Help to remove Antispywareupdates.net virus

Hello Sdhanemkula

Welcome to G2Go.
=====================
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
• Finally copy and paste the contents of the results file Report.txt back onto the forum.

==============
Next::
Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Hi

Thank you for your advise.

Please find here with log's that are advised for.

SDFix:


SDFix: Version 1.158

Run by Administrator on Mon 03/17/2008 at 06:39 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: D:\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

D:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted
D:\WINDOWS\system32\000090.exe - Deleted
D:\WINDOWS\system32\winfrun32.bin - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 18:46:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
"LsaPid"=dword:000003b0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\Memory Management\PrefetchParameters]
"VideoInitTime"=dword:0000059d
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Watchdog\Display]
"ShutdownCount"=dword:00000044
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Epoch]
"Epoch"=dword:000004ef
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]
"DhcpDomain"="ks.cox.net"
"DhcpNameServer"="68.105.28.11 68.105.29.11 68.105.28.12"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{469C679D-EB03-4ECA-A3E9-C36818AA74F2}]
"LeaseObtainedTime"=dword:47de6198
"T1"=dword:47df0a58
"T2"=dword:47df88e8
"LeaseTerminatesTime"=dword:47dfb318
"DhcpRetryTime"=dword:0000a8be
"DhcpRetryStatus"=dword:00000000
"DhcpDomain"="ks.cox.net"
"DhcpNameServer"="68.105.28.11 68.105.29.11 68.105.28.12"
"DhcpDefaultGateway"=str(7):"192.168.1.1\0"
"DhcpSubnetMaskOpt"=str(7):"255.255.255.0\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WmiApRpl\Performance]
"Last Counter"=dword:00000968
"Last Help"=dword:00000969
"Object List"="2384 2390 2402"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\{469C679D-EB03-4ECA-A3E9-C36818AA74F2}\Parameters\Tcpip]
"LeaseObtainedTime"=dword:47de6198
"T1"=dword:47df0a58
"T2"=dword:47df88e8
"LeaseTerminatesTime"=dword:47dfb318
"DhcpDefaultGateway"=str(7):"192.168.1.1\0"
"DhcpSubnetMaskOpt"=str(7):"255.255.255.0\0"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"D:\\Program Files\\AVG\\AVG8\\avgupd.exe"="D:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"D:\\Program Files\\AVG\\AVG8\\avgemc.exe"="D:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"D:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="D:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - D:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Jan 2008 352 A..H. --- "D:\WINDOWS\nod32fixtemdono.reg"
Sat 15 Mar 2008 43,928 ..SH. --- "D:\WINDOWS\system32\drivers\ctfmon.exe"
Sat 15 Mar 2008 48,270 ..SH. --- "D:\Documents and Settings\admin\Local Settings\Application Data\spool.exe"
Sat 15 Mar 2008 70,960 ..SH. --- "D:\Documents and Settings\LocalService\Local Settings\Application Data\spool.exe"

Finished!



=========================================

Combo Fix:
ComboFix 08-03-17.1 - admin 2008-03-17 18:58:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.625 [GMT 5.5:30]
Running from: D:\Documents and Settings\admin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\system32\msixu.dll
D:\WINDOWS\system32\wer8274.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.

