Win32/Cryptor Virus Has a Grip on me! Please Help!!!

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/05/14 14:32
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF439A000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B52000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF141B000 Size: 45056 File Visible: No
Status: -

Name: UACbqhohxllldbbaom.sys
Image Path: C:\WINDOWS\system32\drivers\UACbqhohxllldbbaom.sys
Address: 0xF469A000 Size: 77824 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACbqhqbcrgeoxujrk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdqbwuljiufvoqvf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACepoonjxehuqvngw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACfsrnxyejglmajyt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpgrcykcjkxtkipj.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACrtlwawirgdowgix.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACycmuwqvnylksdpq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACbqhohxllldbbaom.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eric\Local Settings\Temp\UACb50a.tmp
Status: Invisible to the Windows API!

SSDT
-------------------
SYSENTER/INT2E Hooked [0x0046a530]!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: winlogon.exe (PID: 664) Address: 0x006a0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: winlogon.exe (PID: 664) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: services.exe (PID: 720) Address: 0x00660000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: services.exe (PID: 720) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: lsass.exe (PID: 732) Address: 0x006f0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: lsass.exe (PID: 732) Address: 0x007e0000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: Ati2evxx.exe (PID: 936) Address: 0x00aa0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: Ati2evxx.exe (PID: 936) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 956) Address: 0x007c0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 956) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 1060) Address: 0x007c0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 1060) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 1168) Address: 0x00800000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 1168) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 1296) Address: 0x007c0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 1296) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 1432) Address: 0x007c0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 1432) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: spoolsv.exe (PID: 1672) Address: 0x00b00000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: spoolsv.exe (PID: 1672) Address: 0x00a30000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: Iexplore.exe (PID: 128) Address: 0x00aa0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: Iexplore.exe (PID: 128) Address: 0x00b70000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: ctfmon.exe (PID: 296) Address: 0x00940000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: ctfmon.exe (PID: 296) Address: 0x00a50000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: ehtray.exe (PID: 116) Address: 0x00a10000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: ehtray.exe (PID: 116) Address: 0x00b30000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: jusched.exe (PID: 324) Address: 0x00cf0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: jusched.exe (PID: 324) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: stsystra.exe (PID: 136) Address: 0x00be0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: stsystra.exe (PID: 136) Address: 0x00cb0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 1140) Address: 0x007e0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 1140) Address: 0x00890000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: DLACTRLW.EXE (PID: 1288) Address: 0x00b20000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: DLACTRLW.EXE (PID: 1288) Address: 0x00a50000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: GoogleDesktop.exe (PID: 1272) Address: 0x00a80000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: GoogleDesktop.exe (PID: 1272) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: hpcmpmgr.exe (PID: 1408) Address: 0x00ae0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: hpcmpmgr.exe (PID: 1408) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: HPWuSchd2.exe (PID: 1416) Address: 0x00aa0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: HPWuSchd2.exe (PID: 1416) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: AppleMobileDeviceService.exe (PID: 1500) Address: 0x00740000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: AppleMobileDeviceService.exe (PID: 1500) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: OneTouch.exe (PID: 1540) Address: 0x00b50000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: OneTouch.exe (PID: 1540) Address: 0x00c10000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: GoogleDesktopIndex.exe (PID: 1620) Address: 0x00a20000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: GoogleDesktopIndex.exe (PID: 1620) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: MMDiag.exe (PID: 1640) Address: 0x00c50000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: MMDiag.exe (PID: 1640) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: avgwdsvc.exe (PID: 868) Address: 0x00740000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: avgwdsvc.exe (PID: 868) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: MXOALDR.EXE (PID: 1760) Address: 0x00aa0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: MXOALDR.EXE (PID: 1760) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: GoogleDesktopDisplay.exe (PID: 1808) Address: 0x003e0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: GoogleDesktopDisplay.exe (PID: 1808) Address: 0x00b00000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: ehRecvr.exe (PID: 1848) Address: 0x00650000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: ehRecvr.exe (PID: 1848) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: apdproxy.exe (PID: 1868) Address: 0x00af0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: apdproxy.exe (PID: 1868) Address: 0x00bc0000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: ehSched.exe (PID: 1920) Address: 0x00630000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: ehSched.exe (PID: 1920) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: realsched.exe (PID: 1928) Address: 0x00a90000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: realsched.exe (PID: 1928) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: mim.exe (PID: 1916) Address: 0x00ae0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: mim.exe (PID: 1916) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: jqs.exe (PID: 400) Address: 0x00760000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: jqs.exe (PID: 400) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: iTunesHelper.exe (PID: 396) Address: 0x00be0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: iTunesHelper.exe (PID: 396) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: avgrsx.exe (PID: 572) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: avgrsx.exe (PID: 572) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: avgnsx.exe (PID: 1008) Address: 0x007d0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: avgnsx.exe (PID: 1008) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: isuspm.exe (PID: 2544) Address: 0x00ac0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: isuspm.exe (PID: 2544) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 2896) Address: 0x007e0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 2896) Address: 0x00890000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 3000) Address: 0x007e0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 3000) Address: 0x00890000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: mcrdsvc.exe (PID: 3212) Address: 0x00680000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: mcrdsvc.exe (PID: 3212) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: explorer.exe (PID: 3460) Address: 0x00c60000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: explorer.exe (PID: 3460) Address: 0x00d90000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: dllhost.exe (PID: 3744) Address: 0x006d0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: dllhost.exe (PID: 3744) Address: 0x007a0000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: alg.exe (PID: 4000) Address: 0x00820000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: alg.exe (PID: 4000) Address: 0x00750000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: iPodService.exe (PID: 2452) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: iPodService.exe (PID: 2452) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: Iexplore.exe (PID: 896) Address: 0x00aa0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: Iexplore.exe (PID: 896) Address: 0x00b70000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: AcroRd32.exe (PID: 2220) Address: 0x00a80000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: AcroRd32.exe (PID: 2220) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: RootRepeal.exe (PID: 3856) Address: 0x00ef0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: RootRepeal.exe (PID: 3856) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: Iexplore.exe (PID: 3540) Address: 0x00aa0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: Iexplore.exe (PID: 3540) Address: 0x00b70000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACbqhohxllldbbaom.sys

