[Resolved] trojan on my pc?, trojandownloader win32.renos.io
weemic
post Jun 25 2009, 06:44 AM
Post #1
New Member
Group: Authentic Member
Posts: 13
Joined: 25-June 09
Member No.: 86,415
Operating System: windows vista basic home

Hello,

I seem to have managed to get a trojan on my PC.
I tried a couple of free software programs.
I have downloaded ATF Cleaner, Malwarebytes Anti-Malware and antivirus super pro, which I've tried to remove; it seems to be giving me grief.
I also have Virgin Media Guard Pro.

The virus can cause the PC to hang or restart itself at any time. I've tried doing scans in normal and safe mode. When doing a scan, sometimes it will pick up files to delete, sometimes it will say the PC is clean and other times, while doing the scan, it restarts the PC.

Your help will be very much appreciated.
I have access to the internet at my work PC, so this will be where I get most of my time to check back on your updates before I head home. I can access the internet but, as I said, it can hang and restart all over the place.

I will be able to respond quicker between 9am - 4pm UK time.

If you could let me know what steps to complete first of all, that would be ideal.

The trojan in the topic description has definitely shown up on my machine; not sure if there is anything else.
CatByte
post Jun 26 2009, 08:53 PM
Post #2
Classroom Administrator
Group: Classroom Admin
Posts: 9,551
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi,

Please do the following:

STEP #1

Please download DDS and save it to your desktop.
  • Disable any script blocking protection.
  • Double click dds.pif to run the tool.
  • When done, two DDS .txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt

STEP #2

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to your desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area type in "ark.txt", or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
weemic
post Jun 29 2009, 03:09 AM
Post #3
New Member
Group: Authentic Member
Posts: 13
Joined: 25-June 09
Member No.: 86,415
Operating System: windows vista basic home

Hi,

Thanks for looking into this for me.

On Saturday I was trying to access the internet to see if you had replied. I encountered numerous PC restarts.
I then left the internet alone and turned on my iTunes, and the music played for 30 mins without crashing.
Tried the internet again and the PC restarted itself!?!?
So my conclusion was that it does not like me going on the net?

Can you suggest how I can download the files you suggested?
Will the programs fit on to a USB stick?
I was thinking I could ask a friend nicely if I could get access to their PC and download them to a memory stick, then transfer to my PC.

Can you confirm if this will work?

I appreciate you have a lot of files and like to close and help people ASAP, but I will try and get access to another PC by Tuesday evening UK time.

PS. I also ran Malwarebytes Anti-Malware and it now completes the scan in 45 mins where it used to take just over 2 hours, and the scan says it's clear?!?! Guess that the virus is giving false info.

Could you confirm that what I suggested will work if I get the files from another PC and transfer them?
In the meantime, I'll try and source someone whose computer I can get access to.

Thanks.
CatByte
post Jun 29 2009, 05:40 AM
Post #4
Classroom Administrator
Group: Classroom Admin
Posts: 9,551
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi,

Yes, transfer the files via USB.

Please don't run any other scans without my direction. I will work with you on this till you are clean.
weemic
post Jun 30 2009, 01:18 PM
Post #5
New Member
Group: Authentic Member
Posts: 13
Joined: 25-June 09
Member No.: 86,415
Operating System: windows vista basic home

Hello.

Managed to download your files to a pen drive.

I've completed the tasks you asked.

Here is the DDS file.

DDS (Ver_09-06-26.01) - NTFSx86 MINIMAL
Run by Mickey at 18:02:32.62 on 30/06/2009
Internet Explorer: 7.0.6000.16851
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.44.1033.18.447.164 [GMT 1:00]

AV: PCguard Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: PCguard Anti-Spyware *enabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
FW: PCguard Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Users\Mickey\Desktop\dds.pif
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\virgin broadband\pcguard\pkR.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPER help.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Acer Tour]
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [PCMService] "c:\acer\empowering technology\emode\pcm\PCMService.exe"
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [eRecoveryService]
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [Setresolution] c:\acersw\config\1440x900.cmd
mRun: [Apanel] c:\acersw\config\NewSetApanel.cmd
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [PCguard] "c:\program files\virgin broadband\pcguard\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\virgin broadband\pcguard\ZkRunOnceR.exe"
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [Wireless Manager] "c:\program files\virgin broadband wireless\Wireless Manager.exe" startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [<NO NAME>]
dRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\zdwlan~1.lnk - c:\program files\zydas technology corporation\zydas_802.11g_utility\ZDWlan.exe
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.1.11.30.dll/206
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

============= SERVICES / DRIVERS ===============

S3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\drivers\athru6.sys [2007-7-5 873472]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\system32\dllhost.exe [2006-11-2 7168]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v2.sys [2007-12-26 288768]

=============== Created Last 30 ================

2009-06-27 16:51 <DIR> --d----- c:\program files\iPod
2009-06-17 22:48 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-17 22:48 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-17 22:39 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-17 22:39 <DIR> --d----- c:\program files\iTunes
2009-06-17 22:39 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-17 20:17 <DIR> --d-h--- c:\windows\PIF
2009-06-16 19:52 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-06-16 19:52 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-06-16 19:47 <DIR> --d----- c:\users\mickey\appdata\roaming\SUPERAntiSpyware.com
2009-06-15 22:26 <DIR> --d----- c:\users\mickey\appdata\roaming\Malwarebytes
2009-06-15 22:02 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 22:02 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 22:02 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-15 22:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 22:02 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-14 22:13 <DIR> --d----- C:\1fd72c35818bff34e24c1e4c14831d0f
2009-06-14 12:58 82,467,728 a------- c:\windows\MEMORY.DMP
2009-06-11 19:28 2,028,032 a------- c:\windows\system32\win32k.sys
2009-06-11 19:27 696,832 a------- c:\windows\system32\localspl.dll
2009-06-11 19:22 788,992 a------- c:\windows\system32\rpcrt4.dll

==================== Find3M ====================

2009-06-28 10:06 51,200 a------- c:\windows\inf\infpub.dat
2009-06-28 10:06 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-28 10:06 86,016 a------- c:\windows\inf\infstor.dat
2009-04-24 17:22 827,392 a------- c:\windows\system32\wininet.dll
2009-04-24 17:14 56,320 a------- c:\windows\system32\iesetup.dll
2009-04-24 17:14 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 17:14 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-04-24 17:11 72,704 a------- c:\windows\system32\admparse.dll
2009-04-24 14:53 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-24 13:25 48,128 a------- c:\windows\system32\mshtmler.dll
2008-12-10 23:59 174 a--sh--- c:\program files\desktop.ini
2008-12-01 21:07 0 a------- c:\users\mickey\appdata\roaming\wklnhst.dat
2008-06-14 16:45 665,600 a------- c:\windows\inf\drvindex.dat
2008-02-22 19:30 1,206,366 a------- c:\users\mickey\wrar371.exe
2008-01-25 23:53 1,758,506 a------- c:\users\mickey\bitcomet.exe
2006-11-02 13:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-10-22 23:07 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-22 23:07 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-22 23:07 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 18:03:34.19 ===============

Here is the attach file.

Attached File: Attach.zip (3.85K)

It said I was to zip and compress the file, so this should be attached.

Finally, here is the ark.txt file.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-30 18:10:43
Windows 6.0.6000


---- System - GMER 1.0.15 ----

Code 83BCBF68 ZwEnumerateKey
Code 83BCBF30 ZwFlushInstructionCache
Code 83BCBF9D IofCallDriver
Code 83BCBFD6 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\MSIVXvwnlkcaxjnwioxpsmimrigbtayvhrane.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [588] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\MSIVXqfjdvnrdixdorchavfqxdkgjecgegpmb.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXqfjdvnrdixdorchavfqxdkgjecgegpmb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXqfjdvnrdixdorchavfqxdkgjecgegpmb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXvwnlkcaxjnwioxpsmimrigbtayvhrane.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXjdwgjuktwlhntiepwjaufsralupidndp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXqfjdvnrdixdorchavfqxdkgjecgegpmb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXqfjdvnrdixdorchavfqxdkgjecgegpmb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXvwnlkcaxjnwioxpsmimrigbtayvhrane.dll
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXjdwgjuktwlhntiepwjaufsralupidndp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXqfjdvnrdixdorchavfqxdkgjecgegpmb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXqfjdvnrdixdorchavfqxdkgjecgegpmb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXvwnlkcaxjnwioxpsmimrigbtayvhrane.dll
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXjdwgjuktwlhntiepwjaufsralupidndp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXqfjdvnrdixdorchavfqxdkgjecgegpmb.sys
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXqfjdvnrdixdorchavfqxdkgjecgegpmb.sys
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXvwnlkcaxjnwioxpsmimrigbtayvhrane.dll
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXjdwgjuktwlhntiepwjaufsralupidndp.dll

---- EOF - GMER 1.0.15 ----

I hope this is correct from what you asked.
If not, I know you'll let me know.

Thanks for this.
I'll look out for your reply.
If you can reply by 4pm UK time then I'll know to get access to another PC, should I be required to download any programs from you.

Cheers
CatByte
post Jun 30 2009, 01:22 PM
Post #6
Classroom Administrator
Group: Classroom Admin
Posts: 9,551
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi,

Please do the following:

Make sure you rename this file before transferring it to the infected PC.

Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename ComboFix to Combo-Fix as follows:
  3. It is important you rename ComboFix during the download, but not after.
  4. Please do not rename ComboFix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
    • Close any open browsers.
    • If there is no internet connection after running ComboFix, then restart your computer to restore your connection.
    -----------------------------------------------------------
  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**

weemic
post Jul 2 2009, 04:25 AM
Post #7
New Member
Group: Authentic Member
Posts: 13
Joined: 25-June 09
Member No.: 86,415
Operating System: windows vista basic home

Hello,

Managed, eventually, to get ComboFix working.

First time I tried it in safe mode and realised my Virgin PC Guard was still active.
Then went into normal mode and could get PC Guard to sign in!!! So just uninstalled it.

Then once I tried to run ComboFix it returned a message:
"not allowed to rename combofix to combo-fix? please use alpha-numeric characters?" so I had to change it to combafix? Hope that's okay.

In between the PC restarting, eventually combafix worked.

I ran the program, which started and asked me to note down these 3 file names, as we may need them later.

1 - C:\ windows\system32\MSIVxqfjdvnrdixdorchavfqxdkgjecgegpmb.sys
2 - C:\ windows\system32\MSIVxvwnlkcaxjnwioxpsmimrigbtayvhrane.dll
3 - C:\ windows\system32\MSIVxjdwgjvktwlhntiepwjaufsraluidndp.dll

The combo prompted it would restart the PC. Once it restarted, combo loaded and said access denied, and then said "this op returned because the timeout period expired".

So I restarted the combo and thankfully it started OK and ran the scan, backing up the registry; it then completed all stages from 1 through to stage 50.

It deleted 3 files, think it was the same 3 files above. Combo rebooted the PC and I managed to find the combo file in the C drive.

I've copied them to my mem pen.

I'm not sure what file to send you?

Thought I found the file in the C drive? It was next to the folder of ComboFix in the C drive, with the same icon as the 'My Computer' option in Windows. A message with an option to skip or add. So I completed both and attached them to my pen drive, brought it into work, and when I try to upload both, it says I did not attach a file?
When I double click it, it takes me to the list of drives available, as it would when double clicking on the My Computer icon?

Can you advise the final step to get the report to you. I could not see a combofix.txt? file?

I'll try and persevere at home and try and attach the file to you.

Thanks

CatByte
post Jul 2 2009, 05:40 AM
Post #8
Classroom Administrator
Group: Classroom Admin
Posts: 9,551
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi, can you please tell me what files you do see? You may have your file extensions hidden.

Double click on 'My Computer' > Go to > Tools > Folder Options
Click the View tab > Scroll down to > "Hide extensions for known file types" and uncheck the box > hit "Apply" then 'OK'

Now you should be able to see the file extensions.

It should be called ComboFix.txt but probably is called combafix, with or without the .txt extension.

Try opening any txt file you see by double clicking it; if Notepad opens, copy/paste the text into the thread.
weemic
post Jul 2 2009, 01:17 PM
Post #9
New Member
Group: Authentic Member
Posts: 13
Joined: 25-June 09
Member No.: 86,415
Operating System: windows vista basic home

Hey there.

Thanks for the tip. I just ran ComboFix again. This time it must have worked properly cos it told me it would produce a txt file.

Here it is below.

By the way, can you give me some pointers?
I had to uninstall my Virgin Media PC Guard to run ComboFix as it has active virus and spyware apps on it, cos I couldn't remember the password to open the program to let me disable them! And now my PC is so much faster, and while I type this the PC ain't crashed once. Touch wood!!! Can you tell what you think the best free anti-virus + spyware program is out to download, is it AVG Free? Preferably one which is good but fast?

Cheers, here is the combo log txt file.
Also can you tell how to speed up the PC, eg removing the files that start up automatically, cos it usually takes a long time before I can start something as all these programs are trying to start!!

ComboFix 09-07-01.04 - Mickey 02/07/2009 19:44.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.44.1033.18.447.98 [GMT 1:00]
Running from: c:\users\Kelly\Desktop\ComboaFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\drivers\MSIVXqfjdvnrdixdorchavfqxdkgjecgegpmb.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXjdwgjuktwlhntiepwjaufsralupidndp.dll
c:\windows\system32\MSIVXvwnlkcaxjnwioxpsmimrigbtayvhrane.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.

2009-07-02 18:51 . 2009-07-02 18:52 -------- d-----w- c:\users\Mickey\AppData\Local\temp
2009-07-02 18:51 . 2009-07-02 18:51 -------- d-----w- c:\users\Kelly\AppData\Local\temp
2009-07-02 18:31 . 2009-07-02 18:31 456304 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb18BF.tmp.exe
2009-07-01 18:25 . 2009-07-01 18:25 -------- d-s---w- C:\Combo-Fix
2009-07-01 08:43 . 2009-07-01 08:43 -------- d-----w- c:\users\Kelly\AppData\Roaming\CyberLink
2009-07-01 08:36 . 2009-07-01 08:36 -------- d-----w- c:\users\Kelly\AppData\Local\Apple Computer
2009-06-29 09:04 . 2009-06-29 09:04 456304 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbDBEE.tmp.exe
2009-06-28 08:32 . 2009-06-28 08:32 -------- d-----w- c:\users\Mickey\AppData\Local\Apple
2009-06-28 08:25 . 2009-06-28 08:25 -------- d-----w- c:\users\Mickey\AppData\Local\Apple Computer
2009-06-27 16:12 . 2009-06-27 16:11 456304 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb6F28.tmp.exe
2009-06-27 15:51 . 2009-06-27 15:51 -------- d-----w- c:\program files\iPod
2009-06-17 22:17 . 2009-06-17 22:17 -------- d-----w- c:\users\Kelly\AppData\Roaming\Malwarebytes
2009-06-17 21:48 . 2009-03-19 15:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-17 21:48 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-17 21:39 . 2009-06-23 18:52 -------- d-----w- c:\program files\iTunes
2009-06-17 21:39 . 2009-06-17 21:47 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-17 21:25 . 2009-06-17 21:26 -------- d-----w- c:\program files\QuickTime
2009-06-17 21:18 . 2009-06-17 21:18 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-17 19:17 . 2009-06-17 19:17 -------- d--h--w- c:\windows\PIF
2009-06-16 18:53 . 2009-06-17 19:59 117760 ----a-w- c:\users\Mickey\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-16 18:52 . 2009-06-16 18:52 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-06-16 18:47 . 2009-06-16 18:47 -------- d-----w- c:\users\Mickey\AppData\Roaming\SUPERAntiSpyware.com
2009-06-15 21:26 . 2009-06-15 21:26 -------- d-----w- c:\users\Mickey\AppData\Roaming\Malwarebytes
2009-06-15 21:02 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 21:02 . 2009-06-23 18:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 21:02 . 2009-06-15 21:02 -------- d-----w- c:\programdata\Malwarebytes
2009-06-15 21:02 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 21:13 . 2009-06-14 21:13 -------- d-----w- C:\1fd72c35818bff34e24c1e4c14831d0f
2009-06-14 20:19 . 2009-06-14 20:19 -------- d-----w- c:\windows\Sun
2009-06-11 18:28 . 2009-04-21 12:04 2028032 ----a-w- c:\windows\system32\win32k.sys
2009-06-11 18:27 . 2009-04-23 12:56 696832 ----a-w- c:\windows\system32\localspl.dll
2009-06-11 18:22 . 2009-04-23 13:01 788992 ----a-w- c:\windows\system32\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-01 19:04 . 2007-12-31 19:58 -------- d-----w- c:\users\Kelly\AppData\Roaming\Virgin Broadband
2009-07-01 19:04 . 2007-12-31 13:50 -------- d-----w- c:\users\Mickey\AppData\Roaming\Virgin Broadband
2009-07-01 19:04 . 2007-12-31 13:49 -------- d-----w- c:\programdata\Virgin Broadband
2009-07-01 19:04 . 2007-12-31 13:47 -------- d-----w- c:\program files\Virgin Broadband
2009-06-23 17:20 . 2008-05-26 21:40 1356 ----a-w- c:\users\Mickey\AppData\Local\d3d9caps.dat
2009-06-17 21:42 . 2008-01-01 15:46 -------- d-----w- c:\program files\Common Files\Apple
2009-05-13 21:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-10 20:53 . 2009-05-10 20:53 -------- d-----w- c:\program files\Apple Software Update
2009-04-24 16:22 . 2009-06-11 18:23 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:14 . 2009-06-11 18:23 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-04-24 16:14 . 2009-06-11 18:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 16:11 . 2009-06-11 18:23 72704 ----a-w- c:\windows\system32\admparse.dll
2009-04-24 13:53 . 2009-06-11 18:23 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-24 12:25 . 2009-06-11 18:23 48128 ----a-w- c:\windows\system32\mshtmler.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2007-01-24 319488]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-07 464168]
"PCMService"="c:\acer\Empowering Technology\eMode\PCM\PCMService.exe" [2007-01-13 151552]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-06 57344]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 2061552]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-23 4423680]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-2-14 528384]
ZDWLan Utility.lnk - c:\program files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2008-6-29 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A3FC06DA-DC2E-412B-8BA2-841286041986}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{602A864E-D914-428B-B1D5-8EF09128712F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5005C520-8B41-4CF4-BD29-9CBA1EFB039C}"= UDP:c:\acer\Empowering Technology\eMode\PCM\PCMService.exe:CyberLink PowerCinema Resident Program
"{89FBBB22-34FD-4C8C-992E-FF69A60C42A8}"= TCP:c:\acer\Empowering Technology\eMode\PCM\PCMService.exe:CyberLink PowerCinema Resident Program
"{E83D495F-7451-4DD5-BF2C-9295CAE063BC}"= UDP:c:\program files\360Share Pro\Gui\360SharePro.exe:360Share Pro
"{FDE0259F-FFE5-4A3C-93F6-3CCCD31B3231}"= TCP:c:\program files\360Share Pro\Gui\360SharePro.exe:360Share Pro
"{941F6F98-93BD-4208-B72E-0E0FFB78F30B}"= UDP:c:\program files\Java\jre1.5.0_09\bin\javaw.exe:javaw
"{86D26736-A89A-43ED-80FD-014409AD44C8}"= TCP:c:\program files\Java\jre1.5.0_09\bin\javaw.exe:javaw
"{D50A7996-A45A-4502-82B0-92B59BA2717D}"= UDP:c:\program files\Java\jre1.5.0_09\bin\javaws.exe:javaws
"{F3EE06F5-8989-4BF0-AD61-3E6388EBAAFA}"= TCP:c:\program files\Java\jre1.5.0_09\bin\javaws.exe:javaws
"{61E63B01-72F7-4AA6-B672-37E8B455A479}"= UDP:c:\program files\Java\jre1.5.0_09\bin\java.exe:java
"{FE67E60F-F94F-451B-B465-DA35178F821D}"= TCP:c:\program files\Java\jre1.5.0_09\bin\java.exe:java
"{E76900A3-1889-42A8-B6E5-620C3D26F8F9}"= UDP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{AF1BF9C9-275E-44FB-B3E7-48F8F61061A2}"= TCP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{3CFA809D-7201-49EC-96DB-65B5C8F2EB09}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{A8755A13-F0A5-4B82-8998-97E44E6775CA}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{7F8C35AD-1C00-48CF-A9FF-50B2EA086F1C}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{6C3C10A8-6C6C-4126-8341-776A4EC1A23C}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{E37F97B0-0B38-4B07-A7CF-F6B38921EBFC}c:\\users\\mickey\\program files\\dna\\btdna.exe"= UDP:c:\users\mickey\program files\dna\btdna.exe:btdna.exe
"UDP Query User{8204E6AE-C376-45F3-B401-13F5EFE9DD9C}c:\\users\\mickey\\program files\\dna\\btdna.exe"= TCP:c:\users\mickey\program files\dna\btdna.exe:btdna.exe
"TCP Query User{39A5A3F4-4F49-46C3-88A5-C94A2F8C6389}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{FAE4FF25-E48C-4FCC-A702-1EC08579BEAE}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{6D9DE3A9-7F46-43BD-AA71-59C5AB0253C3}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{431CC742-061E-4BF7-A600-F9739A544BB7}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"{D12CFB78-B712-4049-BF76-AD4F574B55AD}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{99E18B0A-97BD-425C-9EFE-1ABEF6AFFBC2}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{4A4EF83A-410F-4D34-9C27-2FD27FBBE6A9}"= UDP:c:\program files\PLUSCOM\WU-ZD1211B Wireless Utility\ZDWlan.exe:WU-ZD1211B Wireless Utility
"{FB1BB5E5-0148-4EE2-9FF1-2D3B37EA7CCB}"= TCP:c:\program files\PLUSCOM\WU-ZD1211B Wireless Utility\ZDWlan.exe:WU-ZD1211B Wireless Utility
"{8AB6C5B9-E41E-4048-99FC-EF6BA2011AE6}"= UDP:c:\program files\Virgin Broadband Wireless\Wireless Manager.exe:Wireless Manager
"{1721A3CE-B613-40D1-9B5D-C7263259CB98}"= TCP:c:\program files\Virgin Broadband Wireless\Wireless Manager.exe:Wireless Manager
"{FDDDB41E-8ABA-41EC-9E88-22F4259559C6}"= UDP:c:\program files\Virgin Broadband Wireless\Wireless Manager.exe:Wireless Manager
"{C049EC61-0581-4DCB-9E3E-EBE686645328}"= TCP:c:\program files\Virgin Broadband Wireless\Wireless Manager.exe:Wireless Manager
"{54A8FB84-BC50-4B7A-9729-79C32CAD96C5}"= UDP:c:\program files\Virgin Broadband Wireless\Wireless Manager.exe:Wireless Manager
"{A50E877B-B206-43AF-9CF0-8FF21E11A751}"= TCP:c:\program files\Virgin Broadband Wireless\Wireless Manager.exe:Wireless Manager
"TCP Query User{8EDB4F17-D927-4F2F-8FBB-3A7D9A9AB1B3}c:\\windows\\system32\\java.exe"= UDP:c:\windows\system32\java.exe:Java™ 2 Platform Standard Edition binary
"UDP Query User{87FBE4C2-A96F-4E6C-ADA1-119544A70CF7}c:\\windows\\system32\\java.exe"= TCP:c:\windows\system32\java.exe:Java™ 2 Platform Standard Edition binary
"{26F1F4D8-63F2-49A0-BBED-12A74EDDB68F}"= Disabled:UDP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{8CA77966-50D9-41A2-B2A4-96381166660B}"= Disabled:TCP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{28DBE92B-18AC-4434-99CE-202A74C780B2}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{EA8A15D0-5865-4C7F-ADE7-80FB97C62D06}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{832E5870-7504-41FF-954F-3BC94021A5BA}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{28850772-7E07-48DF-B27D-D75C0C193B07}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2007-12-26 288768]
R3 ZDPSp60;ZDPSp60 NDIS Protocol Driver;c:\windows\system32\Drivers\ZDPSp60.sys [x]
S3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\DRIVERS\athru6.sys [2007-07-05 873472]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPER help.exe
HKLM-Run-Setresolution - c:\acersw\config\1440x900.cmd
HKLM-Run-Apanel - c:\acersw\config\NewSetApanel.cmd
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 19:52
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1465822639-1801902029-3587921670-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*5*ø[]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1465822639-1801902029-3587921670-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*5*ø[\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3696)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
.
Completion time: 2009-07-02 19:55
ComboFix-quarantined-files.txt 2009-07-02 18:55

Pre-Run: 42,240,909,312 bytes free
Post-Run: 42,214,576,128 bytes free

219 --- E O F --- 2009-07-01 08:55
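As an added example (not code from this thread, from ComboFix, or from any of the tools named here), a small Python triage pass over the "Reg Loading Points" section of a ComboFix log in the layout shown above: it pulls out the autorun entries and flags the ones a responder looks at first. The sample log inside it is constructed to mimic that format with placeholder names; it is not the log posted in this thread.

```python
"""Triage helper for the ComboFix "Reg Loading Points" section (added example).

Parses autorun lines of the form
    "Name"="c:\\path\\prog.exe" [YYYY-MM-DD size]
    "Name"="prog.exe" - c:\\resolved\\prog.exe [YYYY-MM-DD size]
under [HKEY_...] keys and flags entries that merit a closer look. The
flags are triage heuristics, not a malware verdict.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the ComboFix layout; names and paths are placeholders.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-16 39408]
"Updater"="c:\users\alice\AppData\Local\Temp\updater.exe" [2009-06-30 12288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-23 4423680]
"Loader"="c:\programdata\loader\ld.exe" [2009-07-01 45056]
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'  # "Name"="value"
    r"(?: - (?P<resolved>.+?))?"             # optional " - resolved path"
    r" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)
# Locations a standard user can write to: autoruns here deserve attention.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\documents and settings\\")
TEMP_MARKERS = ("\\temp\\", "\\appdata\\")


@dataclass
class Autorun:
    key: str
    name: str
    path: str
    date: str
    size: int
    flags: list = field(default_factory=list)


def triage_flags(value, path):
    """Heuristic flags a responder would check first; not a malware verdict."""
    p = path.lower()
    flags = []
    if p.startswith(USER_WRITABLE):
        flags.append("user-writable location")
    if any(marker in p for marker in TEMP_MARKERS):
        flags.append("temp/appdata path")
    if "\\" not in value:  # bare file name: located via the search path, not a fixed path
        flags.append("bare filename resolved via search path")
    return flags


def parse_reg_loading_points(text):
    """Return an Autorun record for every "name"="path" [date size] line under an [HKEY_...] key."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if not m or key is None:
            continue
        path = m.group("resolved") or m.group("value")
        entry = Autorun(key, m.group("name"), path, m.group("date"), int(m.group("size")))
        entry.flags = triage_flags(m.group("value"), path)
        entries.append(entry)
    return entries


def suspicious(entries):
    """Only the entries that picked up at least one flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse_reg_loading_points(SAMPLE_LOG)):
        print(f"{e.name}: {e.path} -> {', '.join(e.flags)}")
```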
CatByte
post Jul 2 2009, 01:31 PM
Post #10


Classroom Administrator
Group: Classroom Admin
Posts: 9,551
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

QUOTE
what you think the best free anti virus + spyward program is


You will get many different opinions on this, but in my opinion Avira AntiVir is the best free program out there.

Many people are annoyed by the "Nag Screen" that pops up once a day after Avira automatically updates its virus definitions, but I think one click on the close button, once a day, is a small price to pay for a most excellent antivirus product.

As for an anti-spyware product, personally I use Windows Defender along with the stand-alone scanner Malwarebytes Anti-Malware.


The programs can be found here:
(please don't install anything until the computer is completely clean - stay off the internet unless it's to download a tool or perform a scan)

Avira AntiVir Personal

Windows Defender

You already have Malwarebytes, which we are now going to use.

NEXT

Download TFC to your desktop
  • Close any open windows.
  • Double-click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

NEXT

Please download Malwarebytes' Anti-Malware
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.


Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

Vista users: right-click on the IE icon and run as administrator.

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report



weemic
post Jul 2 2009, 07:08 PM
Post #11


New Member
Group: Authentic Member
Posts: 13
Joined: 25-June 09
Member No.: 86,415
Operating System: windows vista basic home

Cheers for that.

Ran the TFC cleaner.
Ran the Malwarebytes scan; here is the log:

Malwarebytes' Anti-Malware 1.38
Database version: 2365
Windows 6.0.6000

02/07/2009 23:05:43
mbam-log-2009-07-02 (23-05-42).txt

Scan type: Quick Scan
Objects scanned: 83605
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I'll send on the Kaspersky file shortly.

It froze on the save screen; it had 9 items, I think.

weemic
post Jul 3 2009, 12:34 AM
Post #12


New Member
Group: Authentic Member
Posts: 13
Joined: 25-June 09
Member No.: 86,415
Operating System: windows vista basic home

Hey, not sure what's happening.

Ran Kaspersky again, and it did the same thing:
the scan runs fine, but when I click Save As, the button greys out and does not give the option to save the file.

I can still click on the options on the left-hand side and change the width of the columns in the scan report, I just can't save it.

Anything you can suggest?



CatByte
post Jul 3 2009, 01:11 AM
Post #13


Classroom Administrator
Group: Classroom Admin
Posts: 9,551
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

That's odd... must be a hiccup in the Kaspersky site?

Are you able to view the log? And perhaps copy it to the clipboard, then paste it here?

If not - try this scan instead:

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.



weemic
post Jul 3 2009, 02:20 AM
Post #14


New Member
Group: Authentic Member
Posts: 13
Joined: 25-June 09
Member No.: 86,415
Operating System: windows vista basic home

Attached file: kasp.ppt (217K)



Now on my work PC.

I sent screen prints in a Microsoft Word doc to my work email.
I've converted it to PowerPoint; not sure if this is OK?
Not sure if I have clipboard.

Let me know if this is okay or not.
I've got Notepad, Microsoft Photo Editor,
Notepad
and Paint (although Paint won't say a file has been attached?)
CatByte
post Jul 3 2009, 04:54 AM
Post #15


Classroom Administrator
Group: Classroom Admin
Posts: 9,551
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi,

I can't see the full path of the infected files in order to delete them for you. There were a couple there already in quarantine, but I could see a couple of infected music files, so we need another scan.

I am not sure why it's not letting you save a report.

Please do this scan instead.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


QUOTE
not sure if i have clipboard

Every computer has a clipboard; it is just unseen. When you highlight text and choose to "copy" it, that function places the copied text onto a "clipboard". It is the computer's way of "remembering" text so that it can use that text for your next instructions.

Then, once you choose to "paste" that text into an open Notepad or Word document, the computer retrieves the copied text from the clipboard and pastes it into the open Notepad or Word document.

So the text will always be on that hidden clipboard until you choose to do something with it.

You can copy text to the clipboard and then place it anywhere, for instance here in your post. If you add a reply and the reply window opens, and you have previously copied something to the clipboard, then by right-clicking into this open window and choosing Paste, the copied text will appear.

It is best to use Notepad to copy/paste text to forums.

Hope that explanation helps.
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy