Everyday I find a new trojan?


This topic is locked
3 replies to this topic

#1 xXConfusedXx

  • Members
  • 2 posts

Posted 03 December 2009 - 01:55 AM

[Sorry for posting here, I just noticed that we aren't supposed to post logs in this section. Please don't delete my thread, move it to the proper section if possible, thanks and sorry once again -Juan]

I want to just say Hi and thanks to all those who take the time to read this post and reply. I'm in love with the tech tips on this site, which is the reason I now come to you all in need of help.

Recently I was infected with the 'Anti-virus Plus' malware, but found a topic on the forum dealing with the removal and it worked wonderfully. I admit that the reason I even got the malware/worms on my PC was because I edited my TCP/IP file and bumped my half-open connections limit up to 500, but since the infection I have replaced it back to the original half-open connections of 10.

But while it was up around 500, I had restarted my PC and forgot that I left uTorrent to start up with Windows, and I'm assuming that's how I got that Anti-Virus Plus and all the other little nasty worms and Trojans on my PC. I used the 'Malwarebytes Anti-Malware' program and it detected over 100 infections on my PC. It erased them all, or at least I thought it did. After that restart I ran the Dr.Web virus scanner and it picked up about 20 more infections and removed them all. Then I ran my AVG 9.0 virus scanner and it found a few more. I ran Malwarebytes again to see if anything was detected, and it came out clean. My Dr.Web comes out clean, but every now and then my AVG Resident Shield tends to pick up 1-5 infections, usually located in my System Volume folder, every day. No matter how many times I run the virus scanners, it shows that my PC is clean.

I have Windows XP with fully updated SP3, an AMD Athlon 64 X2 dual-core processor, with AVG 9.0, Spyware Blaster, Windows Defender, and Peer Guardian 2 with an updated IP blocklist.

I added the AVG 9.0, Malwarebytes, and ComboFix results so that you guys can take a look. NOTICE: Malwarebytes and Dr.Web currently show my PC as being "Clean". AVG 9.0 scans clean as well; it's just that the Resident Shield pops up 1-5 times a day deleting trojans that I had no clue were on my system.


Main Question:
So does my PC have a serious virus on it? If not, why does my Resident Shield continue to delete trojans and worms after clearly showing that no viruses were found on my system?


AVG 9.0 Virus Vault Results

As you can see, I just recently added 6 more to my Virus Vault in the middle of typing this post.

