Big trouble

edited September 2008 in Spyware & Virus Removal
... I think.
Since the last time, I changed virus program to AVG and had no problems until tonight. I still have Spybot S&D installed, and tonight it went crazy, tons of changes all the time. I couldn't run AVG, so I unplugged the internet and rebooted, but I guess that it has been disabled by the virus because it doesn't even find a tracking cookie, and to the right of the clock it says "Virus Alert". If I check "My Computer", neither C: nor D: is showing, only the DVD drive and the Daemon Tools drives.

please help me again...

Edit: I might add that I can't reach Control Panel under Settings and am warned that D: is full (it shouldn't be),
and it all started when CMD popped up and started to copy a file; which file wasn't shown.

Comments

  • VekaVeka Finland
    edited September 2008
    Hey, arsonist

    Step 1:

    We need to disable your TeaTimer as it may interfere with the fixes that we need to make.
    • Run Spybot-S&D in Advanced Mode.
    • If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
    • On the left hand side, Click on Tools
    • Then click on the Resident Icon in the List
    • Uncheck "Resident TeaTimer" and OK any prompts.
    • Restart your computer.
    http://russelltexas.com/malware/teatimer.htm

    After all of the fixes are complete it is very important that you enable TeaTimer again.

    Step 2:

    Please run HijackThis again, and click Do a system scan only

    Check the boxes next to all the entries listed below:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: QXK Olive - {26027218-80B3-40FA-9FA1-70FD56AA5328} - C:\WINDOWS\rodqgpvldbv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
    O4 - HKCU\..\Run: [RegCom32] C:\DOCUME~1\hemma\LOKALA~1\Temp\latest_patch.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O21 - SSODL: rqbmvpso - {5EE38CFF-A22D-4B98-8C50-1465BA9BFAAF} - C:\WINDOWS\rqbmvpso.dll

    Please close all web browsers, and other open windows or programs. After that, click Fix Checked.

    Step 3:

    Please download Combofix from any of the links below, and save it to your desktop.

    Link 1
    Link 2
    Link 3

    Note: It is important that it is saved directly to your desktop

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


    Double click on ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    For information regarding Combofix, please visit this webpage:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
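The seven HijackThis lines above are the kind of thing a helper reads by eye: orphaned COM registrations, a Run entry pointing into a Temp folder, a DLL sitting directly in the Windows folder, an SSODL entry. As an added illustration (not part of this thread and not HijackThis's own code), the following Python script parses such lines into records and attaches the review flags a helper would note. The sample input is the list from the post; the flag heuristics are the author's assumptions, not rules HijackThis applies.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the HijackThis lines the helper marked for "Fix Checked" above.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: QXK Olive - {26027218-80B3-40FA-9FA1-70FD56AA5328} - C:\WINDOWS\rodqgpvldbv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKCU\..\Run: [RegCom32] C:\DOCUME~1\hemma\LOKALA~1\Temp\latest_patch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O21 - SSODL: rqbmvpso - {5EE38CFF-A22D-4B98-8C50-1465BA9BFAAF} - C:\WINDOWS\rqbmvpso.dll
"""

LINE_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter path up to the next whitespace; sufficient for the 8.3-style paths HijackThis prints.
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")


@dataclass
class HjtEntry:
    kind: str                  # HijackThis section, e.g. "O2" (BHO) or "O21" (SSODL)
    body: str                  # everything after "Oxx - "
    clsid: Optional[str]       # COM class id for O2/O3/O21 entries
    path: Optional[str]        # module or program path named in the entry
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[HjtEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(HjtEntry(m.group("kind"), body,
                                clsid.group(0) if clsid else None,
                                path.group(0) if path else None))
    return entries


def assess(entry: HjtEntry) -> HjtEntry:
    """Attach review flags. These heuristics are assumptions of this example, not HijackThis logic."""
    p = (entry.path or "").lower()
    if "(no file)" in entry.body:
        entry.flags.append("orphaned: registered module no longer on disk")
    if "\\temp\\" in p:
        entry.flags.append("autostart from a Temp folder")
    if p.startswith("c:\\windows\\") and p.count("\\") == 2 and p.endswith(".dll"):
        entry.flags.append("DLL dropped directly in the Windows folder")
    if entry.kind == "O21":
        entry.flags.append("ShellServiceObjectDelayLoad: loaded by explorer.exe at every logon")
    if entry.kind == "O6":
        entry.flags.append("IE Restrictions policy set (locks the user out of IE options)")
    if entry.kind == "O4" and entry.path:
        entry.flags.append("Run key autostart")
    return entry


def review(text: str) -> List[HjtEntry]:
    return [assess(e) for e in parse_hjt(text)]


if __name__ == "__main__":
    for e in review(HJT_SAMPLE):
        print(e.kind, e.path or "-", "|", "; ".join(e.flags) or "no flag")
```

The R0 line gets no flag: a blank start page is a symptom of the hijack, not an indicator on its own, which is why it is fixed together with the entries that caused it rather than judged in isolation.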
  • edited September 2008
    Now it seems to work as it should. I'm allowed to enter Control Panel, and in My Computer C: and D: are visible again.

    Edit: I might add that an Internet Explorer window and another window which wants me to scan my computer are still popping up; of course I press No, and after that AVG blocks the window for its content.
  • VekaVeka Finland
    edited September 2008
    Please do not attach logs, just post them. Thank you.

    You may want to print out these instructions or save them as a text file with Notepad to your desktop

    Step 1:

    TeaTimer is still active, please turn it off as instructed below
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    • Now open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Step 2:
    • Please go to VirusTotal
    • Copy and paste the following file path into the Search Box in the middle of the page:

      C:\WINDOWS\system32\tmpDD92D.FOT

    • Now, click on the Send File button
    • Save a copy of the Anti-Virus results only. Post the results in your next reply.
    Step 3:

    Please open Notepad and copy & paste the text in the codebox below into it.
    File::
    C:\WINDOWS\rqbmvpso.dll
    C:\WINDOWS\rvoelbxt.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "rqbmvpso"=-
    
    Save this as CFScript to your desktop.

    CFScriptB-4.gif

    Referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log, along with the results from VirusTotal.
  • VekaVeka Finland
    edited September 2008
    Please do not attach your logs, just post them. Thank you. :)

    You may want to print out these instructions or save them as a text file with Notepad to your desktop

    Step 1:

    TeaTimer is still active, please turn it off as instructed below
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    • Now open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Step 2:
    • Please go to VirusTotal
    • Copy and paste the following file path into the Search Box in the middle of the page:

      C:\WINDOWS\system32\tmpDD92D.FOT

    • Now, click on the Send File button
    • Save a copy of the Anti-Virus results only. Post the results in your next reply.
    Step 3:

    Please open Notepad and copy & paste the text in the codebox below into it.
    File::
    C:\WINDOWS\rqbmvpso.dll
    C:\WINDOWS\rvoelbxt.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "rqbmvpso"=-
    
    Save this as CFScript to your desktop.

    CFScriptB-4.gif

    Referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log, along with the results from VirusTotal.
  • edited September 2008
    Well, here it is; TeaTimer should be off. When I start my computer I can't use the mouse until I press Ctrl+Alt+Del and then just close that window; I can't use the Start menu or anything on that field, I can just press the Windows button and the Start menu pops up. Also, when I start, an error window pops up which says:

    SVR #001
    CLED Error
    When I run ComboFix: "Can't file or directory, maybe you don't have authority to reach it".
    32788R2FWJFW\hidec.exe comes up, but when I close it, it starts anyway.

    ComboFix 08-09-01.05 - hemma 2008-09-03 17:49:53.3 - NTFSx86
    Running from: C:\Documents and Settings\hemma\Skrivbord\ComboFix.exe
    Command switches used :: C:\Documents and Settings\hemma\Skrivbord\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
    .

    2008-09-01 21:46 . 2008-09-01 21:46 <KAT> d C:\Program\Trend Micro
    2008-09-01 16:57 . 2008-06-19 17:24 28,544 --a C:\WINDOWS\system32\drivers\pavboot.sys
    2008-09-01 16:56 . 2008-09-01 16:56 <KAT> d C:\Program\Panda Security
    2008-09-01 16:52 . 2008-09-01 16:54 <KAT> d C:\Program\SpywareBlaster
    2008-09-01 02:33 . 2008-09-01 02:33 <KAT> d C:\Program\Delade filer\Wise Installation Wizard
    2008-09-01 02:33 . 2008-09-01 02:37 <KAT> d C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-01 00:15 . 2008-09-01 00:15 <KAT> d C:\Documents and Settings\hemma\Application Data\TmpRecentIcons
    2008-08-31 21:46 . 2008-08-31 21:46 54,156 --ah C:\WINDOWS\QTFont.qfn
    2008-08-31 21:46 . 2008-08-31 21:46 1,409 --a C:\WINDOWS\QTFont.for
    2008-08-31 21:45 . 2008-08-31 21:45 <KAT> d C:\Program\Ashampoo
    2008-08-31 21:45 . 2008-08-31 21:45 <KAT> d C:\Documents and Settings\hemma\Application Data\Ashampoo
    2008-08-31 21:45 . 2008-08-31 21:45 <KAT> d C:\Documents and Settings\All Users\Application Data\ashampoo
    2008-08-31 21:39 . 2008-06-24 13:45 1,414,440 --a C:\WINDOWS\system32\ShellManager310E2D762.dll
    2008-08-31 21:39 . 2008-06-23 17:36 773,120 --a C:\WINDOWS\system32\NEROINSTAEC43759.DB
    2008-08-31 21:38 . 2008-08-31 21:38 0 --a C:\WINDOWS\Irremote.ini
    2008-08-31 21:21 . 2008-08-31 21:21 <KAT> d C:\Documents and Settings\hemma\Application Data\Nero
    2008-08-31 21:15 . 2008-08-31 21:41 <KAT> d C:\Program\Delade filer\Nero
    2008-08-31 21:15 . 2008-08-31 21:41 <KAT> d C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-31 18:51 . 2008-08-31 18:51 <KAT> d C:\WINDOWS\system32\FlashAX
    2008-08-31 18:51 . 2008-08-31 18:51 <KAT> d C:\Microgaming
    2008-08-30 18:42 . 2008-08-30 18:42 32,549 --a C:\WINDOWS\king-uninstall.exe
    2008-08-25 00:48 . 2008-08-25 00:48 <KAT> d C:\Program\ASIO4ALL v2
    2008-08-25 00:46 . 2008-08-25 00:46 <KAT> d C:\Program\Outsim
    2008-08-22 19:56 . 2000-05-01 23:02 97,280 --a C:\WINDOWS\system32\ccrpbds5.dll
    2008-08-22 19:55 . 2001-05-23 07:05 307,200 --a C:\WINDOWS\system32\drumpad.dll
    2008-08-22 19:55 . 2000-03-28 22:58 280,576 --a C:\WINDOWS\system32\pxd_kom.dll
    2008-08-22 19:55 . 2000-03-28 12:27 75,976 --a C:\WINDOWS\system32\BASSDEC.dll
    2008-08-22 19:55 . 2001-04-01 16:16 45,056 --a C:\WINDOWS\system32\fader.dll
    2008-08-22 15:47 . 2008-08-22 15:47 <KAT> d C:\WINDOWS\system32\sv
    2008-08-22 15:47 . 2008-08-22 15:47 <KAT> d C:\WINDOWS\system32\bits
    2008-08-22 15:47 . 2008-08-22 15:47 <KAT> d C:\WINDOWS\l2schemas
    2008-08-22 15:42 . 2008-08-22 15:47 <KAT> d C:\WINDOWS\ServicePackFiles
    2008-08-22 15:33 . 2008-08-22 15:33 <KAT> d C:\WINDOWS\EHome
    2008-08-22 15:20 . 2004-08-04 01:07 327,040 C:\WINDOWS\system32\drivers\ati2mtaa.sys
    2008-08-12 23:12 . 2008-04-11 21:06 691,712 c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2008-08-10 21:19 . 2008-08-10 21:19 <KAT> d C:\Program\Electronic Arts
    2008-08-10 20:40 . 2008-08-10 20:40 <KAT> d C:\Documents and Settings\hemma\Application Data\InstallShield
    2008-08-05 22:16 . 2008-08-10 20:43 <KAT> d C:\Documents and Settings\hemma\Application Data\My Games
    2008-08-05 21:59 . 2007-05-16 16:45 1,124,720 --a C:\WINDOWS\system32\D3DCompiler_34.dll
    2008-08-05 21:59 . 2007-05-16 16:45 443,752 --a C:\WINDOWS\system32\d3dx10_34.dll
    2008-08-05 21:59 . 2007-06-20 20:46 266,088 --a C:\WINDOWS\system32\xactengine2_8.dll
    2008-08-05 21:59 . 2007-06-20 20:45 18,280 --a C:\WINDOWS\system32\x3daudio1_2.dll
    2008-08-03 15:53 . 2008-08-03 15:54 <KAT> d C:\Chosen_Few_and_sAphira-Da_Funky_Beatz-(MOK118)-WEB-2008-1KING
    2008-08-03 15:47 . 2008-08-03 15:54 <KAT> d C:\Program\FlashFXP

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-01 01:21 d w C:\Program\Spybot - Search & Destroy
    2008-09-01 01:20 d w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-01 00:36 d w C:\Program\Lavasoft
    2008-09-01 00:36 d w C:\Documents and Settings\hemma\Application Data\Lavasoft
    2008-08-31 20:08 d w C:\Documents and Settings\hemma\Application Data\uTorrent
    2008-08-31 16:50 d w C:\Program\ladbrokesviper
    2008-08-30 17:55 d w C:\Program\HeyPoker
    2008-08-26 18:09 d w C:\Program\fulDC
    2008-08-24 22:47 d w C:\Program\Image-Line
    2008-08-22 19:46 d w C:\Program\MSN Messenger
    2008-08-22 13:56 96,384 ----a-w C:\WINDOWS\system32\drivers\sptd0685.sys
    2008-08-19 23:41 d w C:\Program\Soulseek
    2008-08-17 19:56 d--h--w C:\Program\InstallShield Installation Information
    2008-08-12 21:58 d w C:\Documents and Settings\hemma\Application Data\dvdcss
    2008-08-02 01:08 d w C:\Program\Graffiti Studio 2.0
    2008-08-01 20:50 d w C:\Documents and Settings\hemma\Application Data\Winamp
    2008-07-27 10:20 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-07-15 20:01 d w C:\Program\Sun
    2008-07-15 20:01 d w C:\Program\Java
    2008-07-08 19:04 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
    2008-07-07 20:29 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 16:09 d w C:\Documents and Settings\hemma\Application Data\Movie Label
    2008-07-06 22:13 d w C:\Program\Winamp
    2008-07-06 15:34 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-07-06 15:33 12,936 ----a-w C:\WINDOWS\system32\drivers\avgrkx86.sys
    2008-07-04 19:36 d w C:\Program\AVG
    2008-07-04 19:36 d w C:\Documents and Settings\hemma\Application Data\AVGTOOLBAR
    2008-07-04 19:36 d w C:\Documents and Settings\All Users\Application Data\avg8
    2008-07-04 19:33 d w C:\Program\PC Tools AntiVirus
    2008-07-04 15:46 d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-04 11:12 316,672 ----a-w C:\WINDOWS\KingComIE.dll
    2008-06-24 16:46 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:42 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:49 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
    2005-03-20 23:10 4,853,760 ----a-w C:\Program\mplayerc.exe
    2001-11-23 11:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATICCC"="C:\Program\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "DAEMON Tools"="C:\Program\DAEMON Tools\daemon.exe" [2005-11-09 128920]
    "Adobe Photo Downloader"="C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
    "H2O"="C:\Program\SyncroSoft\Pos\H2O\cledx.exe" [2005-05-11 200069]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-10-18 155648]
    "SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "TkBellExe"="C:\Program\Delade filer\Real\Update_OB\realsched.exe" [2008-04-22 185896]
    "AVG8_TRAY"="C:\Program\AVG\AVG8\avgtray.exe" [2008-07-27 1235736]
    "WinampAgent"="C:\Program\Winamp\winampa.exe" [2008-04-01 36352]
    "ATIPTA"="atiptaxx.exe" [2005-11-23 C:\WINDOWS\system32\atiptaxx.exe]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 C:\WINDOWS\soundman.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= C:\Program\ffdshow\ffdshow.ax

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program\\Last.fm\\LastFM.exe"=
    "C:\\Program\\fulDC\\DCPlusPlus.exe"=
    "C:\\Program\\uTorrent\\uTorrent.exe"=
    "C:\\Program\\Soulseek\\slsk.exe"=
    "C:\\Program\\Steam\\steamapps\\sargath666\\counter-strike source\\hl2.exe"=
    "C:\\Program\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
    "C:\\Program\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program\\Graffiti Studio 2.0\\Graffiti Studio.exe"=
    "C:\\Program\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program\\AVG\\AVG8\\avgnsx.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program\\MSN Messenger\\livecall.exe"=

    R3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2003-09-04 19:38]
    R3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 14:58]
    R3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 14:58]
    R3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 14:58]
    R3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 14:58]
    R3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 14:58]
    R3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 14:58]
    R3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 14:58]
    R3 UPnPService;UPnPService;C:\Program\Delade filer\MAGIX Shared\UPnPService\UPnPService.exe []
    S0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\System32\Drivers\avgrkx86.sys [2008-07-06 17:33]
    S0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
    S1 Asapi;Asapi;C:\WINDOWS\system32\DRIVERS\Asapi.syS [2002-04-17 20:27]
    S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-07-27 12:20]
    S2 ACEDRV09;ACEDRV09;C:\WINDOWS\system32\drivers\ACEDRV09.sys [2007-12-05 18:07]
    S2 avg8emc;AVG8 E-mail Scanner;C:\Program\AVG\AVG8\avgemc.exe [2008-08-15 18:37]
    S2 avg8wd;AVG8 WatchDog;C:\Program\AVG\AVG8\avgwdsvc.exe [2008-07-27 12:21]
    S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-07-06 17:34]
    S3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\Start.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\autorun.exe
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-03 17:52:18
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-09-03 17:53:30
    ComboFix-quarantined-files.txt 2008-09-03 15:53:18
    ComboFix2.txt 2008-09-03 15:43:18
    ComboFix3.txt 2008-09-02 20:21:17

    Pre-Run: 3,676,925,952 byte ledigt
    Post-Run: 3,665,534,976 byte ledigt

    190 --- E O F --- 2008-08-23 13:53:58
    File tmpDD92D.FOT received on 09.03.2008 17:33:32 (CET)
    Current status: finished
    Result: 0/36 (0.00%)
    Antivirus Version Last Update Result
    AhnLab-V3 2008.9.3.0 2008.09.03 -
    AntiVir 7.8.1.23 2008.09.03 -
    Authentium 5.1.0.4 2008.09.03 -
    Avast 4.8.1195.0 2008.09.03 -
    AVG 8.0.0.161 2008.09.03 -
    BitDefender 7.2 2008.09.03 -
    CAT-QuickHeal 9.50 2008.09.02 -
    ClamAV 0.93.1 2008.09.03 -
    DrWeb 4.44.0.09170 2008.09.03 -
    eSafe 7.0.17.0 2008.09.02 -
    eTrust-Vet 31.6.6066 2008.09.03 -
    Ewido 4.0 2008.09.03 -
    F-Prot 4.4.4.56 2008.09.03 -
    F-Secure 8.0.14332.0 2008.09.03 -
    Fortinet 3.14.0.0 2008.09.03 -
    GData 19 2008.09.03 -
    Ikarus T3.1.1.34.0 2008.09.03 -
    K7AntiVirus 7.10.439 2008.09.03 -
    Kaspersky 7.0.0.125 2008.09.03 -
    McAfee 5375 2008.09.02 -
    Microsoft 1.3903 2008.09.03 -
    NOD32v2 3412 2008.09.03 -
    Norman 5.80.02 2008.09.03 -
    Panda 9.0.0.4 2008.09.02 -
    PCTools 4.4.2.0 2008.09.03 -
    Prevx1 V2 2008.09.03 -
    Rising 20.60.21.00 2008.09.03 -
    Sophos 4.33.0 2008.09.03 -
    Sunbelt 3.1.1582.1 2008.09.02 -
    Symantec 10 2008.09.03 -
    TheHacker 6.3.0.8.070 2008.09.02 -
    TrendMicro 8.700.0.1004 2008.09.03 -
    VBA32 3.12.8.4 2008.09.03 -
    ViRobot 2008.9.2.1361 2008.09.03 -
    VirusBuster 4.5.11.0 2008.09.03 -
    Webwasher-Gateway 6.6.2 2008.09.03 -
    Additional information
    File size: 1409 bytes
    MD5...: 6e9048e65819e4486beea84ddae28cfe
    SHA1..: 6b35bef36276dfe572683e194526a7cf9113b5a3
    SHA256: 2977f5b9c3c22f45d6a9e1d36c696113c6b3812d13b1f0cc55819599002a3340
    SHA512: ca926096d0b2498596db3ba15e848de25d98c2d146ccb9fc28be763176650719 0ecea9e86d3de846f909aa87c299d971fedc9d7b26f8442faf91634cf2d7049c
    PEiD..: -
    TrID..: File type identification
    Win 3.x Installed TrueType Font (34.0%)
    Generic Win/DOS Executable (32.9%)
    DOS Executable Generic (32.8%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    PEInfo: -
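The "Reg Loading Points" section of the ComboFix log above is where a helper checks what still starts with Windows after the fix script ran: the SSODL value is gone, but the log also shows Security Center monitoring switched off, two Run entries that name their program without a path, and cached AutoRun commands for drives F: and G:. As an added example (not part of this thread and not ComboFix's own code), the following Python script parses that REGEDIT4-style section and produces findings a reviewer would want to look at. The sample is an excerpt of the posted log; the severity labels are the author's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample: an excerpt of the "Reg Loading Points" section of the ComboFix log
# posted above, trimmed to the lines the triage below looks at.
COMBOFIX_SAMPLE = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"AVG8_TRAY"="C:\Program\AVG\AVG8\avgtray.exe" [2008-07-27 1235736]
"ATIPTA"="atiptaxx.exe" [2005-11-23 C:\WINDOWS\system32\atiptaxx.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 C:\WINDOWS\soundman.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=data, optionally followed by ComboFix's own [date size] or [date resolved-path] bracket
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*?)(?:\s+\[(?P<meta>[^\]]*)\])?$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    severity: str   # "info", "review" or "high" (labels chosen for this example)
    key: str
    detail: str


def parse_regpoints(text: str) -> Iterator[Tuple[str, str, str, Optional[str]]]:
    """Yield (key, value_name, data, combofix_meta) for each value line under a [key] header.
    The cached AutoRun lines ComboFix prints under mountpoints2 are yielded with name 'AutoRun'."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            yield key, "AutoRun", m.group("cmd"), None
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group("name"), m.group("data").strip('"'), m.group("meta")


def triage(text: str) -> List[Finding]:
    findings = []
    for key, name, data, meta in parse_regpoints(text):
        k = key.lower()
        if k.endswith("\\run") and not ABS_PATH_RE.match(data):
            # A bare file name is resolved through the search path at logon. ComboFix prints the
            # file it resolved to, so the reviewer can confirm it is the expected one.
            resolved = meta.split(" ", 1)[1] if meta and " " in meta else "unknown"
            findings.append(Finding("review", key,
                                    f'{name} starts "{data}" by bare name, resolved to {resolved}'))
        if "security center\\monitoring" in k and name.lower() == "disablemonitoring" \
                and data.lower() == "dword:00000001":
            # Set by some AV suites for their own components, but also a common tamper; confirm which.
            findings.append(Finding("review", key, "Security Center monitoring switched off for this key"))
        if "\\mountpoints2\\" in k and name == "AutoRun":
            findings.append(Finding("high", key, f"cached AutoRun command for a drive: {data}"))
        if name.lower() == "appinit_dlls" and data:
            findings.append(Finding("info", key,
                                    f"AppInit_DLLs loads {data} into every process that uses user32.dll"))
    return findings


if __name__ == "__main__":
    for f in triage(COMBOFIX_SAMPLE):
        print(f"[{f.severity}] {f.key}: {f.detail}")
```

The mountpoints2 entries are rated highest here because they are exactly the mechanism by which a removable drive's autorun.inf was executed on Windows XP; whether F: and G: carried anything harmful is not something the log alone can tell, which is why the helper's next step is a full scan rather than another removal script.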
  • VekaVeka Finland
    edited September 2008
    You may want to print out these instructions or save them as a text file with Notepad to your desktop

    Step 1:


    OK, please remove ComboFix:

    Click Start and Run (Windows button + R)
    Type in box combofix /u and press Enter

    Step 2:

    And download OTMoveIt2 to your desktop.

    Double click on OTMoveIt2.exe to run it.

    Copy and paste the following in the codebox into OTMoveIt (1):

    Note: Do not type it out, to minimize the risk of a typo.
    C:\WINDOWS\rqbmvpso.dll
    C:\WINDOWS\rvoelbxt.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\rqbmvpso
    
    Click on MoveIt! (2)

    When done, click on Exit (3)

    Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Please choose Yes.

    Please refer to this picture for using OTMoveIt.

    otmi922.png


    The log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers. Please post this log in your next reply.

    Step 3:


    Download Malwarebytes' Anti-Malware (MBAM) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to both of these options:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan.
      If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.

      If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

    • On the Scanner tab list
      • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    Step 4:

    In your next post, please include
    • OTMoveIt2 log
    • MBAM's log
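The CFScript given earlier in the thread and the OTMoveIt list in this post target the same three artifacts in two different syntaxes: CFScript uses File:: and Registry:: sections, with the .reg convention that "name"=- means "delete this value", while OTMoveIt takes plain paths and writes a registry value as key\\name. As an added example (not part of this thread and not ComboFix's or OTMoveIt's code), the following Python script normalizes both lists into a set of (action, target) pairs and checks that they agree, so a reviewer can see that the second script is a retry of the first rather than a new set of targets. Only the directives that appear in this thread are handled; any other registry form is rejected rather than guessed at.

```python
from typing import Set, Tuple

# Constructed samples: the CFScript and the OTMoveIt list posted in this thread.
CFSCRIPT = r"""
File::
C:\WINDOWS\rqbmvpso.dll
C:\WINDOWS\rvoelbxt.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rqbmvpso"=-
"""

OTMOVEIT = r"""
C:\WINDOWS\rqbmvpso.dll
C:\WINDOWS\rvoelbxt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\rqbmvpso
"""

HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS", "HKLM", "HKCU")

Action = Tuple[str, str]   # ("delete_file" | "delete_value", lower-cased target)


def parse_cfscript(text: str) -> Set[Action]:
    """Handle the File:: and Registry:: directives used in this thread.
    Inside Registry::, '[KEY]' selects a key and '"name"=-' is .reg syntax for deleting that value."""
    actions: Set[Action] = set()
    section = None
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section, key = line[:-2].lower(), None
            continue
        if section == "file":
            actions.add(("delete_file", line.lower()))
        elif section == "registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
            elif key is not None and line.endswith("=-"):
                name = line[:-2].strip('"')
                actions.add(("delete_value", f"{key}\\{name}".lower()))
            else:
                raise ValueError("registry directive not handled by this example: " + line)
        else:
            raise ValueError("line outside a known section: " + line)
    return actions


def parse_otmoveit(text: str) -> Set[Action]:
    """Plain lines are file paths; a registry value is written as key\\\\name, as in the list above."""
    actions: Set[Action] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith(HIVES):
            key, sep, name = line.partition("\\\\")
            if not sep:
                raise ValueError("registry line without a \\\\name part is not handled here: " + line)
            actions.add(("delete_value", f"{key}\\{name}".lower()))
        else:
            actions.add(("delete_file", line.lower()))
    return actions


def same_cleanup(cfscript: str, otmoveit: str) -> bool:
    return parse_cfscript(cfscript) == parse_otmoveit(otmoveit)


if __name__ == "__main__":
    for action, target in sorted(parse_cfscript(CFSCRIPT)):
        print(action, target)
    print("lists agree:", same_cleanup(CFSCRIPT, OTMOVEIT))
```

Targets are compared case-insensitively because both the NTFS paths and registry key names involved are case-insensitive on Windows; a comparison that preserved case would report a spurious mismatch on nothing more than a helper retyping a path.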
  • edited September 2008
    This time I had to attach them as files; too much text otherwise.


    Edit: the MBAM log was too large to add, so I've zipped it.
  • VekaVeka Finland
    edited September 2008
    Wow, that was nice.

    Step 1:

    Please do another scan with Kaspersky

    Note: Internet Explorer should be used

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
    • Click on My Computer under Scan and then put the kettle on!
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Copy and paste the report into your next reply.
    Step 2:

    HijackThis Uninstall List
    • Start HijackThis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.
    • You can click on the Save list button and specify where you would like to save this file.
    • When you press the Save button, a Notepad window will open with the contents of that file.
      Simply copy and paste the contents of that notepad into your next reply.
    Step 3:

    Please post the results of Kaspersky, the uninstall list from HijackThis, and a fresh HijackThis log.
  • edited September 2008
    Kaspersky:
    KASPERSKY ONLINE SCANNER 7 REPORT
    Friday, September 5, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, September 05, 2008 11:08:08
    Records in database: 1193778
    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes
    Scan area - My Computer:
    C:\
    D:\
    E:\
    G:\
    H:\
    I:\
    J:\
    K:\
    Scan statistics:
    Files scanned: 149109
    Threat name: 1
    Infected objects: 1
    Suspicious objects: 0
    Duration of the scan: 03:03:11

    File name / Threat name / Threats count
    C:\Program\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
    The selected area was scanned.

    HijackThis uninstall:
    7-Zip 4.44 beta
    AC3Filter (remove only)
    Ad-Aware
    Adobe Flash Player ActiveX
    Adobe Flash Player Plugin
    Adobe Photoshop 7.0
    Adobe Reader 7.0.5 Language Support
    Adobe Reader 7.1.0
    Adobe Shockwave Player
    Adobe® Photoshop® Album Starter Edition 3.0
    ASAPI Update
    Ashampoo Burning Studio 8.03
    ASIO4ALL
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Control Panel
    ATI Display Driver
    Audacity 1.2.3
    Audio Conversion Wizard 1.4
    Audiorealism BassLine VSTi v1.06
    AVG 8.0
    BassStation
    Battlefield Vietnam(TM)
    bet365casino
    bet365poker
    Bytescout SWF To Video Scout
    CCleaner (remove only)
    C-Media WDM Audio Driver
    Collab
    CuteFTP 5.0 XP beta
    dBpowerAMP Music Converter
    DC++ 0.674
    Direct Show Ogg Vorbis Filter (remove only)
    DivX Content Uploader
    DivX Web Player
    dMC Power Pack
    DreamStation DXi
    DRIVENHETER FÖR NVIDIA Windows 2000/XP nForce
    DVDx
    EA.com Update
    Expekt Poker
    Expekt Poker
    ffdshow (remove only)
    FL Studio 8
    FL Studio v7.0
    FlashFXP v3.02 (Build 1044) Scene Edition (Repack)
    fulDC
    Google Earth
    Graffiti Studio 2.0
    HeyPoker (remove only)
    Hijackthis 1.99.1
    HijackThis 2.0.2
    IL Download Manager
    iZotope Ozone 3
    iZotope Spectron
    iZotope Trash
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    king.com (remove only)
    Ladbrokes Casino
    Ladbrokes Poker
    Last.fm 1.5.1.30182
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 1.1 Swedish Language Pack
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007 (Beta)
    Microsoft Office Excel MUI (English) 2007 (Beta)
    Microsoft Office Outlook MUI (English) 2007 (Beta)
    Microsoft Office Professional Edition 2003
    Microsoft Office Proof (English) 2007 (Beta)
    Microsoft Office Proof (French) 2007 (Beta)
    Microsoft Office Proof (Spanish) 2007 (Beta)
    Microsoft Office Shared MUI (English) 2007 (Beta)
    Microsoft Visual C++ 2005 Redistributable
    mIRC
    Mozilla Firefox (3.0.1)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MultiRes (remove only)
    Native Instruments Absynth 4
    Native Instruments Guitar Rig 3
    Native Instruments GuitarRig 2.01 RTAS VSTi DXi
    Native Instruments Massive v1.0.1.008 VSTi DXi RTAS
    Nero - Burning Rom
    neroxml
    NVIDIA Drivers
    NVIDIA Gart Driver
    OpenOffice.org Installer 1.0
    PAF CS Source Map Pack 1
    Panda ActiveScan 2.0
    PCI Audio Applications
    Personal 4.5.2
    Pirates of the Caribbean
    PoiZone
    QuickTime Alternative 1.90
    Radeon Omega Drivers v2.6.87 Setup Files and Tools
    RealPlayer
    Realtek AC'97 Audio
    Renoise 1.8.0
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Snabbkorrigering för Windows Internet Explorer 7 (KB947864)
    Snabbkorrigering för Windows XP (KB952287)
    SoulSeek Client 156c
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.4
    SpywareBlaster 4.1
    Steinberg WaveLab 5.01b
    Svenska Spels Poker
    Synapse Junglist VSTi v3.2
    Syncaine TM-200X VSTi v1.4
    SyncroSoft Emu (Remove only)
    Syncrosoft's License Control
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB928090)
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB931768)
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB933566)
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB937143)
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB938127)
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB939653)
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB942615)
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB944533)
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB950759)
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB953838)
    Säkerhetsuppdatering för Windows Media Player 10 (KB911565)
    Säkerhetsuppdatering för Windows Media Player 10 (KB917734)
    Säkerhetsuppdatering för Windows Media Player 10 (KB936782)
    Säkerhetsuppdatering för Windows XP (KB941569)
    Säkerhetsuppdatering för Windows XP (KB946648)
    Säkerhetsuppdatering för Windows XP (KB950760)
    Säkerhetsuppdatering för Windows XP (KB950762)
    Säkerhetsuppdatering för Windows XP (KB950974)
    Säkerhetsuppdatering för Windows XP (KB951066)
    Säkerhetsuppdatering för Windows XP (KB951376)
    Säkerhetsuppdatering för Windows XP (KB951376-v2)
    Säkerhetsuppdatering för Windows XP (KB951698)
    Säkerhetsuppdatering för Windows XP (KB951748)
    Säkerhetsuppdatering för Windows XP (KB952954)
    Säkerhetsuppdatering för Windows XP (KB953839)
    Techno eJay 3 - Deinstallation
    TerraTec Komplexer VSTi v1.0.2.0
    Text-To-Speech-Runtime
    Toxic Biohazard
    TPTEST 5.0
    Uppdatering för Windows XP (KB951072-v2)
    Uppdatering för Windows XP (KB951978)
    Waves Diamond Bundle v5.0
    VideoLAN VLC media player 0.8.4
    Winamp
    Windows Genuine Advantage v1.3.0254.0
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Connect
    Windows Media Connect
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player Firefox Plugin
    Windows XP Service Pack 3
    WinRAR
    Virsyn TERA v1.3
    Voxengo Voxformer VST v1.0
    V-Station
    Xilisoft 3GP Video Converter
    XviD MPEG-4 Video Codec
  • VekaVeka Finland
    edited September 2008
    That's clean! :cool:

    Note about poker games:

    You appear to be a fan of games. But I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. If you did not install these programs yourself, or you do not use them any more, I would definitely recommend that you uninstall them from your computer, even if it is simply a precautionary measure. The amount of different poker software which arises on the internet means it is impossible to keep track of which ones are infected and which ones are not. If you do use the software, and wish to continue doing so, please ignore this. If you do decide to go ahead and remove the poker software, you should be able to uninstall them via Add/Remove Programs, which can be found in the Control Panel. Let me know if you have any problems whilst doing so.

    Here are links to some poker sites regarded as safe for your reference.

    Please remove all old versions of Java from your Computer by using Add or Remove Programs.
    The old versions are a security risk.

    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5


    Download CCleaner from here to clean temp files from your computer.

    *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
    • Double click on the file to start the installation of the program.
    • Select your language and click OK, then next.
    • Read the license agreement and click I Agree.
    • Click next to use the default install location. Click Install then finish to complete installation.
    • Double click the CCleaner shortcut on the desktop to start the program.
    • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
    • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
    • Click on the "Options" icon at the left side of the window, then click on "Advanced" and deselect "Only delete files in Windows Temp folders older than 48 hours."
    • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
    • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
    • After CCleaner has completed its process, click Exit.
    ================

    How is your Computer running now?
  • edited September 2008
    I can't remove Java update 2 and 3. An error occurred during the installation... it says

    My computer works well except for the start menu and the toolbar where all windows are showing; I must use Alt+Tab to change windows. Also the system tray is locked.
  • VekaVeka Finland
    edited September 2008
    Hello. Might be a shot in the dark, but try uninstalling Spybot - Search & Destroy.

    Let's do a supplementary scan with Trend Micro HouseCall.
    • Read the and put a check next to Yes I accept the terms of use.
    • Click the Launch HouseCall button.
    • Under "Browser plug-in" Installing and using Housecall kernel, click the Starting HouseCall button.
    • You may receive a prompt to install the ActiveX, click install.
    • If you are taken back to the main page, click the Launch HouseCall button again.
    • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next button.
    • Please wait while HouseCall scans your system.
    • Once the scan is complete, it will take you to the summary page.
    • Under Cleanup options, choose clean all detected infections automatically.
    • Click on the Clean now button.
    • If anything was found you may be prompted to run the scan again, you can just close the browser window.
    Please let me know about the results of HouseCall. :)
  • edited September 2008
    HouseCall did not find any potential threats on your computer....

    Guess that I have to reinstall Windows or something..
  • VekaVeka Finland
    edited September 2008
    Did you try uninstalling Spybot? Hm... I'm inclined to think it's not a malware problem but something else. Maybe you should ask for help from our Operating Systems forum.
  • edited September 2008
    yes spybot is uninstalled.
    ok. I will!
    Thanks for the help with the malware/virus stuff!
  • VekaVeka Finland
    edited September 2008
    You're welcome. :)

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

    Clean up System Restore

    You can find instructions on how to disable and enable System Restore from these guides:

    Disable And Enable System Restore
    Windows XP System Restore Guide

    Make Your Internet Explorer More Secure

    This can be done by following these simple instructions:
    • From within Internet Explorer click on the tools menu and then click on Options
    • Click once on the "Security" tab
    • Click once on the "Internet" icon so it becomes highlighted
    • Click once on the Custom Level button.
      • Change the "Download signed ActiveX" controls to Prompt
      • Change the "Download unsigned ActiveX" controls to Disable
      • Change the "Initialize and script ActiveX controls" not marked as safe to Disable
      • Change the "Launching programs and files in an IFRAME" to Prompt
      • Change the "Navigate sub-frames across different domains" to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

    Note that Internet Explorer is not the most secure browser. There are safer (and better) alternatives available like Opera and Firefox.

    Keep Your System Up to date

    It is imperative that you keep your Windows, Antivirus, and other software up to date. Otherwise you are not protected against new threats and your system is vulnerable and unsafe. Update your Antivirus software at least once a week, and visit the Microsoft Windows Update site regularly.

    Install SpywareBlaster

    SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware

    Additional Utilities and Tips to Enhance Your Safety
    • MVPS Hosts file --- The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Comodo BOCLEAN --- Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
    • Winpatrol --- Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software

    Get more knowledge about how to protect your computer and prevent malware issues by reading these short articles:

    Happy surfing and stay clean! :D
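The hosts-file mechanism described under "MVPS Hosts file" above can be checked directly: the script below (an added example, not part of the thread or of the MVPS project) parses hosts-file text, lists the names sinkholed to the local machine (127.0.0.1 or 0.0.0.0), and separately flags any name mapped to some other address, which an ad-blocking hosts file has no reason to contain. The sample hosts content and all domain names in it are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Addresses that a blocking hosts file uses to sinkhole a name (never reaches the network).
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text.

    Comments introduced by '#' and blank lines are skipped, one address may be
    followed by several names, and lines whose first field is not an IP address
    are ignored rather than treated as entries."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address field, not a usable entry
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def classify_hosts(text: str) -> Dict[str, List[str]]:
    """Split entries into 'blocked' (sinkholed, as the MVPS file does for ad hosts)
    and 'redirected' (sent to a real address, which deserves a closer look)."""
    result: Dict[str, List[str]] = {"blocked": [], "redirected": []}
    for addr, name in parse_hosts(text):
        if name == "localhost" and addr in SINKHOLE_ADDRS:
            continue  # the one loopback entry every hosts file is expected to have
        if addr in SINKHOLE_ADDRS:
            result["blocked"].append(name)
        else:
            result["redirected"].append(f"{name} -> {addr}")
    return result


# Constructed sample hosts content; these names and addresses are not real entries.
SAMPLE_HOSTS = """\
# constructed sample, not an actual MVPS hosts file
127.0.0.1 localhost
127.0.0.1 ads.example.net          # constructed ad host, sinkholed
0.0.0.0   tracker.example.org banner.example.org
192.0.2.10 update.example-av.com   # constructed: points somewhere other than loopback
"""

if __name__ == "__main__":
    for kind, entries in classify_hosts(SAMPLE_HOSTS).items():
        print(kind, entries)
```

Run it against a copy of a real hosts file by passing the file's contents to classify_hosts; anything under "redirected" is worth comparing against the entries you put there yourself.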