AV care and other possible malware

First thing that happened was a warning that my windows firewall was disabled. Then, the avcare supposed 'antivurus' started running. I couldn't get it to stop (not really knowing what was happening at that point) so I turned the PC off. On the first attempt, it wouldn't reboot (hung on the light-blue screen). No boot problems since.
Stopped the avcare program starting itself on boot-up by deleting its program files folder. But there seems to be other (or associated) malware. Every so often an IE window (or 2) will open spontaneously, always displaying some kind of spam ad (gambling, pharmaceuticals, etc). Sometimes when I use google I get re-directs to something like 'windowsclick.com...'.

I've read how Malwarebytes' Anti-Malware is the thing to try, but I can't get it to install. First I have to re-name it to even be allowed to begin the installation process, and at the point where you choose 'Finish' and it's supposed to auto-launch, it doesn't (waited on it for over 3 hours).

I tried to do an AVG scan, but something caused the computer to re-start before it was finished.

When I did a search on files created at the time this began, I also noticed msa.exe which I googled and found to be more malware, though doing the same search again now (a day later) I'm not seeing it.

And the last problem I can identify is b.exe which is always a running process when I start up now.

I wouldn't be too bothered at having to re-format if I could back up some files, but the final symptom I've encounterd is that I can't burn a CD any more as when I tried to Nero presented me with an option I've never encounted before about burning rights and will now not let me burn without downloading them - and I read of other people having this problem who've said downloading them won't fix it anyway.


I've had occasional virus/malware problems in the past but always managed to fix things just by reading up and using suggested programs. But this has me beat. Much thanks in advance for any help you can give.

Here are the logs:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Dave at 3:27:02.54 on 31/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.118 [GMT 1:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\SOINTGR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Dave\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.blueyonder.co.uk/blueyonder/index.jsp
uWindow Title = Microsoft Internet Explorer provided by blueyonder
uURLSearchHooks: {c12b4ec1-1f65-11d3-91ca-00104b9c4765} - c:\program files\copernic 2000 pro\CopernicFind.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~2\SDHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RealPlayer] "c:\program files\real\realone player\realplay.exe" /RunUPGToolCommandReBoot
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ntuser] c:\windows\system32\drivers\spools.exe
uRun: [autoload] c:\documents and settings\dave\cftmon.exe
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [CTZDetec.exe] c:\program files\creative\creative media lite\CTZDetec.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Monopod] c:\docume~1\dave\locals~1\temp\b.exe
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [SO5 Integrator Pass Two] c:\windows\SOINTGR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver2\LVCOMS.EXE
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [ntuser] c:\windows\system32\drivers\spools.exe
mRun: [autoload] c:\documents and settings\dave\cftmon.exe
mRun: [net] "c:\windows\system32\net.net"
mRun: [MSxmlHpr] RUNDLL32.EXE c:\windows\system32\msxm192z.dll,w
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\dave\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\dave\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueyo~1.lnk - c:\program files\blueyonder ist\bin\matcli.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: Search Using Copernic - file://c:\program files\copernic 2000 pro\Search Extension.htm
IE: {2A465934-E5F0-11D2-91B5-00104B9C4765} - c:\program files\copernic 2000 pro\Copernic.exe
IE: {2A465936-E5F0-11D2-91B5-00104B9C4765} - c:\program files\copernic 2000 pro\Copernic.exe
IE: {99EFB53C-C965-43CF-9F45-52242D134187} - c:\program files\copernic 2000 pro\Translate.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~2\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: f3dsl - lsd_f3.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dave\applic~1\mozilla\firefox\profiles\6vriaue5.default\
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

============= SERVICES / DRIVERS ===============

R?2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2002-5-19 14336]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-9-29 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2005-11-3 4224]
R1 Avg7RsXP;AVG7 Rezident Driver;c:\windows\system32\drivers\avg7rsxp.sys [2006-4-24 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-2-17 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-2-17 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-2-17 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-2-17 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2005-6-30 4960]
R3 ham50;Creatix V.92 HAM Data Fax Modem;c:\windows\system32\drivers\CTXH51.sys [2002-4-22 471407]
S1 iesprt;KeIE;\??\c:\windows\system32\iesprt.sys --> c:\windows\system32\iesprt.sys [?]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2005-1-13 152576]
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;c:\windows\system32\drivers\UsbMicfilt.sys [2004-3-7 22571]
S3 ZSMC302;PCL-W310;c:\windows\system32\drivers\usbVM302.sys [2004-3-7 93962]