"PUP";"Potentially harmful program HackTool.AB";"F:\Papo\Updates and Program Files\EvID4226Patch223d-en.zip";"";"11/26/2009, 5:53:58 AM"
"Infection";"May be infected by unknown virus Win32/DH.CAFF820048";"F:\resycled\boot.com";"";"11/26/2009, 6:05:05 AM"
"Infection";"Virus found Worm/AutoRun";"D:\autorun.inf";"";"11/26/2009, 3:59:40 PM"
"PUP";"Potentially harmful program HackTool.AB";"C:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP71\A0017022.exe";"";"11/27/2009, 12:30:28 PM"
"PUP";"Potentially harmful program HackTool.AB";"C:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP71\A0017029.exe";"";"11/27/2009, 3:47:07 PM"
"Infection";"May be infected by unknown virus Win32/DH.CAFF820048";"F:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP71\A0017031.com";"";"11/27/2009, 6:23:06 PM"
"PUP";"Potentially harmful program HackTool.AB";"C:\Documents and Settings\Juan Serafin\Desktop\EvID4226Patch223d-en\EvID4226Patch.exe";"";"11/30/2009, 5:58:15 PM"
"PUP";"Potentially harmful program HackTool.AB";"C:\Documents and Settings\Juan Serafin\Desktop\EvID4226Patch223d-en.zip";"";"11/30/2009, 5:58:19 PM"
"PUP";"Potentially harmful program HackTool.AB";"C:\RECYCLER\S-1-5-21-1123561945-1757981266-725345543-1004\Dc1.zip";"";"11/30/2009, 6:10:52 PM"
"Infection";"Trojan horse SHeur2.BVVA";"C:\Documents and Settings\Juan Serafin\Local Settings\Temporary Internet Files\Content.IE5\3ICGTFDH\SetupAdvancedVirusRemover[1].exe";"";"11/30/2009, 8:23:52 PM"
"Infection";"Trojan horse Generic15.BVUZ";"C:\Documents and Settings\Juan Serafin\Local Settings\Temp\avgavi.exe";"";"11/30/2009, 8:23:55 PM"
"Infection";"May be infected by unknown virus Win32/DH.CAFF820048";"F:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP25\A0015012.com";"";"12/1/2009, 12:29:55 AM"
"Infection";"Virus found Worm/AutoRun";"F:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP25\A0015011.inf";"";"12/1/2009, 12:29:56 AM"
"Infection";"Virus found Worm/AutoRun";"F:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP25\A0015014.inf";"";"12/1/2009, 12:29:56 AM"
"PUP";"Potentially harmful program HackTool.AB";"C:\RECYCLER\S-1-5-21-1123561945-1757981266-725345543-1004\Dc13\EvID4226Patch.exe";"";"12/1/2009, 3:14:11 AM"
"PUP";"Potentially harmful program HackTool.AB";"C:\RECYCLER\S-1-5-21-1123561945-1757981266-725345543-1004\Dc14\EvID4226Patch.exe";"";"12/1/2009, 3:14:37 AM"
"PUP";"Potentially harmful program HackTool.AB";"C:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP75\A0022409.exe";"";"12/1/2009, 10:21:29 AM"
"PUP";"Potentially harmful program HackTool.AB";"C:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP75\A0022410.exe";"";"12/1/2009, 10:21:29 AM"
"Infection";"Trojan horse Generic_c.ARNS";"C:\Program Files\CIB\RYL\Login.exe";"";"12/2/2009, 12:47:26 AM"
"Infection";"Trojan horse SHeur2.BVXM";"C:\RECYCLER\S-1-5-21-1123561945-1757981266-725345543-1004\Dc20.exe";"";"12/2/2009, 12:47:58 AM"
"Infection";"Trojan horse Generic13.BVWU";"C:\Program Files\CIB\RYL\csrss.exe";"";"12/2/2009, 12:50:26 AM"
"Infection";"Trojan horse Generic15.BXOW";"C:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP75\A0022425.exe";"";"12/2/2009, 9:11:10 AM"
"Infection";"Trojan horse SHeur2.BVXM";"C:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP75\A0023536.exe";"";"12/2/2009, 9:12:32 AM"
"Infection";"Trojan horse Downloader.Generic9.VQA";"C:\WINDOWS\system32\yudovulu.exe";"";"12/2/2009, 10:33:21 PM"
"Infection";"Trojan horse Downloader.Generic9.VQA";"C:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP77\A0030669.exe";"";"12/3/2009, 1:12:08 PM"
"Infection";"Trojan horse Downloader.Generic9.VQA";"C:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP73\A0022208.exe";"";"12/3/2009, 1:29:15 PM"
"Infection";"Trojan horse Downloader.Generic9.VQA";"C:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP73\A0021208.exe";"";"12/3/2009, 1:29:15 PM"
"Infection";"Trojan horse Downloader.Generic9.VQA";"C:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP73\A0020207.exe";"";"12/3/2009, 1:29:15 PM"
"Infection";"Trojan horse Downloader.Generic9.VQA";"C:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP73\A0019208.exe";"";"12/3/2009, 1:29:16 PM"
"Infection";"Trojan horse Downloader.Generic9.VQA";"C:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP73\A0018208.exe";"";"12/3/2009, 1:29:16 PM"

These are the Malwarebytes Anti-Malware results from the 1st scan...

Malwarebytes' Anti-Malware 1.41
Database version: 3264
Windows 5.1.2600 Service Pack 3

11/30/2009 8:06:02 PM
mbam-log-2009-11-30 (20-06-02).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 203771
Time elapsed: 1 hour(s), 2 minute(s), 35 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 4
Registry Keys Infected: 7
Registry Values Infected: 14
Registry Data Items Infected: 20
Folders Infected: 4
Files Infected: 66

