Another victim of Antivirus System Pro

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will uninstall ComboFix, now download it again without renaming it:

• Download combofix from here
  Link 1
  Link 2
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

now it's telling me that it can't find combofix.

Is combo-fix a background operation that wouldn't show up as an active application on task manager? is it running slowly in the background and i'm being too hasty?

Restart your computer and now see if you can download/run ComboFix.

OK, looks like we are back on track. combofix ran properly after re-instal. here is the log.

ComboFix 09-07-08.04 - Owner 09/07/2009 10:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.242 [GMT 8:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\15d0b0e.msp
c:\windows\Installer\15d0b27.msp
c:\windows\Installer\4ac9b.msp
c:\windows\Installer\4aca3.msp
c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-09 03:04 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-09 03:04 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-08 18:22 . 2009-07-08 18:29 -------- d-----w- C:\Lop SD
2009-07-08 18:12 . 2009-07-08 18:12 -------- d-----w- C:\_OTM
2009-07-08 15:18 . 2009-07-08 15:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-08 15:18 . 2009-06-17 03:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 15:18 . 2009-07-08 15:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 15:18 . 2009-07-08 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-08 15:18 . 2009-06-17 03:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-08 08:05 . 2009-07-08 08:05 -------- d-----w- c:\program files\Trend Micro
2009-07-07 11:35 . 2009-07-07 18:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-07 08:03 . 2009-07-07 08:17 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2009-07-05 13:18 . 2009-07-05 13:27 -------- d-----w- c:\documents and settings\Boys\Local Settings\Application Data\BingoLiner
2009-07-04 01:12 . 2009-06-22 01:03 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-04 01:12 . 2009-06-22 01:02 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-04 01:12 . 2009-06-22 01:02 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-04 01:12 . 2009-06-22 01:02 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-04 01:12 . 2009-06-22 01:02 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-04 01:12 . 2009-06-22 01:02 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-04 01:12 . 2009-07-04 01:09 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-04 01:08 . 2009-06-22 01:02 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-04 01:08 . 2009-06-22 01:02 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-26 00:28 . 2009-07-04 01:10 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-22 03:31 . 2009-06-22 03:31 -------- d-sh--w- c:\windows\ftpcache
2009-06-22 01:14 . 2009-06-14 08:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-22 01:05 . 2009-07-07 20:09 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-22 01:03 . 2009-06-22 01:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-22 01:03 . 2009-06-22 01:03 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-22 01:03 . 2009-07-04 01:10 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-22 01:03 . 2009-06-22 01:03 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-22 01:02 . 2009-07-09 01:54 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-22 01:02 . 2009-06-22 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-22 01:02 . 2009-06-22 01:02 -------- d-----w- c:\program files\AVG
2009-06-22 01:02 . 2009-06-22 09:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-18 11:07 . 2009-06-20 11:49 -------- d-----w- C:\AVG
2009-06-17 01:24 . 2009-06-17 01:24 -------- d-sh--r- C:\Gazma

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 18:08 . 2008-04-29 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-08 18:08 . 2007-01-02 04:21 -------- d-----w- c:\program files\Java
2009-07-08 18:07 . 2009-07-08 18:07 0 ----a-w- c:\windows\system32\REN25.tmp
2009-07-08 18:07 . 2009-07-08 18:07 0 ----a-w- c:\windows\system32\REN24.tmp
2009-07-08 18:07 . 2009-07-08 18:07 0 ----a-w- c:\windows\system32\REN23.tmp
2009-05-23 01:03 . 2009-05-23 01:03 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 02:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-08 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-06 114688]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-04-03 777424]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"BigDogPath"="c:\windows\VM_STI.EXE" [2003-01-21 40960]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-22 1948440]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2002-11-19 46592]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2004-06-29 569344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-22 01:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/06/2009 9:03 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [22/06/2009 9:03 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [22/06/2009 9:02 AM 298776]
R3 ZSMC302;Audio Web Cam 31;c:\windows\system32\drivers\usbvm302.sys [16/02/2007 11:45 PM 90559]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [3/04/2006 6:12 PM 14032]
.
Contents of the 'Scheduled Tasks' folder

2009-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1547161642-1417001333-1004Core.job
- c:\documents and settings\Boys\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-27 09:34]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1547161642-1417001333-1004UA.job
- c:\documents and settings\Boys\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-27 09:34]

2009-07-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 10:12]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_01\bin\jusched.exe
HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.carltonfc.com.au/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.1.11/cfweb_activex.camfrogweb.com-advanced-2.0.1.11_instmodule.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 11:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-07-09 11:17
ComboFix-quarantined-files.txt 2009-07-09 03:15

Pre-Run: 15,346,884,608 bytes free
Post-Run: 16,828,112,896 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

155 --- E O F --- 2009-07-07 05:51

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint

File::
c:\windows\system32\REN25.tmp
c:\windows\system32\REN24.tmp
c:\windows\system32\REN23.tmp