=============== Created Last 30 ================

2009-07-30 04:16 <DIR> --d----- c:\docume~1\dave\applic~1\Malwarebytes
2009-07-30 04:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-30 03:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\18048904
2009-07-30 03:21 142,852 a------- c:\windows\system32\msxml71.dll
2009-07-30 03:20 37,148 a------- c:\windows\system32\net.net
2009-07-02 05:35 <DIR> --dsh--- c:\documents and settings\dave\IECompatCache
2009-07-01 09:04 <DIR> --dsh--- c:\documents and settings\dave\PrivacIE
2009-07-01 08:52 <DIR> --dsh--- c:\documents and settings\dave\IETldCache
2009-07-01 08:48 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-01 08:47 <DIR> --d----- c:\windows\ie8updates
2009-07-01 08:45 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-01 08:45 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-01 08:41 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-03-04 21:55 16,320,472 a------- c:\program files\vlc-0.9.8a-win32.exe
2009-02-03 20:58 763 a------- c:\program files\dizzy.ini
2008-05-14 23:55 498 a------- c:\documents and settings\dave\mpr2.dat
2008-05-14 23:55 498 a------- c:\documents and settings\dave\mpr.dat
2008-04-26 06:14 148,992 a------- c:\program files\ms_setup.exe
2007-11-17 10:43 389,784 a------- c:\program files\switchsetup.exe
2007-06-23 22:44 6,820,528 a------- c:\program files\FirefoxGoogleToolbarSetup.exe
2007-04-22 08:16 788,153 a------- c:\program files\pdf_image_extraction_wizard_11_setup.exe
2007-03-17 15:05 1,898 a------- c:\program files\dizzyreadme.txt
2007-03-17 14:59 532,480 a------- c:\program files\setup.exe
2007-03-17 14:55 947,083 a------- c:\program files\dizzy.pak
2007-03-08 11:38 7,223 a------- c:\program files\Lost.3x11.(HDTV-NoTV)[VTV].torrent
2007-02-17 02:13 19,170,000 a------- c:\program files\avg75free_441a944.exe
2006-10-17 22:14 1,097,783 a------- c:\program files\dizzy.exe
2006-08-23 08:29 1,969 a------- c:\program files\NESten.INI
2006-08-12 19:59 7,206 a------- c:\program files\the[1].shield.507.dsr-loki.[VTV].=mininova.org=.torrent
2006-07-20 20:44 648,594 a------- c:\program files\NESten061B1.exe
2006-06-09 18:20 1,033,987 a------- c:\program files\wrar36b4.exe
2005-06-11 07:04 3,899,239 a------- c:\program files\BitTorrent-4.1.2-Beta.exe
2005-05-24 00:12 3,597,968 a------- c:\program files\aimUK55.exe
2004-06-11 01:53 47,503 a------- c:\program files\KillBox.zip
2004-06-07 02:46 31,232 a--sh--- c:\program files\Thumbs.db
2004-05-31 17:11 402,564 a------- c:\program files\bhblastersetup.exe
2004-05-29 17:50 79 a------- c:\program files\adios.reg
2004-05-07 16:21 3,684,032 a------- c:\program files\spybotsd12.exe
2003-01-15 18:08 8,365,240 a------- c:\program files\RealOnePlayerV2GOLD.exe
2008-02-02 08:09 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-09 11:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat

============= FINISH: 3:29:08.90 ===============

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Make sure that you save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Combofix wouldn't run. Double-clicked the icon and got the prompt to run it, clicked run, nothing happened.

Ok, let's try to work around that. Go ahead and delete combofix.exe from your desktop.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt so we can continue cleaning the system.

Should I also turn off the windows firewall and my screen-saver before running? And should I disable my internet connection so the malware can't open any windows?

No reason to disconnect your firewall or your screen saver. And at this point keep your connection active.

Ran all the way through that time.

b.exe hasn't appeared as a running process after the reboot this time, and neither did IE - which hasn't opened any windows as I've been typing this.