Memory Processes Infected:
C:\Documents and Settings\Juan Serafin\Application Data\Microsoft\svchost.exe (Trojan.VbBinder) -> Failed to unload process.
C:\Program Files\AdvancedVirusRemover\AVR.exe (Rogue.AdvancedVirusRemover) -> Unloaded process successfully.
C:\WINDOWS\System.exe (Worm.AutoRun) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\nunawula.dll (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\system32\mibasiwa.dll (Trojan.FakeAlert) -> Delete on reboot.
c:\WINDOWS\system32\pibosuse.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vebayene.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5586ab48-c0aa-462a-8fc0-44a9797d655b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2bc390ae-6494-48b1-b462-614489916e85} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{efbb6d22-54d7-4d7a-b7b1-aa498c9794e8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c2b5aab8-2183-4be7-81a6-f11493c45872} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2b5aab8-2183-4be7-81a6-f11493c45872} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2b5aab8-2183-4be7-81a6-f11493c45872} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AVR (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jilavedig (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{5586ab48-c0aa-462a-8fc0-44a9797d655b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\jikodiwat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{2bc390ae-6494-48b1-b462-614489916e85} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\heluzemin (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{efbb6d22-54d7-4d7a-b7b1-aa498c9794e8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\daletojek (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.VbBinder) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advanced virus remover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msn messanger (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Plus (Rogue.Antivirus Plus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Plus (Rogue.Antivirus Plus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\mibasiwa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: system32\mibasiwa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\pibosuse.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\pibosuse.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon86.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon86.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\winlogon86.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1d93f74c-dde6-4a4c-886e-bbef70de85ef}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{312a578d-6813-4c38-9593-9da99effa38f}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1d93f74c-dde6-4a4c-886e-bbef70de85ef}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{312a578d-6813-4c38-9593-9da99effa38f}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1d93f74c-dde6-4a4c-886e-bbef70de85ef}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{312a578d-6813-4c38-9593-9da99effa38f}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.182 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AdvancedVirusRemover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Start Menu\Programs\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Application Data\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\pibosuse.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nunawula.dll (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\system32\mibasiwa.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\vebayene.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Juan Serafin\Application Data\Microsoft\svchost.exe (Trojan.VbBinder) -> Delete on reboot.
C:\Documents and Settings\Juan Serafin\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\cvshned.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\dgkb.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\mslc.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\ttbwnfj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Local Settings\Temp\lanmgr.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Local Settings\Temp\eraseme_38716.exe (Trojan.VbBinder) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Local Settings\Temp\eraseme_41314.exe (Trojan.VbBinder) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Local Settings\Temporary Internet Files\Content.IE5\3ICGTFDH\logo[1].htm (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Local Settings\Temporary Internet Files\Content.IE5\43KUH1G3\avplus[1].dll (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Local Settings\Temporary Internet Files\Content.IE5\AVCDPPPZ\MyBot[1].exe (Trojan.VbBinder) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Local Settings\Temporary Internet Files\Content.IE5\AVCDPPPZ\MYBOT[2].exe (Trojan.VbBinder) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Local Settings\Temporary Internet Files\Content.IE5\C0AP0CXK\tmcerfsg[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Local Settings\Temporary Internet Files\Content.IE5\C0AP0CXK\tmcerfsg[2].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Local Settings\Temporary Internet Files\Content.IE5\C0AP0CXK\dfghfghgfj[1].dll (Trojan.Fakeinit) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C7313-2445-4B58-A1AF-B9B3E3536BE0}\RP73\A0018220.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dolamege.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fibetehe.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mawozajo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mehoyosu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vubayeti.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vulutena.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper86.dll (Trojan.Fakeinit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\renepupu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zijubeha.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zukofazi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jamoyiye.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\77276336-d59f-4baa-889d-80df5c07cf90.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\697da727-2075-4aa4-9af9-c59403d6e938.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\c80f86f3-2454-4773-b047-4cd0791105a7.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
F:\RECYCLER\S-1-5-21-1417001333-1275210071-725345543-1003\De1\explorer.exe (Worm.Autorun.B ) -> Quarantined and deleted successfully.
F:\RECYCLER\S-1-5-21-1417001333-1275210071-725345543-1003\De1\system32\userinit.exe (Worm.Autorun.B ) -> Quarantined and deleted successfully.
F:\RECYCLER\S-1-5-21-1417001333-1275210071-725345543-1003\De1\system32\csrss.exe (Worm.Autorun.B ) -> Quarantined and deleted successfully.
F:\RECYCLER\S-1-5-21-1417001333-1275210071-725345543-1003\De1\system32\dllhost.exe (Worm.Autorun.B ) -> Quarantined and deleted successfully.
F:\RECYCLER\S-1-5-21-1417001333-1275210071-725345543-1003\De1\system32\lsass.exe (Worm.Autorun.B ) -> Quarantined and deleted successfully.
F:\RECYCLER\S-1-5-21-1417001333-1275210071-725345543-1003\De1\system32\services.exe (Worm.Autorun.B ) -> Quarantined and deleted successfully.
F:\RECYCLER\S-1-5-21-1417001333-1275210071-725345543-1003\De1\system32\rundll32.exe (Worm.Autorun.B ) -> Quarantined and deleted successfully.
F:\RECYCLER\S-1-5-21-1417001333-1275210071-725345543-1003\De1\system32\smss.exe (Worm.Autorun.B ) -> Quarantined and deleted successfully.
F:\RECYCLER\S-1-5-21-1417001333-1275210071-725345543-1003\De1\system32\svchost.exe (Worm.Autorun.B ) -> Quarantined and deleted successfully.
F:\RECYCLER\S-1-5-21-1417001333-1275210071-725345543-1003\De1\system32\winlogon.exe (Worm.Autorun.B ) -> Quarantined and deleted successfully.
F:\RECYCLER\S-1-5-21-789336058-507921405-1957994488-1004\Dg1\i386\system32\smss.exe (Worm.Autorun.B ) -> Quarantined and deleted successfully.
C:\Program Files\AdvancedVirusRemover\AVR.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus\EULA.url (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Start Menu\Programs\AntiVirus Plus\EULA.url (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winupdate86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\systerm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Application Data\avp.ico (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Desktop\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Desktop\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Start Menu\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Start Menu\Programs\Startup\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\loluwuke.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\System.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Juan Serafin\Local Settings\Temp\managerapp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

