windows 2010 Virus

kiavickers · September 6, 2009

Hello,

I am new to the forum and to computer virusses. A message keeps pooping up abot windows 2010 spyware, I cannot run Malwarebytes,and having been trying for hours just to finaly get my taskbar working. i tried to rename the mbam.exe file as suggested, however a message pops up sying that I cannot rename this file.

Per the borad instructions I dowloaded hijackthis but that won't run, nor can I get a malware log. I did get win32diag to run and have the information below. Any help you can give would be greatly appreciated

Ian Vickers

Log file is located at: C:\Documents and Settings\Ian Vickers\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13D.tmp\ZAP13D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP245.tmp\ZAP245.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP38.tmp\ZAP38.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP39.tmp\ZAP39.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP42.tmp\ZAP42.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9B.tmp\ZAP9B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Leica.OfficeDatabase\Database.Geoids\Database.Geoids

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Leica.OfficeDatabase\Database.InitialData\Database.InitialData

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\braviax.exe

[1] 2009-09-06 01:13:03 11776 C:\WINDOWS\braviax.exe ()

[1] 2009-09-06 01:13:03 11776 C:\WINDOWS\system32\braviax.exe ()

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Google\Plugin\Plugin

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-4163015748-2675040888-3751452516-1003\S-1-5-21-4163015748-2675040888-3751452516-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\IdentityCRL\production\production

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\0820aec70989\0820aec70989

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-4163015748-2675040888-3751452516-1003\S-1-5-21-4163015748-2675040888-3751452516-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

Maurice Naggar · September 6, 2009

Hello kiavickers and welcome to MalwareBytes forums.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not kiavickers and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Begin with this:

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

1. Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Temporarily only, disable your antivirus program and anti-malware real-time monitors. Do not disable the firewall !!

Use this as a guide on how to do these

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

=

Download The Avenger by Swandog46 from here.

Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.

Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.

Files to delete:
C:\WINDOWS\braviax.exe
C:\WINDOWS\system32\braviax.exe 

Folders to delete:
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

In the avenger window, click the Paste Script from Clipboard icon, button.
:!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.

and then reboot the system again.

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on Combo-Fix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Avenger.txt

and C:\Combofix.txt

Maurice Naggar · September 6, 2009

Kindly ONLY use the ADDREPLY button (at bottom of window) to start a reply.

Your last post had none of your information, and I'll delete it.

kiavickers · September 6, 2009

Well I did what you instructed, Ater running both programs the windows 2010 virus was still poopong up however I was now able to run Malwarebytes, I will attach the combofix, avenger and malware text

Here is the combofix text

ComboFix 09-09-06.02 - Ian Vickers 09/06/2009 12:21.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.292 [GMT -5:00]

Running from: c:\documents and settings\Ian Vickers\Desktop\Combo-Fix.exe

AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {CBF7D2C9-A0CE-4D62-BBC6-C96A063C1A43}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\boduw.vbs

c:\documents and settings\All Users\Application Data\bydoxe.bat

c:\documents and settings\All Users\Application Data\siwed._sy

c:\documents and settings\All Users\Application Data\tajezy.exe

c:\documents and settings\All Users\Documents\ehiqykup.sys

c:\documents and settings\All Users\Documents\gynakiga.dll

c:\documents and settings\All Users\Documents\itoci.scr

c:\documents and settings\All Users\Documents\yjenudisu.sys

c:\documents and settings\Ian Vickers\Application Data\apikem.scr

c:\documents and settings\Ian Vickers\Application Data\caqanodyk.bin

c:\documents and settings\Ian Vickers\Application Data\ebap.reg

c:\documents and settings\Ian Vickers\Application Data\emepiwed.bat

c:\documents and settings\Ian Vickers\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk

c:\documents and settings\Ian Vickers\Cookies\bafamute.dll

c:\documents and settings\Ian Vickers\Cookies\jopezyfo.scr

c:\documents and settings\Ian Vickers\Cookies\ohudufe.dll

c:\documents and settings\Ian Vickers\Cookies\olyvejofa.exe

c:\documents and settings\Ian Vickers\Cookies\xywemuhy.com

c:\documents and settings\Ian Vickers\Local Settings\Application Data\dawuc.dl

c:\documents and settings\Ian Vickers\Local Settings\Application Data\enycuz.pif

c:\documents and settings\Ian Vickers\Local Settings\Application Data\inosok.ban

c:\documents and settings\Ian Vickers\Local Settings\Application Data\lyxumuk.scr

c:\documents and settings\Ian Vickers\Local Settings\Application Data\milo._dl

c:\documents and settings\Ian Vickers\Local Settings\Application Data\nurodotafu.dll

c:\documents and settings\Ian Vickers\Local Settings\Application Data\ukuwelosaz._dl

c:\documents and settings\Ian Vickers\Local Settings\Application Data\xitupob.dll

c:\documents and settings\Ian Vickers\Local Settings\Application Data\zowyqysul.bin

c:\documents and settings\Ian Vickers\Local Settings\Temporary Internet Files\eharu.bat

c:\documents and settings\Ian Vickers\Local Settings\Temporary Internet Files\menedyc.bat

c:\documents and settings\Ian Vickers\Local Settings\Temporary Internet Files\uduruxavyl.inf

C:\emxtqjit.exe

C:\fyblb.exe

C:\hpbyv.exe

C:\p2hhr.bat

c:\program files\Common Files\heniporon.dl

c:\program files\Common Files\xoxofywedi.bat

c:\program files\Common Files\yhavezas.com

C:\svfp.exe

c:\windows\afimu.bat

c:\windows\braviax.exe

c:\windows\cru629.dat

c:\windows\icatorif.dll

c:\windows\ilywesu.dl

c:\windows\jiwob.reg

c:\windows\system32\_scui.cpl

c:\windows\system32\~.exe

c:\windows\system32\braviax.exe

c:\windows\system32\cru629.dat

c:\windows\system32\DdLUwyxx.ini

c:\windows\system32\DdLUwyxx.ini2

c:\windows\system32\dllcache\beep.sys

c:\windows\system32\fixlxtvi.ini

c:\windows\system32\jiremeye.dll

c:\windows\system32\mipuged.dl

c:\windows\system32\mupitera.dll

c:\windows\system32\oxawole.pif

c:\windows\system32\pasugusa.dll

c:\windows\system32\pekugedi.exe

c:\windows\system32\sapah.dll

c:\windows\system32\ssprs.dll

c:\windows\system32\tajf83ikdmf.dll

c:\windows\system32\terobila.dll

c:\windows\system32\winhelper.dll

c:\windows\system32\wisdstr.exe

c:\windows\system32\ylop.sys

c:\windows\system32\ytyh.vbs

c:\windows\Temp\tmp3.tmp

c:\windows\ukumyka.reg

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\logevent.dll

c:\windows\system32\drivers\beep.sys . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))

.

2009-09-06 17:13 . 2009-09-06 17:14 -------- d-----w- c:\program files\AntivirusPro_2010

2009-09-06 16:39 . 2009-09-06 16:39 -------- d-----w- c:\program files\ERUNT

2009-09-06 07:46 . 2009-09-06 07:46 -------- d-----w- c:\program files\Trend Micro

2009-09-06 06:12 . 2009-09-06 06:12 -------- d-----w- c:\windows\system32\wbem\Repository

2009-09-06 05:34 . 2009-09-06 05:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-06 03:48 . 2009-09-06 03:47 67424 ----a-w- c:\windows\system32\drivers\CDAVFS.sys

2009-09-06 03:48 . 2009-09-06 03:48 -------- d-----w- c:\program files\CyberDefender

2009-09-06 03:35 . 2009-09-06 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2009-09-06 03:35 . 2009-09-06 03:35 -------- d-----w- c:\program files\CCleaner

2009-09-06 02:57 . 2009-09-06 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-09-06 02:50 . 2009-09-06 02:53 -------- d-----w- c:\program files\Windows Live Safety Center

2009-09-05 08:08 . 2009-09-05 08:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

2009-09-05 08:07 . 2009-09-06 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-09-05 08:07 . 2009-09-05 08:07 -------- d-----w- c:\program files\Common Files\iS3

2009-09-05 06:55 . 2009-09-05 06:55 16492 ----a-w- c:\program files\Common Files\rupy.dat

