Windows Police Pro Infection
Hello Geek Police,
I was recently infected with Windows Police Pro. I followed a malware removal how-to, and I thought I had gotten rid of it. Apparently not. I now have my computer running in safe mode with networking, but I can't download anything without the browser crashing. I tried downloading the updates you suggested (Java/Adobe/Microsoft) to a usb drive and transferring them to the infected computer, but I get an error message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Same lovely message pops up when I tried to run the winlogon scan, so it didn't save a file for me to cut and paste here.
I'm ready to throw the bloody thing out the window!
Please help!
With gratitude, elluna

Re: Windows Police Pro Infection
Please download ComboFix from BleepingComputer.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

(screenshot: ComboFix prompt asking to install the Recovery Console)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(screenshot: ComboFix message confirming the Recovery Console was installed)

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

I would also like to see a list of installed programs, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

In your next reply, please include the ComboFix log and the Add-Remove Programs log.

Re: Windows Police Pro Infection
Ok, here is the Combofix log:

ComboFix 09-10-22.01 - Bronwyn Krause 10/23/2009 15:14.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.450 [GMT -7:00]
Running from: c:\documents and settings\Bronwyn Krause\desktop\commy.exe
Command switches used :: /stepdel
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Start Menu\Programs\Windows Police Pro
c:\windows\system32\drivers\rotscxvnxteooe.sys
c:\windows\system32\rotscxfoyumiyl.dll
c:\windows\system32\rotscxkvnsdhmd.dll
c:\windows\system32\rotscxojnvurdw.dll
c:\windows\system32\rotscxprvhawfh.dat
c:\windows\system32\rotscxqxvmykri.dll
c:\windows\system32\rotscxrrfwbwuy.dll
c:\windows\system32\rotscxweojliew.dll
c:\windows\system32\rotscxxduxtwim.dat
c:\windows\system32\schtml
c:\documents and settings\LocalService\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\windows\msa.exe
c:\windows\svohost.exe
c:\windows\system32\bincd32.dat
c:\windows\system32\c2d.dat
c:\windows\system32\drivers\rotscxvnxteooe.sys
c:\windows\system32\idm.dat
c:\windows\system32\nuar.old
c:\windows\system32\pump.exe
c:\windows\system32\rotscxfoyumiyl.dll
c:\windows\system32\rotscxkvnsdhmd.dll
c:\windows\system32\rotscxojnvurdw.dll
c:\windows\system32\rotscxprvhawfh.dat
c:\windows\system32\rotscxqxvmykri.dll
c:\windows\system32\rotscxrrfwbwuy.dll
c:\windows\system32\rotscxweojliew.dll
c:\windows\system32\rotscxxduxtwim.dat
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\skynet.dat
c:\windows\uharofibo.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_rotscxtnnbsmba
-------\Legacy_rotscxtnnbsmba
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_WDefend
-------\Service_WDefend


((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-22 03:34 . 2009-10-22 03:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2009-10-22 03:22 . 2009-10-23 18:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-10-22 01:27 . 2009-10-22 01:27 45 ----a-w- c:\windows\system32\ca.dat
2009-10-20 00:24 . 2009-10-20 00:24 34304 ----a-w- c:\windows\system32\nsr01.dll
2009-10-20 00:00 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 00:00 . 2009-10-22 03:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 00:00 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-19 22:26 . 2009-10-19 22:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-19 22:25 . 2009-10-19 22:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-19 21:45 . 2009-10-19 21:45 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\Malwarebytes
2009-10-19 21:44 . 2009-10-19 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-19 04:15 . 2009-10-23 21:42 120 ----a-w- c:\windows\Xfavo.dat
2009-10-19 04:15 . 2009-10-23 18:15 0 ----a-r- c:\windows\Atexutilesolasi.bin
2009-10-19 04:15 . 2009-10-19 04:15 -------- d-----w- c:\documents and settings\Bronwyn Krause\Local Settings\Application Data\{77E70BE5-F789-49BF-9E98-30DBAEA43B6F}
2009-10-19 03:58 . 2009-10-19 21:51 58 ----a-w- c:\windows\wp4.dat
2009-10-19 03:58 . 2009-10-19 21:51 2 ----a-w- c:\windows\wp3.dat
2009-10-19 03:58 . 2009-10-19 21:48 561664 ----a-w- c:\windows\system32\plugie.dll
2009-10-19 03:52 . 2009-10-19 03:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-19 03:40 . 2009-10-19 03:40 -------- d-----w- c:\temp\ext23872
2009-10-19 03:40 . 2009-10-19 03:40 -------- d-----w- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 21:55 . 2009-10-23 21:55 85504 --sh--w- c:\documents and settings\Bronwyn Krause\Application Data\xlscheck332.exe
2009-10-23 21:52 . 2009-04-26 01:06 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\U3
2009-10-23 21:49 . 2009-04-26 05:09 23688 ----a-w- c:\documents and settings\Bronwyn Krause\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 21:45 . 2009-09-19 04:32 0 ----a-r- c:\windows\win32k.sys
2009-10-20 00:38 . 2009-09-06 02:00 -------- d-----w- c:\program files\DivX
2009-10-20 00:35 . 2009-04-21 16:54 -------- d-----w- c:\program files\Google
2009-10-19 22:23 . 2009-10-19 22:23 75776 --sh--w- c:\documents and settings\Bronwyn Krause\Application Data\xlsupdate332.exe
2009-10-19 21:53 . 2009-09-11 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-19 03:45 . 2009-10-19 03:45 94720 --sh--w- c:\documents and settings\Bronwyn Krause\Application Data\mls_checker.exe
2009-10-11 00:20 . 2009-07-29 03:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-02 04:57 . 2009-09-07 03:24 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\Big Fish Games
2009-09-20 01:50 . 2009-09-20 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Awem
2009-09-18 03:13 . 2009-09-18 03:13 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\Merscom
2009-09-18 03:13 . 2009-09-18 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2009-09-16 23:31 . 2009-09-16 23:31 33280 ----a-w- c:\windows\system32\yxhls0.dll
2009-09-15 22:47 . 2009-09-15 22:47 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\V-Games
2009-09-13 03:37 . 2009-09-13 03:00 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\VampireSaga
2009-09-12 00:10 . 2009-09-12 00:10 -------- d-----w- c:\program files\GRETECH
2009-09-11 23:42 . 2009-09-06 01:27 -------- d-----w- c:\program files\Windows Media Connect 2
2009-09-11 23:28 . 2009-09-11 23:25 -------- d-----w- c:\program files\Defraggler
2009-09-11 21:52 . 2009-09-11 21:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 14:18 . 2002-08-29 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 03:29 . 2009-09-10 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-09-10 03:11 . 2009-09-06 02:01 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\DivX
2009-09-06 02:00 . 2009-09-06 02:00 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-04 21:03 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 18:09 . 2009-09-02 18:09 61440 --sh--w- c:\windows\system32\googletoolbar_download.exe
2009-08-31 01:14 . 2009-08-31 01:14 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\SulusGames
2009-08-31 01:14 . 2009-08-31 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
2009-08-30 22:55 . 2009-08-30 22:55 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\PoBros
2009-08-30 22:55 . 2009-08-30 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\PoBros
2009-08-30 21:31 . 2009-08-30 21:31 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\MA
2009-08-29 08:08 . 2006-06-23 18:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 01:31 . 2009-08-29 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Princess Isabella
2009-08-28 03:33 . 2009-08-28 03:33 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\Artogon
2009-08-26 08:00 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 00:43 . 2009-08-25 00:43 -------- d-----w- c:\program files\ReflexiveArcade
2009-08-19 00:45 . 2009-04-27 03:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-19 00:45 . 2009-04-27 03:31 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-19 00:45 . 2009-04-27 03:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-07 02:24 . 2009-04-21 00:09 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2008-10-16 21:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2009-04-21 00:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2009-04-21 00:09 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2009-04-20 20:38 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2002-08-29 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2009-04-21 00:09 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2009-04-27 03:08 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2009-04-20 20:38 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 02:23 . 2008-10-16 21:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2002-08-29 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:44 . 2002-08-29 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-05 02:52 . 2009-08-05 02:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77DC0B63-ff35-4ba9-8BE8-aa9EB676FA02}]
2009-10-19 21:48 561664 ----a-w- c:\windows\system32\plugie.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 18:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2006-11-01 1392640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"WinsysMon"="c:\windows\system32\googletoolbar_download.exe" [2009-09-02 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-19 00:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli snhipkm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/26/2009 8:31 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/26/2009 8:32 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/26/2009 8:31 PM 297752]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [4/20/2009 3:57 PM 92550]
S3 NetWlan5;Symbol Based 802.11b Wireless LAN Card Driver;c:\windows\system32\drivers\NetWlan5.sys [4/20/2009 11:30 PM 132695]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Bronwyn Krause\Application Data\Mozilla\Firefox\Profiles\lf5yow59.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig#min7|http://www.google.com/calendar/render
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Bronwyn Krause\Application Data\Mozilla\Firefox\Profiles\lf5yow59.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - hidden: XULRunner: {77E70BE5-F789-49BF-9E98-30DBAEA43B6F} - c:\documents and settings\Bronwyn Krause\Local Settings\Application Data\{77E70BE5-F789-49BF-9E98-30DBAEA43B6F}
FF - hidden: XULRunner: {A139F3A6-F214-46CB-8F12-AADF67141591} - c:\documents and settings\Administrator\Local Settings\Application Data\{A139F3A6-F214-46CB-8F12-AADF67141591}
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Nhizozuneseyo - c:\windows\uharofibo.dll
AddRemove-HijackThis - c:\documents and settings\Administrator\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 15:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,a3,09,38,3e,b0,6f,45,86,d3,dc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,a3,09,38,3e,b0,6f,45,86,d3,dc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\WININET.dll
c:\windows\snhipkm.dll

- - - - - - - > 'explorer.exe'(3020)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\snhipkm.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\windows\System32\bcmwltry.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\commy\CF26627.exe
c:\commy\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 15:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 22:33

Pre-Run: 24,992,923,648 bytes free
Post-Run: 26,230,816,768 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - FFD97DBD03C70BB39014325EE2952D7F


And here is the Add-Remove Programs log:

Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.2
Adobe Shockwave Player 11.5
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoUpdate
AVG 8.5
Broadcom Gigabit Integrated Controller
BroadJump Client Foundation
C-Major Audio
Canon iP1600
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
Conexant D480 MDC V.92 Modem
Dell Wireless WLAN Card
DivX Codec
DivX Version Checker
Free Sound Recorder
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
IrfanView (remove only)
Legacy 7.0
Legacy Charting 7.0
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.14)
Nero - Burning Rom
O2Micro Smartcard Driver
QuickSet
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Spybot - Search & Destroy
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Internet Explorer 8 Multilingual User Interface (MUI)
Windows Media Format 11 runtime
Windows XP Service Pack 3


Thanks for replying so quickly to my first message, elluna

Re: Windows Police Pro Infection
Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\nsr01.dll
    c:\windows\Xfavo.dat
    c:\windows\Atexutilesolasi.bin
    c:\windows\wp4.dat
    c:\windows\wp3.dat
    c:\documents and settings\Bronwyn Krause\Application Data\xlscheck332.exe
    c:\documents and settings\Bronwyn Krause\Application Data\xlsupdate332.exe
    c:\windows\snhipkm.dll

    DirLook::
    C:\Temp
    c:\temp\ext23872
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    (screenshot: dragging CFScript.txt onto ComboFix.exe)

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.
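A small triage script, added here as an example and not part of this thread or of ComboFix itself, that applies the same kind of reasoning the helper used when turning the posted log into the CFScript above: it flags files carrying both the system and hidden attributes with an executable extension, an LSA Notification Package other than scecli, and a DLL loaded into a listed process from outside system32, then renders the hits as a File:: block. The sample lines are copied from the log posted earlier in the thread; the three heuristics are this example's assumptions, not ComboFix's own logic.

```python
import re
from typing import Dict, List

# Constructed offline input: lines copied from the ComboFix log posted in this
# thread (file entries, the LSA key, and the per-process DLL section).
SAMPLE_LOG = r"""
2009-10-23 21:55 . 2009-10-23 21:55 85504 --sh--w- c:\documents and settings\Bronwyn Krause\Application Data\xlscheck332.exe
2009-10-19 22:23 . 2009-10-19 22:23 75776 --sh--w- c:\documents and settings\Bronwyn Krause\Application Data\xlsupdate332.exe
2009-09-02 18:09 . 2009-09-02 18:09 61440 --sh--w- c:\windows\system32\googletoolbar_download.exe
2009-09-11 14:18 . 2002-08-29 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-19 22:25 . 2009-10-19 22:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli snhipkm.dll
- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\WININET.dll
c:\windows\snhipkm.dll
- - - - - - - > 'explorer.exe'(3020)
c:\windows\system32\ieframe.dll
c:\windows\snhipkm.dll
"""

# File entry: "<created> . <modified> <size or --------> <attrs> <path>", where
# attrs is ComboFix's 8-character flag string (d=directory, s=system, h=hidden,
# a=archive, w/r=writable/read-only), e.g. "--sh--w-".
FILE_ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) (\S{8}) (.+)$"
)
PROCESS_HEADER = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")
LSA_PACKAGES = re.compile(r"^Notification Packages REG_MULTI_SZ (.+)$")
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)

EXECUTABLE_EXT = (".exe", ".dll", ".sys")
# The only LSA notification package a stock Windows XP install registers.
KNOWN_LSA_PACKAGES = {"scecli"}
SYSTEM32 = r"c:\windows\system32"


def triage(log_text: str) -> Dict[str, List[str]]:
    r"""Collect log entries matching three heuristics (assumptions of this
    example, not ComboFix logic):
      hidden_system_exe  - file (not directory) with system+hidden attributes
                           and an executable extension
      lsa_package        - LSA Notification Package other than scecli
      dll_outside_sys32  - DLL loaded into a listed process from a directory
                           other than system32 (here: straight from c:\windows)
    """
    found: Dict[str, List[str]] = {
        "hidden_system_exe": [], "lsa_package": [], "dll_outside_sys32": []}
    current_process = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_ENTRY.match(line)
        if m:
            attrs, path = m.group(4), m.group(5)
            if (not attrs.startswith("d") and "s" in attrs and "h" in attrs
                    and path.lower().endswith(EXECUTABLE_EXT)):
                found["hidden_system_exe"].append(path)
            continue
        m = LSA_PACKAGES.match(line)
        if m:
            for pkg in m.group(1).split():
                if pkg.lower().removesuffix(".dll") not in KNOWN_LSA_PACKAGES:
                    found["lsa_package"].append(pkg)
            continue
        m = PROCESS_HEADER.match(line)
        if m:
            current_process = m.group(1)
            continue
        if current_process is None:
            continue
        if not DRIVE_PATH.match(line):
            current_process = None  # left the per-process DLL list
            continue
        if line.lower().endswith(".dll"):
            directory = line.rsplit("\\", 1)[0].lower()
            if directory != SYSTEM32:
                found["dll_outside_sys32"].append(f"{current_process}: {line}")
    return found


def build_cfscript(found: Dict[str, List[str]]) -> str:
    r"""Render the flagged files as the File:: block of a CFScript, the same
    directive the helper used above. The LSA package is only a bare filename in
    the registry line, so its full path comes from the process section, where
    ComboFix listed the DLL under c:\windows."""
    paths = set(found["hidden_system_exe"])
    paths.update(e.split(": ", 1)[1] for e in found["dll_outside_sys32"])
    return "File::\n" + "\n".join(sorted(paths, key=str.lower)) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    print(hits)
    print(build_cfscript(hits))
```

Against the sample the script flags the same xlscheck332.exe, xlsupdate332.exe and snhipkm.dll the helper listed, plus googletoolbar_download.exe, which the helper left out; the heuristics are a starting point for a human read of the log, not a verdict.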

Re: Windows Police Pro Infection
Ok, here you go:

ComboFix 09-10-22.01 - Bronwyn Krause 10/23/2009 21:02.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.441 [GMT -7:00]
Running from: c:\documents and settings\Bronwyn Krause\Desktop\commy.exe
Command switches used :: c:\documents and settings\Bronwyn Krause\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\Bronwyn Krause\Application Data\xlscheck332.exe"
"c:\documents and settings\Bronwyn Krause\Application Data\xlsupdate332.exe"
"c:\windows\Atexutilesolasi.bin"
"c:\windows\snhipkm.dll"
"c:\windows\system32\nsr01.dll"
"c:\windows\wp3.dat"
"c:\windows\wp4.dat"
"c:\windows\Xfavo.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bronwyn Krause\Application Data\xlscheck332.exe
c:\documents and settings\Bronwyn Krause\Application Data\xlsupdate332.exe
c:\windows\Atexutilesolasi.bin
c:\windows\snhipkm.dll
c:\windows\system32\nsr01.dll
c:\windows\wp3.dat
c:\windows\wp4.dat
c:\windows\Xfavo.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-23 21:56 . 2009-10-23 22:33 -------- d-----w- C:\commy
2009-10-22 03:34 . 2009-10-22 03:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2009-10-22 03:22 . 2009-10-23 18:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-10-22 01:27 . 2009-10-22 01:27 45 ----a-w- c:\windows\system32\ca.dat
2009-10-20 00:00 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 00:00 . 2009-10-22 03:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 00:00 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-19 22:26 . 2009-10-19 22:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-19 22:25 . 2009-10-19 22:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-19 21:45 . 2009-10-19 21:45 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\Malwarebytes
2009-10-19 21:44 . 2009-10-19 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-19 04:15 . 2009-10-19 04:15 -------- d-----w- c:\documents and settings\Bronwyn Krause\Local Settings\Application Data\{77E70BE5-F789-49BF-9E98-30DBAEA43B6F}
2009-10-19 03:58 . 2009-10-19 21:48 561664 ----a-w- c:\windows\system32\plugie.dll
2009-10-19 03:52 . 2009-10-19 03:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-19 03:40 . 2009-10-19 03:40 -------- d-----w- c:\temp\ext23872
2009-10-19 03:40 . 2009-10-19 03:40 -------- d-----w- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 21:52 . 2009-04-26 01:06 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\U3
2009-10-23 21:49 . 2009-04-26 05:09 23688 ----a-w- c:\documents and settings\Bronwyn Krause\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 21:45 . 2009-09-19 04:32 0 ----a-r- c:\windows\win32k.sys
2009-10-20 00:38 . 2009-09-06 02:00 -------- d-----w- c:\program files\DivX
2009-10-20 00:35 . 2009-04-21 16:54 -------- d-----w- c:\program files\Google
2009-10-19 21:53 . 2009-09-11 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-19 03:45 . 2009-10-19 03:45 94720 --sh--w- c:\documents and settings\Bronwyn Krause\Application Data\mls_checker.exe
2009-10-11 00:20 . 2009-07-29 03:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-02 04:57 . 2009-09-07 03:24 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\Big Fish Games
2009-09-20 01:50 . 2009-09-20 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Awem
2009-09-18 03:13 . 2009-09-18 03:13 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\Merscom
2009-09-18 03:13 . 2009-09-18 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2009-09-16 23:31 . 2009-09-16 23:31 33280 ----a-w- c:\windows\system32\yxhls0.dll
2009-09-15 22:47 . 2009-09-15 22:47 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\V-Games
2009-09-13 03:37 . 2009-09-13 03:00 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\VampireSaga
2009-09-12 00:10 . 2009-09-12 00:10 -------- d-----w- c:\program files\GRETECH
2009-09-11 23:42 . 2009-09-06 01:27 -------- d-----w- c:\program files\Windows Media Connect 2
2009-09-11 23:28 . 2009-09-11 23:25 -------- d-----w- c:\program files\Defraggler
2009-09-11 21:52 . 2009-09-11 21:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 14:18 . 2002-08-29 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 03:29 . 2009-09-10 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-09-10 03:11 . 2009-09-06 02:01 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\DivX
2009-09-06 02:00 . 2009-09-06 02:00 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-04 21:03 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 18:09 . 2009-09-02 18:09 61440 --sh--w- c:\windows\system32\googletoolbar_download.exe
2009-08-31 01:14 . 2009-08-31 01:14 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\SulusGames
2009-08-31 01:14 . 2009-08-31 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
2009-08-30 22:55 . 2009-08-30 22:55 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\PoBros
2009-08-30 22:55 . 2009-08-30 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\PoBros
2009-08-30 21:31 . 2009-08-30 21:31 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\MA
2009-08-29 08:08 . 2006-06-23 18:33 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 01:31 . 2009-08-29 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Princess Isabella
2009-08-28 03:33 . 2009-08-28 03:33 -------- d-----w- c:\documents and settings\Bronwyn Krause\Application Data\Artogon
2009-08-26 08:00 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-19 00:45 . 2009-04-27 03:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-19 00:45 . 2009-04-27 03:31 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-19 00:45 . 2009-04-27 03:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-07 02:24 . 2009-04-21 00:09 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2008-10-16 21:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2009-04-21 00:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2009-04-21 00:09 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2009-04-20 20:38 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2002-08-29 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2009-04-21 00:09 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2009-04-27 03:08 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2009-04-20 20:38 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 02:23 . 2008-10-16 21:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2002-08-29 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:44 . 2002-08-29 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-05 02:52 . 2009-08-05 02:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\Temp ----

2009-10-19 03:40 . 2009-10-19 03:40 788 ---ha-w- c:\temp\ext23872\$shtdwn$.req
2009-10-02 18:01 . 2009-10-02 18:01 25198016 ----a-w- c:\temp\ext23872\mrt.exe
2009-10-02 18:01 . 2009-10-02 18:01 25024 ----a-w- c:\temp\ext23872\mrtstub.exe

---- Directory of c:\temp\ext23872 ----

2009-10-19 03:40 . 2009-10-19 03:40 788 ---ha-w- c:\temp\ext23872\$shtdwn$.req
2009-10-02 18:01 . 2009-10-02 18:01 25198016 ----a-w- c:\temp\ext23872\mrt.exe
2009-10-02 18:01 . 2009-10-02 18:01 25024 ----a-w- c:\temp\ext23872\mrtstub.exe


((((((((((((((((((((((((((((( SnapShot@2009-10-23_22.28.33 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-20 20:45 . 2009-10-23 22:11 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-20 20:45 . 2009-10-24 03:57 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-20 20:45 . 2009-10-24 03:57 65536 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-20 20:45 . 2009-10-23 22:11 65536 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-09-10 04:13 . 2009-10-23 22:11 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-09-10 04:13 . 2009-10-24 03:57 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-04-20 20:45 . 2009-10-24 03:57 1081344 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-20 20:45 . 2009-10-23 22:11 1081344 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77DC0B63-ff35-4ba9-8BE8-aa9EB676FA02}]
2009-10-19 21:48 561664 ----a-w- c:\windows\system32\plugie.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 18:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2006-11-01 1392640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"WinsysMon"="c:\windows\system32\googletoolbar_download.exe" [2009-09-02 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-19 00:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/26/2009 8:31 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/26/2009 8:32 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/26/2009 8:31 PM 297752]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [4/20/2009 3:57 PM 92550]
S3 NetWlan5;Symbol Based 802.11b Wireless LAN Card Driver;c:\windows\system32\drivers\NetWlan5.sys [4/20/2009 11:30 PM 132695]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Bronwyn Krause\Application Data\Mozilla\Firefox\Profiles\lf5yow59.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig#min7|http://www.google.com/calendar/render
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - hidden: XULRunner: {77E70BE5-F789-49BF-9E98-30DBAEA43B6F} - c:\documents and settings\Bronwyn Krause\Local Settings\Application Data\{77E70BE5-F789-49BF-9E98-30DBAEA43B6F}
FF - hidden: XULRunner: {A139F3A6-F214-46CB-8F12-AADF67141591} - c:\documents and settings\Administrator\Local Settings\Application Data\{A139F3A6-F214-46CB-8F12-AADF67141591}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 21:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,a3,09,38,3e,b0,6f,45,86,d3,dc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,a3,09,38,3e,b0,6f,45,86,d3,dc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(868)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(672)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\windows\System32\bcmwltry.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\commy17262c\CF30235.exe
c:\commy17262c\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-24 21:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-24 04:19
ComboFix2.txt 2009-10-23 22:33

Pre-Run: 26,238,418,944 bytes free
Post-Run: 26,200,268,800 bytes free

- - End Of File - - 48096F837CC170B37A8DD9891EEBC719

I'll check back again in the am.
Cheers, elluna

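The ComboFix log above already carries the indicators a triager would circle by hand: two executables carrying the system+hidden attribute pair (mls_checker.exe and googletoolbar_download.exe), a Run value ("WinsysMon") whose target is one of those hidden files, a zero-byte win32k.sys sitting in c:\windows instead of system32, WININET.dll loaded inside winlogon.exe and lsass.exe, and EnableFirewall set to 0. The Python script below is an added example, not part of this thread and not ComboFix's own tooling: it parses the file-listing, registry, and "DLLs Loaded Under Running Processes" sections of a ComboFix-style log and applies those checks, so it generalizes to any log in this format rather than just this one. The name sets KERNEL_NAMES, SENSITIVE_PROCS and NETWORK_DLLS are the author's heuristics, and SAMPLE_LOG is constructed from lines copied out of the log above.

```python
import re

# Constructed sample: a handful of lines copied from the ComboFix log posted
# above, kept in ComboFix's own format so the parsers can be tried offline.
SAMPLE_LOG = r"""
2009-10-19 03:45 . 2009-10-19 03:45 94720 --sh--w- c:\documents and settings\Bronwyn Krause\Application Data\mls_checker.exe
2009-10-23 21:45 . 2009-09-19 04:32 0 ----a-r- c:\windows\win32k.sys
2009-09-02 18:09 . 2009-09-02 18:09 61440 --sh--w- c:\windows\system32\googletoolbar_download.exe
2009-09-11 14:18 . 2002-08-29 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-19 03:52 . 2009-10-19 03:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"WinsysMon"="c:\windows\system32\googletoolbar_download.exe" [2009-09-02 61440]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(868)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(672)
c:\windows\system32\WININET.dll
"""

# "<created> . <modified> <size|--------> <8-char attrs> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) (\S{8}) (.+)$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]+)"')      # "name"="path" [...]
PROC_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")     # - - - > 'proc'(pid)

# Heuristic name sets: assumptions of this example, not anything ComboFix encodes.
KERNEL_NAMES = {"win32k.sys", "ntoskrnl.exe", "ntkrnlpa.exe"}
SENSITIVE_PROCS = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe"}
NETWORK_DLLS = {"wininet.dll", "ws2_32.dll", "wsock32.dll", "urlmon.dll"}
EXEC_EXT = (".exe", ".dll", ".sys")


def parse_files(text):
    """Return (size, attrs, path) for every file-listing line in the log."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            size = None if m.group(3) == "--------" else int(m.group(3))
            out.append((size, m.group(4), m.group(5).strip()))
    return out


def hidden_executables(files):
    """Executables carrying both the system and hidden attributes (--sh--)."""
    return [p for size, attrs, p in files
            if not attrs.startswith("d") and "s" in attrs and "h" in attrs
            and p.lower().endswith(EXEC_EXT)]


def misplaced_kernel_files(files):
    """Files named like a kernel binary but outside system32, or zero bytes."""
    hits = []
    for size, attrs, p in files:
        parent, _, name = p.rpartition("\\")
        if name.lower() in KERNEL_NAMES:
            if not parent.lower().endswith("\\system32") or size == 0:
                hits.append(p)
    return hits


def parse_run_values(text):
    """(value name, target path) for every value under a ...\\Run key."""
    section, out = "", []
    for line in text.splitlines():
        if line.startswith("["):
            section = line.lower()
        elif section.endswith("\\run]"):
            m = VALUE_RE.match(line)
            if m:
                out.append((m.group(1), m.group(2)))
    return out


def run_targets_that_are_hidden(text):
    """Autostart entries whose target file is itself marked system+hidden."""
    hidden = {p.lower() for p in hidden_executables(parse_files(text))}
    return [(n, p) for n, p in parse_run_values(text) if p.lower() in hidden]


def network_dlls_in_sensitive_processes(text):
    """Network-stack DLLs inside processes that have no business doing HTTP."""
    proc, hits = None, []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            proc = m.group(1).lower()
        elif not line.strip():
            proc = None                       # blank line ends a process block
        elif proc in SENSITIVE_PROCS:
            if line.strip().rpartition("\\")[2].lower() in NETWORK_DLLS:
                hits.append((proc, line.strip()))
    return hits


def firewall_disabled(text):
    """True when the standard-profile Windows Firewall is switched off."""
    return re.search(r'^"EnableFirewall"\s*=\s*0\b', text, re.M) is not None


def triage(text):
    files = parse_files(text)
    return {
        "hidden_executables": hidden_executables(files),
        "misplaced_kernel_files": misplaced_kernel_files(files),
        "hidden_autostart_targets": run_targets_that_are_hidden(text),
        "network_dll_in_sensitive_process": network_dlls_in_sensitive_processes(text),
        "firewall_disabled": firewall_disabled(text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```

Run it against a saved ComboFix.txt by reading the file into `triage()`. The checks are deliberately cross-referenced: a system+hidden executable on its own is only mildly odd, but the same path appearing as an autostart target is what made "WinsysMon" stand out here, and WININET.dll in winlogon.exe and lsass.exe is the injection pattern that goes with the Olmarik/TDSS detections the later scans report.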
Re: Windows Police Pro Infection

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: Windows Police Pro Infection

ok, here's the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6210
# api_version=3.0.2
# EOSSerial=5d80de67c31acf4a831ccedc86dc4554
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-24 05:04:13
# local_time=2009-10-24 10:04:13 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1028 16777190 100 87 0 14678113 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=32718
# found=17
# cleaned=17
# scan_time=1041
C:\Documents and Settings\Bronwyn Krause\Application Data\mls_checker.exe a variant of Win32/Kryptik.AWD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Bronwyn Krause\Application Data\xlsupdate332.exe.vir a variant of Win32/Olmarik.OV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir a variant of Win32/Kryptik.AWD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxkvnsdhmd.dll.vir probably a variant of Win32/Obfuscated trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\rotscxvnxteooe.sys.vir a variant of Win32/Olmarik.LZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\dbsinit.exe.vir Win32/Adware.WinAntiVirus application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\wispex.html.vir Win32/Adware.WinAntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{76872B16-EDDC-45C2-B480-79DD1F7DB703}\RP180\A0019490.exe Win32/Adware.WinAntiVirus application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{76872B16-EDDC-45C2-B480-79DD1F7DB703}\RP180\A0019494.exe a variant of Win32/Kryptik.AWD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{76872B16-EDDC-45C2-B480-79DD1F7DB703}\RP180\A0019496.dll a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{76872B16-EDDC-45C2-B480-79DD1F7DB703}\RP180\A0019614.exe a variant of Win32/Olmarik.OV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{76872B16-EDDC-45C2-B480-79DD1F7DB703}\RP180\A0019616.dll a variant of Win32/Spy.Ambler.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{76872B16-EDDC-45C2-B480-79DD1F7DB703}\RP180\A0019784.exe a variant of Win32/Kryptik.AWD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\googletoolbar_download.exe Win32/TrojanDownloader.VB.ODV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\yxhls0.dll Win32/Spy.Ambler.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\spool\prtprocs\w32x86\1.tmp a variant of Win32/Olmarik.OV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Re: Windows Police Pro Infection

Hello
Your log still shows one more infection.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Re: Windows Police Pro Infection

Ok, here's the log:

GooredFix by jpshortstuff (24.09.09.1)
Log created at 15:17 on 24/10/2009 (Bronwyn Krause)
Firefox version 3.0.14 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{77E70BE5-F789-49BF-9E98-30DBAEA43B6F} -> Success!
Deleting C:\Documents and Settings\Bronwyn Krause\Local Settings\Application Data\{77E70BE5-F789-49BF-9E98-30DBAEA43B6F} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{A139F3A6-F214-46CB-8F12-AADF67141591} -> Success!
Deleting C:\Documents and Settings\Administrator\Local Settings\Application Data\{A139F3A6-F214-46CB-8F12-AADF67141591} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:34 26/04/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [03:31 27/04/2009]
"avg@igeared"="C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared" [00:36 11/10/2009]

-=E.O.F=-

Re: Windows Police Pro Infection

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: Windows Police Pro Infection

Yah! Malware worked this time!

Malwarebytes' Anti-Malware 1.41
Database version: 3027
Windows 5.1.2600 Service Pack 3

10/24/2009 7:13:42 PM
mbam-log-2009-10-24 (19-13-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 131469
Time elapsed: 25 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{77dc0b63-ff35-4ba9-8be8-aa9eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0b63-ff35-4ba9-8be8-aa9eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77dc0b63-ff35-4ba9-8be8-aa9eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{85ce3383-ee2e-4c76-a038-286b273e16c4} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85ce3383-ee2e-4c76-a038-286b273e16c4} (Password.Stealer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\plugie.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bronwyn Krause\Application Data\xlscheck332.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bronwyn Krause\Local Settings\Temporary Internet Files\Content.IE5\NZPRBC6P\xlscheck332[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Bronwyn Krause\Application Data\xlscheck332.exe.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\svohost.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pump.exe.vir (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxfoyumiyl.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxojnvurdw.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxqxvmykri.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxrrfwbwuy.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxweojliew.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{76872B16-EDDC-45C2-B480-79DD1F7DB703}\RP180\A0019487.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{76872B16-EDDC-45C2-B480-79DD1F7DB703}\RP180\A0019489.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{76872B16-EDDC-45C2-B480-79DD1F7DB703}\RP180\A0019613.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{76872B16-EDDC-45C2-B480-79DD1F7DB703}\RP180\A0019615.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{76872B16-EDDC-45C2-B480-79DD1F7DB703}\RP180\A0019786.dll (Trojan.Ambler) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bronwyn Krause\Local Settings\temp\hi.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ca.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Re: Windows Police Pro Infection

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?

Re: Windows Police Pro Infection

Done and done.
System is running great now. Thanks for your help!
Cheers, Elluna