I ran ComboFix just recently (this is after I re-scanned and Malwarebytes/Dr.Web come out clean)

ComboFix 09-12-02.05 - Juan Serafin 12/02/2009 23:24.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.362 [GMT -5:00]
Running from: c:\documents and settings\Juan Serafin\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\6334.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\nonowoda.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\Tasks\lcfhbenj.job
F:\resycled

.
((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

2009-12-03 03:30 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-03 03:08 . 2009-12-03 03:08 -------- d-----w- c:\program files\Windows Defender
2009-12-01 16:26 . 2009-12-02 17:07 -------- d-----w- c:\program files\SpywareBlaster
2009-12-01 06:46 . 2009-12-01 06:46 152576 ----a-w- c:\documents and settings\Juan Serafin\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-01 06:45 . 2009-12-01 06:45 79488 ----a-w- c:\documents and settings\Juan Serafin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-30 23:57 . 2009-11-30 23:57 -------- d-----w- c:\documents and settings\Juan Serafin\Application Data\Malwarebytes
2009-11-30 23:54 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-30 23:54 . 2009-12-01 01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 23:54 . 2009-11-30 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-30 23:54 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 22:35 . 2009-12-03 04:38 920 ----a-w- c:\windows\system32\ATIDHC.dat
2009-11-30 22:35 . 2009-12-03 04:38 920 ----a-w- c:\windows\system32\pstorsvb.dat
2009-11-30 22:35 . 2009-12-03 04:38 912 ----a-w- c:\windows\system32\wuauenn1.dat
2009-11-30 22:35 . 2009-12-03 04:36 0 ----a-w- c:\windows\system32\kbdnzcd.dat
2009-11-30 22:02 . 2009-12-03 04:41 328 ----a-w- c:\windows\system32\adsnh.dat
2009-11-30 22:02 . 2009-12-03 04:41 2384 ----a-w- c:\windows\system32\wuauengq.dat
2009-11-30 22:02 . 2009-12-03 04:41 2384 ----a-w- c:\windows\system32\mfc4lu.dat
2009-11-30 22:02 . 2009-12-03 04:40 0 ----a-w- c:\windows\system32\ntmsrvt.dat
2009-11-30 22:02 . 2009-11-30 22:43 294 ----a-w- c:\windows\system32\kbdest.dat
2009-11-26 19:47 . 2009-11-26 19:47 -------- d-----w- c:\program files\uTorrent
2009-11-26 19:46 . 2009-11-30 18:06 -------- d-----w- c:\documents and settings\Juan Serafin\Application Data\uTorrent
2009-11-26 19:45 . 2009-11-26 19:48 -------- d-----w- c:\program files\BitLord
2009-11-26 19:39 . 2009-12-02 05:56 361600 -c--a-w- c:\windows\system32\dllcache\tcpip.sys
2009-11-26 10:11 . 2009-11-26 10:07 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-26 10:11 . 2009-11-26 10:07 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-26 10:10 . 2009-11-26 10:07 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-26 10:10 . 2009-11-26 10:07 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-26 10:08 . 2009-11-26 10:25 -------- d-----w- C:\$AVG
2009-11-26 10:07 . 2009-11-26 10:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-26 10:07 . 2009-11-26 10:07 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-26 10:07 . 2009-11-26 10:07 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-26 10:07 . 2009-11-26 10:07 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-26 10:07 . 2009-12-02 22:43 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-26 10:07 . 2009-11-26 10:07 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-26 10:07 . 2009-11-26 10:07 -------- d-----w- c:\program files\AVG
2009-11-26 09:33 . 2009-12-01 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-26 08:43 . 2009-11-26 08:43 98048400 ----a-w- C:\AVG_90_707a1765.exe
2009-11-26 07:59 . 2009-11-26 07:59 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-26 07:59 . 2007-10-09 18:13 38144 ----a-w- c:\windows\system32\drivers\EAPPkt.sys
2009-11-26 07:59 . 2009-11-26 07:59 -------- d-----w- c:\program files\TRENDnet
2009-11-26 07:59 . 2008-05-21 19:38 465664 ----a-w- c:\windows\system32\drivers\rtl8190p.sys
2009-11-26 07:59 . 2009-11-26 07:59 -------- d-----w- c:\documents and settings\Juan Serafin\Application Data\InstallShield
2009-11-24 21:55 . 2009-11-24 21:55 -------- d-----w- c:\windows\Sun
2009-11-24 07:32 . 2009-11-24 07:32 -------- d-----w- c:\documents and settings\Juan Serafin\DoctorWeb
2009-11-19 10:11 . 2009-11-19 11:30 -------- d-----w- c:\program files\WMCap
2009-11-19 08:20 . 2009-11-20 04:18 -------- d-----w- c:\documents and settings\Juan Serafin\Local Settings\Application Data\Yahoo
2009-11-19 08:18 . 2009-11-10 19:39 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-11-19 07:37 . 2009-11-19 07:37 -------- d-----w- c:\documents and settings\Juan Serafin\Local Settings\Application Data\Yahoo!
2009-11-19 07:37 . 2009-11-20 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-11-19 07:37 . 2009-11-19 08:20 -------- d-----w- c:\documents and settings\Juan Serafin\Application Data\Yahoo!
2009-11-19 07:37 . 2009-11-19 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-11-19 07:32 . 2009-11-19 08:18 -------- d-----w- c:\program files\Yahoo!
2009-11-19 06:25 . 2009-10-11 09:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-19 06:25 . 2009-12-01 06:46 -------- d-----w- c:\program files\Java
2009-11-19 06:25 . 2009-11-19 06:25 152576 ----a-w- c:\documents and settings\Juan Serafin\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-11-19 06:25 . 2009-12-01 16:12 -------- d-----w- c:\program files\PeerGuardian2
2009-11-19 06:23 . 2009-11-26 08:14 -------- d-----w- c:\program files\LimeWire
2009-11-19 06:22 . 2009-11-19 06:22 -------- d-----w- c:\program files\MP3SPLITTER
2009-11-06 22:37 . 2009-11-19 03:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-06 22:32 . 2009-11-06 22:33 -------- d-----w- C:\Adobe Photoshop Elements
2009-11-06 22:25 . 2009-11-08 17:52 -------- d-----w- c:\documents and settings\Juan Serafin\Application Data\Ahead
2009-11-06 22:24 . 2009-11-06 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-11-06 22:23 . 2009-11-06 22:24 -------- d-----w- c:\program files\Common Files\Ahead
2009-11-06 22:23 . 2009-11-06 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-11-06 22:23 . 2009-11-06 22:23 -------- d-----w- c:\program files\Nero
2009-11-06 22:09 . 2009-11-06 22:09 -------- d-sh--w- c:\documents and settings\Juan Serafin\IETldCache
2009-11-06 22:02 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-06 22:02 . 2009-11-06 22:02 -------- d-----w- c:\windows\ie8updates
2009-11-06 22:01 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-06 22:01 . 2009-08-29 08:08 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-06 22:01 . 2009-08-29 08:08 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-06 22:01 . 2009-08-29 08:08 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-11-06 22:01 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-06 22:01 . 2009-08-29 08:08 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-11-06 22:01 . 2006-10-27 00:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2009-11-06 22:01 . 2006-10-27 00:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-11-06 22:00 . 2009-11-06 22:01 -------- dc-h--w- c:\windows\ie8
2009-11-06 22:00 . 2009-11-06 22:00 -------- d-----w- c:\program files\Microsoft Works
2009-11-06 21:59 . 2009-11-06 21:59 -------- d-----w- c:\program files\Microsoft.NET
2009-11-06 21:58 . 2009-11-06 21:58 -------- d-----w- c:\windows\SHELLNEW
2009-11-06 21:57 . 2009-11-06 21:57 -------- d-----w- c:\documents and settings\Juan Serafin\Local Settings\Application Data\Microsoft Help
2009-11-06 21:57 . 2009-11-20 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-06 21:57 . 2009-11-06 21:57 -------- d-----r- C:\MSOCache
2009-11-06 21:42 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-06 21:35 . 2009-11-06 21:35 -------- d-----w- c:\program files\directx
2009-11-06 21:29 . 2009-11-19 01:15 -------- d-----w- c:\program files\CIB
2009-11-06 20:52 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-11-06 20:43 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-11-06 20:43 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-11-06 20:43 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-11-06 20:43 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-11-06 20:43 . 2008-04-13 18:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-11-06 20:43 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-11-06 20:43 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-11-06 20:43 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-11-06 20:41 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-11-06 20:41 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-11-06 20:41 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-11-06 20:41 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-11-06 20:41 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-11-06 20:41 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-11-06 20:41 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-11-06 20:41 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-11-06 20:41 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-11-06 20:41 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-06 20:41 . 2009-08-05 01:44 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-11-06 20:41 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-06 20:40 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-11-06 20:39 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-11-06 20:39 . 2009-12-03 04:40 -------- d-----w- c:\documents and settings\Juan Serafin\Tracing
2009-11-06 20:39 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-06 20:38 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-11-06 20:38 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-11-06 20:38 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-11-06 20:38 . 2009-11-06 20:48 -------- d-----w- c:\windows\SxsCaPendDel
2009-11-06 20:38 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-11-06 20:37 . 2009-11-06 20:37 -------- d-----w- c:\program files\Microsoft
2009-11-06 20:37 . 2009-11-06 20:37 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-06 20:36 . 2009-11-06 20:38 -------- d-----w- c:\program files\Windows Live
2009-11-06 20:32 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-11-06 20:32 . 2009-07-31 04:35 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-11-06 20:31 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-06 20:31 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-11-06 20:27 . 2009-11-06 20:27 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-06 19:55 . 2009-11-06 19:55 -------- d-----w- c:\windows\system32\scripting

