712E000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF78D6000 Size: 17792 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF6FA8000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF76B6000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF76C6000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF76D6000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF78DE000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2187904 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xEED30000 Size: 174592 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7AEA000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF70FD000 Size: 196864 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF7696000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE7E1000 Size: 49152 File Visible: No Signed: -
Status: -

Name: Rtnicxp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
Address: 0xF72A5000 Size: 78720 File Visible: - Signed: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0xEE729000 Size: 163584 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xF7A66000 Size: 15488 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xF7656000 Size: 64896 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF74E8000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xEE891000 Size: 332544 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7AE0000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF77D6000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xEEDDF000 Size: 360448 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF78C6000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF7706000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF70A1000 Size: 209280 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7AE2000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF78A6000 Size: 27008 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF7746000 Size: 57856 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF72B9000 Size: 143360 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF789E000 Size: 20480 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF78FE000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF72DC000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF75F6000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF7766000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7946000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xEE624000 Size: 82944 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1843200 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1843200 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7AD8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2187904 File Visible: - Signed: -
Status: -
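
The driver list above is RootRepeal output. As an added example (it is not part of the original thread and not RootRepeal's own code), the Python below parses records in that format and flags the two things worth a second look in such a list: a driver RootRepeal could not find on disk (File Visible: No) and a driver whose image loads from a user-writable directory such as Temp. The sample records are constructed, and the allowlist of scanner and crash-dump drivers is an assumption to tune: in the log above catchme.sys, rootrepeal.sys and PROCEXP90.SYS belong to the tools that were running, and dump_atapi.sys / dump_WMILIB.SYS are the kernel's in-memory crash-dump copies of the disk stack, so all of them are expected to show as not visible.

```python
import re
from dataclasses import dataclass

# Constructed sample in the RootRepeal driver-list format (a few records, not the full log).
SAMPLE = r"""
Name: avgtdix.sys
Image Path: C:\WINDOWS\System32\Drivers\avgtdix.sys
Address: 0xEEDC6000 Size: 101888 File Visible: - Signed: -
Status: -

Name: catchme.sys
Image Path: C:\DOCUME~1\GEOVIS~1\LOCALS~1\Temp\catchme.sys
Address: 0xF792E000 Size: 31744 File Visible: No Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7606000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEEC58000 Size: 98304 File Visible: No Signed: -
Status: -

Name: xyzdrv.sys
Image Path: C:\Documents and Settings\User\Local Settings\Temp\xyzdrv.sys
Address: 0xEE000000 Size: 12288 File Visible: No Signed: -
Status: -
"""

# Assumed allowlist: drivers expected to be "not visible" because they are dropped at runtime by
# the scanning tools (catchme, RootRepeal, Process Explorer); dump_*.sys are the kernel's
# in-memory crash-dump copies and are handled by prefix. Tune this for the tools you actually ran.
KNOWN_TRANSIENT = {"catchme.sys", "rootrepeal.sys", "procexp90.sys"}
USER_WRITABLE = re.compile(r"\\(temp|docume~1|documents and settings|users)\\", re.I)

DETAIL_RE = re.compile(
    r"Address:\s*(?P<addr>0x[0-9a-f]+)\s+Size:\s*(?P<size>\d+)\s+"
    r"File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)", re.I)


@dataclass
class Driver:
    name: str
    path: str
    address: int
    size: int
    visible: str   # RootRepeal prints "-" when it found the file on disk, "No" when it did not
    signed: str


@dataclass
class Finding:
    driver: Driver
    reasons: list
    suspicious: bool


def parse_drivers(text: str) -> list:
    """Split the log into records; a record starts at 'Name:' and ends at a blank line."""
    drivers, rec = [], {}
    for line in text.splitlines() + [""]:
        line = line.strip()
        if not line:
            if "name" in rec and "addr" in rec:
                drivers.append(Driver(rec["name"], rec.get("path", ""), int(rec["addr"], 16),
                                      int(rec["size"]), rec["visible"], rec["signed"]))
            rec = {}
        elif line.startswith("Name:"):
            rec["name"] = line[5:].strip()
        elif line.startswith("Image Path:"):
            rec["path"] = line[11:].strip()
        elif (m := DETAIL_RE.search(line)):
            rec.update(m.groupdict())
    return drivers


def triage(text: str) -> list:
    """Return one Finding per driver that is hidden on disk or loads from a user-writable path."""
    findings = []
    for d in parse_drivers(text):
        reasons = []
        # A bare file name (disk.sys, Ntfs.sys, ...) is how RootRepeal lists boot-start drivers
        # loaded before a full path was available; on its own it is not a flag.
        if USER_WRITABLE.search(d.path):
            reasons.append("image loaded from a user-writable directory")
        if d.visible.lower() == "no":
            reasons.append("file not visible on disk")
        if not reasons:
            continue
        expected = d.name.lower() in KNOWN_TRANSIENT or d.name.lower().startswith("dump_")
        findings.append(Finding(d, reasons, suspicious=not expected))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        tag = "SUSPICIOUS" if f.suspicious else "expected"
        print(f"{tag:10} {f.driver.name:16} {f.driver.path}  [{'; '.join(f.reasons)}]")
```

Run triage() on a saved RootRepeal log; anything returned with suspicious=True is a driver that is hidden or oddly placed and has no allowlisted explanation, which is the kind of entry to hash and look up before deciding the box is clean.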

extremeboy
Hello.

Sorry for the delay.

Read this guide and follow the instructions on using your sfc /scannow disk: http://www.bleepingcomputer.com/forums/topic43051.html

Take your CD out once done and reboot your computer.

After rebooting your computer, download a NEW copy of Combofix, delete the older copy and run the new version of Combofix.

Post the log once it's done.

With Regards,
Extremeboy
dnm5164
Tried using the technique to scan the computer but nothing happened.

Ran the new combofix and here is the log file.

thx

dm
ComboFix 09-09-25.01 - Geovision 09/26/2009 1:15.7.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.675 [GMT 1:00]
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.

2009-09-22 00:23 . 2009-09-22 00:23 0 ----a-w- c:\documents and settings\Geovision\settings.dat
2009-09-19 14:39 . 2006-01-06 20:57 1075200 ----a-w- c:\windows\system32\userinit.exe
2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG
2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------


[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe


[-] 2006-01-06 20:57 . 742BFCF5861C2FD593EEC5D0C17588A5 . 1075200 . . [------] . . c:\windows\system32\userinit.exe

[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 01:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3536)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-09-26 2:36
ComboFix-quarantined-files.txt 2009-09-26 01:36
ComboFix2.txt 2009-09-22 00:17
ComboFix3.txt 2009-09-19 15:40
ComboFix4.txt 2009-09-19 14:28
ComboFix5.txt 2009-09-26 00:14

Pre-Run: 2,529,951,744 bytes free
Post-Run: 2,506,010,624 bytes free

156
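
The ComboFix log above reports userinit.exe as infected, shows a Sigcheck entry for it with no version string, and shows Winlogon's Userinit value pointing at c:\windows\explorer.exe, rather than the XP default C:\WINDOWS\system32\userinit.exe,. As an added example (not ComboFix's code and not part of the thread), the Python below pulls exactly those three kinds of line out of a ComboFix log: the "is infected / is missing" reports, the Sigcheck entries marked [-], and the Winlogon Userinit and Shell values, which it compares against an assumed baseline of XP defaults. The excerpt it runs on is constructed in ComboFix's format with values copied from the log above.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in ComboFix's log format; the values are copied from the log above.
SAMPLE = r"""
c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

------- Sigcheck -------

[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-06 20:57 . 742BFCF5861C2FD593EEC5D0C17588A5 . 1075200 . . [------] . . c:\windows\system32\userinit.exe

c:\windows\system32\qmgr.dll ... is missing !!

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
"Shell"="Explorer.exe"
"""

WINLOGON_KEY = r"[hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon]"
# Assumed baseline: the Windows XP defaults for the two Winlogon values malware most often rewrites.
WINLOGON_BASELINE = {
    "userinit": [r"c:\windows\system32\userinit.exe"],
    "shell": ["explorer.exe"],
}

# "path . . . is infected!!" and "path ... is missing !!" (both spellings appear in the log)
STATUS_RE = re.compile(r"^(?P<path>\S.*?)\s*(?:\. \. \.|\.\.\.)\s*is (?P<status>infected|missing)\s*!!", re.I)
# "[-] date . md5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9a-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$",
    re.I)
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"')


@dataclass
class Finding:
    kind: str    # "infected", "missing", "sigcheck" or "winlogon"
    path: str    # file path, or the registry value name for "winlogon"
    detail: str


def split_exec_list(value: str) -> list:
    """Userinit/Shell are comma-separated launch lists; normalise case and drop the trailing comma."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def triage_combofix(text: str) -> list:
    findings, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = STATUS_RE.match(stripped)
        if m:
            findings.append(Finding(m["status"].lower(), m["path"].lower(), "reported by ComboFix"))
            continue
        m = SIGCHECK_RE.match(stripped)
        if m and m["mark"] == "-":
            # "[------]" means ComboFix found no version resource in the file at all
            ver = None if set(m["ver"]) <= {"-"} else m["ver"]
            detail = f"md5={m['md5'].upper()} size={m['size']} version={ver or 'none'}"
            findings.append(Finding("sigcheck", m["path"].lower(), detail))
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped.lower()       # registry key header such as [HKEY_LOCAL_MACHINE\...]
            continue
        if section == WINLOGON_KEY:
            m = REG_VALUE_RE.match(stripped)
            if not m or m["name"].lower() not in WINLOGON_BASELINE:
                continue
            name = m["name"].lower()
            got = split_exec_list(m["value"])
            if got != WINLOGON_BASELINE[name]:
                # Catches both a swapped executable and an extra one chained on with a comma.
                findings.append(Finding("winlogon", m["name"],
                                        f"{m['value']!r} differs from baseline {WINLOGON_BASELINE[name]}"))
    return findings


if __name__ == "__main__":
    for f in triage_combofix(SAMPLE):
        print(f"{f.kind:9} {f.path:45} {f.detail}")
```

The comparison lowercases both sides and strips the trailing comma, so Explorer.exe versus explorer.exe and the comma XP leaves on Userinit are not false positives, while a second executable appended after a comma (the classic way of hooking Userinit) is reported because the list has more than one element. The script reports the deviation only; whether Userinit was pointed at explorer.exe by the malware or by an earlier cleanup step while userinit.exe was being replaced is for the analyst to judge from the rest of the log.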
extremeboy
Hello.

Sorry for the delay. Please run a scan with Kaspersky.

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.

If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

You can refer to this animation by sundavis if needed.

Download and Run SysProt Anti-Rootkit

Please download SysProt Antirootkit v1.0.1.0 from one of the links below in this link and save it to your desktop.
  • Please extract the SysProt.zip file to your desktop. Unzip/extract the file to its own folder by Right-clicking on it and selecting Extract All.... (Click here for information on how to do this if not sure. Win 2000 users click here.). Follow the prompts to finish extracting it.
  • Open the extracted folder and double-click the Sysprot.exe program to run it. (If you are using Vista, please right-click and select run as administrator)
  • Click on the Log tab.
  • Under the Write to log box select all 7 items referring to the diagram below
  • Now push the button near the bottom.
  • Another window shall appear soon. Please be patient while it collects some information.
  • Once the new windows appears, please select the Scan Root Drive option.
  • Now press the button.
  • It will now begin to scan. Please be patient until the scan is complete.
  • Once the scan is complete, a new window will appear notifying you that is complete.

The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the Sysprot folder and in there you should see the SysProtLog.txt log.

Please post/attach the contents of that log here in your next reply.

~Extremeboy
dnm5164
Sorry for the delayed response, Extremeboy.

Tried running Kaspersky online scanner but it wouldn't run (key expired error). So downloaded trial version and ran the software. Here are the details

Thx

dm

--------------------------------

Quick Scan: completed 2 hours ago (events: 2, objects: 2037, time: 00:01:16)
9/30/2009 8:08:25 PM Task completed
9/30/2009 8:07:08 PM Task started
Objects Scan: completed 5 minutes ago (events: 32, objects: 423874, time: 02:01:00)
9/30/2009 8:11:05 PM Task started
9/30/2009 8:11:18 PM Detected: Trojan-Downloader.JS.Agent.dok c:\sa.txt
9/30/2009 8:11:53 PM Deleted: Trojan-Downloader.JS.Agent.dok c:\sa.txt
9/30/2009 8:52:00 PM Detected: Trojan.Win32.Scar.nve c:\Qoobox\Quarantine\C\WINDOWS\RYM531DN0T07.EXE.vir
9/30/2009 8:52:00 PM Detected: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\SWEPVWJ17OXH.EXE.vir
9/30/2009 8:52:00 PM Detected: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\PAXHCD0A.EXE.vir
9/30/2009 8:52:00 PM Detected: Trojan-Downloader.Win32.BHO.oit c:\Qoobox\Quarantine\[68]-Submit_2009-09-09_21.25.41.zip/TUIKNKMV.dll
9/30/2009 8:52:02 PM Deleted: Trojan-Downloader.Win32.BHO.oit c:\Qoobox\Quarantine\[68]-Submit_2009-09-09_21.25.41.zip/TUIKNKMV.dll
9/30/2009 8:52:03 PM Detected: Trojan-Downloader.Win32.BHO.oit c:\Qoobox\Quarantine\[68]-Submit_2009-09-09_21.25.41.zip/VOEMAQZCTCLF.dll
9/30/2009 8:52:03 PM Deleted: Trojan-Downloader.Win32.BHO.oit c:\Qoobox\Quarantine\[68]-Submit_2009-09-09_21.25.41.zip/VOEMAQZCTCLF.dll
9/30/2009 8:53:02 PM Deleted: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\PAXHCD0A.EXE.vir
9/30/2009 8:53:03 PM Detected: Backdoor.Win32.Bifrose.bomo c:\Qoobox\Quarantine\C\WINDOWS\UDXVHFM16.EXE.vir
9/30/2009 8:53:03 PM Deleted: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\SWEPVWJ17OXH.EXE.vir
9/30/2009 8:53:03 PM Detected: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\W2UQ75.EXE.vir
9/30/2009 8:53:03 PM Deleted: Trojan.Win32.Scar.nve c:\Qoobox\Quarantine\C\WINDOWS\RYM531DN0T07.EXE.vir
9/30/2009 8:53:04 PM Detected: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\YB0Q1N1141.EXE.vir
9/30/2009 8:53:04 PM Deleted: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\W2UQ75.EXE.vir
9/30/2009 8:53:04 PM Detected: Backdoor.Win32.Bifrose.bomo c:\Qoobox\Quarantine\C\WINDOWS\YLWVOVCCQP.EXE.vir
9/30/2009 8:53:04 PM Deleted: Backdoor.Win32.Bifrose.bomo c:\Qoobox\Quarantine\C\WINDOWS\UDXVHFM16.EXE.vir
9/30/2009 8:53:04 PM Detected: Trojan.Win32.Scar.nve c:\Qoobox\Quarantine\C\WINDOWS\ZZCWNB.EXE.vir
9/30/2009 8:53:04 PM Deleted: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\YB0Q1N1141.EXE.vir
9/30/2009 8:53:05 PM Deleted: Backdoor.Win32.Bifrose.bomo c:\Qoobox\Quarantine\C\WINDOWS\YLWVOVCCQP.EXE.vir
9/30/2009 8:53:05 PM Detected: Trojan-GameThief.Win32.Magania.cakv c:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\UYTbcaZtxE23MEzKGQ.cur.vir/PE_Patch.UPX/UPX
9/30/2009 8:53:06 PM Deleted: Trojan.Win32.Scar.nve c:\Qoobox\Quarantine\C\WINDOWS\ZZCWNB.EXE.vir
9/30/2009 8:53:06 PM Deleted: Trojan-GameThief.Win32.Magania.cakv c:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\UYTbcaZtxE23MEzKGQ.cur.vir
9/30/2009 8:55:43 PM Detected: Trojan.Win32.Scar.nef c:\System Volume Information\_restore{84584035-382A-4A86-BAB7-12FC15AFCE07}\RP6\A0001120.EXE
9/30/2009 8:55:43 PM Detected: Backdoor.Win32.Bifrose.bomo c:\System Volume Information\_restore{84584035-382A-4A86-BAB7-12FC15AFCE07}\RP6\A0001122.EXE
9/30/2009 8:56:03 PM Deleted: Trojan.Win32.Scar.nef c:\System Volume Information\_restore{84584035-382A-4A86-BAB7-12FC15AFCE07}\RP6\A0001120.EXE
9/30/2009 8:56:04 PM Deleted: Backdoor.Win32.Bifrose.bomo c:\System Volume Information\_restore{84584035-382A-4A86-BAB7-12FC15AFCE07}\RP6\A0001122.EXE
9/30/2009 9:02:18 PM Detected: Trojan-Downloader.Win32.Small.jmn c:\WINDOWS\system32\userinit.exe.bat.old
9/30/2009 9:02:43 PM Deleted: Trojan-Downloader.Win32.Small.jmn c:\WINDOWS\system32\userinit.exe.bat.old
9/30/2009 10:12:05 PM Task completed
Rootkit Scan: completed 1 hour ago (events: 2, objects: 414, time: 00:11:19)
9/30/2009 8:29:36 PM Task started
9/30/2009 8:40:59 PM Task completed


----------------------------------------

Here is the log file for SysProt:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 844
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 940
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 964
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 1012
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 1024
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1188
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1280
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1408
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1492
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1648
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1876
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 496
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 344
Hidden: No
Window Visible: No

Name: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
PID: 328
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 320
Hidden: No
Window Visible: No

Name: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
PID: 212
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 644
Hidden: No
Window Visible: No

Name: C:\Program Files\Maxtor\Sync\SyncServices.exe
PID: 688
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PID: 1104
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 2220
Hidden: No
Window Visible: No

Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 2484
Hidden: No
Window Visible: No

Name: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
PID: 1416
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Geovision\Desktop\SysProt\SysProt\SysProt.exe
PID: 3784
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Geovision\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: ECEC0000
Module End: ECECB000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806ED280
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806EE000
Module End: 8070E280
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F79B6000
Module End: F79B8000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F78C6000
Module End: F78C9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F7467000
Module End: F7495000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F79B8000
Module End: F79BA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7456000
Module End: F7467000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F74B6000
Module End: F74BF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7A7E000
Module End: F7A7F000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F7736000
Module End: F773D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F74C6000
Module End: F74D1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F7437000
Module End: F7456000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F79BA000
Module End: F79BC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F7411000
Module End: F7437000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F773E000
Module End: F7743000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F74D6000
Module End: F74E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F73F9000
Module End: F7411000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F74E6000
Module End: F74EF000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F74F6000
Module End: F7503000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltMgr.sys
Service Name: FltMgr
Module Base: F73DA000
Module End: F73F9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F73C8000
Module End: F73DA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\klbg.sys
Service Name: klbg
Module Base: F7506000
Module End: F7511000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F73B1000
Module End: F73C8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F7324000
Module End: F73B1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F72F7000
Module End: F7324000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F72DD000
Module End: F72F7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kl1.sys
Service Name: kl1
Module Base: F6DBD000
Module End: F72DD000
Hidden: No

Module Name: \WINDOWS\system32\drivers\TDI.SYS
Service Name: ---
Module Base: F7746000
Module End: F774B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F76F6000
Module End: F76FF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Service Name: ialm
Module Base: F6CB0000
Module End: F6D75000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F6B48000
Module End: F6B5C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F786E000
Module End: F7873000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F6B25000
Module End: F6B48000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F7876000
Module End: F787D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
Service Name: RTL8023xp
Module Base: F6B11000
Module End: F6B25000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F7886000
Module End: F788D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F6AFD000
Module End: F6B11000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F7726000
Module End: F7736000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F79AA000
Module End: F79AE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F7536000
Module End: F7543000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F789E000
Module End: F78A4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\klmouflt.sys
Service Name: klmouflt
Module Base: F7546000
Module End: F754F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F78A6000
Module End: F78AC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\gameenum.sys
Service Name: gameenum
Module Base: F6D99000
Module End: F6D9C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F7556000
Module End: F7561000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F7566000
Module End: F7573000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F7576000
Module End: F7585000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F6A30000
Module End: F6A53000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Service Name: ALCXWDM
Module Base: F694D000
Module End: F6A30000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F6911000
Module End: F6935000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F7586000
Module End: F7595000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\klim5.sys
Service Name: klim5
Module Base: F7596000
Module End: F75A0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7B62000
Module End: F7B63000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F75A6000
Module End: F75B3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F6D85000
Module End: F6D88000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F68FA000
Module End: F6911000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F75B6000
Module End: F75C1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F75C6000
Module End: F75D2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F6849000
Module End: F685A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F75E6000
Module End: F75EF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7766000
Module End: F776B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F776E000
Module End: F7773000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F5B60000
Module End: F5B91000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F75F6000
Module End: F7600000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F79F8000
Module End: F79FA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F5B2C000
Module End: F5B60000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F7956000
Module End: F795A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F7616000
Module End: F7620000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F7646000
Module End: F7655000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7A4E000
Module End: F7A50000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: F77BE000
Module End: F77C3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\klif.sys
Service Name: KLIF
Module Base: ED63B000
Module End: ED689000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: ED7B2000
Module End: ED7B4000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7ACB000
Module End: F7ACC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: ED7B0000
Module End: ED7B2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F77D6000
Module End: F77DD000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F77DE000
Module End: F77E4000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: ED7AE000
Module End: ED7B0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: ED7AC000
Module End: ED7AE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F77E6000
Module End: F77EB000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F77EE000
Module End: F77F6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: ED744000
Module End: ED747000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: ED5AC000
Module End: ED5BF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: ED52E000
Module End: ED586000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: ED4CC000
Module End: ED4F4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: ED47C000
Module End: ED49D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F76A6000
Module End: F76AF000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: ED45A000
Module End: ED47C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F76B6000
Module End: F76BF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: ED42F000
Module End: ED45A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: ED3C0000
Module End: ED42F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F76C6000
Module End: F76CF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F68DA000
Module End: F68EA000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: ED3A8000
Module End: ED3C0000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: ED7A0000
Module End: ED7A2000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: ED6D4000
Module End: ED6D7000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F7846000
Module End: F784B000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7B78000
Module End: F7B79000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
Service Name: fssfltr
Module Base: F76E6000
Module End: F76F2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: EDA90000
Module End: EDA94000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: ED064000
Module End: ED088000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: ED04F000
Module End: ED064000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: ED200000
Module End: ED20F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: ECF82000
Module End: ECFAF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F7A0C000
Module End: F7A0E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: ECEE0000
Module End: ECF32000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Service Name: Secdrv
Module Base: ECD78000
Module End: ECDA0000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: ECA8D000
Module End: ECACE000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAdjustPrivilegesToken
Address: ED65A36E
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwClose
Address: ED65AA86
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwConnectPort
Address: ED65B60C
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateEvent
Address: ED65BB40
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateFile
Address: ED65AD78
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateKey
Address: ED659460
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateMutant
Address: ED65BA18
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateNamedPipeFile
Address: ED658D0A
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreatePort
Address: ED65B8D4
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateSection
Address: ED65A102
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateSemaphore
Address: ED65BC72
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateSymbolicLinkObject
Address: ED65D40E
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateThread
Address: ED65A886
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateWaitablePort
Address: ED65B976
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDeleteKey
Address: ED659A20
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDeleteValueKey
Address: ED659CF8
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDeviceIoControlFile
Address: ED65B21C
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDuplicateObject
Address: ED65D980
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwEnumerateKey
Address: ED659E3A
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwEnumerateValueKey
Address: ED659EE4
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwFsControlFile
Address: ED65B016
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwLoadDriver
Address: ED65CEA6
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwLoadKey
Address: ED65943C
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwLoadKey2
Address: ED65944E
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwNotifyChangeKey
Address: ED65A030
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenEvent
Address: ED65BBE2
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenFile
Address: ED65AB08
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenKey
Address: ED659604
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenMutant
Address: ED65BAB0
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenProcess
Address: ED65A56E
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenSection
Address: ED65D438
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenSemaphore
Address: ED65BD14
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenThread
Address: ED65A492
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryKey
Address: ED659F8E
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryMultipleValueKey
Address: ED659BB6
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryValueKey
Address: ED6598BC
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueueApcThread
Address: ED65D128
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwRenameKey
Address: ED659B34
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwReplaceKey
Address: ED6590C2
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwReplyPort
Address: ED65C09E
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwReplyWaitReceivePort
Address: ED65BF64
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwRequestWaitReplyPort
Address: ED65CC30
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwRestoreKey
Address: ED659224
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwResumeThread
Address: ED65D860
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSaveKey
Address: ED658EC4
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSecureConnectPort
Address: ED65B312
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetContextThread
Address: ED65A984
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetInformationToken
Address: ED65C5F2
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetSecurityObject
Address: ED65CFA0
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetSystemInformation
Address: ED65D4C2
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetValueKey
Address: ED659744
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSuspendProcess
Address: ED65D5A6
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSuspendThread
Address: ED65D6D2
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSystemDebugControl
Address: ED65CDD2
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwTerminateProcess
Address: ED65A6EA
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwTerminateThread
Address: ED65A63C
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwWriteVirtualMemory
Address: ED65A7C8
Driver Base: ED63B000
Driver End: ED689000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: TEST:1033
Remote Address: CDS10.LON9.MSECN.NET:HTTP
Type: TCP
Process: C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
State: CLOSE_WAIT

Local Address: TEST:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: TEST:5152
Remote Address: LOCALHOST:1346
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: TEST:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: TEST:1110
Remote Address: LOCALHOST:1336
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: TEST:1110
Remote Address: LOCALHOST:1331
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: TEST:1110
Remote Address: LOCALHOST:1330
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: TEST:1110
Remote Address: LOCALHOST:1328
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: TEST:1110
Remote Address: LOCALHOST:1302
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: TEST:1054
Remote Address: LOCALHOST:1110
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jusched.exe
State: CLOSE_WAIT

Local Address: TEST:1035
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: TEST:19780
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
State: LISTENING

Local Address: TEST:1110
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
State: LISTENING

Local Address: TEST:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: TEST:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: TEST:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: TEST:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: TEST:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: TEST:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: TEST:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: TEST:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: TEST:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: TEST:1031
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: TEST:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: TEST:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{84584035-382A-4A86-BAB7-12FC15AFCE07}
Status: Access denied

extremeboy
Hello.

Something is regenerating the userinit.exe file after we delete it. We need to find out what that is.

Please get a fresh copy of ComboFix downloaded onto your desktop. Run the following CFScript...

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    Rootkit::
    C:\Windows\System32\userinit.exe
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
dnm5164
There you go.

thx

dm

ComboFix 09-10-01.05 - Geovision 10/02/2009 17:59.8.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.725 [GMT -5:00]
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Geovision\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.

2009-10-01 00:44 . 2009-10-01 00:44 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-10-01 00:42 . 2009-10-01 00:49 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-01 00:42 . 2009-10-01 00:49 107547 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-01 00:41 . 2009-10-02 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-01 00:41 . 2009-10-01 00:41 -------- d-----w- c:\program files\Kaspersky Lab
2009-09-30 22:44 . 2009-09-30 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-30 21:09 . 2009-09-30 21:09 -------- d-----w- c:\windows\Sun
2009-09-30 21:04 . 2009-07-31 14:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-30 21:04 . 2009-09-30 22:32 -------- d-----w- c:\program files\Java
2009-09-22 00:23 . 2009-09-22 00:23 0 ----a-w- c:\documents and settings\Geovision\settings.dat
2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 00:36 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-08-03 12:36 . 2009-08-29 19:05 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 12:36 . 2009-08-29 19:05 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------


[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe



[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
c:\windows\system32\userinit.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-08_16.49.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-02 23:06 . 2009-10-02 23:06 16384 c:\windows\temp\Perflib_Perfdata_7f8.dat
+ 2004-09-01 08:00 . 2009-10-01 00:39 59992 c:\windows\system32\perfc009.dat
- 2004-09-01 08:00 . 2009-03-30 17:59 59992 c:\windows\system32\perfc009.dat
+ 2009-07-03 20:45 . 2009-07-03 20:45 27507 c:\windows\system32\drivers\klopp.dat
+ 2009-05-17 01:59 . 2009-05-17 01:59 19472 c:\windows\system32\drivers\klmouflt.sys
+ 2009-05-13 22:46 . 2009-05-13 22:46 31760 c:\windows\system32\drivers\klim5.sys
+ 2008-12-16 01:41 . 2008-12-16 01:41 33808 c:\windows\system32\drivers\klbg.sys
- 2004-09-01 08:00 . 2009-03-30 17:59 395862 c:\windows\system32\perfh009.dat
+ 2004-09-01 08:00 . 2009-10-01 00:39 395862 c:\windows\system32\perfh009.dat
+ 2009-07-03 20:48 . 2009-07-03 20:48 219664 c:\windows\system32\klogon.dll
+ 2009-09-30 22:32 . 2009-07-31 14:23 149280 c:\windows\system32\javaws.exe
+ 2009-09-30 22:32 . 2009-07-31 14:23 145184 c:\windows\system32\javaw.exe
+ 2009-09-30 22:32 . 2009-07-31 14:23 145184 c:\windows\system32\java.exe
+ 2009-10-01 00:41 . 2009-10-01 00:41 296976 c:\windows\system32\drivers\klif.sys
+ 2009-06-15 19:01 . 2009-06-15 19:01 128016 c:\windows\system32\drivers\kl1.sys
+ 2009-09-30 21:04 . 2009-09-30 21:04 536576 c:\windows\Installer\73c30.msi
+ 2009-10-01 00:42 . 2009-10-01 00:42 3341312 c:\windows\Installer\46a42.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-07-03 303376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-16 33808]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2009-05-13 31760]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-05-17 19472]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 18:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2148)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
.
**************************************************************************
.
Completion time: 2009-10-02 18:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-02 23:32
ComboFix2.txt 2009-09-26 01:36
ComboFix3.txt 2009-09-22 00:17
ComboFix4.txt 2009-09-19 15:40
ComboFix5.txt 2009-10-02 22:58

Pre-Run: 1,913,561,088 bytes free
Post-Run: 1,885,384,704 bytes free

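The point worth pulling out of the log above is the Winlogon entry: ComboFix reports userinit.exe as infected and then missing, and the Reg Loading Points section shows "Userinit" pointing at c:\windows\explorer.exe instead of system32\userinit.exe, so the logon chain has been rewritten. The following is an added example (not ComboFix's code and not posted by anyone in this thread) that parses lines in this log's format, collects the "is infected"/"is missing" findings, and flags a Userinit value that deviates from the Windows XP default. The sample log text is constructed from lines modelled on the log above; the regexes and function names are assumptions made for this example.

```python
"""Added example: triage a ComboFix-style log for file findings and Userinit tampering."""
import re

# Windows XP default for HKLM\...\Winlogon\Userinit (assumption: trailing comma as ComboFix shows it).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"
USERINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\userinit"

# Constructed sample, modelled on the log lines posted in this thread.
SAMPLE_LOG = r"""
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\comres.dll . . . is infected!!
c:\windows\system32\drivers\asyncmac.sys ... is missing !!
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# Matches both "path . . . is infected!!" (Other Deletions) and "path ... is missing !!" (Sigcheck).
FILE_STATUS_RE = re.compile(r"^(?P<path>.+?) (?:\. \. \.|\.\.\.) is (?P<status>infected|missing) ?!!$")
# REGEDIT4-style key header and "name"=value lines.
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def parse_log(text):
    """Return (file_findings, registry_values).

    file_findings: list of (lowercased path, "infected" | "missing")
    registry_values: dict mapping lowercased "key\\name" -> value with surrounding quotes removed
    """
    findings = []
    reg = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_STATUS_RE.match(line)
        if m:
            findings.append((m.group("path").lower(), m.group("status")))
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = REG_VALUE_RE.match(line)
        if m and current_key:
            reg[current_key + "\\" + m.group("name").lower()] = m.group("value").strip('"')
    return findings, reg


def check_userinit(reg):
    """Return the Userinit value if it is not the XP default, else None.

    ComboFix omits legit default entries, so an absent Userinit line means
    the value was the default and is not a finding.
    """
    value = reg.get(USERINIT_KEY)
    if value is None:
        return None
    if value.lower().rstrip(",") != EXPECTED_USERINIT.rstrip(","):
        return value
    return None


def triage(text):
    """Summarise a log as a list of human-readable issues."""
    findings, reg = parse_log(text)
    issues = ["%s: %s" % (status, path) for path, status in findings]
    bad_userinit = check_userinit(reg)
    if bad_userinit is not None:
        issues.append("Userinit altered: %s (expected %s)" % (bad_userinit, EXPECTED_USERINIT))
    return issues


if __name__ == "__main__":
    for issue in triage(SAMPLE_LOG):
        print(issue)
```

On the sample this reports the two infected files, the missing driver, and the altered Userinit entry; the same Userinit mismatch is why the first MBAM log in this thread flagged Winlogon\Userinit as Trojan.Downloader data. A value that loads anything other than userinit.exe at logon is worth restoring from a known-good copy of the key, and the missing/infected system files are the ones sfc /scannow is expected to put back.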
extremeboy
Hello.

It seems it's gone now.

Try doing a sfc /scannow using your XP CD now and see what happens. We can replace anything afterwards.

Run a new Combofix scan by just double-clicking it once done.

With Regards,
Extremeboy
dnm5164
Hello Extremeboy,

Ran the sfc /scannow but the DOS window opened up for a fraction of a second and was closed, nothing after that.

Also ran the combofix as well. Do you want me to post it online?

btw, thank you so much for working with me in fixing the issues on my computer.

Thanks

Dilip
extremeboy
Hello.

Yes, you can post the Combofix log in this topic here.

Sorry for the delays recently as I have been quite busy.

~EB
extremeboy
Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy
extremeboy
Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy