WiredWX Christian Hobby Weather Tools

Re: Win32/Cryptor

It's alright, I just wanted to check if you were running more than one AV. Tell me, which AV do you have on your system? I am asking this because ComboFix shows two anti-viruses, AVG 8 and Kaspersky.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Win32/Cryptor - Anti-Virus

Hello,

I saw that in the report too! I'm only running AVG Anti-Virus 8.5 on my system. No idea where the Kaspersky thing came from.

Hope this helps.

mday01376

Re: Win32/Cryptor

No worries, please do the following:

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
c:\users\Mark & Adriana\AppData\Local\Little_Apps_(http___www.l

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=-
Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot: dragging CFScript.txt onto ComboFix]

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


ComboFix Log 1 of 2

Hello there,

Been away from laptop for a couple of days. I think we're making progress, as the Bad Image error messages were less prevalent than previously. Here's the Combofix log:


ComboFix 09-08-03.A2 - Mark & Adriana 04/08/2009 7:48.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.1330 [GMT -6:00]
Running from: c:\users\Mark & Adriana\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Mark & Adriana\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.dat
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.lan
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.msi
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.par
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.res
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\instance.dat
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\mia.lib
c:\users\Mark & Adriana\AppData\Local\Little_Apps_(http___www.l
c:\users\Mark & Adriana\AppData\Local\Little_Apps_(http___www.l\Little_Registry_Cleaner.e_Url_xdygii0eex4buydfojhmrm2cgozfjg1s\1.3.3481.23265\user.config

.
((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
.

2009-07-30 03:08 . 2009-08-01 01:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-30 03:08 . 2009-08-01 01:02 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-07-30 02:45 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-30 02:41 . 2009-07-30 02:44 -------- d-----w- c:\progra~2\Lavasoft
2009-07-30 02:41 . 2009-07-30 02:41 -------- d-----w- c:\program files\Lavasoft
2009-07-30 02:05 . 2009-07-30 02:05 -------- d-----w- c:\program files\FileHippo.com
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Malwarebytes
2009-07-28 11:57 . 2009-07-13 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\progra~2\Malwarebytes
2009-07-28 11:57 . 2009-07-13 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 04:03 . 2009-07-25 04:58 -------- d-----w- c:\program files\Common Files\Little Registry Cleaner
2009-07-25 04:03 . 2009-07-25 04:03 -------- d-----w- c:\program files\Little Registry Cleaner
2009-07-25 03:45 . 2009-07-25 03:52 -------- d-----w- c:\program files\Registry Clean Expert
2009-07-21 03:42 . 2009-07-21 03:42 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Foxit
2009-07-21 03:42 . 2009-07-21 03:42 -------- d-----w- c:\program files\Foxit Software
2009-07-21 03:36 . 2009-07-21 03:36 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\iExpert Software
2009-07-15 14:14 . 2009-07-15 14:18 -------- d-----w- c:\progra~2\Ten Thumbs Typing Tutor
2009-07-15 14:12 . 2009-07-15 14:12 -------- d-----w- c:\program files\Ten Thumbs Typing Tutor 4.7
2009-07-14 18:06 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-14 18:06 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-14 18:06 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-14 18:06 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-14 18:06 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-04 11:37 . 2007-12-28 00:56 -------- d-----w- c:\progra~2\Google Updater
2009-08-01 02:11 . 2008-12-03 04:01 -------- d-----w- c:\progra~2\Avg8
2009-07-31 01:36 . 2008-09-10 07:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-30 01:48 . 2007-08-22 20:26 -------- d-----w- c:\program files\Java
2009-07-30 01:45 . 2009-05-23 05:18 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 21:52 . 2009-07-28 19:58 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-28 19:58 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-28 19:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-28 19:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 04:00 . 2008-04-23 14:55 -------- d-----w- c:\program files\HP
2009-07-21 03:53 . 2008-04-23 14:53 -------- d-----w- c:\progra~2\HP
2009-07-21 03:52 . 2008-06-05 02:08 -------- d-----w- c:\program files\mozilla.org
2009-07-19 05:25 . 2007-08-22 20:03 -------- d-----w- c:\program files\Google
2009-07-17 02:26 . 2007-12-27 13:01 -------- d--h--w- c:\users\Mark & Adriana\AppData\Roaming\Skype
2009-07-14 23:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-14 23:44 . 2007-09-19 01:18 -------- d-----w- c:\progra~2\Microsoft Help
2009-07-01 06:23 . 2008-10-07 23:36 -------- d--h--w- c:\users\Mark & Adriana\AppData\Roaming\Thinstall
2009-06-27 13:22 . 2008-07-28 07:26 -------- d-----w- c:\program files\PhotoScape
2009-06-27 13:07 . 2009-05-17 21:55 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\FUJIFILM
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-06-12 03:42 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-12 03:29 . 2006-11-02 12:37 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-06-11 01:45 . 2007-09-19 01:15 -------- d-----w- c:\program files\Microsoft Works
2009-06-11 01:01 . 2009-06-11 01:01 -------- d-----w- c:\program files\Paint.NET
2009-06-10 21:55 . 2008-12-06 04:48 -------- d-----w- c:\progra~2\Rosetta Stone
2009-06-10 20:53 . 2009-06-10 20:53 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-05-14 00:58 . 2008-12-10 01:26 123408 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-05-31 13:41 . 2007-12-29 12:50 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-05-31 13:41 . 2007-12-29 12:50 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-05-31 13:41 . 2007-12-29 12:50 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-05-31 13:41 . 2007-12-29 12:50 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-05-31 13:41 . 2007-12-29 12:50 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-12-16 03:20 . 2008-12-16 02:42 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2008-12-16 03:20 . 2008-12-16 02:42 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-07-31_23.05.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-22 20:40 . 2009-08-04 14:12 75654 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-04 14:12 87602 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-24 21:54 . 2009-08-04 14:12 14490 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3184346778-380610952-3069833314-1000_UserData.bin
+ 2007-12-24 21:42 . 2009-08-04 13:44 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-24 21:42 . 2009-08-04 13:44 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-24 21:42 . 2009-08-04 13:44 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-04 05:32 . 2009-08-04 13:44 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-05-04 05:32 . 2009-07-30 02:47 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2007-08-22 20:49 . 2009-07-31 22:49 1678416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2007-08-22 20:49 . 2009-08-04 14:08 1678416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat

ComboFix Log 2 of 3

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-28 68856]
"Google Update"="c:\users\Mark & Adriana\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 413696]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-30 148888]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-5-17 303104]
PDFCreator.lnk - c:\program files\PDFCreator\PDFCreator.exe [2008-6-27 2641920]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-5-3 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Mark & Adriana^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^realshed.old]
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):27,bf,f9,b7,11,eb,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3184346778-380610952-3069833314-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{66DD937E-AE3C-4248-8276-E03B0E662FC4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5A419130-C26E-4A4D-95D9-EA35767E4F2C}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D1266DD3-3A9B-4EB2-9CE7-88D472AF7EF7}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{2E15ED65-ABB2-4DDE-AE38-1D4D7D2E9AAA}c:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 7.0.1.321\\english\\setup.exe"= UDP:c:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.321\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{A022D2AA-4EFE-4FDB-BA2E-1D99FE6B21EB}c:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 7.0.1.321\\english\\setup.exe"= TCP:c:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.321\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"TCP Query User{4DCE4B7C-3F06-4B9F-A0F1-8D893C290A69}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{48F8ABC9-AF9C-43D5-A12E-B134139A5FF3}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{020FC91C-96A9-4C91-B3A0-F29D11107746}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{6B92138C-67A5-4CBE-897A-6DF31C6689F7}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{4B71DD2E-475F-4A17-AB05-5C57A59EC1D6}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{371BF024-100B-4DE6-9863-47BC453D9E9A}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{A0F9FC39-EBE6-49EC-B900-EBFCF158336A}c:\\program files\\attractel\\zoiper\\zoiper.exe"= UDP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"UDP Query User{A1A5E757-DF8A-4A37-AAE2-0FAAEC044513}c:\\program files\\attractel\\zoiper\\zoiper.exe"= TCP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"TCP Query User{89288A4F-B931-444A-B74F-701B2BF28AC2}c:\\program files\\attractel\\zoiper\\zoiper.exe"= UDP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"UDP Query User{65127F06-2351-4BB3-B308-E0BAAA0D8C0A}c:\\program files\\attractel\\zoiper\\zoiper.exe"= TCP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"TCP Query User{F2E131E7-AD40-4103-ADD2-2DE4F67D3340}c:\\users\\mark & adriana\\appdata\\roaming\\maxthon2\\modules\\mxdownloader\\mxdownloadserver.exe"= UDP:c:\users\mark & adriana\appdata\roaming\maxthon2\modules\mxdownloader\mxdownloadserver.exe:mxdownloadserver.exe
"UDP Query User{EBBD88EB-EA08-4DCE-B9BE-AA69636D6C48}c:\\users\\mark & adriana\\appdata\\roaming\\maxthon2\\modules\\mxdownloader\\mxdownloadserver.exe"= TCP:c:\users\mark & adriana\appdata\roaming\maxthon2\modules\mxdownloader\mxdownloadserver.exe:mxdownloadserver.exe
"TCP Query User{AAD24E5F-CA5A-47FF-A83B-0D8A2C8D6E18}c:\\program files\\acoo browser\\acoobrowser.exe"= UDP:c:\program files\acoo browser\acoobrowser.exe:Acoo Browser
"UDP Query User{1EBE616F-AF7E-41B2-8335-E53200C5A3E8}c:\\program files\\acoo browser\\acoobrowser.exe"= TCP:c:\program files\acoo browser\acoobrowser.exe:Acoo Browser
"{726022BF-3003-4960-A583-9B25E32F0059}"= UDP:c:\program files\3\3Connect\Wilog.exe:3Connect
"{E8286F86-E4BE-4F29-A229-1837B0AD7A7A}"= TCP:c:\program files\3\3Connect\Wilog.exe:3Connect
"{4C0EF1F6-2C01-4971-ADD9-1F8DD1294879}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{A4C07ECF-D017-4649-B8B2-C970E2E04BA7}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{571BC4B4-0AAF-47E6-9561-18C2CFA42A97}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{40E2B9D4-F3A2-4102-9E6F-91BE519FB1EE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{50A18888-BBD9-4202-B406-9FFAD309735C}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{5CE03319-483A-45BD-BBD7-1AD9D875D94F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{AE9FABBC-3704-4057-8378-67E0D627B3BF}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{EE0BEC18-39EA-46C8-993C-24E184969E99}c:\\users\\mark & adriana\\appdata\\local\\google\\chrome\\application\\chrome.exe"= UDP:c:\users\mark & adriana\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"UDP Query User{20CEC1CB-DCB2-4582-BEC9-272E74CC827F}c:\\users\\mark & adriana\\appdata\\local\\google\\chrome\\application\\chrome.exe"= TCP:c:\users\mark & adriana\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"TCP Query User{722DAD41-54E8-410A-83FC-42318CE5BFCD}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"UDP Query User{44A2D863-79A0-444A-942D-FA63A34B9A3E}c:\\windows\\system32\\cmds.exe"= TCP:c:\windows\system32\cmds.exe:
"TCP Query User{D42D54D3-E89C-4E7A-A657-30B1A005C81B}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= UDP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"UDP Query User{BC2A4E12-53E8-4496-B829-9256BAB54560}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= TCP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"TCP Query User{5D049E69-6B76-45B3-99CA-7E59C4842937}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"UDP Query User{ED8DCD26-C8E0-4539-83F2-6B029E44A121}c:\\windows\\system32\\cmds.exe"= TCP:c:\windows\system32\cmds.exe:
"{F442AE91-7D56-4ACD-9219-9139DCE7464E}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{5F7BB48E-7A01-41AE-962A-BCA285F5D966}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{D08CA669-8B62-4611-819F-58D394FC5EE5}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{9A400437-A316-4CBD-B140-63A06361ECE9}"= c:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [29/07/2009 20:45 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 08:49 1029456]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [22/08/2007 13:53 7168]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [03/05/2009 23:06 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 11:08 533360]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [28/07/2009 05:57 38160]
S3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [28/03/2007 08:51 43008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.

ComboFix Log 3 of 3

Sorry about that, had to divide it into 3 parts:

------- Supplementary Scan -------
.
uStart Page = hxxp://edit.europe.yahoo.com/config/login?.intl=uk&.partner=bt-1&.done=http%3a//bt.yahoo.com/%3f
uInternet Settings,ProxyServer = 85.31.89.222:8080
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.17\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
FF - ProfilePath - c:\users\MARK&A~1\AppData\Roaming\Mozilla\Firefox\Profiles\6optvrgw.default\
FF - prefs.js: browser.startup.homepage - hxxp://edit.europe.yahoo.com/config/login?.intl=uk&.partner=bt-1&.done=http%3a//bt.yahoo.com/%3f
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-04 08:12
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\System32\conime.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\windows\System32\Locator.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Common Files\microsoft shared\Source Engine\OSE.EXE
.
**************************************************************************
.
Completion time: 2009-08-04 8:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-04 14:43
ComboFix2.txt 2009-08-01 01:31

Pre-Run: 168,771,829,760 bytes free
Post-Run: 168,755,953,664 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=9 Sets=1,5,6,7,8,9
280 --- E O F --- 2009-08-04 11:41
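For anyone reading a ComboFix log like the one above, the parts a defender checks first are the UAC policy key under `policies\system`, the user-level proxy setting in the Supplementary Scan, and the firewall allow rules, especially ones pointing at programs in user-writable directories or carrying no description. The Python triage helper below is an added example for this thread; it is not part of ComboFix or of the original posts. The line layouts it parses are inferred from the log as posted (the `AuthorizedApplications` list uses a different layout and is not handled), and `SAMPLE_LOG` is a constructed excerpt assembled from lines in that same format. It lists items for a human to review rather than declaring anything malicious.

```python
import re
from dataclasses import dataclass

# Constructed excerpt (not a real log): a few lines in the layout ComboFix uses
# in its "Reg Loading Points" and "Supplementary Scan" sections, copied from
# the format of the log posted in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D1266DD3-3A9B-4EB2-9CE7-88D472AF7EF7}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{722DAD41-54E8-410A-83FC-42318CE5BFCD}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"TCP Query User{D42D54D3-E89C-4E7A-A657-30B1A005C81B}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= UDP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"{A4C07ECF-D017-4649-B8B2-C970E2E04BA7}"= c:\program files\Skype\Phone\Skype.exe:Skype

------- Supplementary Scan -------
uStart Page = hxxp://edit.europe.yahoo.com/config/login?.intl=uk
uInternet Settings,ProxyServer = 85.31.89.222:8080
'''

# Line layouts below are inferred from the posted log, not from ComboFix docs.
# FirewallRules entries: "<name>"= [TCP|UDP:][<port>|]<path>:<description>
FW_RULE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*'
    r'(?:(?P<proto>TCP|UDP):)?'
    r'(?:(?P<port>\d+)\|)?'
    r'(?P<path>[A-Za-z]:\\[^:]*):(?P<desc>.*)$'
)
PROXY = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)')
ENABLE_LUA = re.compile(r'^"EnableLUA"=\s*(?P<val>\d+)')

# Directories a standard user can write to; an allow rule for a program living
# here is not automatically bad, but it deserves a look.
USER_PROFILE_MARKERS = ('\\users\\', '\\appdata\\', '\\documents and settings\\')


@dataclass
class FirewallRule:
    name: str
    proto: str  # "TCP", "UDP", or "" when the line carries no protocol
    port: str   # "" when no port is given
    path: str
    desc: str   # "" when the rule has no description


def parse_firewall_rules(text: str) -> list[FirewallRule]:
    """Extract FirewallRules entries from ComboFix-style log text."""
    rules = []
    for line in text.splitlines():
        m = FW_RULE.match(line.strip())
        if m:
            rules.append(FirewallRule(m['name'], m['proto'] or '', m['port'] or '',
                                      m['path'], m['desc'].strip()))
    return rules


def triage(text: str) -> list[str]:
    """Return human-readable review items, in the order they are found."""
    findings = []
    for line in text.splitlines():
        s = line.strip()
        m = ENABLE_LUA.match(s)
        if m and m['val'] == '0':
            findings.append('EnableLUA=0: User Account Control is turned off')
        m = PROXY.match(s)
        if m:
            findings.append(f"user proxy configured: {m['proxy']} "
                            "(confirm the user set this deliberately)")
    for r in parse_firewall_rules(text):
        low = r.path.lower()
        if any(marker in low for marker in USER_PROFILE_MARKERS):
            findings.append(f'firewall allow rule for a program under a user profile: {r.path}')
        elif not r.desc:
            findings.append(f'firewall allow rule with no description: {r.path}')
    return findings


if __name__ == '__main__':
    for item in triage(SAMPLE_LOG):
        print('-', item)
```

Run against the sample excerpt it reports four items: UAC disabled, the proxy setting, the undescribed rule for `cmds.exe`, and the rule for `twain_x86.exe` under the user's roaming profile. The helper does not decide what is malicious; that stays with the person reading the log, which is how the thread's helper works through it.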

Re: Win32/Cryptor

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u


This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Keep getting Bad Image error message

Hello,

Keep getting Bad Image error message on log on & whenever a program is opened (either on start up or manually). Sorry, have not managed to get the hang of posting an image here. Error message says:

LogonUI.exe - bad Image

globalroot\systemroot\system32\geyekrwiigvcwd.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or other software vendor for support.

Have not tried machine with AVG 8.5, Spybot or Ad-Aware running. Will let you know after I start it with those loaded onto machine.

mday01376

Re: Win32/Cryptor

Hi there,

Finally managed to install Super Anti-Spyware & Avast Free. (AVG Free could not install as it was unable to write a registry entry.) Ran MBAM - no result. Then SAS - no result. Avast detected Win32-Alueron-CE [Rtk] at the following file location: C:/windows/system32/geyeroswbvuto.dll - tried to follow the recommended action by moving it to the chest - could not, as the file was in use by another process.

BTW - still getting that bad image error message whenever an executable file is started (either on start up or manually).

Have you any more thoughts?

Many thanks for all so far.

mday01376

Re: Win32/Cryptor

Hello.
Please re-run Combofix and post a new log.


Combofix re-run 1 of 3

ComboFix 09-08-03.A2 - Mark & Adriana 05/08/2009 20:35.4.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.1304 [GMT -6:00]
Running from: c:\users\Mark & Adriana\Desktop\Combo-Fix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-05 02:48 . 2009-08-05 02:48 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Yahoo!
2009-08-05 02:48 . 2009-08-05 02:48 -------- d-----w- c:\progra~2\Yahoo! Companion
2009-08-05 02:48 . 2009-08-05 02:48 -------- d-----w- c:\program files\Yahoo!
2009-08-05 02:48 . 2009-08-05 02:48 -------- d-----w- c:\program files\CCleaner
2009-08-05 02:39 . 2009-08-06 03:32 117760 ----a-w- c:\users\Mark & Adriana\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-05 02:37 . 2009-08-05 02:37 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2009-08-05 02:37 . 2009-08-05 02:37 65024 ----a-r- c:\users\Mark & Adriana\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-08-05 02:37 . 2009-08-05 02:37 18944 ----a-r- c:\users\Mark & Adriana\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2009-08-05 02:37 . 2009-08-05 02:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-05 02:37 . 2009-08-05 02:37 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\SUPERAntiSpyware.com
2009-08-05 02:36 . 2009-08-05 02:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-04 22:25 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-04 22:25 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-04 22:25 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-04 22:25 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-04 22:25 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-04 22:25 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-04 22:25 . 2009-02-05 21:06 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-08-04 22:24 . 2009-08-04 22:24 -------- d-----w- c:\program files\Alwil Software
2009-08-04 21:38 . 2009-08-04 21:38 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\AVG8
2009-07-30 03:08 . 2009-08-01 01:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-30 03:08 . 2009-08-01 01:02 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-07-30 02:45 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-30 02:41 . 2009-07-30 02:44 -------- d-----w- c:\progra~2\Lavasoft
2009-07-30 02:41 . 2009-07-30 02:41 -------- d-----w- c:\program files\Lavasoft
2009-07-30 02:05 . 2009-07-30 02:05 -------- d-----w- c:\program files\FileHippo.com
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Malwarebytes
2009-07-28 11:57 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 11:57 . 2009-08-05 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 11:57 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\progra~2\Malwarebytes
2009-07-25 04:03 . 2009-08-05 02:44 -------- d-----w- c:\program files\Common Files\Little Registry Cleaner
2009-07-25 03:45 . 2009-07-25 03:52 -------- d-----w- c:\program files\Registry Clean Expert
2009-07-21 03:42 . 2009-07-21 03:42 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Foxit
2009-07-21 03:42 . 2009-07-21 03:42 -------- d-----w- c:\program files\Foxit Software
2009-07-21 03:36 . 2009-07-21 03:36 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\iExpert Software
2009-07-15 14:14 . 2009-07-15 14:18 -------- d-----w- c:\progra~2\Ten Thumbs Typing Tutor
2009-07-15 14:12 . 2009-07-15 14:12 -------- d-----w- c:\program files\Ten Thumbs Typing Tutor 4.7
2009-07-14 18:06 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-14 18:06 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-14 18:06 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-14 18:06 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-14 18:06 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 02:13 . 2007-12-28 00:56 -------- d-----w- c:\progra~2\Google Updater
2009-08-04 22:09 . 2008-12-03 04:01 -------- d-----w- c:\progra~2\Avg8
2009-08-04 22:05 . 2007-08-22 20:26 -------- d-----w- c:\program files\Java
2009-07-31 01:36 . 2008-09-10 07:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 11:23 . 2009-05-23 05:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 21:52 . 2009-07-28 19:58 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-28 19:58 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-28 19:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-28 19:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 04:00 . 2008-04-23 14:55 -------- d-----w- c:\program files\HP
2009-07-21 03:53 . 2008-04-23 14:53 -------- d-----w- c:\progra~2\HP
2009-07-21 03:52 . 2008-06-05 02:08 -------- d-----w- c:\program files\mozilla.org
2009-07-19 05:25 . 2007-08-22 20:03 -------- d-----w- c:\program files\Google
2009-07-17 02:26 . 2007-12-27 13:01 -------- d--h--w- c:\users\Mark & Adriana\AppData\Roaming\Skype
2009-07-14 23:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-14 23:44 . 2007-09-19 01:18 -------- d-----w- c:\progra~2\Microsoft Help
2009-07-01 06:23 . 2008-10-07 23:36 -------- d--h--w- c:\users\Mark & Adriana\AppData\Roaming\Thinstall
2009-06-27 13:22 . 2008-07-28 07:26 -------- d-----w- c:\program files\PhotoScape
2009-06-27 13:07 . 2009-05-17 21:55 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\FUJIFILM
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-06-12 03:42 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-12 03:29 . 2006-11-02 12:37 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-06-11 01:45 . 2007-09-19 01:15 -------- d-----w- c:\program files\Microsoft Works
2009-06-11 01:01 . 2009-06-11 01:01 -------- d-----w- c:\program files\Paint.NET
2009-06-10 21:55 . 2008-12-06 04:48 -------- d-----w- c:\progra~2\Rosetta Stone
2009-06-10 20:53 . 2009-06-10 20:53 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-05-14 00:58 . 2008-12-10 01:26 123408 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-05-31 13:41 . 2007-12-29 12:50 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-05-31 13:41 . 2007-12-29 12:50 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-05-31 13:41 . 2007-12-29 12:50 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-05-31 13:41 . 2007-12-29 12:50 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-05-31 13:41 . 2007-12-29 12:50 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-12-16 03:20 . 2008-12-16 02:42 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2008-12-16 03:20 . 2008-12-16 02:42 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-07-31_23.05.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-22 20:40 . 2009-08-06 03:30 77830 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-06 03:30 89052 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-24 21:54 . 2009-08-06 03:30 15240 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3184346778-380610952-3069833314-1000_UserData.bin
+ 2007-12-24 21:42 . 2009-08-06 03:28 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-24 21:42 . 2009-08-06 03:28 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-24 21:42 . 2009-08-06 03:28 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-04 22:05 . 2009-07-25 11:23 149280 c:\windows\System32\javaws.exe
+ 2009-08-04 22:05 . 2009-07-25 11:23 145184 c:\windows\System32\javaw.exe
+ 2009-08-04 22:05 . 2009-07-25 11:23 145184 c:\windows\System32\java.exe
+ 2009-05-04 05:32 . 2009-08-05 01:46 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-05-04 05:32 . 2009-07-30 02:47 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2007-08-22 20:49 . 2009-07-31 22:49 1678416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2007-08-22 20:49 . 2009-08-06 03:25 1678416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-08-05 02:37 . 2009-08-05 02:37 1516544 c:\windows\Installer\2eee09.msi
.

Combofix re-run 2 of 3

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-28 68856]
"Google Update"="c:\users\Mark & Adriana\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 413696]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-5-17 303104]
PDFCreator.lnk - c:\program files\PDFCreator\PDFCreator.exe [2008-6-27 2641920]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-5-3 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Mark & Adriana^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^realshed.old]
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):27,bf,f9,b7,11,eb,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3184346778-380610952-3069833314-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{66DD937E-AE3C-4248-8276-E03B0E662FC4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5A419130-C26E-4A4D-95D9-EA35767E4F2C}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D1266DD3-3A9B-4EB2-9CE7-88D472AF7EF7}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{2E15ED65-ABB2-4DDE-AE38-1D4D7D2E9AAA}c:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 7.0.1.321\\english\\setup.exe"= UDP:c:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.321\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{A022D2AA-4EFE-4FDB-BA2E-1D99FE6B21EB}c:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 7.0.1.321\\english\\setup.exe"= TCP:c:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.321\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"TCP Query User{4DCE4B7C-3F06-4B9F-A0F1-8D893C290A69}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{48F8ABC9-AF9C-43D5-A12E-B134139A5FF3}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{020FC91C-96A9-4C91-B3A0-F29D11107746}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{6B92138C-67A5-4CBE-897A-6DF31C6689F7}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{4B71DD2E-475F-4A17-AB05-5C57A59EC1D6}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{371BF024-100B-4DE6-9863-47BC453D9E9A}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{A0F9FC39-EBE6-49EC-B900-EBFCF158336A}c:\\program files\\attractel\\zoiper\\zoiper.exe"= UDP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"UDP Query User{A1A5E757-DF8A-4A37-AAE2-0FAAEC044513}c:\\program files\\attractel\\zoiper\\zoiper.exe"= TCP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"TCP Query User{89288A4F-B931-444A-B74F-701B2BF28AC2}c:\\program files\\attractel\\zoiper\\zoiper.exe"= UDP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"UDP Query User{65127F06-2351-4BB3-B308-E0BAAA0D8C0A}c:\\program files\\attractel\\zoiper\\zoiper.exe"= TCP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"TCP Query User{F2E131E7-AD40-4103-ADD2-2DE4F67D3340}c:\\users\\mark & adriana\\appdata\\roaming\\maxthon2\\modules\\mxdownloader\\mxdownloadserver.exe"= UDP:c:\users\mark & adriana\appdata\roaming\maxthon2\modules\mxdownloader\mxdownloadserver.exe:mxdownloadserver.exe
"UDP Query User{EBBD88EB-EA08-4DCE-B9BE-AA69636D6C48}c:\\users\\mark & adriana\\appdata\\roaming\\maxthon2\\modules\\mxdownloader\\mxdownloadserver.exe"= TCP:c:\users\mark & adriana\appdata\roaming\maxthon2\modules\mxdownloader\mxdownloadserver.exe:mxdownloadserver.exe
"TCP Query User{AAD24E5F-CA5A-47FF-A83B-0D8A2C8D6E18}c:\\program files\\acoo browser\\acoobrowser.exe"= UDP:c:\program files\acoo browser\acoobrowser.exe:Acoo Browser
"UDP Query User{1EBE616F-AF7E-41B2-8335-E53200C5A3E8}c:\\program files\\acoo browser\\acoobrowser.exe"= TCP:c:\program files\acoo browser\acoobrowser.exe:Acoo Browser
"{726022BF-3003-4960-A583-9B25E32F0059}"= UDP:c:\program files\3\3Connect\Wilog.exe:3Connect
"{E8286F86-E4BE-4F29-A229-1837B0AD7A7A}"= TCP:c:\program files\3\3Connect\Wilog.exe:3Connect
"{4C0EF1F6-2C01-4971-ADD9-1F8DD1294879}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{A4C07ECF-D017-4649-B8B2-C970E2E04BA7}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{571BC4B4-0AAF-47E6-9561-18C2CFA42A97}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{40E2B9D4-F3A2-4102-9E6F-91BE519FB1EE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{50A18888-BBD9-4202-B406-9FFAD309735C}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{5CE03319-483A-45BD-BBD7-1AD9D875D94F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{AE9FABBC-3704-4057-8378-67E0D627B3BF}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{EE0BEC18-39EA-46C8-993C-24E184969E99}c:\\users\\mark & adriana\\appdata\\local\\google\\chrome\\application\\chrome.exe"= UDP:c:\users\mark & adriana\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"UDP Query User{20CEC1CB-DCB2-4582-BEC9-272E74CC827F}c:\\users\\mark & adriana\\appdata\\local\\google\\chrome\\application\\chrome.exe"= TCP:c:\users\mark & adriana\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"TCP Query User{722DAD41-54E8-410A-83FC-42318CE5BFCD}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"UDP Query User{44A2D863-79A0-444A-942D-FA63A34B9A3E}c:\\windows\\system32\\cmds.exe"= TCP:c:\windows\system32\cmds.exe:
"TCP Query User{D42D54D3-E89C-4E7A-A657-30B1A005C81B}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= UDP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"UDP Query User{BC2A4E12-53E8-4496-B829-9256BAB54560}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= TCP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"TCP Query User{5D049E69-6B76-45B3-99CA-7E59C4842937}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"UDP Query User{ED8DCD26-C8E0-4539-83F2-6B029E44A121}c:\\windows\\system32\\cmds.exe"= TCP:c:\windows\system32\cmds.exe:
"{F442AE91-7D56-4ACD-9219-9139DCE7464E}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{5F7BB48E-7A01-41AE-962A-BCA285F5D966}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{D08CA669-8B62-4611-819F-58D394FC5EE5}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{9A400437-A316-4CBD-B140-63A06361ECE9}"= c:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [29/07/2009 20:45 64160]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [04/08/2009 16:25 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28/07/2009 10:53 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/07/2009 10:53 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [04/08/2009 16:25 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [04/08/2009 16:25 51792]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 08:49 1029456]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [22/08/2007 13:53 7168]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/07/2009 10:53 7408]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [03/05/2009 23:06 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 11:08 533360]
S3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [28/03/2007 08:51 43008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://edit.europe.yahoo.com/config/login?.intl=uk&.partner=bt-1&.done=http%3a//bt.yahoo.com/%3f
uInternet Settings,ProxyServer = 85.31.89.222:8080
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.17\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
FF - ProfilePath - c:\users\MARK&A~1\AppData\Roaming\Mozilla\Firefox\Profiles\6optvrgw.default\
FF - prefs.js: browser.startup.homepage - hxxp://edit.europe.yahoo.com/config/login?.intl=uk&.partner=bt-1&.done=http%3a//bt.yahoo.com/%3f
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

Combofix re-run 3 of 3

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-05 21:31
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\windows\System32\Locator.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\conime.exe
c:\program files\Common Files\microsoft shared\Source Engine\OSE.EXE
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2009-08-06 21:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-06 03:53
ComboFix2.txt 2009-08-04 14:44
ComboFix3.txt 2009-08-01 01:31

Pre-Run: 168,551,661,568 bytes free
Post-Run: 168,552,574,976 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=9 Sets=1,5,6,7,8,9
303 --- E O F --- 2009-08-04 11:41

Re: Win32/Cryptor

Not seeing anything.

Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

GMER log 1 of 2

Hi there,

Sorry about that, been away from problem computer for a few days.

Here's the GMER log - had to run it in Safe Mode:

GMER 1.0.15.15020 [r4h3qvme.exe] - http://www.gmer.net
Rootkit scan 2009-08-09 15:39:58
Windows 6.0.6002 Service Pack 2


---- System - GMER 1.0.15 ----

Code 853782E0 ZwEnumerateKey
Code 85379398 ZwFlushInstructionCache
Code 853732CE ZwSaveKey
Code 8532F4B6 ZwSaveKeyEx
Code 85347515 IofCallDriver
Code 8533E2F6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 82249912 5 Bytes JMP 8534751A
.text ntkrnlpa.exe!IofCompleteRequest 8224997F 5 Bytes JMP 8533E2FB
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 823B4EF5 5 Bytes JMP 8537939C
PAGE ntkrnlpa.exe!ZwEnumerateKey 824020BA 5 Bytes JMP 853782E4
PAGE ntkrnlpa.exe!ZwSaveKey 82457969 5 Bytes JMP 853732D2
PAGE ntkrnlpa.exe!ZwSaveKeyEx 82457B07 5 Bytes JMP 8532F4BA

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll

GMER log 2 of 2

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION

---- Files - GMER 1.0.15 ----

File C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000 0 bytes
File C:\Windows\System32\drivers\geyekrsbmxtfyx.sys 66048 bytes
File C:\Windows\Temp\geyekreqewgtxxti.tmp 18432 bytes
File C:\Windows\Temp\geyekrgrekyqlxqw.tmp 18432 bytes
File C:\Windows\Temp\geyekrnxifftxxsv.tmp 18432 bytes

---- EOF - GMER 1.0.15 ----

Re: Win32/Cryptor
Hmm, this again. ¬.¬

We have to put a stop to the main driver file before we can delete it. Trust me, I tried straight out deleting it with one of our most powerful tools on another machine; it doesn't work.

Go to Start and, in the little search box, type in "Run". When the Run command appears, right-click it and select "Run as administrator".

Now when the run box opens, copy/paste in the following:

notepad "C:\Windows\System32\drivers\geyekrsbmxtfyx.sys"

This opens the rootkit's driver file in Notepad, and it just appears as lots of funny characters you can't understand; this is normal.
Highlight everything inside it (Ctrl+A), and press Backspace so it removes everything and leaves it blank.

Now go to File > select "Save" so it saves it blank.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to disable:
geyekrfrvqidfd

Drivers to delete:
geyekrfrvqidfd

Files to delete:
C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000
C:\Windows\System32\drivers\geyekrsbmxtfyx.sys
C:\Windows\Temp\geyekreqewgtxxti.tmp
C:\Windows\Temp\geyekrgrekyqlxqw.tmp
C:\Windows\Temp\geyekrnxifftxxsv.tmp

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Avenger Log
Hello,

File "C:\Windows\System32\drivers\geyekrsbmxtfyx.sys" could not be found in Safe Mode, but the command ran successfully in normal mode.

After Avenger ran, I became a little worried as Vista rebooted twice (the first time saying it couldn't boot due to a group policy error). On the second reboot the logfile appeared on the desktop.

I should add that the nasty "Bad Image" dialogue box has now disappeared. Looks like we are close to a solution...

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

script file opened successfully.
script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "geyekrfrvqidfd" found!
ImagePath: \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "geyekrfrvqidfd" disabled successfully.
Driver "geyekrfrvqidfd" deleted successfully.
File "C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000" deleted successfully.
File "C:\Windows\System32\drivers\geyekrsbmxtfyx.sys" deleted successfully.
File "C:\Windows\Temp\geyekreqewgtxxti.tmp" deleted successfully.
File "C:\Windows\Temp\geyekrgrekyqlxqw.tmp" deleted successfully.
File "C:\Windows\Temp\geyekrnxifftxxsv.tmp" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Win32/Cryptor
Hello.
Run MBAM now, post the log when done.

MBAM log
Malwarebytes' Anti-Malware 1.40
Database version: 2594
Windows 6.0.6002 Service Pack 2

10/08/2009 16:04:50
mbam-log-2009-08-10 (16-04-50).txt

Scan type: Quick Scan
Objects scanned: 81572
Time elapsed: 9 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Win32/Cryptor
How is the machine running now?

Avast A/V finds rootkit
Hi there,

Computer runs fine & faster than previously.

In addition to MBAM I thought a quick scan with Avast would be a good idea. Avast found the following file, C:\Windows\System32\geyekroswbvuto.dll, which has the malware name Win32-Alureon-CE [Rtk]. Could it be a false positive?

mday01376

Last edited by mday01376 on 11th August 2009, 2:24 am; edited 1 time in total (Reason for editing : Filename entered in incorrect place on reply.)

Re: Win32/Cryptor
No, probably a leftover file.
Combofix wasn't getting the rootkit, so we had to use GMER to find it, and if GMER doesn't list EVERY file that comes from the rootkit, then I can't kill it if I can't see it.

Just delete it manually.
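As an added example (not from this thread, and not part of GMER, ComboFix or The Avenger), here is a small Python parser for GMER "Reg" and "File" lines like the ones posted earlier. It groups the hidden service's registry entries per ControlSet and cross-checks the `modules@...` values against the Files section, which on a constructed sample in the log's format flags geyekroswbvuto.dll and geyekreetmbfnm.dat as files the registry points at but the Files section never listed, the same gap behind the Avast detection just discussed. It assumes Windows is installed on C: so that `\systemroot` maps to `C:\Windows`.

```python
import re

# Constructed sample in the format of the GMER 1.0.15 log posted in this thread.
SAMPLE_GMER_LOG = r"""
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
File C:\Windows\System32\drivers\geyekrsbmxtfyx.sys 66048 bytes
File C:\Windows\Temp\geyekreqewgtxxti.tmp 18432 bytes
"""
# GMER prints "Reg <key>[@<value>] [<data>]" and "File <path> <size> bytes".
REG_RE = re.compile(r"^Reg (?P<key>\S+?)(?:@(?P<value>\S+))?(?: (?P<data>.*))?$")
FILE_RE = re.compile(r"^File (?P<path>.+) (?P<size>\d+) bytes$")
SVC_RE = re.compile(r"^HKLM\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\Services\\([^\\]+)(.*)$", re.I)

def parse_gmer(text):
    """Group service registry entries by service name; collect the Files section."""
    services, files = {}, {}
    for line in text.splitlines():
        fm = FILE_RE.match(line)
        if fm:
            files[fm["path"]] = int(fm["size"])
            continue
        rm = REG_RE.match(line)
        sm = SVC_RE.match(rm["key"]) if rm else None
        if not sm:
            continue  # not a Services\<name> key (e.g. the OODEFRAG value in the log)
        cset, name, sub = sm.group(1), sm.group(2), sm.group(3).lower()
        svc = services.setdefault(name, {"controlsets": set(), "imagepath": None, "modules": {}})
        svc["controlsets"].add(cset)
        if not sub and (rm["value"] or "").lower() == "imagepath":
            svc["imagepath"] = rm["data"]
        elif sub == r"\modules" and rm["value"]:
            svc["modules"][rm["value"]] = rm["data"]  # logical name -> on-disk path
    return services, files

def _win32_path(p):
    # Kernel-style "\systemroot\..." maps to "C:\Windows\..." (assumes Windows on C:).
    p = p.lower()
    return r"c:\windows" + p[len(r"\systemroot"):] if p.startswith(r"\systemroot") else p

def unlisted_module_files(services, files):
    """Module files the registry points at that GMER's Files section did not list."""
    listed = {_win32_path(f) for f in files}
    targets = {_win32_path(t) for s in services.values() for t in s["modules"].values()}
    return sorted(targets - listed)
```

Paths returned by `unlisted_module_files` are the ones worth checking by hand after a removal run, since a tool that only deletes what the Files section lists will leave them behind.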

Issue solved
Hi there,

I felt that I owed an update on the Win32/Cryptor situation. I have now run full scans of MBAM, Super Anti-Spyware, Ad-Aware & Avast & am pleased to advise that after manually deleting leftover files, my machine now appears clean & more importantly is running as good as new.

Many thanks to all at Geek Police - donation to follow.

mday01376

Re: Win32/Cryptor

Not a problem!

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.
