Computer Infected - Page 2

Thread: Computer Infected


  1. #1
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Follow all instructions from my reply #11.
    Let me know, if something is unclear.
    - rKill
    - exehelper
    - broni.com

  2. #2
    Join Date
    Mar 2009
    Location
    Milwaukee, WI
    Posts
    90
    I ran rKill, exehelper and then combofix. A popup appears when I try to run Combofix that says "Some files could not be created. Please close all applications, reboot Windows and restart this application." I tried that with no result.

  3. #3
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Did you rename combofix.exe to broni.com?

  4. #4
    Join Date
    Mar 2009
    Location
    Milwaukee, WI
    Posts
    90
    yes I did.

  5. #5
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Please, restart computer in Safe Mode.
    Run rKill and then broni.com right away.
    You don't have to run exehelper again.

  6. #6
    Join Date
    Mar 2009
    Location
    Milwaukee, WI
    Posts
    90
    To run in safe mode I keep hitting F8 while restarting, correct?

  7. #7
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Exactly

  8. #8
    Join Date
    Mar 2009
    Location
    Milwaukee, WI
    Posts
    90
    ComboFix 10-07-11.03 - Administrator 07/11/2010 19:41:55.2.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.713 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\Broni.com.exe
    AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\avatoqihojiseciy.dll
    c:\windows\edaqahiv.dll
    c:\windows\esofusizebaz.dll
    c:\windows\ogiciluv.dll
    c:\windows\udarovil.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))
    .

    2010-07-11 23:21 . 2010-07-11 23:48 -------- d-----w- C:\32788R22FWJFW.7.tmp
    2010-07-11 23:20 . 2010-07-11 23:21 -------- d-----w- C:\32788R22FWJFW.6.tmp
    2010-07-11 23:14 . 2010-07-11 23:20 -------- d-----w- C:\32788R22FWJFW.5.tmp
    2010-07-11 23:13 . 2010-07-11 23:14 -------- d-----w- C:\32788R22FWJFW.4.tmp
    2010-07-11 23:01 . 2010-07-11 23:01 -------- d-----w- C:\32788R22FWJFW.3.tmp
    2010-07-11 23:00 . 2010-07-11 23:01 -------- d-----w- C:\32788R22FWJFW.2.tmp
    2010-07-11 22:59 . 2010-07-11 23:00 -------- d-----w- C:\32788R22FWJFW.1.tmp
    2010-07-11 19:48 . 2010-07-11 22:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-06 23:23 . 2010-07-11 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\elgvyunei
    2010-06-28 16:45 . 2010-06-28 16:45 1039712 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2010-06-21 17:18 . 2010-06-21 17:18 74760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\UniversalDD.sys
    2010-06-21 17:18 . 2010-06-21 17:18 26120 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSShim.sys
    2010-06-21 17:18 . 2010-06-21 17:18 25096 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSxx.sys
    2010-06-21 17:18 . 2010-06-21 17:18 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-06-21 17:18 . 2010-06-21 17:18 30216 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSFilter.sys
    2010-06-21 17:18 . 2010-06-21 17:18 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
    2010-06-21 17:18 . 2010-06-21 17:18 122376 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSDriver.sys
    2010-06-21 17:17 . 2010-06-21 17:17 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-06-21 17:15 . 2010-06-21 17:15 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
    2010-06-21 17:15 . 2010-06-21 17:15 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-06-21 17:15 . 2010-06-21 17:15 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-12 00:19 . 2009-12-30 20:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData
    2010-07-12 00:00 . 2009-10-25 15:44 -------- d-----w- c:\program files\QuickTime
    2010-07-11 22:25 . 2004-05-27 10:15 28384 ----a-w- c:\windows\system32\drivers\sym_hi.sys
    2010-07-11 19:47 . 2009-11-30 04:05 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
    2010-06-21 17:17 . 2009-10-14 23:38 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-06-21 17:17 . 2009-11-13 18:21 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
    2010-06-21 17:16 . 2009-10-14 23:38 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-06-09 03:07 . 2010-03-09 05:05 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-05-31 14:19 . 2009-10-14 23:38 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-05-21 19:14 . 2009-10-23 13:14 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-02 05:22 . 2004-05-26 19:30 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-29 20:39 . 2009-10-14 23:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 20:39 . 2009-10-14 23:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-20 05:30 . 2004-05-26 19:29 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-19 15:25 . 2010-04-19 15:25 2117704 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\Update\igt5.tmp.dir\IEToolbar.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-04-19 15:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
    "CHotkey"="zHotkey.exe" [2004-05-18 543232]
    "ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-06-21 17:17 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [11/13/2009 1:21 PM 25168]
    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/13/2009 1:21 PM 52872]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/14/2009 6:38 PM 216400]
    S1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/14/2009 6:38 PM 243024]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
    S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/21/2010 12:17 PM 308136]
    S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [6/21/2010 12:17 PM 5897808]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [3/8/2010 4:40 PM 430152]
    S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [11/13/2009 1:20 PM 122448]
    S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [11/13/2009 1:20 PM 30288]
    S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [11/13/2009 1:20 PM 26192]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-12 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vlqlp9ei.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
    FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vlqlp9ei.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vlqlp9ei.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
    FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Pqowevusukasev - c:\windows\mgsfvcl.dll
    SafeBoot-klmdb.sys



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-11 19:47
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1425509361-2549639290-720616759-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fb,62,05,0d,cb,05,bf,45,9d,71,01,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,0a,95,79,5c,12,ad,4a,a4,ea,b8,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fb,62,05,0d,cb,05,bf,45,9d,71,01,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(228)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-07-11 19:50:50
    ComboFix-quarantined-files.txt 2010-07-12 00:50

    Pre-Run: 52,959,449,088 bytes free
    Post-Run: 53,055,729,664 bytes free

    - - End Of File - - 1DF7EBF2BDF74D72D53560793DDE3CB1

  9. #9
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Excellent!
    Please, make sure the Combofix file is not named Broni.com.exe, but just broni.com (no ".exe").

    When you're done, start the computer in normal mode and see if you can run the steps listed below (if there is still a problem, go back to safe mode)...


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    C:\32788R22FWJFW.1.tmp
    C:\32788R22FWJFW.2.tmp
    C:\32788R22FWJFW.3.tmp
    C:\32788R22FWJFW.4.tmp
    C:\32788R22FWJFW.5.tmp
    C:\32788R22FWJFW.6.tmp
    C:\32788R22FWJFW.7.tmp
    c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
    
    
    Folder::
    c:\documents and settings\Administrator\Local Settings\Application Data\elgvyunei
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
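
Triage of the log posted in #8 and the CFScript layout from #9, as an added example that is not from the thread and not ComboFix's own code. The indicator rules (a ProxyServer pointing at the local host, a DLL sitting directly in the Windows root, an all-lowercase Application Data folder name, an orphaned Run entry) are this example's own heuristics, and the sample lines are constructed from paths in the posted log.

```python
import re

# Constructed sample in the shape of the ComboFix log posted above (paths taken from it).
SAMPLE_LOG = r"""
c:\windows\avatoqihojiseciy.dll
2010-07-06 23:23 . 2010-07-11 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\elgvyunei
2010-06-21 17:17 . 2010-06-21 17:17 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-12 00:00 . 2009-10-25 15:44 -------- d-----w- c:\program files\QuickTime
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
HKCU-Run-Pqowevusukasev - c:\windows\mgsfvcl.dll
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"""

# "Files Created" / Find3M rows: created . modified, size (or -------- for a folder), attrs, path.
FILE_ROW = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-{8}) (?P<attr>[d-][a-z-]{7}) (?P<path>.+)$")
# Supplementary-scan proxy line and orphaned autorun entries, as they appear in the log.
PROXY_ROW = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
ORPHAN_RUN = re.compile(r"^HK(?:CU|LM)-Run-\S+ - (?P<path>.+)$")
# Heuristics (assumptions of this example): a DLL directly in the Windows root
# rather than a subfolder, and an all-lowercase, letters-only Application Data folder.
WINROOT_DLL = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.I)
RANDOM_APPDATA_DIR = re.compile(r"\\Application Data\\[a-z]{8,}$")


def is_loopback_proxy(value):
    """True when a ProxyServer value routes browser traffic through the local host."""
    return re.search(
        r"(?:^|[=;])(?:127(?:\.\d{1,3}){3}|localhost)(?::\d+)?(?:;|$)",
        value, re.I) is not None


def triage(log_text):
    """Walk the log once and collect what the rules above flag."""
    found = {"files": [], "folders": [], "proxy": [], "notes": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_ROW.match(line)
        if m:
            if is_loopback_proxy(m.group("value")):
                found["proxy"].append(line)
                found["notes"].append("browser proxied through local host: " + m.group("value"))
            continue
        m = ORPHAN_RUN.match(line)
        if m:
            found["files"].append(m.group("path"))
            found["notes"].append("autorun entry pointed at " + m.group("path"))
            continue
        m = FILE_ROW.match(line)
        if m:
            path, is_dir = m.group("path"), m.group("attr").startswith("d")
            if is_dir and RANDOM_APPDATA_DIR.search(path):
                found["folders"].append(path)
                found["notes"].append("random-looking per-user folder: " + path)
            elif not is_dir and WINROOT_DLL.match(path):
                found["files"].append(path)
                found["notes"].append("DLL in Windows root: " + path)
            continue
        if WINROOT_DLL.match(line):  # bare path rows, e.g. under "Other Deletions"
            found["files"].append(line)
            found["notes"].append("DLL in Windows root: " + line)
    return found


def build_cfscript(found):
    """Render the findings in the File:: / Folder:: / DDS:: layout from post #9."""
    parts = []
    for header, key in (("File::", "files"), ("Folder::", "folders"), ("DDS::", "proxy")):
        if found[key]:
            parts.append(header + "\n" + "\n".join(found[key]))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for note in result["notes"]:
        print("FLAG:", note)
    print(build_cfscript(result))
```

The legitimate rows in the sample (the AVG driver in system32, the QuickTime folder and Run entry) pass through unflagged, which is the check worth keeping when tuning the heuristics against a real log.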

  10. #10
    Join Date
    Mar 2009
    Location
    Milwaukee, WI
    Posts
    90
    How do I get the exe out? When I dragged the combofix to my desktop I renamed it broni.com only.

  11. #11
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Please, double check, because Combofix says:
    Running from: c:\documents and settings\Administrator\Desktop\Broni.com.exe
    It's not a big deal, as long as it runs.

  12. #12
    Join Date
    Mar 2009
    Location
    Milwaukee, WI
    Posts
    90
    Hmmm, I looked in that folder and it has it renamed broni.com with no exe added. I tried to rename it again but I am going to assume it will still show the exe in the log. Will it be ok if it shows as an exe file?

  13. #13
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Go ahead.

  14. #14
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    Double click Broni.com, it should run.

  15. #15
    Join Date
    Mar 2009
    Location
    Milwaukee, WI
    Posts
    90
    Broni, now my internet explorer works and when I restarted my computer that error message did not pop up. Here's the combofix log:

    ComboFix 10-07-11.03 - Administrator 07/11/2010 20:33:37.3.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.804 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\Broni.com.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "C:\32788R22FWJFW.1.tmp"
    "C:\32788R22FWJFW.2.tmp"
    "C:\32788R22FWJFW.3.tmp"
    "C:\32788R22FWJFW.4.tmp"
    "C:\32788R22FWJFW.5.tmp"
    "C:\32788R22FWJFW.6.tmp"
    "C:\32788R22FWJFW.7.tmp"
    "c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Local Settings\Application Data\elgvyunei
    c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))
    .

    2010-07-12 01:15 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-07-12 01:15 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-07-12 01:14 . 2010-07-12 01:14 -------- d-----w- c:\program files\iPod
    2010-07-12 01:14 . 2010-07-12 01:15 -------- d-----w- c:\program files\iTunes
    2010-07-12 01:06 . 2010-07-12 01:08 -------- dc-h--w- c:\windows\ie8
    2010-07-12 01:06 . 2010-07-12 01:06 -------- d-----w- c:\program files\Bonjour
    2010-07-12 01:05 . 2010-07-12 01:07 -------- d-----w- c:\program files\Common Files\Apple
    2010-07-11 23:21 . 2010-07-11 23:48 -------- d-----w- C:\32788R22FWJFW.7.tmp
    2010-07-11 23:20 . 2010-07-11 23:21 -------- d-----w- C:\32788R22FWJFW.6.tmp
    2010-07-11 23:14 . 2010-07-11 23:20 -------- d-----w- C:\32788R22FWJFW.5.tmp
    2010-07-11 23:13 . 2010-07-11 23:14 -------- d-----w- C:\32788R22FWJFW.4.tmp
    2010-07-11 23:01 . 2010-07-11 23:01 -------- d-----w- C:\32788R22FWJFW.3.tmp
    2010-07-11 23:00 . 2010-07-11 23:01 -------- d-----w- C:\32788R22FWJFW.2.tmp
    2010-07-11 22:59 . 2010-07-11 23:00 -------- d-----w- C:\32788R22FWJFW.1.tmp
    2010-07-11 19:48 . 2010-07-11 22:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-06-28 16:45 . 2010-06-28 16:45 1039712 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2010-06-21 17:18 . 2010-06-21 17:18 74760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\UniversalDD.sys
    2010-06-21 17:18 . 2010-06-21 17:18 26120 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSShim.sys
    2010-06-21 17:18 . 2010-06-21 17:18 25096 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSxx.sys
    2010-06-21 17:18 . 2010-06-21 17:18 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-06-21 17:18 . 2010-06-21 17:18 30216 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSFilter.sys
    2010-06-21 17:18 . 2010-06-21 17:18 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
    2010-06-21 17:18 . 2010-06-21 17:18 122376 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSDriver.sys
    2010-06-21 17:17 . 2010-06-21 17:17 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-06-21 17:15 . 2010-06-21 17:15 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
    2010-06-21 17:15 . 2010-06-21 17:15 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-06-21 17:15 . 2010-06-21 17:15 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
    2010-06-16 01:01 . 2010-06-16 01:01 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