2008-03-17 18:37 . 2008-03-17 18:38 <DIR> d-------- D:\WINDOWS\ERUNT
2008-03-17 18:33 . 2008-03-17 18:33 <DIR> d-------- D:\SDFix
2008-03-16 12:43 . 2008-03-17 18:49 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-03-16 12:43 . 2008-03-16 12:43 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-16 12:43 . 2008-03-16 12:43 <DIR> d-------- D:\Documents and Settings\admin\Application Data\SUPERAntiSpyware.com
2008-03-16 12:36 . 2008-03-16 12:36 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-03-16 11:32 . 2008-03-16 11:32 <DIR> d-------- D:\Documents and Settings\admin\Application Data\Grisoft
2008-03-16 11:26 . 2008-03-16 11:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-16 11:26 . 2008-03-16 11:26 <DIR> d-------- D:\Documents and Settings\Administrator.INDIA.000\Application Data\Grisoft
2008-03-16 11:26 . 2007-05-30 17:40 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-16 11:16 . 2008-03-16 11:16 <DIR> d-------- D:\Documents and Settings\admin\Application Data\AVGTOOLBAR
2008-03-16 11:15 . 2008-03-16 11:15 <DIR> d-------- D:\WINDOWS\FLEOK
2008-03-16 09:23 . 2008-03-16 09:23 <DIR> d-------- D:\Program Files\Trend Micro
2008-03-15 23:51 . 2008-03-16 08:10 4,212 ---h----- D:\WINDOWS\system32\zllictbl.dat
2008-03-15 23:50 . 2008-03-16 11:18 <DIR> d-------- D:\WINDOWS\Internet Logs
2008-03-15 23:36 . 2008-03-15 23:40 <DIR> d-------- D:\WINDOWS\system32\drivers\Avg
2008-03-15 23:36 . 2008-03-15 23:36 96,520 --a------ D:\WINDOWS\system32\drivers\avgldx86.sys
2008-03-15 23:36 . 2008-03-15 23:36 74,376 --a------ D:\WINDOWS\system32\drivers\avgtdix.sys
2008-03-15 23:36 . 2008-03-15 23:36 12,424 --a------ D:\WINDOWS\system32\drivers\avgrkx86.sys
2008-03-15 23:36 . 2008-03-15 23:36 10,520 --a------ D:\WINDOWS\system32\avgrsstx.dll
2008-03-15 23:35 . 2008-03-16 11:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\avg8
2008-03-15 23:20 . 2008-03-16 11:16 <DIR> d-------- D:\Program Files\AVG
2008-03-15 23:20 . 2008-03-15 23:20 45,568 --a------ D:\WINDOWS\system32\avgfwdx.dll
2008-03-15 23:20 . 2008-03-15 23:20 22,528 --a------ D:\WINDOWS\system32\drivers\avgfwdx.sys
2008-03-15 23:12 . 2008-03-15 23:12 32,256 --a------ D:\WINDOWS\system32\shdocpe.dll
2008-03-15 23:12 . 2008-03-15 23:12 24,320 --a------ D:\WINDOWS\system32\ntnut32.exe
2008-03-15 23:12 . 2008-03-15 23:12 14,336 --a------ D:\WINDOWS\system32\MSNSA32.dll
2008-03-15 23:12 . 2008-03-15 23:12 9,472 --a------ D:\WINDOWS\system32\SIPSPI32.dll
2008-03-15 22:17 . 2008-03-15 22:17 499,712 --a------ D:\WINDOWS\system32\msvcp71.dll
2008-03-15 22:17 . 2008-03-15 22:17 348,160 --a------ D:\WINDOWS\system32\msvcr71.dll
2008-03-15 22:12 . 2008-03-15 22:12 <DIR> d-------- D:\Documents and Settings\admin\Application Data\SiteAdvisor
2008-03-15 20:49 . 2008-03-17 18:45 5,120 --a------ D:\Documents and Settings\LocalService\ftpdll.dll
2008-03-15 20:39 . 2006-07-27 16:45 1,808 --a------ D:\WINDOWS\system32\subst.inf
2008-03-15 20:35 . 2008-03-15 22:15 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\McAfee
2008-03-15 20:35 . 2008-03-15 20:35 43,928 ---hs---- D:\WINDOWS\system32\drivers\ctfmon.exe
2008-03-15 20:35 . 2008-03-17 18:45 5,120 --a------ D:\WINDOWS\system32\ftpdll.dll
2008-03-15 20:35 . 2008-03-17 18:10 5,120 --a------ D:\Documents and Settings\admin\ftpdll.dll
2008-03-15 20:06 . 2008-03-15 20:06 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Rabio
2008-03-15 20:05 . 2008-03-16 10:35 <DIR> d-------- D:\Program Files\Bat
2008-03-14 20:55 . 2008-03-14 20:55 237,568 --a------ D:\WINDOWS\system32\config\systemprofile\NTUSER(2).DAT
2008-03-13 17:14 . 2008-03-13 17:14 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-13 17:14 . 2008-03-13 17:15 <DIR> d-------- D:\Documents and Settings\admin\Application Data\Yahoo!
2008-03-13 10:46 . 2008-03-13 10:46 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-13 10:45 . 2008-03-13 10:46 <DIR> d-------- D:\Program Files\Yahoo!
2008-03-13 10:41 . 2002-05-06 13:59 26,776 --a------ D:\WINDOWS\system32\drivers\SQCamD.sys
2008-03-13 10:41 . 2002-05-06 13:58 24,511 --a------ D:\WINDOWS\system32\drivers\sqcaptur.sys
2008-03-08 00:13 . 2008-03-08 00:13 <DIR> d-------- D:\Documents and Settings\admin\Application Data\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 05:11 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-02-11 17:20 --------- d-----w D:\Documents and Settings\admin\Application Data\vlc
2008-02-10 14:07 --------- d-----w D:\Documents and Settings\NetworkService\Application Data\Intel