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-03 04:41 . 2009-11-19 06:26 -------- d-----w- c:\documents and settings\Juan Serafin\Application Data\LimeWire
2009-12-02 05:56 . 2002-08-29 12:00 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-11-26 16:24 . 2009-11-26 16:24 8 ----a-w- c:\windows\system32\SystemDirectory.tmp
2009-11-26 07:59 . 2009-11-05 23:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-24 07:13 . 2009-11-24 07:13 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-11-19 00:18 . 2009-11-19 00:18 -------- d-----w- c:\program files\MSXML 4.0
2009-11-06 22:41 . 2009-11-05 23:51 30616 ----a-w- c:\documents and settings\Juan Serafin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-06 22:39 . 2009-11-06 22:39 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-11-06 22:37 . 2009-11-06 22:37 -------- d-----w- c:\windows\Fonts\Fonts
2009-11-06 22:37 . 2009-11-06 22:37 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-11-06 22:37 . 2009-11-06 22:37 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-11-06 22:37 . 2009-11-06 22:37 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-11-06 22:37 . 2009-11-06 22:37 129784 ------w- c:\windows\system32\pxafs.dll
2009-11-06 22:37 . 2009-11-06 22:37 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-11-06 22:37 . 2009-11-06 22:37 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-06 21:17 . 2009-11-06 21:17 -------- d-----w- c:\program files\MSBuild
2009-11-06 21:17 . 2009-11-06 21:17 -------- d-----w- c:\program files\Reference Assemblies
2009-11-06 19:56 . 2009-11-05 23:27 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-11-06 03:07 . 2009-11-06 03:07 -------- d-----w- c:\program files\Analog Devices
2009-11-05 23:58 . 2009-11-05 23:58 0 ----a-w- c:\windows\ativpsrm.bin
2009-11-05 23:56 . 2009-11-05 23:56 -------- d-----w- c:\program files\VideoLAN
2009-11-05 23:55 . 2009-11-05 23:53 -------- d-----w- c:\program files\ATI Technologies
2009-11-05 23:54 . 2009-11-05 23:53 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-05 23:28 . 2009-11-05 23:28 -------- d-----w- c:\program files\microsoft frontpage
2009-11-05 23:28 . 2009-11-05 23:28 558142 ----a-w- c:\windows\java\Packages\R53Z3PNT.ZIP
2009-11-05 23:28 . 2009-11-05 23:28 2678 ----a-w- c:\windows\java\Packages\Data\CRNHNPV1.DAT
2009-11-05 23:27 . 2009-11-05 23:27 2678 ----a-w- c:\windows\java\Packages\Data\A3R531ZJ.DAT
2009-11-05 23:27 . 2009-11-05 23:27 155995 ----a-w- c:\windows\java\Packages\FXBJLB7T.ZIP
2009-11-05 23:27 . 2009-11-05 23:27 2678 ----a-w- c:\windows\java\Packages\Data\NZLRRJX7.DAT
2009-11-05 23:27 . 2009-11-05 23:27 2678 ----a-w- c:\windows\java\Packages\Data\7FF35Z9F.DAT
2009-11-05 23:27 . 2009-11-05 23:27 2678 ----a-w- c:\windows\java\Packages\Data\1R1RN3ZF.DAT
2009-11-05 23:26 . 2009-11-05 23:26 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-25 05:37 . 2009-09-25 05:37 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:18 . 2002-08-29 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 6DD101794AEB73CD49F78DAD7611E868 . 617472 . . [5.82] . . c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2008-04-14 . 6DD101794AEB73CD49F78DAD7611E868 . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[7] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\$NtServicePackUninstall$\comctl32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\kbdest]
@="{99218C98-5F3D-527D-932D-E9D436FEB51F}"
[HKEY_CLASSES_ROOT\CLSID\{99218C98-5F3D-527D-932D-E9D436FEB51F}]
2002-08-29 12:00 131072 ----a-w- c:\windows\system32\kbdest.ocx

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Aim"="c:\program files\AIM\aim.exe" [2009-10-01 3634024]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-19 868352]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-11-30 1312080]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-26 2020120]

c:\documents and settings\Juan Serafin\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-641PC_TEW-643PI\WlanCU.exe [2009-11-26 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-26 10:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/26/2009 5:07 AM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/26/2009 5:07 AM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/26/2009 5:07 AM 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/26/2009 5:07 AM 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/26/2009 5:07 AM 285392]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [11/26/2009 2:59 AM 38144]
R2 WLNdis50;WLan NDIS 5.0 I/O Control;c:\windows\system32\drivers\WLNdis50.sys [11/18/2009 5:58 PM 20480]
R3 rtl8190p;TRENDnet Wireless N PC Card/PCI Adapter Driver;c:\windows\system32\drivers\rtl8190p.sys [11/26/2009 2:59 AM 465664]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Juan Serafin\Application Data\Mozilla\Firefox\Profiles\h4kzsi0e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Juan Serafin\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-NVIDIA Drivers - c:\windows\system32\nvuide.exe UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 23:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5600)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-12-02 23:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-03 04:43

Pre-Run: 99,668,983,808 bytes free
Post-Run: 99,768,774,656 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /usepmtimer
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - AF95119F62E76CDCE5DF114819820314

Edited by xXConfusedXx, 03 December 2009 - 02:07 AM.




#2 xXConfusedXx

xXConfusedXx
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 03 December 2009 - 02:51 PM

Any help on this matter, please?

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper, and sometimes the operating system, that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone who is not familiar with your issue to assist you and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is that doing so would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to two weeks or perhaps less, to get a response, but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 03 December 2009 - 11:23 PM.


#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:10:42 AM

Posted 16 December 2009 - 02:09 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random, which includes a HijackThis log, and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:10:42 AM

Posted 26 December 2009 - 02:47 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.