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

I'm gettin good at this!!! LOL ok, here is the log

ComboFix 09-07-08.04 - Owner 09/07/2009 12:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.286 [GMT 8:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\REN23.tmp"
"c:\windows\system32\REN24.tmp"
"c:\windows\system32\REN25.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\windows\system32\REN23.tmp
c:\windows\system32\REN24.tmp
c:\windows\system32\REN25.tmp

.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-09 03:04 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-09 03:04 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-08 18:22 . 2009-07-08 18:29 -------- d-----w- C:\Lop SD
2009-07-08 18:12 . 2009-07-08 18:12 -------- d-----w- C:\_OTM
2009-07-08 15:18 . 2009-07-08 15:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-08 15:18 . 2009-06-17 03:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 15:18 . 2009-07-08 15:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 15:18 . 2009-07-08 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-08 15:18 . 2009-06-17 03:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-08 08:05 . 2009-07-08 08:05 -------- d-----w- c:\program files\Trend Micro
2009-07-07 11:35 . 2009-07-07 18:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-07 08:03 . 2009-07-07 08:17 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2009-07-05 13:18 . 2009-07-05 13:27 -------- d-----w- c:\documents and settings\Boys\Local Settings\Application Data\BingoLiner
2009-07-04 01:12 . 2009-06-22 01:03 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-04 01:12 . 2009-06-22 01:02 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-04 01:12 . 2009-06-22 01:02 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-04 01:12 . 2009-06-22 01:02 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-04 01:12 . 2009-06-22 01:02 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-04 01:12 . 2009-06-22 01:02 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-04 01:12 . 2009-07-04 01:09 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-04 01:08 . 2009-06-22 01:02 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-04 01:08 . 2009-06-22 01:02 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-26 00:28 . 2009-07-04 01:10 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-22 03:31 . 2009-06-22 03:31 -------- d-sh--w- c:\windows\ftpcache
2009-06-22 01:14 . 2009-06-14 08:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-22 01:05 . 2009-07-07 20:09 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-22 01:03 . 2009-06-22 01:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-22 01:03 . 2009-06-22 01:03 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-22 01:03 . 2009-07-04 01:10 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-22 01:03 . 2009-06-22 01:03 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-22 01:02 . 2009-07-09 01:54 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-22 01:02 . 2009-06-22 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-22 01:02 . 2009-06-22 01:02 -------- d-----w- c:\program files\AVG
2009-06-22 01:02 . 2009-06-22 09:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-18 11:07 . 2009-06-20 11:49 -------- d-----w- C:\AVG
2009-06-17 01:24 . 2009-06-17 01:24 -------- d-sh--r- C:\Gazma

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 18:08 . 2007-01-02 04:21 -------- d-----w- c:\program files\Java
2009-05-23 01:03 . 2009-05-23 01:03 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 02:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-08 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-06 114688]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-04-03 777424]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"BigDogPath"="c:\windows\VM_STI.EXE" [2003-01-21 40960]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-22 1948440]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2002-11-19 46592]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2004-06-29 569344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-22 01:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/06/2009 9:03 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [22/06/2009 9:03 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [22/06/2009 9:02 AM 298776]
R3 ZSMC302;Audio Web Cam 31;c:\windows\system32\drivers\usbvm302.sys [16/02/2007 11:45 PM 90559]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [3/04/2006 6:12 PM 14032]
.
Contents of the 'Scheduled Tasks' folder

2009-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1547161642-1417001333-1004Core.job
- c:\documents and settings\Boys\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-27 09:34]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1547161642-1417001333-1004UA.job
- c:\documents and settings\Boys\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-27 09:34]

2009-07-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 10:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.carltonfc.com.au/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.1.11/cfweb_activex.camfrogweb.com-advanced-2.0.1.11_instmodule.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 12:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-07-09 12:46
ComboFix-quarantined-files.txt 2009-07-09 04:44
ComboFix2.txt 2009-07-09 03:17

Pre-Run: 16,814,211,072 bytes free
Post-Run: 16,846,454,784 bytes free

144 --- E O F --- 2009-07-07 05:51

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Malwarebytes' Anti-Malware 1.38
Database version: 2393
Windows 5.1.2600 Service Pack 3

9/07/2009 1:19:31 PM
mbam-log-2009-07-09 (13-19-31).txt

Scan type: Quick Scan
Objects scanned: 100565
Time elapsed: 6 minute(s), 15 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Hello.
This should be fine now, how is the machine running?

Hi yes it does thanks.

Can I thank both you and origin very much for ur help. I'm not in a financial position to be able to afford to go to a computer shop, so U saved my arse!!

I have already started telling everyone about geekpolice!!! Thanks again. I hope I'm not a repeat customer! hahaha

Cheers!

There is just one thing, I have just found that I can't turn my firewall back on??? Any ideas?

Hello.
Did you buy the pro version of Windows Defender or AVG8?

Hi again, No, I only have the free version of AVG, and I think defender was on the comp with XP when I got it, but I don't think defender is working, when I boot the comp each time it has a message saying "Application failed to initialize:0x800106ba. A problem caused Windows Defender Service to stop. To start the service, restart your computer or search help and support on how to start a service manually"

Uninstall Windows Defender then, probably corrupted from the malware.

Is defender worth re-installing?

Yeah, re-install it, see if it runs normally now.