2008-02-10 14:06 --------- d-----w D:\Documents and Settings\admin\Application Data\ESET
2008-02-10 14:05 --------- d-----w D:\Program Files\ESET
2008-02-10 14:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\ESET
2008-02-10 14:01 --------- d-----w D:\Program Files\VideoLAN
2008-02-10 14:01 --------- d-----w D:\Program Files\Real
2008-02-10 14:01 --------- d-----w D:\Program Files\Common Files\xing shared
2008-02-10 14:01 --------- d-----w D:\Program Files\Common Files\Real
2008-02-10 14:00 --------- d-----w D:\Program Files\CyberLink
2008-02-10 14:00 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-10 13:59 --------- d-----w D:\Program Files\Common Files\InstallShield
2008-02-10 13:59 --------- d-----w D:\Program Files\Common Files\Adobe
2008-02-10 13:56 --------- d-----w D:\Program Files\Winamp
2008-02-10 13:55 --------- d-----w D:\Program Files\Microsoft.NET
2008-02-10 13:55 --------- d-----w D:\Program Files\Common Files\L&H
2008-02-10 13:54 99,965 ----a-w D:\WINDOWS\UninstallFirefox.exe
2008-02-10 13:54 --------- d-----w D:\Program Files\Microsoft ActiveSync
2008-02-10 13:53 --------- d-----w D:\Program Files\Microsoft Works
2008-02-10 13:51 --------- d-----w D:\Program Files\Common Files\Ahead
2008-02-10 13:51 --------- d-----w D:\Documents and Settings\admin\Application Data\Ahead
2008-02-10 13:49 --------- d-----w D:\Program Files\Nero
2008-02-10 13:49 --------- d-----w D:\Documents and Settings\All Users\Application Data\Nero
2008-02-10 13:46 --------- d-----w D:\Program Files\CONEXANT
2008-02-10 13:44 --------- d-----w D:\Program Files\SigmaTel
2008-02-10 13:43 21,275 ----a-w D:\WINDOWS\system32\drivers\AegisP.sys
2008-02-10 13:43 --------- d-----w D:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-02-10 13:43 --------- d-----w D:\Documents and Settings\admin\Application Data\Intel
2008-02-10 13:42 --------- d-----w D:\Program Files\Intel
2008-02-10 13:42 --------- d-----w D:\Documents and Settings\All Users\Application Data\Intel
2008-02-10 13:41 --------- d-----w D:\Program Files\Broadcom
2008-02-10 10:39 --------- d-----w D:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [ ]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Yahoo! Pager"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"QdrPack14"="D:\Program Files\QdrPack\QdrPack14.exe" [ ]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-17 18:49 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="D:\WINDOWS\system32\igfxtray.exe" [2007-01-13 17:47 131072]
"HotKeysCmds"="D:\WINDOWS\system32\hkcmd.exe" [2007-01-13 17:47 163840]
"Persistence"="D:\WINDOWS\system32\igfxpers.exe" [2007-01-13 17:46 135168]
"IntelZeroConfig"="D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 09:28 667718]
"IntelWireless"="D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 09:28 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 15:35 397312 D:\WINDOWS\stsystra.exe]
"NeroFilterCheck"="D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [2006-03-10 23:15 35328]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 17:35 32768]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-10 19:31 180269]
"AVG8_TRAY"="D:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-03-15 23:36 1171712]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-17 18:49 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"D:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"D:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;D:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-03-15 23:36]
R1 AvgLdx86;AVG AVI Loader Driver x86;D:\WINDOWS\system32\Drivers\avgldx86.sys [2008-03-15 23:36]
R2 avg8wd;AVG8 WatchDog;D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-03-15 23:36]
R2 AvgTdiX;AVG8 Network Redirector;D:\WINDOWS\system32\Drivers\avgtdix.sys [2008-03-15 23:36]
R2 XAudio;XAudio;D:\WINDOWS\system32\DRIVERS\xaudio.sys [2006-08-04 16:39]
S2 avg8emc;AVG8 E-mail Scanner;D:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-03-15 23:36]
S2 avgfws8;AVG8 Firewall;D:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-03-15 23:36]
S3 Avgfwdx;Avgfwdx;D:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-03-15 23:20]
S3 Avgfwfd;AVG network filter service;D:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-03-15 23:20]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 18:59:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-17 19:00:04
ComboFix-quarantined-files.txt 2008-03-17 13:30:02
ComboFix2.txt 2008-03-16 04:06:28