Also...A RootRepeal Error window popped up when scan was done that said: Could not get our real service table pointers!

Details--Warning - the number of SSDT entries from the kernel and the number on-disk are different (284 and 0)

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACbqhohxllldbbaom.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

3. Please copy/paste the content of c:\avenger.txt into your reply.

I am in the process of following your last instructions. However, when Avenger did it's computer restart the Blue "Windows is starting up..." screen has been stuck for at least 5 minutes. I am able to move the cursor with the mouse. Is this normal or do I need to shut down and repeat your last instructions?

You can try rebooting, but this time, go to safe mode if you know how to do that.

If not, here's how:

• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
  
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.
  

When I shut down and restarted I missed the f8 timing. However the Avenger window did come up with the following text:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACbqhohxllldbbaom.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


What's the next step Obi 1?

Try running MBAM now.

No Luck running MBAM. When I double click on the icon an hourglass quickly appears then disappears. Nothing happens. I also tried right-clicking and opening...nothing.

Disabled AVG 8.5. Downloaded Combofix. When I double-click on combofix and then select *Run* nothing happens.

Hello.
Delete your copy of Combofix you have right now.

Now do this. Re-download Combofix again, but before doing so, read this next instructions for renaming Combofix.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Followed latest instructions. ComboFix started it's process...then a "Caution" Window came up that said...

*BleepingComputer.com *ForoSpyware.com *GeeksTogo.com

ComboFix.exe may be downloaded from any of the above sites. If you have downloaded from some other site, there's a likely chance that it may be tainted. For peace of mind, I suggest that you delete the current copy and get a fresh one. I wants me to click *OK*.

What Now?

It's probably an error, because Combofix has some checks it does before running.

One is expiration date, if Combofix isn't the latest version and it detects a new version, it asks that it's downloaded now. Your error is probably because it's renamed, but still run it.

