WiredWX Christian Hobby Weather Tools
Did battle with internet security 2010. my combofix report...
Hey,

I've been trying to deal with this damn trojan program for the past four hours. Combofix did the job of getting rid of it... at least I think it did; however, now I'm left with two things: the report below and the fact that I think a major file is damaged, as now every program says 'Illegal operation attempted on a registry key that has been marked for deletion.'

I thought I could cope with dealing with this but now realise I'm sort of screwed. If anyone has a spare minute and might know what I should do next, please let me know.

I don't want to give up and reboot my machine. Someone recommended downloading MGtools to try to see what might be damaged; would anyone agree?

Thank you for any advice.

David Whoa!





ComboFix 10-02-12.01 - David 13/02/2010 14:01:48.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.2008.1042 [GMT 0:00]
Running from: H:\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1926248432-2299047243-2415942083-500
c:\program files\InternetSecurity2010
c:\program files\InternetSecurity2010\IS2010.exe
C:\s
c:\users\King David\AppData\Local\av.exe
c:\users\King David\AppData\Local\Microsoft\Windows\Temporary Internet Files\BM88xl.jpg
c:\users\King David\AppData\Local\Microsoft\Windows\Temporary Internet Files\mx25A6mnk.jpg
c:\users\King David\AppData\Local\Microsoft\Windows\Temporary Internet Files\udRemove.exe
c:\users\King David\AppData\Local\Microsoft\Windows\Temporary Internet Files\y843aP.jpg
c:\users\King David\AppData\Local\Microsoft\Windows\Temporary Internet Files\YbOnBa5nX.jpg
c:\users\King David\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
c:\users\King David\AppData\Roaming\Microsoft\Windows\Start Menu\Internet Security 2010.lnk
c:\windows\system32\404Fix.exe
c:\windows\system32\41.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\an99qdenr.dll
c:\windows\system32\drivers\vzivvqfa.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\flags.ini
c:\windows\system32\helper32.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\kbdsock.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\mshlps.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\oem5.inf
c:\windows\system32\Process.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\smss32.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\uses32.dat
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\warning.html
c:\windows\system32\winlogon32.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_vzivvqfa
-------\Service_vzivvqfa


((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.

2010-02-13 14:12 . 2010-02-13 14:14 -------- d-----w- c:\users\King David\AppData\Local\temp
2010-02-13 14:12 . 2010-02-13 14:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-13 13:58 . 2010-02-13 13:58 -------- dc----w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-13 13:52 . 2010-02-13 13:52 -------- d-----w- C:\32788R22FWJFW
2010-02-13 13:06 . 2010-02-13 13:24 35 ----a-w- c:\users\King David\AppData\Roaming\SetValue.bat
2010-02-13 13:05 . 2010-02-13 13:07 -------- d-----w- c:\windows\system32\SmitfraudFix
2010-02-13 12:41 . 2010-02-13 12:41 -------- d--h--w- c:\windows\PIF
2010-02-13 12:30 . 2010-02-13 12:30 0 ----a-w- c:\windows\nsreg.dat
2010-02-06 20:07 . 2010-02-06 20:07 53760 ----a-w- c:\windows\system32\drivers\SSHDRV76.sys
2010-02-06 19:38 . 2010-02-06 20:13 -------- d-----w- c:\program files\Ascaron Entertainment
2010-01-23 10:36 . 2010-01-23 10:36 -------- d-----w- c:\program files\SmartUndelete
2010-01-22 18:41 . 2010-01-22 18:41 -------- d-----w- c:\users\King David\AppData\Roaming\JGsoft
2010-01-22 18:41 . 2010-01-22 18:41 -------- d-----w- c:\program files\JGsoft
2010-01-22 18:41 . 2009-12-16 03:30 66800 ----a-w- c:\windows\UnDeployV.exe
2010-01-16 16:05 . 2010-01-16 16:05 -------- d-----w- c:\program files\Black Isle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 14:15 . 2009-12-28 01:59 -------- d-----w- c:\users\King David\AppData\Roaming\uTorrent
2010-02-13 14:14 . 2010-02-13 13:57 -------- d-----w- c:\program files\Spyware Doctor
2010-02-13 13:57 . 2010-02-13 13:57 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-13 13:57 . 2010-02-13 13:57 -------- d-----w- c:\users\King David\AppData\Roaming\PC Tools
2010-02-13 13:57 . 2010-02-13 13:57 -------- d-----w- c:\programdata\PC Tools
2010-02-13 13:24 . 2010-02-13 13:06 691 ----a-w- c:\users\King David\AppData\Roaming\GetValue.vbs
2010-02-11 17:05 . 2009-12-24 00:48 -------- d-----w- c:\users\King David\AppData\Roaming\vlc
2010-02-06 18:41 . 2009-12-27 22:39 -------- d-----w- c:\users\King David\AppData\Roaming\PCF-VLC
2010-01-31 22:13 . 2009-08-25 14:05 6714 ----a-w- c:\users\King David\AppData\Roaming\wklnhst.dat
2010-01-26 21:10 . 2009-10-04 16:14 -------- d-----w- c:\program files\Lx_cats
2010-01-23 20:17 . 2009-08-28 19:04 -------- d-----w- c:\users\King David\AppData\Roaming\dvdcss
2010-01-16 16:05 . 2009-08-16 21:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-16 16:05 . 2009-08-16 21:42 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-16 15:09 . 2010-01-05 13:14 -------- d-----w- c:\program files\Activision
2010-01-04 03:22 . 2010-01-04 03:22 -------- d-----w- c:\program files\Sierra
2010-01-02 19:12 . 2010-01-01 23:43 -------- d-----w- c:\program files\Soldier of Fortune II - Double Helix
2010-01-02 19:11 . 2009-12-25 00:07 -------- d-----w- c:\program files\Paradox Interactive
2009-12-31 14:53 . 2009-12-26 02:49 -------- d-----w- c:\program files\Firefly Studios
2009-12-28 10:39 . 2009-12-28 10:39 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-28 01:59 . 2009-12-28 01:59 -------- d-----w- c:\program files\uTorrent
2009-12-28 01:39 . 2009-12-28 01:18 -------- d-----w- c:\program files\Empire - Total War
2009-12-27 19:58 . 2009-12-27 19:58 -------- d-----w- c:\program files\Sierra On-Line
2009-12-27 19:38 . 2009-12-27 19:38 -------- d-----w- c:\program files\Alcohol Soft
2009-12-27 19:34 . 2009-12-27 19:34 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-26 02:14 . 2009-12-26 02:14 -------- d-----w- c:\users\King David\AppData\Roaming\gtk-2.0
2009-12-26 02:03 . 2009-12-26 02:03 -------- d-----w- c:\users\King David\AppData\Roaming\Participatory Culture Foundation
2009-12-26 02:02 . 2009-12-26 02:02 -------- d-----w- c:\program files\Participatory Culture Foundation
2009-12-26 00:41 . 2009-12-26 00:41 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-12-26 00:41 . 2009-12-26 00:41 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-12-02 12:29 . 2009-12-02 12:29 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2009-08-16 22:00 . 2009-08-16 22:00 75 --sh--r- c:\windows\CT4CET.bin
2009-08-17 00:02 . 2009-04-11 19:01 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-12-28 289584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-05-08 1516840]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-05-11 483428]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-05-10 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-05-10 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-05-10 150552]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-21 3810304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 20480]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^King David^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\King David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 12:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 04:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-02-05 02:26 128232 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-22 19:05 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_SZ c:\windows\system32\mshlps.dll

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [13/02/2010 13:57 207792]
R1 SSHDRV76;SSHDRV76;c:\windows\System32\drivers\SSHDRV76.sys [06/02/2010 20:07 53760]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\AEstSrv.exe [17/08/2009 00:07 81920]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [13/02/2010 13:57 112592]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [18/12/2008 19:05 155648]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
R2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxdcserv.exe [25/05/2007 08:38 99248]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [13/02/2010 13:57 359624]
R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [21/01/2008 02:33 21504]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\System32\drivers\CtClsFlt.sys [16/08/2009 21:59 144128]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
yksvcs REG_MULTI_SZ yksvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-12 c:\windows\Tasks\User_Feed_Synchronization-{3F0A56F2-8589-49CB-9DFD-A6CCBA74D102}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:34]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
FF - ProfilePath - c:\users\King David\AppData\Roaming\Mozilla\Firefox\Profiles\z20p6oa2.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{A3BA40A2-74F0-42BD-F434-00B15A2C8953} - c:\windows\system32\an99qdenr.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Remote System Protection - c:\windows\system32\an99qdenr.dll
HKCU-Run-smss32.exe - c:\windows\system32\smss32.exe
SharedTaskScheduler-{A3BA40A2-74F0-42BD-F434-00B15A2C8953} - c:\windows\system32\an99qdenr.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-13 14:15
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys iastor.sys spza.sys hal.dll >>UNKNOWN [0x84D51938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8819f322
\Driver\ACPI -> acpi.sys @ 0x805b1d68
\Driver\iaStor -> iastor.sys @ 0x87c505a0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3912)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\timedate.cpl
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\lxdccoms.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-02-13 14:19:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-13 14:19

Pre-Run: 92,515,819,520 bytes free
Post-Run: 96,578,150,400 bytes free

- - End Of File - - 86997278D80E2BD9A360DB6AAC27320D
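A small triage pass over the report format above, added here as an example and not part of any post in this thread: it parses ComboFix-style "Reg Loading Points" and "Trusted Zone" lines and flags the entries a helper would check first (AppCertDlls injection, UAC switched off, Trusted Zone domains, Run entries launched from a user-writable path). The sample log is constructed; the `Remote System Protection` Run entry pointing at `av.exe` is assumed for illustration, while the other lines are copied from the report.

```python
import re

# Constructed excerpt in ComboFix layout. The AppCertDlls, EnableLUA and
# Trusted Zone lines are copied from the report above; the second Run entry
# is made up to exercise the user-writable-path check.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"Remote System Protection"="c:\users\King David\AppData\Local\av.exe" [2010-02-13 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_SZ c:\windows\system32\mshlps.dll

Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: buy-internetsecurity10.com
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")                              # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"?([^"\[]+?)"?\s*(\[.*\])?$')  # "name"="data" [date size]
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)$")
# Locations an unprivileged user (or malware running as one) can write to.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\", re.I)

def triage(log_text):
    """Return sorted, de-duplicated (kind, detail) findings from a ComboFix log."""
    findings = set()
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1).lower()
        elif m := TRUSTED_RE.match(line):
            # Rogue AV installers add their own sale sites to IE's Trusted Zone.
            findings.add(("trusted_zone", m.group(1)))
        elif section and section.endswith("\\appcertdlls"):
            # Every DLL listed here is loaded into each new process; legitimate use is rare.
            parts = line.split(None, 2)             # name  REG_SZ  path
            if len(parts) == 3:
                findings.add(("appcertdll", parts[2]))
        elif section and (m := VALUE_RE.match(line)):
            name, data = m.group(1), m.group(2).strip()
            if section.endswith("\\policies\\system") and name == "EnableLUA" and data.startswith("0"):
                findings.add(("uac_disabled", name))      # UAC switched off
            elif section.endswith("\\run") and USER_WRITABLE.search(data):
                findings.add(("run_from_user_path", f"{name} -> {data}"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```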

Re: Did battle with internet security 2010. my combofix report...
ComboFix should not be run without the guidance of a helper. It is a powerful tool and is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private or regular use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

========

Please do these steps in order.

1. Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


2. Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer:

http://www.bleepingcomputer.com/virus-removal/how-to-use-superantispyware-tutorial

Post the log from SUPERAntiSpyware when you've accomplished that.

4. Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


5. Post the following in your next reply:
  • MBAM log
  • SAS log
  • ESET log

And, please tell me how your computer is doing.

Re: Did battle with internet security 2010. my combofix report...
Hey, just wanted to say thanks for replying so quick. I know it was a dumb thing to run Combofix, but apparently the machine seems fine now... I'm a bit iffy though; I'm going to run more anti-malware and such scans, but hopefully it was simply in need of a reboot.

thank you for your help

Re: Did battle with internet security 2010. my combofix report...
ok