==============================

HijackThis New Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:31 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\Program Files\AVG\AVG8\avgrsx.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
D:\WINDOWS\stsystra.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [QdrPack14] "D:\Program Files\QdrPack\QdrPack14.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Bat - Auto Update.lnk = D:\Program Files\Bat\Bat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - D:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 6869 bytes

========================

Please advise for any other actions.

Regards,
Sagar

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.





Download the file & save it as it's originally named, next to ComboFix.exe.






Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

Hi

Please find here the requested log:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


After the prior action, the other observation that I had is that I am not able to see any pictures or diagrams on my FireFox browser. Can you please advise on the same.

Regards,
Sagar

That is a trange issue.
We will see if it clears up after the rest is gone.
=================================
1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.geekstogo...ml#entry1191471

Collect::
D:\WINDOWS\FLEOK
D:\Program Files\Bat
D:\WINDOWS\system32\drivers\ctfmon.exe
D:\Documents and Settings\admin\Local Settings\Application Data\spool.exe
D:\Documents and Settings\LocalService\Local Settings\Application Data\spool.exe
Folder::
D:\Program Files\QdrPack
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrPack14"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. Additonally, ComboFix will generate the following files on your desktop

• A zipped file on your desktop called Submit [Date Time].zip
• And another file named - CF-Submit.htm

6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:



Clicking OK will cause the machine's browser to load CF-Submit.htm



9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.

• Click on the file to Select it.
• Submit the file by clicking "OK"

10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log (run after ComboFix has finished its work.)

Hi

Please find here with logs advised for.

Combo Fix:

ComboFix 08-03-17.1 - admin 2008-03-18 8:38:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.653 [GMT 5.5:30]
Running from: D:\Documents and Settings\admin\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\admin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\admin\Local Settings\Application Data\spool.exe
D:\Documents and Settings\LocalService\Local Settings\Application Data\spool.exe
D:\WINDOWS\system32\drivers\ctfmon.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.