2009-09-05 06:49 . 2009-09-05 06:49 705 ----a-w- C:\tujfbtrj.exe

2009-09-05 06:49 . 2009-09-05 06:49 705 ----a-w- C:\qbuf.exe

2009-09-05 06:49 . 2009-09-05 06:49 705 ----a-w- C:\enurmyv.exe

2009-09-04 04:22 . 2009-09-04 04:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\Softland

2009-09-04 04:21 . 2009-08-12 17:50 21192 ----a-w- c:\windows\system32\dopdfmn6.dll

2009-09-04 04:21 . 2009-08-12 17:50 18632 ----a-w- c:\windows\system32\dopdfmi6.dll

2009-09-04 04:21 . 2009-09-04 04:21 -------- d-----w- c:\program files\Softland

2009-09-04 00:31 . 2009-09-04 00:31 -------- d-----w- c:\documents and settings\Ian Vickers\Local Settings\Application Data\Xobni

2009-09-04 00:28 . 2009-09-04 00:29 -------- d-----w- c:\program files\Xobni

2009-09-04 00:27 . 2009-09-04 00:27 -------- d-----w- c:\documents and settings\Ian Vickers\Application Data\OpenCandy

2009-09-04 00:26 . 2009-04-24 02:55 176235 ----a-w- c:\windows\system32\Primomonnt.dll

2009-09-04 00:26 . 2009-09-04 00:41 -------- d-----w- c:\program files\Nitro PDF

2009-08-11 23:35 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-10 17:14 . 2009-08-10 17:14 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-10 17:13 . 2009-08-10 17:13 -------- d-----w- c:\program files\MSBuild

2009-08-10 17:13 . 2009-08-10 17:13 -------- d-----w- c:\program files\Reference Assemblies

2009-08-10 17:13 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-10 17:13 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-10 17:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-10 17:13 . 2009-08-10 17:13 -------- d-----w- C:\17ebbc381830da554c392e308a9f9a03

2009-08-10 17:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-10 17:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-10 17:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-10 17:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-06 17:07 . 2006-03-17 07:43 -------- d-----w- c:\program files\Google

2009-09-06 17:03 . 2006-12-08 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2009-09-06 16:50 . 2008-12-27 03:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-06 03:35 . 2006-10-14 00:48 -------- d-----w- c:\program files\Yahoo!

2009-09-06 02:13 . 2006-10-13 01:07 -------- d-----w- c:\program files\Windows Live Toolbar

2009-09-05 06:55 . 2009-09-05 06:55 19707 ----a-w- c:\program files\Common Files\fepa.lib

2009-09-05 06:49 . 2009-04-26 02:52 -------- d-----w- c:\program files\PeerGuardian2

2009-09-04 00:36 . 2006-10-13 01:06 -------- d-----w- c:\program files\MSN Messenger

2009-08-31 21:16 . 2006-03-27 04:30 73328 ----a-w- c:\documents and settings\Ian Vickers\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-27 11:37 . 2007-04-16 01:47 -------- d-----w- c:\documents and settings\Ian Vickers\Application Data\U3

2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-02 04:28 . 2008-12-29 02:17 -------- d-----w- c:\program files\Microsoft Silverlight

2009-07-18 01:38 . 2009-07-17 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-18 01:38 . 2009-07-17 21:55 -------- d-----w- c:\program files\NOS

2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 15:08 . 2004-08-10 18:51 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-26 16:50 . 2004-08-10 18:51 666624 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 16:50 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-06-16 14:36 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2004-08-10 18:51 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:19 . 2004-08-10 19:01 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2004-08-10 18:50 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2004-08-10 18:51 132096 ----a-w- c:\windows\system32\wkssvc.dll

2006-07-16 00:53 . 2006-03-27 04:35 152 --sh--r- c:\windows\system32\112CB0E998.sys

2006-07-16 00:53 . 2006-04-16 19:22 6686 --sha-w- c:\windows\system32\KGyGaAvL.sys

1997-07-22 00:30 . 1997-07-22 00:30 1045776 --sha-w- c:\windows\system32\Msjet35.dll

1997-06-23 08:00 . 1997-06-23 08:00 123664 --sha-w- c:\windows\system32\Msjint35.dll

1997-06-23 17:06 . 1997-06-23 17:06 24848 --sha-w- c:\windows\system32\Msjter35.dll

1997-06-23 17:06 . 1997-06-23 17:06 252176 --sha-w- c:\windows\system32\Msrd2x35.dll

1997-06-23 17:06 . 1997-06-23 17:06 287504 --sha-w- c:\windows\system32\Msxbse35.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"CyberDefender Early Detection Center"="c:\program files\CyberDefender\AntiSpyware\cdas68.exe" [2009-09-06 738632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-15 180269]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" [2009-09-06 596346]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-25 525640]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\CyberDefender\\AntiSpyware\\cdas68.exe"=

R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [7/14/2009 3:46 PM 44776]

S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [9/5/2009 10:48 PM 67424]

.

Contents of the 'Scheduled Tasks' folder

2009-09-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Advanced Virus Remover - c:\program files\AdvancedVirusRemover\PAVRM.exe

SharedTaskScheduler-{754f1eda-8484-40b1-a1fd-30b01b201739} - c:\windows\system32\bonafanu.dll

SSODL-gafodalol-{754f1eda-8484-40b1-a1fd-30b01b201739} - c:\windows\system32\bonafanu.dll

Notify-yaywWnLC - yaywWnLC.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

mWindow Title = Windows Internet Explorer provided by Comcast

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-06 12:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\drivers\CDAC11BA.EXE

c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe

c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-06 12:35 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-06 17:35

Pre-Run: 48,498,774,016 bytes free

Post-Run: 48,411,975,680 bytes free

255 --- E O F --- 2009-09-02 08:00

And here is the Avenger text

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "C:\WINDOWS\braviax.exe" deleted successfully.

File "C:\WINDOWS\system32\braviax.exe" deleted successfully.

Folder "C:\recycler" deleted successfully.

Error: could not open folder "D:\recycler"

Deletion of folder "D:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "e:\recycler"

Deletion of folder "e:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "f:\recycler"

Deletion of folder "f:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "g:\recycler"

Deletion of folder "g:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "h:\recycler"

Deletion of folder "h:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Completed script processing.

*******************

Finished! Terminate.

here is the Malware Log:

Malwarebytes' Anti-Malware 1.40

Database version: 2749

Windows 5.1.2600 Service Pack 3

9/6/2009 3:20:12 PM

mbam-log-2009-09-06 (15-20-12).txt

Scan type: Quick Scan

Objects scanned: 102541

Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\enurmyv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\qbuf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\tujfbtrj.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ian Vickers\Local Settings\Temp\msupd_2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Maurice Naggar · September 6, 2009

If you are still getting a "rogue" popup window, do this to close the rogue window. Repeat as needed.

Use ALT+F4 keys to close those rogue pop-up windows. Press and hold the ALT key & then press F4 key.

Stay tuned for my next reply.

Maurice Naggar · September 6, 2009

There is still a remainder of the pesky rogue Antivirus Pro 2010. It needs to be wiped. You've already got Avenger. This next will squash it, hopefully. Do not be alarmed if not all the files I listed are found.

Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.

Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.

Files to delete:
C:\WINDOWS\braviax.exe
C:\WINDOWS\system32\braviax.exe
C:\tujfbtrj.exe
C:\qbuf.exe
C:\enurmyv.exe

Drivers to delete:
Antivirus Pro 2010

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Antivirus Pro 2010
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices | Antivirus Pro 2010

Folders to delete:
c:\program files\AntivirusPro_2010
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

In the avenger window, click the Paste Script from Clipboard icon, button.
:!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.

and then reboot the system again.

=

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

Trend Micro Damage Cleanup Engine

[*]Make sure you read this document to understand how to use the program.

Trend Micro Sysclean Package README 1st

[*]Basically there are 3 parts that need to be downloaded and SAVED from these links:

[*]Sysclean Package

[*]Virus Pattern Files that will be a LPTxxx.ZIP file

[*]Spyware Pattern Files this is a SSAPIPTNxxx.ZIP

It is the 4th listed file, under title "Detection and Cleanup (Trend Micro Anti-Spyware)

kiavickers · September 7, 2009

I have two of the three reports for you. Kaspersky would not run, it kept giving the error message," An uninterrupted internet session is required...." I believe that I disabled my AVG antivirus before starting kaspersky by right clicking the icon at the bottom right hand corner of the screen and choosing exit.

At Any rate I am not getting any popupsor messages from the 2010 virus, also the computer seems to be running faster.