These are the paths it asked me to note myself:

C:\WINDOWS\system32\drivers\UACqbavwlymhl.sys
C:\WINDOWS\system32\UACtepqpqjdqq.dll
C:\WINDOWS\system32\UACowyufdrgit.dll
C:\WINDOWS\system32\UACbaiqjxfqhn.dat
C:\WINDOWS\system32\UACorswwltipx.db
C:\WINDOWS\system32\UACrrowpkbymj.dll
C:\WINDOWS\system32\UACenyxujugxt.dll
C:\WINDOWS\system32\UACegwnkvvmyl.dll

(I think I noticed it delete some of those afterwards)



Here's the log:



ComboFix 09-07-31.04 - Dave 01/08/2009 19:34.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.283 [GMT 1:00]
Running from: c:\documents and settings\Dave\Desktop\Combo-Fix.exe
AV: AVG 7.5.557 *On-access scanning disabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\18048904
c:\docume~1\ALLUSE~1\APPLIC~1\18048904\18048904.exe
c:\docume~1\Dave\LOCALS~1\Temp\tmp2.tmp
c:\program files\\setup.exe
c:\recycler\S-1-5-21-1244716356-905303659-963918322-1003
c:\recycler\S-1-5-21-3479383672-1987657003-3825228898-1003
c:\windows\hosts
c:\windows\Install.txt
c:\windows\run.log
c:\windows\system32\drivers\UACqbavwlymhl.sys
c:\windows\system32\Install.txt
c:\windows\system32\msncache.dll
c:\windows\system32\msxml71.dll
c:\windows\system32\net.net
c:\windows\system32\UACbaiqjxfqhn.dat
c:\windows\system32\UACegwnkvvmyl.dll
c:\windows\system32\UACenyxujugxt.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACorswwltipx.db
c:\windows\system32\UACowyufdrgit.dll
c:\windows\system32\UACrrowpkbymj.dll
c:\windows\system32\UACtepqpqjdqq.dll
c:\windows\system32\wiawow32.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_IESPRT
-------\Legacy_MSNCACHE
-------\Service_iesprt
-------\Service_msncache


((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-07-30 03:16 . 2009-07-30 03:16 -------- d-----w- c:\documents and settings\Dave\Application Data\Malwarebytes
2009-07-30 03:01 . 2009-07-30 03:01 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-30 02:20 . 2009-07-30 02:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 05:15 . 2004-12-17 01:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG7
2009-07-03 17:09 . 2004-01-08 13:23 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2002-05-19 16:24 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2002-05-19 16:24 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2003-05-13 11:27 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2002-05-19 16:24 345600 ----a-w- c:\windows\system32\localspl.dll
2009-03-04 20:55 . 2009-03-04 20:55 16320472 ----a-w- c:\program files\vlc-0.9.8a-win32.exe
2009-02-03 19:58 . 2009-02-03 02:26 763 ----a-w- c:\program files\dizzy.ini
2008-04-26 05:14 . 2008-04-26 05:14 148992 ----a-w- c:\program files\ms_setup.exe
2007-11-17 09:43 . 2007-11-17 09:43 389784 ----a-w- c:\program files\switchsetup.exe
2007-06-23 21:44 . 2007-06-23 21:44 6820528 ----a-w- c:\program files\FirefoxGoogleToolbarSetup.exe
2007-04-22 07:16 . 2007-04-22 07:16 788153 ----a-w- c:\program files\pdf_image_extraction_wizard_11_setup.exe
2007-03-17 14:05 . 2009-02-03 02:27 1898 ----a-w- c:\program files\dizzyreadme.txt
2007-03-17 13:55 . 2009-02-03 02:26 947083 ----a-w- c:\program files\dizzy.pak
2007-03-08 10:38 . 2007-03-08 10:38 7223 ----a-w- c:\program files\Lost.3x11.(HDTV-NoTV)[VTV].torrent
2007-02-17 01:13 . 2007-02-17 01:13 19170000 ----a-w- c:\program files\avg75free_441a944.exe
2006-10-17 21:14 . 2009-02-03 02:27 1097783 ----a-w- c:\program files\dizzy.exe
2006-08-23 07:29 . 2006-07-21 18:24 1969 ----a-w- c:\program files\NESten.INI
2006-08-12 18:59 . 2006-08-12 18:59 7206 ----a-w- c:\program files\the[1].shield.507.dsr-loki.[VTV].=mininova.org=.torrent
2006-07-20 19:44 . 2006-07-20 19:44 648594 ----a-w- c:\program files\NESten061B1.exe
2006-06-09 17:20 . 2006-06-09 17:20 1033987 ----a-w- c:\program files\wrar36b4.exe
2005-06-11 06:04 . 2005-06-11 06:02 3899239 ----a-w- c:\program files\BitTorrent-4.1.2-Beta.exe
2005-05-23 23:12 . 2005-05-23 23:12 3597968 ----a-w- c:\program files\aimUK55.exe
2004-06-11 00:53 . 2004-06-11 00:53 47503 ----a-w- c:\program files\KillBox.zip
2004-06-07 01:46 . 2004-06-07 01:46 31232 --sha-w- c:\program files\Thumbs.db
2004-05-31 16:11 . 2004-05-31 16:10 402564 ----a-w- c:\program files\bhblastersetup.exe
2004-05-29 16:50 . 2004-05-29 16:50 79 ----a-w- c:\program files\adios.reg
2004-05-07 15:21 . 2004-05-07 15:21 3684032 ----a-w- c:\program files\spybotsd12.exe
2003-01-15 17:08 . 2003-01-15 17:08 8365240 ----a-w- c:\program files\RealOnePlayerV2GOLD.exe
2009-01-23 22:43 . 2007-06-23 21:56 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-23 22:43 . 2007-06-23 21:56 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-23 22:43 . 2007-06-23 21:56 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-23 22:43 . 2007-06-23 21:56 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-23 22:43 . 2007-06-23 21:56 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-02-02 07:09 . 2007-05-02 05:33 10856 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="c:\program files\Real\RealOne Player\realplay.exe" [2006-06-02 1003520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"CTZDetec.exe"="c:\program files\Creative\Creative Media Lite\CTZDetec.exe" [2007-12-18 401408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"SO5 Integrator Pass Two"="c:\windows\SOINTGR.EXE" [2000-05-08 20480]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-01-15 151597]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-05-07 590848]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [2003-09-04 135214]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-06 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"MSxmlHpr"="c:\windows\system32\msxm192z.dll" [2004-08-17 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-01-28 219136]

c:\documents and settings\Dave\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-21 51984]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
blueyonder Instant Support Tool.lnk - c:\program files\blueyonder IST\bin\matcli.exe [2004-5-4 204800]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Sopcast\\SopCast.exe"=
"c:\\Program Files\\Sopcast\\adv\\SopAdver.exe"=

R3 ham50;Creatix V.92 HAM Data Fax Modem;c:\windows\system32\drivers\CTXH51.sys [22/04/2002 14:09 471407]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [13/01/2005 20:13 152576]
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;c:\windows\system32\drivers\UsbMicfilt.sys [07/03/2004 15:58 22571]
S3 ZSMC302;PCL-W310;c:\windows\system32\drivers\usbVM302.sys [07/03/2004 15:58 93962]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKLM-Run-net - c:\windows\system32\net.net


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.blueyonder.co.uk/blueyonder/index.jsp
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Search Using Copernic - file://c:\program files\Copernic 2000 Pro\Search Extension.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\docume~1\Dave\APPLIC~1\Mozilla\Firefox\Profiles\6vriaue5.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 19:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ
*]
@SACL=
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6037"
"DeviceInstanceIds"=multi:"\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2528)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\TRAYHOOK.dll
c:\windows\system32\msxm192z.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\blueyonder IST\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2009-08-01 19:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-01 18:58

Pre-Run: 5,035,692,032 bytes free
Post-Run: 5,925,089,280 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

207 --- E O F --- 2009-07-29 12:10

Just noticed "My recent documents" has disappeared from my start menu.


EDIT: Fixed that ^ easily enough with the customize option.


I've burned a CD again now, so it sorted the Nero problem. Having one minor new issue with a lack of automatic loading prompts with CDs in both CD and DVD drives - a blank used to automatically open a box suggesting a program to use (Nero was one), and a full disc used to bring up a window displaying its contents (or asking if you wanted to see them with explorer), but neither are happening now.

Still not getting IE pop-ups or Google re-directs now.