2008-03-17 18:37 . 2008-03-17 18:38 <DIR> d-------- D:\WINDOWS\ERUNT
2008-03-17 18:33 . 2008-03-17 18:33 <DIR> d-------- D:\SDFix
2008-03-16 12:43 . 2008-03-17 18:49 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-03-16 12:43 . 2008-03-16 12:43 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-16 12:43 . 2008-03-16 12:43 <DIR> d-------- D:\Documents and Settings\admin\Application Data\SUPERAntiSpyware.com
2008-03-16 12:36 . 2008-03-16 12:36 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-03-16 11:32 . 2008-03-16 11:32 <DIR> d-------- D:\Documents and Settings\admin\Application Data\Grisoft
2008-03-16 11:26 . 2008-03-16 11:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-16 11:26 . 2008-03-16 11:26 <DIR> d-------- D:\Documents and Settings\Administrator.INDIA.000\Application Data\Grisoft
2008-03-16 11:26 . 2007-05-30 17:40 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-16 11:16 . 2008-03-16 11:16 <DIR> d-------- D:\Documents and Settings\admin\Application Data\AVGTOOLBAR
2008-03-16 11:15 . 2008-03-16 11:15 <DIR> d-------- D:\WINDOWS\FLEOK
2008-03-16 09:23 . 2008-03-16 09:23 <DIR> d-------- D:\Program Files\Trend Micro
2008-03-15 23:51 . 2008-03-16 08:10 4,212 ---h----- D:\WINDOWS\system32\zllictbl.dat
2008-03-15 23:50 . 2008-03-16 11:18 <DIR> d-------- D:\WINDOWS\Internet Logs
2008-03-15 23:36 . 2008-03-15 23:40 <DIR> d-------- D:\WINDOWS\system32\drivers\Avg
2008-03-15 23:36 . 2008-03-15 23:36 96,520 --a------ D:\WINDOWS\system32\drivers\avgldx86.sys
2008-03-15 23:36 . 2008-03-15 23:36 74,376 --a------ D:\WINDOWS\system32\drivers\avgtdix.sys
2008-03-15 23:36 . 2008-03-15 23:36 12,424 --a------ D:\WINDOWS\system32\drivers\avgrkx86.sys
2008-03-15 23:36 . 2008-03-15 23:36 10,520 --a------ D:\WINDOWS\system32\avgrsstx.dll
2008-03-15 23:35 . 2008-03-16 11:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\avg8
2008-03-15 23:20 . 2008-03-16 11:16 <DIR> d-------- D:\Program Files\AVG
2008-03-15 23:20 . 2008-03-15 23:20 45,568 --a------ D:\WINDOWS\system32\avgfwdx.dll
2008-03-15 23:20 . 2008-03-15 23:20 22,528 --a------ D:\WINDOWS\system32\drivers\avgfwdx.sys
2008-03-15 23:12 . 2008-03-15 23:12 32,256 --a------ D:\WINDOWS\system32\shdocpe.dll
2008-03-15 23:12 . 2008-03-15 23:12 24,320 --a------ D:\WINDOWS\system32\ntnut32.exe
2008-03-15 23:12 . 2008-03-15 23:12 14,336 --a------ D:\WINDOWS\system32\MSNSA32.dll
2008-03-15 23:12 . 2008-03-15 23:12 9,472 --a------ D:\WINDOWS\system32\SIPSPI32.dll
2008-03-15 22:17 . 2008-03-15 22:17 499,712 --a------ D:\WINDOWS\system32\msvcp71.dll
2008-03-15 22:17 . 2008-03-15 22:17 348,160 --a------ D:\WINDOWS\system32\msvcr71.dll
2008-03-15 22:12 . 2008-03-15 22:12 <DIR> d-------- D:\Documents and Settings\admin\Application Data\SiteAdvisor
2008-03-15 20:49 . 2008-03-17 18:45 5,120 --a------ D:\Documents and Settings\LocalService\ftpdll.dll
2008-03-15 20:39 . 2006-07-27 16:45 1,808 --a------ D:\WINDOWS\system32\subst.inf
2008-03-15 20:35 . 2008-03-15 22:15 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\McAfee
2008-03-15 20:35 . 2008-03-17 18:45 5,120 --a------ D:\WINDOWS\system32\ftpdll.dll
2008-03-15 20:35 . 2008-03-17 18:10 5,120 --a------ D:\Documents and Settings\admin\ftpdll.dll
2008-03-15 20:06 . 2008-03-15 20:06 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Rabio
2008-03-15 20:05 . 2008-03-16 10:35 <DIR> d-------- D:\Program Files\Bat
2008-03-14 20:55 . 2008-03-14 20:55 237,568 --a------ D:\WINDOWS\system32\config\systemprofile\NTUSER(2).DAT
2008-03-13 17:14 . 2008-03-13 17:14 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-13 17:14 . 2008-03-13 17:15 <DIR> d-------- D:\Documents and Settings\admin\Application Data\Yahoo!
2008-03-13 10:46 . 2008-03-13 10:46 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-13 10:45 . 2008-03-13 10:46 <DIR> d-------- D:\Program Files\Yahoo!
2008-03-13 10:41 . 2002-05-06 13:59 26,776 --a------ D:\WINDOWS\system32\drivers\SQCamD.sys
2008-03-13 10:41 . 2002-05-06 13:58 24,511 --a------ D:\WINDOWS\system32\drivers\sqcaptur.sys
2008-03-08 00:13 . 2008-03-08 00:13 <DIR> d-------- D:\Documents and Settings\admin\Application Data\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 05:11 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-02-11 17:20 --------- d-----w D:\Documents and Settings\admin\Application Data\vlc
2008-02-10 14:07 --------- d-----w D:\Documents and Settings\NetworkService\Application Data\Intel
2008-02-10 14:06 --------- d-----w D:\Documents and Settings\admin\Application Data\ESET
2008-02-10 14:05 --------- d-----w D:\Program Files\ESET
2008-02-10 14:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\ESET
2008-02-10 14:01 --------- d-----w D:\Program Files\VideoLAN
2008-02-10 14:01 --------- d-----w D:\Program Files\Real
2008-02-10 14:01 --------- d-----w D:\Program Files\Common Files\xing shared
2008-02-10 14:01 --------- d-----w D:\Program Files\Common Files\Real
2008-02-10 14:00 --------- d-----w D:\Program Files\CyberLink
2008-02-10 14:00 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-10 13:59 --------- d-----w D:\Program Files\Common Files\InstallShield
2008-02-10 13:59 --------- d-----w D:\Program Files\Common Files\Adobe
2008-02-10 13:56 --------- d-----w D:\Program Files\Winamp
2008-02-10 13:55 --------- d-----w D:\Program Files\Microsoft.NET
2008-02-10 13:55 --------- d-----w D:\Program Files\Common Files\L&H
2008-02-10 13:54 99,965 ----a-w D:\WINDOWS\UninstallFirefox.exe
2008-02-10 13:54 --------- d-----w D:\Program Files\Microsoft ActiveSync
2008-02-10 13:53 --------- d-----w D:\Program Files\Microsoft Works
2008-02-10 13:51 --------- d-----w D:\Program Files\Common Files\Ahead
2008-02-10 13:51 --------- d-----w D:\Documents and Settings\admin\Application Data\Ahead
2008-02-10 13:49 --------- d-----w D:\Program Files\Nero
2008-02-10 13:49 --------- d-----w D:\Documents and Settings\All Users\Application Data\Nero
2008-02-10 13:46 --------- d-----w D:\Program Files\CONEXANT
2008-02-10 13:44 --------- d-----w D:\Program Files\SigmaTel
2008-02-10 13:43 21,275 ----a-w D:\WINDOWS\system32\drivers\AegisP.sys
2008-02-10 13:43 --------- d-----w D:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-02-10 13:43 --------- d-----w D:\Documents and Settings\admin\Application Data\Intel
2008-02-10 13:42 --------- d-----w D:\Program Files\Intel
2008-02-10 13:42 --------- d-----w D:\Documents and Settings\All Users\Application Data\Intel
2008-02-10 13:41 --------- d-----w D:\Program Files\Broadcom
2008-02-10 10:39 --------- d-----w D:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-03-17_18.59.56.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-17 13:20:13 41,028 ----a-w D:\WINDOWS\system32\perfc009.dat
+ 2008-03-18 02:56:32 41,028 ----a-w D:\WINDOWS\system32\perfc009.dat
- 2008-03-17 13:20:13 313,356 ----a-w D:\WINDOWS\system32\perfh009.dat
+ 2008-03-18 02:56:32 313,356 ----a-w D:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [ ]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Yahoo! Pager"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-17 18:49 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="D:\WINDOWS\system32\igfxtray.exe" [2007-01-13 17:47 131072]
"HotKeysCmds"="D:\WINDOWS\system32\hkcmd.exe" [2007-01-13 17:47 163840]
"Persistence"="D:\WINDOWS\system32\igfxpers.exe" [2007-01-13 17:46 135168]
"IntelZeroConfig"="D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 09:28 667718]
"IntelWireless"="D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 09:28 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 15:35 397312 D:\WINDOWS\stsystra.exe]
"NeroFilterCheck"="D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [2006-03-10 23:15 35328]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 17:35 32768]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-10 19:31 180269]
"AVG8_TRAY"="D:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-03-15 23:36 1171712]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-17 18:49 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"D:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"D:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;D:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-03-15 23:36]
R1 AvgLdx86;AVG AVI Loader Driver x86;D:\WINDOWS\system32\Drivers\avgldx86.sys [2008-03-15 23:36]
R2 avg8wd;AVG8 WatchDog;D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-03-15 23:36]
R2 AvgTdiX;AVG8 Network Redirector;D:\WINDOWS\system32\Drivers\avgtdix.sys [2008-03-15 23:36]
R2 XAudio;XAudio;D:\WINDOWS\system32\DRIVERS\xaudio.sys [2006-08-04 16:39]
S2 avg8emc;AVG8 E-mail Scanner;D:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-03-15 23:36]
S2 avgfws8;AVG8 Firewall;D:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-03-15 23:36]
S3 Avgfwdx;Avgfwdx;D:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-03-15 23:20]
S3 Avgfwfd;AVG network filter service;D:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-03-15 23:20]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 08:39:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-18 8:39:24
ComboFix-quarantined-files.txt 2008-03-18 03:09:23
ComboFix2.txt 2008-03-17 14:40:32
ComboFix3.txt 2008-03-17 13:30:05
ComboFix4.txt 2008-03-16 04:06:28

