Hi there,

This is my first post and I have already found this post extremely helpful. It's made a tough situation a lot easier.

I bought a brand new PC last week and was online last night. Everything was going fantastically. The PC was running slickly and I was being extra careful in what programs I was installing.

Anyway, whilst browsing last night I was struck by a huge virus/malware "hijack" which threw my PC into a tailspin. I have never encountered anything like this before. Over the last 24 hours I have tried a number of the fixes suggested - ATF Cleaner, ComboFix, Malwarebytes, DSS (which won't run) and HiJackThis. I have also used CCleaner, Registry Mechanic and Rogue Remover, but I still haven't nailed it. You could say it's overkill!

The edge has certainly been taken off the virus, but the PC is now running quite sluggishly. This is a huge disappointment, naturally. I have used my pre-installed software, BitDefender 2008, and then downloaded and used AVG anti-virus.

Below I have included ALL my scans, in the hope that some kind soul will be able to help me. It would be most appreciated and I would be happy to donate to the forum.

I have also used the online "free scan" version of Kaspersky. Most of the programs report that the system is clean, but Kaspersky's online scan reported the following:

Wednesday, July 23, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 23, 2008 21:51:10
Records in database: 999411
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Paul\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics
Files scanned 53731
Threat name 2
Infected objects 3
Suspicious objects 0
Duration of the scan 00:38:03

File name Threat name Threats count
C:\WINDOWS\system32\IEDFix.C.exe Infected: Hoax.Win32.Renos.vaoz 1
C:\WINDOWS\system32\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz 1
C:\WINDOWS\system32\Tools\Restart.exe Infected: not-a-virus:RiskTool.Win32.Reboot.j 1
The selected area was scanned.
-----------------------------------------------------------------

ComboFix 08-07-22.4 - Paul 2008-07-23 11:27:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2360 [GMT 1:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Jenna\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Paul\Application Data\inst.exe
C:\Documents and Settings\Paul\Favorites\Error Cleaner.url
C:\Documents and Settings\Paul\Favorites\Privacy Protector.url
C:\Documents and Settings\Paul\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\system32\erpyiciv.dll
C:\WINDOWS\system32\iifeBspN.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opnnmJyA.dll
C:\WINDOWS\system32\qrBacfii.ini
C:\WINDOWS\system32\qrBacfii.ini2
C:\WINDOWS\system32\viciypre.ini

----- BITS: Possible infected sites -----

http://au.download.windowsupdaj+|Cv+@J:NGD_DQ{zcxLJS@a,D$@!
.
((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-23 03:41 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-23 03:40 . 2008-07-23 03:41 <DIR> d-------- C:\Program Files\Java
2008-07-23 03:40 . 2008-07-23 03:40 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-23 03:03 . 2008-07-23 03:54 3,986 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-23 03:02 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-23 03:02 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-23 03:02 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-23 03:02 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-23 03:02 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-23 03:02 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-23 03:02 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-23 03:02 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-23 03:02 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-23 02:35 . 2008-07-23 11:01 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-23 02:33 . 2008-07-23 02:35 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-23 02:33 . 2008-07-23 02:33 <DIR> d-------- C:\Program Files\AVG
2008-07-23 02:33 . 2008-07-23 02:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-23 02:33 . 2008-07-23 02:33 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-23 02:33 . 2008-07-23 02:33 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-23 02:33 . 2008-07-23 02:33 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-07-23 02:33 . 2008-07-23 02:33 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-23 02:07 . 2008-07-23 02:08 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-07-23 01:42 . 2008-07-23 01:42 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-23 01:39 . 2008-07-23 01:39 323,648 --a------ C:\WINDOWS\system32\iifcaBrq.dll
2008-07-22 20:09 . 1999-10-11 02:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-07-22 20:08 . 2008-07-22 22:08 <DIR> d-------- C:\Program Files\Audible
2008-07-22 20:08 . 2008-07-22 20:08 417,792 --a------ C:\WINDOWS\system32\awrdscdc.ax
2008-07-22 20:07 . 2008-07-22 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative
2008-07-22 20:05 . 2008-07-22 20:05 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Apple Computer
2008-07-22 02:53 . 2008-07-22 22:05 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Creative
2008-07-22 02:48 . 2008-07-22 02:49 <DIR> d--h----- C:\Program Files\Creative Installation Information
2008-07-22 02:48 . 2008-07-22 20:09 <DIR> d-------- C:\Program Files\Creative
2008-07-22 02:48 . 2008-07-22 02:48 <DIR> d-------- C:\Program Files\Common Files\Creative
2008-07-22 02:48 . 1999-12-13 01:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2008-07-22 02:48 . 1999-11-18 01:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2008-07-22 00:20 . 2008-07-22 01:26 <DIR> d-------- C:\Program Files\Arachnophilia
2008-07-21 23:33 . 2008-07-21 23:33 78 --a------ C:\WINDOWS\Numerical
2008-07-21 22:00 . 2008-07-21 22:00 76 --a------ C:\WINDOWS\Spatial
2008-07-20 02:04 . 2008-07-20 02:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-20 01:58 . 2008-07-20 01:58 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-20 01:57 . 2008-04-07 05:38 45,392 -ra------ C:\WINDOWS\system32\AdobePDF.dll
2008-07-20 01:57 . 2008-04-07 05:38 22,872 -ra------ C:\WINDOWS\system32\AdobePDFUI.dll
2008-07-20 01:53 . 2008-07-20 01:58 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-20 00:38 . 2008-07-20 00:46 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-20 00:37 . 2008-07-20 00:38 <DIR> d-------- C:\Program Files\CCleaner
2008-07-19 21:19 . 2008-07-22 17:53 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\CopyToDvd
2008-07-19 21:01 . 2008-07-19 21:01 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-07-19 21:00 . 2008-07-19 21:10 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-19 21:00 . 2008-07-22 02:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-19 20:51 . 2008-07-22 23:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-19 20:51 . 2008-07-19 20:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-19 18:12 . 2008-07-19 21:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-19 18:12 . 2008-07-19 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-19 12:04 . 2008-07-19 12:04 <DIR> d-------- C:\Program Files\dvd43
2008-07-19 12:04 . 2008-07-19 12:04 18,816 --a------ C:\WINDOWS\system32\drivers\dvd43llh.sys
2008-07-19 11:55 . 2008-07-19 11:55 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\DivX
2008-07-19 11:14 . 2008-07-21 23:32 74 --a------ C:\WINDOWS\Logic
2008-07-19 03:13 . 2008-07-19 03:13 82 --a------ C:\WINDOWS\Getting Started.htm
2008-07-19 03:13 . 2008-07-21 22:00 75 --a------ C:\WINDOWS\Verbal
2008-07-19 03:13 . 2008-07-21 23:41 75 --a------ C:\WINDOWS\Memory
2008-07-19 02:29 . 2008-07-19 03:11 76 --a------ C:\WINDOWS\1
2008-07-19 02:27 . 2008-07-19 03:05 <DIR> d-------- C:\WINDOWS\system32\Brain Trainer
2008-07-19 02:27 . 2008-07-19 02:27 <DIR> d-------- C:\Program Files\Mindscape
2008-07-19 02:19 . 2008-07-19 02:19 <DIR> d-------- C:\Program Files\PowerISO
2008-07-19 01:11 . 2008-07-19 01:11 <DIR> d-------- C:\Program Files\Brain Spa
2008-07-19 01:11 . 2008-07-19 01:11 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Ubisoft
2008-07-19 00:09 . 2008-07-21 21:59 729 --a------ C:\WINDOWS\0
2008-07-19 00:09 . 2008-07-21 21:59 73 --a------ C:\WINDOWS\Times New Roman
2008-07-18 23:31 . 2008-07-18 23:31 <DIR> d-------- C:\Program Files\Common Files\CyberLink
2008-07-18 23:30 . 2001-08-17 22:43 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-18 23:28 . 2008-07-18 23:28 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\CyberLink
2008-07-18 23:13 . 2008-07-18 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-18 23:08 . 2008-07-18 23:08 31 --a------ C:\WINDOWS\papp.ini
2008-07-18 22:38 . 2008-07-18 22:38 32 --a------ C:\WINDOWS\PracticalTest.ini
2008-07-18 21:59 . 2008-07-18 21:59 <DIR> d-------- C:\Program Files\Absolute Media Software
2008-07-18 01:17 . 2008-07-18 01:17 <DIR> d-------- C:\Documents and Settings\Jenna\Application Data\Ahead
2008-07-18 01:16 . 2008-07-18 01:16 <DIR> d-------- C:\Documents and Settings\Jenna\Application Data\DivX
2008-07-18 01:11 . 2008-07-18 01:11 <DIR> d-------- C:\Documents and Settings\Jenna\Application Data\BitDefender
2008-07-18 01:11 . 2008-07-23 03:58 <DIR> d-------- C:\Documents and Settings\Jenna
2008-07-18 01:06 . 2008-07-18 01:06 <DIR> d-------- C:\Program Files\Moss Bay Software
2008-07-18 00:48 . 2008-07-18 00:48 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Systweak
2008-07-18 00:38 . 2008-07-18 00:38 <DIR> d-------- C:\Documents and Settings\Paul\Downloads
2008-07-18 00:37 . 2008-07-18 00:37 <DIR> d-------- C:\Program Files\NewsLeecher
2008-07-18 00:37 . 2008-07-18 01:07 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\NewsLeecher
2008-07-18 00:30 . 2008-07-18 00:30 <DIR> d-------- C:\Program Files\SmartSound Software
2008-07-18 00:30 . 2008-07-19 01:33 <DIR> d-------- C:\Program Files\DivX
2008-07-18 00:30 . 2008-07-18 00:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-07-18 00:28 . 2008-07-18 00:44 <DIR> d-------- C:\Program Files\Neuro-Programmer 2 Professional
2008-07-18 00:27 . 2008-07-18 23:19 <DIR> d-------- C:\Program Files\Cyberlink
2008-07-18 00:26 . 2008-07-18 00:26 <DIR> d-------- C:\Program Files\QuickTime
2008-07-18 00:24 . 2008-07-18 00:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-18 00:23 . 2008-07-18 00:23 <DIR> d-------- C:\MyWorks
2008-07-17 23:28 . 2008-07-17 23:28 <DIR> d-------- C:\Program Files\Driving Test Success 2006-2007
2008-07-17 23:28 . 2008-07-18 23:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Driving Test Success
2008-07-17 23:24 . 2008-07-17 23:24 <DIR> d-------- C:\{3B07D847-8077-4242-91C7-DFA3CE5113E0}
2008-07-17 23:23 . 2008-07-17 23:24 <DIR> d-------- C:\MWASPI
2008-07-17 23:23 . 2008-07-17 23:23 133 --a------ C:\WINDOWS\msfsetup.ini
2008-07-17 23:20 . 2008-07-17 23:20 <DIR> d-------- C:\Program Files\PIXELA
2008-07-17 23:20 . 2008-07-17 23:20 <DIR> d-------- C:\Program Files\Caplio Software
2008-07-17 23:13 . 2008-07-17 23:15 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-07-17 22:58 . 2008-07-17 22:58 <DIR> d-------- C:\Program Files\XviD
2008-07-17 22:58 . 2008-07-19 11:58 <DIR> d-------- C:\Program Files\AoA DVD Ripper
2008-07-17 22:58 . 2006-08-23 22:08 1,839,104 --a------ C:\WINDOWS\system32\avcodec-51.dll
2008-07-17 22:57 . 2008-07-19 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
2008-07-17 22:56 . 2008-07-17 22:56 <DIR> d-------- C:\Program Files\LG Software Innovations
2008-07-17 22:53 . 2008-07-17 22:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-17 22:50 . 2008-07-17 22:50 <DIR> d-------- C:\Program Files\VSO
2008-07-17 22:50 . 2008-07-22 17:53 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Vso
2008-07-17 22:50 . 2008-07-17 22:50 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-17 22:50 . 2008-07-17 22:50 47,360 --a------ C:\Documents and Settings\Paul\Application Data\pcouffin.sys
2008-07-17 22:38 . 2008-07-23 04:47 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-17 22:31 . 2008-07-17 22:31 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-07-17 22:31 . 2005-08-25 21:00 140,288 --a------ C:\WINDOWS\system32\CNMLM7L.DLL
2008-07-17 22:31 . 2008-04-14 00:17 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-17 22:31 . 2008-04-14 00:17 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-17 22:31 . 2005-08-25 21:00 8,704 --a------ C:\WINDOWS\system32\CNMVS7L.DLL
2008-07-17 22:30 . 2008-04-14 00:15 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-17 22:30 . 2008-04-14 00:15 32,128 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-17 22:30 . 2008-04-14 00:15 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-17 22:30 . 2008-04-14 00:15 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-17 22:20 . 2008-07-17 22:20 <DIR> d-------- C:\Program Files\ScanSoft
2008-07-17 22:20 . 2008-07-17 22:20 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-07-17 22:20 . 2008-07-17 22:20 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\ScanSoft
2008-07-17 22:20 . 2008-07-17 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SSScanWizard
2008-07-17 22:20 . 2008-07-17 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 20:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-17 21:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-14 16:52 --------- d-----w C:\Program Files\VIA
2008-07-14 16:42 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-11 22:43 111,992 ----a-w C:\WINDOWS\system32\acaptuser32.dll
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 43,528 ----a-w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:07 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-06-11 00:07 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02319437-08C3-4EE5-8DD3-BFAB00582FD1}]
2008-07-23 01:39 323648 --a------ C:\WINDOWS\system32\iifcaBrq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-07-17 22:04 160592]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 13:00 15360]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" [2006-11-09 10:19 204800]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-28 20:09 700416]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2008-07-08 16:41 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe" [2007-06-29 10:51 811008]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-07-15 15:26 360448]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-07-18 00:26 282624]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 20:23 83240]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 11:36 50472]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-05-19 15:24 91432]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 08:34 167936]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2008-04-09 10:00 826880]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 02:25 37232]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 22:43 640376]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-23 02:33 1232152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\iifcaBrq

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-07-23 02:33]
R0 ViBus;ViBus;C:\WINDOWS\system32\DRIVERS\ViBus.sys [2007-03-26 08:26]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-03-29 04:36]
R0 ViPrt;VIA SATA IDE Device Driver;C:\WINDOWS\system32\DRIVERS\ViPrt.sys [2007-03-26 08:26]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-23 02:33]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-05-15 12:07]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-23 02:33]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-23 02:33]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-25 15:40]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 04:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-08ef696d - C:\WINDOWS\system32\erpyiciv.dll
SSODL-kvxqmtre-{3C5E1F15-D12B-449E-BEB3-A800FE6FC549} - (no file)
SSODL-evgratsm-{2280B776-3099-4352-B500-399D6E8B90C5} - (no file)
Notify-ddcBSMgG - ddcBSMgG.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.google.com
O8 -: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 -: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 -: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 -: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 11:31:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\qrBacfii.ini 347 bytes
C:\WINDOWS\system32\qrBacfii.ini2 347 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\iifcaBrq.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-23 11:34:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-23 10:34:31

Pre-Run: 469,266,309,120 bytes free
Post-Run: 469,409,398,784 bytes free

302 --- E O F --- 2008-07-20 01:21:19


------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:11, on 24/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216127127671
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: acaptuser32.dll,avgrsstx.dll,
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 11869 bytes
------------------------------------------------


Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 5.1.2600 Service Pack 3

20:50:01 23/07/2008
mbam-log-7-23-2008 (20-50-01).txt

Scan type: Quick Scan
Objects scanned: 41295
Time elapsed: 1 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\iifcaBrq.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8251d0ac-739b-4ef4-91cf-38f2b4ad4182} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8251d0ac-739b-4ef4-91cf-38f2b4ad4182} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qndsfmao.bvqe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qndsfmao.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifcabrq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifcabrq -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iifcaBrq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qrBacfii.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qrBacfii.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM0bdc5af1.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM0bdc5af1.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


I hope someone will be able to assist me here. I am at a loss...
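The Malwarebytes log above records the two persistence tricks worth understanding in a Vundo cleanup: the DLL registered itself under `HKLM\SYSTEM\CurrentControlSet\Control\LSA` as a Notification Package and an Authentication Package (so LSASS loads it as SYSTEM at boot), and its `.ini` data file carries the DLL's name reversed (`iifcaBrq.dll` / `qrBacfii.ini`). The script below is an added example, not code from the thread or from Malwarebytes: it parses the MBAM log format shown above (the embedded sample is a constructed excerpt of the posted log), flags LSA package values outside an assumed clean XP baseline (`scecli` for Notification Packages, `msv1_0` for Authentication Packages; that baseline is this example's assumption), pairs up mirror-named files, and lists items still marked "Delete on reboot", which is why a rescan before rebooting would have been misleading.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: an excerpt of the MBAM 1.22 log posted in this thread.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\iifcaBrq.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8251d0ac-739b-4ef4-91cf-38f2b4ad4182} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8251d0ac-739b-4ef4-91cf-38f2b4ad4182} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qndsfmao.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifcabrq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifcabrq -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\iifcaBrq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qrBacfii.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qrBacfii.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM0bdc5af1.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<threat>) -> [Data: <value> -> ]<action>"
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>.+)$"
)

# Assumed clean baseline for a default Windows XP install (this example's
# assumption, not something the log states): LSA should load only these.
LSA_BASELINE = {
    "Notification Packages": {"scecli"},
    "Authentication Packages": {"msv1_0"},
}


def parse_mbam_log(text):
    """Group detection lines by their 'X Infected:' section."""
    records = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" Infected:"):
            section = line[: -len(" Infected:")]
            continue
        m = LINE_RE.match(line)
        if section and m:
            records[section].append(m.groupdict())
    return records


def lsa_package_anomalies(records):
    """LSA package values outside the baseline: each is a DLL that LSASS will
    load at boot, i.e. code running as SYSTEM with access to credentials."""
    hits = []
    for rec in records.get("Registry Data Items", []):
        key = ntpath.basename(rec["item"])  # e.g. "Notification Packages"
        if key in LSA_BASELINE and rec["data"]:
            module = ntpath.basename(rec["data"]).lower()
            if module not in LSA_BASELINE[key]:
                hits.append((key, module))
    return hits


def reversed_name_pairs(records):
    """Files whose base names are mirror images of each other, as with the
    Vundo DLL iifcaBrq.dll and its qrBacfii.ini data file in the log above."""
    stems = {ntpath.splitext(ntpath.basename(r["item"]))[0].lower()
             for r in records.get("Files", [])}
    pairs = {tuple(sorted((s, s[::-1]))) for s in stems
             if s[::-1] in stems and s != s[::-1]}
    return sorted(pairs)


def pending_reboot(records):
    """Items MBAM could not remove while the module was loaded; the machine
    is not clean until it has been rebooted and rescanned."""
    return [r["item"] for r in records.get("Files", [])
            if r["action"].startswith("Delete on reboot")]


def bho_clsids(records):
    """CLSIDs of removed Browser Helper Objects; the same GUID should no
    longer appear as an O2 line in a fresh HijackThis log."""
    guid = re.compile(r"\{[0-9a-fA-F-]{36}\}")
    return [guid.search(r["item"]).group(0)
            for r in records.get("Registry Keys", [])
            if "Browser Helper Objects\\" in r["item"]]


if __name__ == "__main__":
    recs = parse_mbam_log(SAMPLE_LOG)
    print("LSA packages outside baseline:", lsa_package_anomalies(recs))
    print("Mirror-named file pairs:", reversed_name_pairs(recs))
    print("Still present until reboot:", pending_reboot(recs))
    print("Removed BHO CLSIDs:", bho_clsids(recs))
```

Run it against a saved `mbam-log-*.txt` in place of the embedded sample. The useful outputs for triage are the LSA hits (anything there survives a reboot and runs before the user logs on) and the pending-reboot list (a follow-up scan that reports "clean" before that reboot proves nothing).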

3 contributors, 3 replies, 4 views, discussion span 9 years. Last post by jholland1964.

I managed to get the problem resolved. It was quite painstaking, but I'll summarize the other things I did to fix the problem.

- Visited Jotti (http://virusscan.jotti.org/) to find out which AV programs picked up the virus

- Only about 4 AV Progs detected the virus

- I uninstalled BitDefender and downloaded Kaspersky Internet Security after doing the free online scan.

- I ran the program and managed to delete the viruses.

- I ran Registry Mechanic again to get rid of any remnants of the old AVs.

- I ran ScanDisk to make sure all system errors were resolved

Kaspersky deleted the viruses with little fuss, but also picked up some security vulnerabilities. Most of these related to the QuickTime program. I didn't install this! It's a new PC, so it may have been pre-installed.

I just uninstalled QuickTime, rather than doing an update.

If you have QuickTime and don't use it, just uninstall all traces of it from your PC. It seems to be the cause of this virus to some degree. Moreover, it's not an essential program...

The PC is as good as new again and I'm taking active steps to prevent anything like this happening again. It was, in a word, hellish.

I'm having a similar problem. The Microsoft Malicious Software on-line tool found Win32/Renos and seems to have removed the self-install program so I don't get the annoying pop-up balloon, but I can't access virus-related websites, nor can I run ComboFix, SpyBot or Registry Mechanic. They launch and I see them in the process window, but nothing appears on the screen. I also can't create a restore point. I've tried running with minimal services and no start-up items, with the same results.

Chuck

Hello. First of all, a word of caution to ALL reading this thread: ComboFix is not a general-purpose cleaning tool and should not be used as such. ComboFix should only be used when asked by someone experienced in the use of this tool. Using this tool without supervision can cause problems with your computer. That is why ComboFix is NOT listed in our Read me before posting a request for assistance sticky.
It also says that one of the tools the poster tried to use was

DSS (which won't run)

If you will note in the above linked sticky it clearly says;

Deckards System Scanner is currently unavailable. Please continue with the rest of PhilliePhan's recommendations.

It is also noted that Registry Mechanic and Rogue Remover were used. We rarely, IF EVER, recommend the use of a Registry cleaner. MBA-M DOES fix registry entries made by infections.
The detective work here was pretty good, using Jotti. Essentially, SmitfraudFix usually removes this. Not certain about MBA-M.
Sounds like the poster knew how to proceed, but I do want to caution ALL: please don't be using ComboFix unless directed to do so, as it can do damage to a computer with a problem which does not require its use.
I would recommend that the poster should REMOVE ComboFix from the machine, since it is such a specialized tool AND updates are issued for it on a fairly regular basis. This stand-alone program itself cannot be updated but requires an entirely new copy if a person is instructed to run it.

To uninstall ComboFix.exe And all Backups of files that it deleted

* Click START then RUN
* Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.
When shown the disclaimer, Select "2"


Now, all of this noted, cpwhite, you need to begin your OWN thread, stating all the problems you are having, the steps you have attempted to remove the problem, and also post any logs you may have. This thread is nearly 6 months old, and one should ALWAYS begin his own thread.
Create your own thread with all necessary info and we will be most happy to provide help and assistance.
Judy