A new IE shortcut icon appeared on my desktop.

The combofix process seemed to add a little bit more disk space to both main (partitioned) drives.

The Start -> All Programs ->
lists (which I rarely use) are down to 2 columns where there were 3 before. The last option is for AV Care.

Edited by dbmx2, 01 August 2009 - 10:53 PM.

It's much safer to have autorun disabled, but if you really want to re-enable it, check this link for instructions to the settings where you can disable or in your case re-enable autorun for your cd's.

http://support.microsoft.com/kb/126025


It does look like we've removed the main infection, but I'd like to have you run a scan to clean up any remnants that are left over.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself.
• Press the OK button to close that box and continue.
• If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Do I remove combofix before or after the MBAM scan?

Don't remove Combofix at this point. We'll take that step later.

MBAM installed fully and ran this time.

I had both Update and Launch checked at the Finish install stage, but it didn't ask me to OK an update.

It didn't ask me to select a drive to scan.

It did need a reboot.

AV Care has now gone from the start -> programs list.


Here's the log:



Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

03/08/2009 23:28:09
mbam-log-2009-08-03 (23-28-09).txt

Scan type: Quick Scan
Objects scanned: 104551
Time elapsed: 10 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\msxm192z.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AV Care (Rogue.AVCare) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msxmlhpr (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Dave\Start Menu\Programs\AV Care (Rogue.AVCare) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msxm192z.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Dave\Start Menu\Programs\AV Care\AV Care.lnk (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave\mpr2.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Edited by dbmx2, 03 August 2009 - 06:28 PM.

Looks pretty good to me. As long as you aren't experiencing any other symptoms I'd say you're good to go!


We need to remove Combofix now that we're done with it.

• Click START then RUN
• Now type Combofix /u in the runbox and click OK
  
  
• 

==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

• Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.
  
  You can find instructions on how to enable and reenable system restore here:
  
  Windows XP System Restore Guide
  
  Renable system restore with instructions from tutorial above
  
  
• Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  See this link for a listing of some online & their stand-alone antivirus programs:
  
  Virus, Spyware, and Malware Protection and Removal Resources
  
  
• Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
  
• Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  
  For a tutorial on Firewalls and a listing of some available ones see the link below:
  
  Understanding and Using Firewalls
  
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
  
  A tutorial on installing & using this product can be found here:
  
  Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  
  
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  A tutorial on installing & using this product can be found here:
  
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Combofix is uninstalled. Should I keep DDS and MBAM?

I'll be uninstalling AVG soon and going with something else (I don't want to upgrade to 8 as I read the free version loses the e-mail scanner and it's supposedly resource intensive) - should I delete everything in its virus vault first or will it take care of itself when I uninstall?

Should I have a firewall besides/instead of the windows XP firewall?

System Restore I turned off some time ago in case it brought back a previous virus. Should I leave it that way or reenable?


One last question specifically about the actual problem I've just had - when I search now for files created at the time it started, there's just one text doucument in C:\WINDOWS named srun. Anything unusual or unwanted? (I didn't knowingly create it)



Many thanks for the help already given getting things back in working order.

Should I keep DDS and MBAM?

I would definitely recommend keeping MBAM. It's an excellent program. As far as DDS, it doesn't really do anything besides create a log file, so you may as well just delete that one.

I'll be uninstalling AVG soon and going with something else (I don't want to upgrade to 8 as I read the free version loses the e-mail scanner and it's supposedly resource intensive) - should I delete everything in its virus vault first or will it take care of itself when I uninstall?

I'm not 100% certain on this, but I believe it will prompt you and ask if you want to delete the files in this virus vault during uninstallation.

Should I have a firewall besides/instead of the windows XP firewall?

For most people the XP firewall is adequate. There are more robust solutions available though if you feel you need the extra protection.

System Restore I turned off some time ago in case it brought back a previous virus. Should I leave it that way or reenable?

This is the perfect time to turn it back on and set a new restore point that you know is clean.

One last question specifically about the actual problem I've just had - when I search now for files created at the time it started, there's just one text doucument in C:\WINDOWS named srun. Anything unusual or unwanted? (I didn't knowingly create it)

Text files by themselves are not malicious and you should even be able to open it up and look at it without any concern. I'm not familiar with the file so I couldn't tell you what it might be associated with.