Avenger log

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\braviax.exe" not found!

Deletion of file "C:\WINDOWS\braviax.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\braviax.exe" not found!

Deletion of file "C:\WINDOWS\system32\braviax.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\tujfbtrj.exe" not found!

Deletion of file "C:\tujfbtrj.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\qbuf.exe" not found!

Deletion of file "C:\qbuf.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\enurmyv.exe" not found!

Deletion of file "C:\enurmyv.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Antivirus Pro 2010" not found!

Deletion of driver "Antivirus Pro 2010" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: folder "c:\program files\AntivirusPro_2010" not found!

Deletion of folder "c:\program files\AntivirusPro_2010" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Folder "C:\recycler" deleted successfully.

Error: could not open folder "D:\recycler"

Deletion of folder "D:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "e:\recycler"

Deletion of folder "e:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "f:\recycler"

Deletion of folder "f:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "g:\recycler"

Deletion of folder "g:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "h:\recycler"

Deletion of folder "h:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Antivirus Pro 2010"

Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Antivirus Pro 2010" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not delete registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices|Antivirus Pro 2010"

Deletion of registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices|Antivirus Pro 2010" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

-----------------------------------------------------------------------------------------------------------------------------------------------

Syslean log

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2009-09-06, 17:39:51, Auto-clean mode specified.

2009-09-06, 17:39:52, Initialized Rootkit Driver version 2.2.0.1004.

2009-09-06, 17:39:52, Running scanner "C:\dce\TSC.BIN"...

2009-09-06, 17:40:18, Scanner "C:\dce\TSC.BIN" has finished running.

2009-09-06, 17:40:18, TSC Log:

Maurice Naggar · September 7, 2009

There's a bit of follow-up and then let's have you run a different utility.

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:files
C:\WINDOWS\system32\4c9b3ee8dac64aad04663e33b7267979.szcpf
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

:Commands
[purity]
[emptytemp]
[reboot]

Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
Close any browser(s) windows that may be open.
Using your mouse, click on the red-lettered button Run Fix.
Once you see a message box "Fix complete! Click OK to open the fix log."
Click the OK button
The log will open in Notepad (your default text editor).
Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan tab" and UNcheck "Heuristic analysis"
Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
When done, a message will be displayed at the bottom advising if any viruses were found.
Click "Yes to all" if it asks if you want to cure/move the file.
When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

>

Reply with copy of the DrWeb Cure-it log

kiavickers · September 7, 2009

Ran OTL and Dr web. The computer seems to be running well and no 2010 virus messages or pop-ups.

Thanks for all of your help. I would have thrown the thing out of the window if it wasn't for you guys

Here are the reports

Dr.Web

MMComponentMgr.exe;C:\Program Files\MUSICMATCH\Common\ComponentMgr;Trojan.PWS.Banker.origin;Incurable.Moved.;

CMInstall.exe\data016;C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\CM\CMInstall.exe;Trojan.PWS.Banker.origin;;

CMInstall.exe;C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\CM;Archive contains infected objects;Moved.;

A0000065.rbf;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3;Trojan.Fakealert.4602;Deleted.;

A0001002.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3;Trojan.Fakealert.4972;Deleted.;

A0001003.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3;Trojan.Fakealert.4972;Deleted.;

A0001115.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3;Trojan.Fakealert.4972;Deleted.;

A0001116.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3;Trojan.Fakealert.4972;Deleted.;

A0001489.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7;Trojan.PWS.Banker.origin;Incurable.Moved.;

A0001490.exe\data016;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0001490.exe;Trojan.PWS.Banker.origin;;

A0001490.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7;Archive contains infected objects;Moved.;

Maurice Naggar · September 8, 2009

If you have not done the Kaspersky online scan, please do that.

Post a copy of the Kaspersky scan log.

Also, Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2758.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with copy of the MBAM scan log & Kaspersky log for my review.

Maurice Naggar · September 27, 2009

This thread is closed due to lack of response. The procedures used here were specific to this system and only for this system. Do not apply them to another; doing so will likely damage your system.

If you are a casual observer and having same issues, please follow forum procedures and create your own New topic.

I'm infected - What do I do now?

Procedures to help resolve issues preventing MBAM from running

windows 2010 Virus

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information