ComboFix 09-05-14.05 - Eric 05/15/2009 5:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.595 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FunWebProducts
c:\windows\system32\drivers\UACadwqstivftqsatt.sys
c:\windows\system32\drivers\UACbqhohxllldbbaom.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\UACbqhqbcrgeoxujrk.dll
c:\windows\system32\UACdqbwuljiufvoqvf.dll
c:\windows\system32\UACepoonjxehuqvngw.dat
c:\windows\system32\UACfsrnxyejglmajyt.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACpgrcykcjkxtkipj.log
c:\windows\system32\UACqqoivnnkrabxdmt.dll
c:\windows\system32\UACrtlwawirgdowgix.dll
c:\windows\system32\UACycmuwqvnylksdpq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-14 21:32 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-14 21:32 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-14 21:31 . 2009-05-14 21:32 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-13 13:04 . 2009-05-13 13:04 -------- d-----w c:\program files\Trend Micro
2009-05-12 01:25 . 2009-05-14 11:03 -------- d-----w c:\program files\Mwrbts
2009-05-11 23:27 . 2009-05-11 23:27 -------- d-----w c:\documents and settings\Eric\Application Data\Malwarebytes
2009-05-11 22:03 . 2009-05-13 12:30 -------- d--h--w C:\$AVG8.VAULT$
2009-05-11 03:16 . 2009-05-11 03:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-11 02:56 . 2009-05-11 02:56 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-11 02:56 . 2009-05-11 02:56 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-11 02:55 . 2009-05-11 02:55 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-11 02:55 . 2009-05-11 02:55 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-11 02:55 . 2009-05-11 03:14 -------- d-----w c:\documents and settings\Eric\Application Data\AVGTOOLBAR
2009-05-11 02:54 . 2009-05-11 02:54 -------- d-----w c:\program files\AVG
2009-05-11 02:54 . 2009-05-11 02:54 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-11 02:39 . 2009-05-11 02:30 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-05-11 02:30 . 2009-05-11 02:30 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-11 02:26 . 2009-05-11 02:26 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-11 02:26 . 2009-05-11 02:26 -------- d-----w c:\program files\Lavasoft
2009-05-11 02:26 . 2009-05-11 02:30 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-10 00:43 . 2009-05-10 00:42 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-07 01:09 . 2009-05-11 02:24 -------- d-----w c:\program files\Registry Easy
2009-05-01 23:17 . 2004-08-10 05:42 77824 ------w c:\windows\system32\brlmw03a.dll
2009-05-01 23:17 . 2009-05-01 23:17 34 ----a-w c:\windows\system32\BD2140.DAT
2009-04-20 23:33 . 2009-04-21 03:32 -------- d-----w C:\Iron 2 Iron Group_Chapel
2009-04-17 03:07 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 03:07 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-17 03:07 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 03:07 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 03:07 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 03:07 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 03:07 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 03:07 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 03:07 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 03:07 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 03:05 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 03:05 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 03:37 . 2006-04-13 15:56 -------- d-----w c:\program files\Google
2009-05-11 03:35 . 2008-01-05 01:37 -------- d-----w c:\program files\Yahoo!
2009-05-11 03:35 . 2006-04-20 02:05 -------- d-----w c:\program files\Common Files\Scanner
2009-05-11 02:07 . 2006-04-22 10:41 -------- d-----w c:\program files\Brother
2009-05-11 02:07 . 2006-04-13 15:44 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-11 02:06 . 2006-04-13 15:44 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-05-11 02:06 . 2006-04-13 15:44 -------- d-----w c:\program files\Dell
2009-05-10 14:53 . 2008-12-21 13:26 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-10 01:54 . 2006-04-13 15:54 -------- d-----w c:\program files\McAfee
2009-05-10 00:41 . 2006-04-13 15:39 -------- d-----w c:\program files\Java
2009-05-01 23:17 . 2006-04-22 10:41 -------- d-----w c:\program files\Brownie
2009-05-01 23:16 . 2006-04-13 15:44 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:22 . 2005-08-16 09:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 09:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 09:18 78336 ----a-w c:\windows\system32\ieencode.dll
2006-12-17 17:41 . 2006-06-20 11:05 88 --sh--r c:\windows\system32\CF1CF066EF.sys
2008-06-11 11:39 . 2006-04-23 01:45 104 --sh--r c:\windows\system32\EF66F01CCF.sys
2008-06-11 11:39 . 2006-06-20 11:05 6686 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-10 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-13 169472]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"MaxtorOneTouch"="c:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2004-08-31 823296]
"MXOBG"="c:\windows\MXOALDR.EXE" [2003-10-10 94208]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-27 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-01-08 864256]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-11 516440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-11 1947928]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\Eric\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-2-22 2301952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-5-14 28672]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-13 24576]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 02:56 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2009 9:30 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/10/2009 9:55 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/10/2009 9:56 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/10/2009 9:54 PM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 953168]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c548e726-deef-11dc-8346-001372c78f17}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-05-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 02:30]

2009-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\n9q0alme.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 05:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3896)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\windows\system32\dllhost.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-15 6:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-15 11:06

Pre-Run: 13,694,070,784 bytes free
Post-Run: 15,204,970,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

228 --- E O F --- 2009-05-15 08:00


I am also getting a balloon popping up at the bottom of the page stating that my firewall is disabled. Should I turn it back on?

Hello.
Run the instructions in this next post and the balloon alert will stop.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

• Now open a new notepad file.
  
• Input this into the notepad file:
  

  
  Windows Registry Editor Version 5.00
  
  [HKEY_LOCAL_MACHINE\software\microsoft\security center]
  "AntiVirusDisableNotify"=-
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
  "EnableFirewall"=dword:00000001
  
  

  
  
• Save this as fix.reg, save it to your desktop.
  
• Double click fix.reg to run it.
  
• Select yes to the registry merge prompt.
  

Task Complete. What next?

Did the firewall come back on? if not, switch it back on manually.

Turned on Windows Firewall Manually.

What next?

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

Thank You Very Much.

I just updated AVG and am running a scan. I will follow all of your preventative measures.

I also will do the same for my laptop even though it isn't infected.

I have McAfee also running on my laptop, do I uninstall McAfee before installing the free AVG?

Do I need to set new restore points?

Also, should I delete/uninstall all of the programs you had me download to diagnose and fix (ie: Hijack This, Avenger, RootRepeal, etc)?

Yes, uninstall Mcafee. It is dangerous to have two AV's running at the same time.

You can delete the tools we used.