It seems I'm not the only one who is having these problems in recent days. Is there a worm going around? Anyway, I don't know when the problems exactly started, but my AVG Free stopped working a few days ago (4 or 5 days ago?). Shamefully, I never got around to fixing it. While browsing a mobile theme site which I visit regularly, out of the blue 20-30 Task Manager windows appeared at once. I closed them via one Task Manager. This solved it. My PC suddenly rebooted itself. Here, I was thinking it was just an annoying Windows Update and enjoyed my cup of tea while it booted up. I choked on my tea when I got a 'Your computer is infected!' Panic kicked in. I've tried ClamWin as recommended by a friend and smitRem by another friend. Neither fixed the problem. Getting annoyed with this and feeling clever, I tried to open SpyBot and AdAware. To my shock, they wouldn't open at all. I googled SpyBot and other antispyware programs but they all redirected me to other websites or ads. I've tried to fix this via Safe Mode too. No luck. My friend, who is starting to become very annoyed with me, suggested HijackThis logs for him to check. Guess what? That wouldn't start up either. I'm pretty stuck on what to do next. The 'Your computer is infected!' pop-up appears every 10 minutes. I'm ripping out my hair.
Hi WildDenim

Rogue antimalware is on the blast these days. Unfortunately, malware is popping up faster than antimalwares can catch it, so I will recommend safe surfing for the next few weeks.

Please reboot your computer into Safe Mode With Networking by doing the following:
• Restart your computer.
• After pressing the power button, repeatedly tap the F8 key.
• Instead of Windows loading as normal, the Advanced Options Menu should appear.
• Select the option to run Windows in Safe Mode With Networking, then press Enter.
• Choose the administrator's account.

Please download Malwarebytes Anti-Malware and install it. Follow the prompts and reboot if required. Launch Malwarebytes either by running C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or by double-clicking the Malwarebytes' Anti-Malware shortcut on your Desktop.

Configuring Malwarebytes
• Click on the tab Settings.
• Make sure only these boxes are checked:
Code:
Terminate Internet Explorer
Automatically save and display logfile after removal
Always scan memory objects
Always scan registry objects
Always scan filesystem
Always scan extra and heuristics objects

Updating Malwarebytes
• Click on the tab Update.
• Press the button Check for Updates.
• Wait for Malwarebytes to be fully updated.

Scanning Time
• Click on the tab Scanner.
• Check Perform full scan and click on Scan.
• Wait for the scan to complete, and then click on Show Results.
• Make sure all items are checked, then click on Remove Selected.

**If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.

Post A Log
• A text box will pop up after the removal process is over. Post the contents of the text here.
• If no text box pops up, launch Malwarebytes, and click on the tab Logs.
• The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
• Post the log here.

Best Regards
Good news! It deleted all the trojans, and the annoying pop-up and icon have now gone. I'm also able to run SpyBot and HijackThis. Hurrah!

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:37:24, on 18/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\vVX1000.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Natalie\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1190329343796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1190329466375
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: karna.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 7421 bytes

MalwareBytes:

I couldn't find the log from after the removal (I've now booted into normal mode), but this is from before the removal. I've removed all the infected files with the program.

Malwarebytes' Anti-Malware 1.30
Database version: 1409
Windows 5.1.2600 Service Pack 3

18/11/2008 17:23:05
mbam-log-2008-11-18 (17-22-52).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 151117
Time elapsed: 38 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\antiviruspro2009 (Rogue.Antivirus2008) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Routing (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WServing (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons (Trojan.Downloader) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AntivirusPro2009 (Rogue.Antivirus2008) -> No action taken.

Files Infected:
C:\System Volume Information\_restore{F02E162A-AEF4-400D-AB00-355F8943098E}\RP475\A0084648.dll (Rogue.AntivirusPro2009) -> No action taken.
C:\System Volume Information\_restore{F02E162A-AEF4-400D-AB00-355F8943098E}\RP475\A0084674.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{F02E162A-AEF4-400D-AB00-355F8943098E}\RP475\A0084675.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSedpn.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\TDSSijso.sys (Trojan.TDSS) -> No action taken.
C:\Program Files\AntivirusPro2009\Uninstall.exe (Rogue.Antivirus2008) -> No action taken.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\mtmc.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drmgs.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\wini10894.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Natalie\Application Data\urlredir.cfg (Adware.RightOnAds) -> No action taken.
C:\WINDOWS\system32\TDSSnhvw.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSuyka.log (Trojan.TDSS) -> No action taken.
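A defender-side triage helper, added here as an example and not part of this thread or of HijackThis itself: it parses the entry lines of a HijackThis v2 log (a constructed subset of the kinds of entries in the log above, embedded inline) and flags the entry types that most often need a second look, namely an O20 AppInit_DLLs value, an O23 service whose file is missing or whose owner is unknown, an O4 Run entry whose executable has no path, and an O16 DPF entry pointing at a bare .exe. The rules are general review heuristics; they are not a verdict on any individual entry above, and legitimate software (nwiz.exe from the NVIDIA driver, for instance) trips them too.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 format: a few entries of the kinds that
# appear in the log above, not the full log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O20 - AppInit_DLLs: karna.dat
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section code such as R1, O4, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# In an O4 entry the command follows the "[Name] " part.
O4_COMMAND_RE = re.compile(r"\] (?P<command>.*)$")
# Directories a limited user can write to; autostarts there deserve a look.
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def first_token(command: str) -> str:
    """Return the executable part of a Run-key command, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def reasons_for(section: str, body: str) -> list:
    """Apply the review heuristics for one entry; empty list means no flag."""
    reasons = []
    if section == "O4":
        m = O4_COMMAND_RE.search(body)
        exe = first_token(m.group("command")) if m else ""
        if exe and "\\" not in exe:
            reasons.append("executable given without a path; resolved through the search order")
        if any(d in exe.lower() for d in USER_WRITABLE_DIRS):
            reasons.append("autostart from a user-writable directory")
    elif section == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        if url.lower().endswith(".exe"):
            reasons.append("Downloaded Program Files entry fetches a bare .exe installer")
    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:
            reasons.append(f"AppInit_DLLs loads '{value}' into every process that loads user32.dll")
    elif section == "O23":
        if "Unknown owner" in body:
            reasons.append("service binary carries no vendor information")
        if body.endswith("(file missing)"):
            reasons.append("service points at a file that no longer exists")
    return reasons


def triage_hijackthis(log_text: str) -> list:
    """Return a Finding for every entry line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank or 'Running processes' lines
        reasons = reasons_for(m.group("section"), m.group("body"))
        if reasons:
            findings.append(Finding(m.group("section"), line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f.section, "|", f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample, the script flags four of the seven entries: the path-less nwiz Run entry, the .exe DPF download, the AppInit_DLLs value and the orphaned KService entry (which collects two reasons). Each flag is a prompt to check the file on disk and its publisher, which is exactly the step a helper performs by hand when reading a posted log.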
No edit button? Anyway, I forgot to add: my AVG is still refusing to update. Something about CTF control.
Oh! My AVG problem is now fixed! I used a del_avg_CFT file I found on Google. I think that's all the problems solved. But to be on the safe side, can you tell me if I'm all clean?
Hey WildDenim

Now, please download ComboFix. With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
• Run Combo-Fix.exe and follow the prompts.
• Accept the End-User License Agreement.
• Allow the Recovery Console to be installed.
• When you see the window below, click on Yes.
• When the Recovery Console has been installed, click on Yes to start the scan.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be fully completed.
• If it requires a reboot, please do so.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

Best Regards
ComboFix 08-11-18.03 - Natalie 2008-11-19 3:42:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.214 [GMT 0:00]
Running from: c:\documents and settings\Natalie\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Natalie\Application Data\inst.exe
c:\documents and settings\Natalie\Cookies\eturebuty.dat
c:\documents and settings\Natalie\Cookies\gatofeka.bin
c:\documents and settings\Natalie\Cookies\ozice._dl
c:\documents and settings\Natalie\Cookies\wygica.dll
c:\documents and settings\Natalie\Cookies\zesaxali.bin
c:\documents and settings\Natalie\Local Settings\Temporary Internet Files\acuhyxa.sys
c:\documents and settings\Natalie\Local Settings\Temporary Internet Files\kykucyc.bin
c:\windows\Downloaded Program Files\setup.inf
c:\windows\Install.txt
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\tmp0_236504375077.bk
c:\windows\system32\tmp0_702311757493.bk
c:\windows\system32\tmp1_194621202914.bk
c:\windows\system32\tmp1_498158652693.bk
c:\windows\system32\tmp3_162735306081.bk
c:\windows\system32\tmp3_50733536387.bk
c:\windows\system32\tmp3_85729527889.bk
c:\windows\system32\tmp4_161055602957.bk
c:\windows\system32\tmp4_25746926004.bk
c:\windows\system32\tmp4_727582389471.bk
c:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_WSERVING
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.
2008-11-18 21:12 . 2008-11-18 21:12 <DIR> d-------- c:\documents and settings\Natalie\Application Data\ESET
2008-11-18 21:07 . 2008-11-18 21:07 <DIR> d-------- c:\program files\ESET
2008-11-18 21:07 . 2008-11-18 21:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-11-18 18:02 . 2008-11-18 18:16 <DIR> d-------- c:\program files\FileSubmit
2008-11-18 16:40 . 2008-11-18 16:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-18 16:35 . 2008-11-18 16:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-18 16:35 . 2008-11-18 16:35 <DIR> d-------- c:\documents and settings\Natalie\Application Data\Malwarebytes
2008-11-18 16:35 . 2008-11-18 16:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-18 16:35 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-18 16:35 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-18 04:49 . 2008-11-18 04:49 18,639 --a------ c:\windows\system32\pefadaty.inf
2008-11-18 04:41 . 2008-11-18 04:41 527 --a------ c:\windows\system32\TDSSierd.dat
2008-11-12 13:05 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 13:05 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-30 16:03 . 2008-10-30 16:03 <DIR> d-------- c:\documents and settings\Natalie\Application Data\gtk-2.0
2008-10-30 14:02 . 2008-10-30 14:02 <DIR> d-------- c:\program files\Common Files\GTK
2008-10-24 12:09 . 2008-11-12 21:02 1,393 --a------ c:\windows\imsins.BAK
2008-10-24 02:32 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 23:50 . 2008-10-27 22:58 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-22 23:50 . 2008-10-22 23:50 1,409 --a------ c:\windows\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 21:55 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-18 21:55 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-18 20:25 --------- d-----w c:\documents and settings\Natalie\Application Data\uTorrent
2008-11-18 20:05 --------- d-----w c:\program files\Camfrog
2008-11-18 17:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-18 06:16 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-14 22:08 --------- d-----w c:\documents and settings\Natalie\Application Data\Skype
2008-11-14 19:47 --------- d-----w c:\documents and settings\Natalie\Application Data\skypePM
2008-11-12 21:08 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-27 13:05 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-11 22:13 --------- d-----w c:\documents and settings\Natalie\Application Data\Rominator Data
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-07-06 04:50 47,360 ----a-w c:\documents and settings\Natalie\Application Data\pcouffin.sys
2008-05-14 16:52 1,260,032 ----a-w c:\documents and settings\All Users\S2014L1T_V102.exe
2008-05-14 16:52 1,260,032 ----a-w c:\documents and settings\Administrator\S2014L1T_V102.exe
2007-09-22 03:24 774,144 ----a-w c:\program files\RngInterstitial.dll
2003-07-15 14:33 225,280 ----a-w c:\windows\inf\i386\rtscan.dll
2002-10-09 09:11 61,440 ----a-w c:\windows\inf\i386\onetUSD.dll
2002-08-23 14:06 13,824 ----a-w c:\windows\inf\i386\Usbscan.sys
2002-07-09 08:23 36,864 ----a-w c:\windows\inf\i386\Vizmicro.dll
2002-05-20 08:20 172,032 ----a-w c:\windows\inf\i386\viceo.dll
2001-11-22 13:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-08-18 1447168]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
"STYLEXP"=c:\program files\TGTSoft\StyleXP\StyleXP.exe -Hide
"Google Update"="c:\documents and settings\Natalie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"AdobeUpdater"=c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe"
"PaperPort PTD"=c:\program files\Scansoft\PaperPort\pptd40nt.exe
"IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe
"PP8 Reminder"="c:\program files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" -r "c:\program files\Scansoft\PaperPort\WebEreg\navLoad.ini"
"nwiz"=nwiz.exe /install
"Antivirus Pro 2009"="c:\program files\AntivirusPro2009\AntivirusPro2009.exe" /hide
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8319:TCP"= 8319:TCP:BitComet 8319 TCP
"8319:UDP"= 8319:UDP:BitComet 8319 UDP

R2 MSCamSvc;MSCamSvc;"c:\program files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 271720]
R2 UxTuneUp;TuneUp Design Expansion;c:\windows\System32\svchost.exe -k netsvcs [2003-03-31 14336]
R3 VX1000;VX-1000;c:\windows\system32\DRIVERS\VX1000.sys [2007-09-21 1966312]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\F.tmp []
S3 muIO;muIO;\??\c:\windows\system32\muIO.sys []
S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-11-14 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 15:53]

2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 12:42]

2008-11-19 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Natalie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 00:38]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Natalie\Application Data\Mozilla\Firefox\Profiles\4frm8yjj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.co.uk
FF -: plugin - c:\documents and settings\Natalie\Application Data\Mozilla\Firefox\Profiles\4frm8yjj.default\extensions\npmozax@real.com\plugins\npmozax.dll
FF -: plugin - c:\documents and settings\Natalie\Local Settings\Application Data\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 03:52:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\F.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ESET\ESET Smart Security\ekrn.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2008-11-19 4:03:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-19 04:02:47

Pre-Run: 22,537,232,384 bytes free
Post-Run: 22,627,631,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

226 --- E O F --- 2008-11-12 21:08:52
Hey WildDenim

Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

Open Notepad and copy/paste the text in the code box below into it:
Code:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Antivirus Pro 2009"=-

• Save this as CFScript.txt in the same folder as ComboFix.
• Then drag the CFScript.txt into Combo-Fix.exe.
• This will start ComboFix again.

After reboot (in case it asks to reboot), post the ComboFix log here. The log will be located at C:\ComboFix(.txt). Do not click on the ComboFix window, as it may cause it to stall.

Please zip this folder, C:\Qoobox, and upload it to http://www.uploadmalware.com/

Any more problems?

Best Regards

@EricCarr Please open a new thread. No point confusing this one up...