=================================

HijackThis :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:47 AM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
D:\WINDOWS\stsystra.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Program Files\AVG\AVG8\avgrsx.exe
D:\Program Files\AVG\AVG8\avgrsx.exe
D:\Program Files\AVG\AVG8\avgrsx.exe
D:\Program Files\AVG\AVG8\avgrsx.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Bat - Auto Update.lnk = D:\Program Files\Bat\Bat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - D:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 6865 bytes
========================

Please advise for further actions.

Thank you for your help.

Regards,
Sagar

Hi

I also had uploaded the ComboFix Log to Bleepingcomputer.com

Rgrds,
Sunil

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  D:\Program Files\Bat
  D:\Documents and Settings\All Users\Application Data\Rabio
  D:\WINDOWS\FLEOK

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
• Click the red Moveit! button.
• OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
======================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

Hi

Thank you for the advise. I appreciate your repeated guidance in getting this threat removed.


Log from OTMoveIt2:

D:\Program Files\Bat moved successfully.
D:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer moved successfully.
D:\Documents and Settings\All Users\Application Data\Rabio moved successfully.
D:\WINDOWS\FLEOK moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03182008_194045

================================================

Log from Mbam:

Malwarebytes' Anti-Malware 1.08
Database version: 502

Scan type: Quick Scan
Objects scanned: 29766
Time elapsed: 5 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{5a148cf2-9c7b-4499-8e25-c9383a5e8680} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{daa07812-5c88-4ccc-8d25-10fef65b77b1} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BndFibu7.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndFibu7.Band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndFibu7.Band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndFibu7.BHO (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndFibu7.BHO.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\MSNSA32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\ntnut32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\SIPSPI32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
D:\Documents and Settings\admin\ftpdll.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\ftpdll.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\Documents and Settings\admin\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.
D:\Documents and Settings\LocalService\ftpdll.dll (Trojan.Agent) -> Quarantined and deleted successfully.

=========================================================

Please advise for the next course of action.

Regards,
Sunil

You are welcome
===========================
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==================================
Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Hi

My previous action on MBAM scan resulted in a quick scan.

I just completed a full scan of my system with MBAM. Please find here with a log that got generated.

----------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.08
Database version: 502

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 215648
Time elapsed: 53 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\QooBox\Quarantine\D\Program Files\ISM\ism.exe.vir (Adware.ISM) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\Program Files\QdrDrive\QdrDrive12.dll.vir (Adware.SearchAid) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\Program Files\QdrDrive\qdrloader.exe.vir (Adware.SearchAid) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\Program Files\QdrModule\QdrModule13.exe.vir (Adware.SearchAid) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\Program Files\QdrPack\QdrPack14.exe.vir (Adware.SearchAid) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\000090.exe.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP17\A0075978.exe (Adware.Batco) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP17\A0076981.exe (Adware.Batco) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP17\A0078979.exe (Adware.Batco) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP17\A0080275.exe (Adware.Batco) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP18\A0081248.exe (Adware.Batco) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP18\A0081397.exe (Adware.Batco) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP25\A0084935.dll (Adware.SearchAid) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP25\A0084936.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP25\A0084937.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP25\A0084956.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP26\A0085437.exe (Adware.Batco) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP26\A0085478.exe (Adware.Batco) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP27\A0085505.exe (Adware.Batco) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP27\A0085690.exe (Adware.Batco) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP27\A0085930.dll (Adware.SearchAid) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP27\A0085931.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP27\A0085932.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP27\A0085934.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP27\A0086111.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP27\A0086112.dll (Adware.SearchAid) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP27\A0086113.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP28\A0096229.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{0443C307-E846-4F9C-B5B5-74D45F091447}\RP28\A0096235.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\_OTMoveIt\MovedFiles\03182008_194045\Program Files\Bat\Bat.dll (Adware.Batco) -> Quarantined and deleted successfully.
D:\_OTMoveIt\MovedFiles\03182008_194045\Program Files\Bat\un_BatSetup_15041.exe (Adware.Rabio) -> Quarantined and deleted successfully.
D:\_OTMoveIt\MovedFiles\03182008_194045\Program Files\Bat\X_Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
============================================================================

Please advise for next set of actions.

Regards,
Sunil

Please see my previous post.

Hi

I cleaned with ATF.
But the system is not able to initiate scan when the 'Scan your PC' button on Panda web page is choosen.
Not sure if there any settings that I will have to enable / disable on my fire fox.
can you please advise on the same.

Regards,
Sunil

It is only for use with Internet Explorer.