-
Security virus 2010
Our work computer got infected with several trojans. Antivir Solution Pro is the bad one. I can only use the internet with Safe Mode with Networking. I ran GMER but could not see the save part. I finally was able to email the log files to my PC using Safe Mode. I hope this will help us start because I am limited on what I can do with this PC. Here is the MBAM log and the other ones mentioned here.
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 17:57:10.54 on Sun 08/08/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.379 [GMT -5:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: moigh Object: {097e8e69-2fe7-406b-a0e3-5387b3529632} - c:\windows\system32\mbvkp.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: adShotHlpr Object: {92856b74-6b6c-498b-8959-35068d2c0264} - c:\windows\system32\qbvkp.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [sta] rundll32 "qbvkp.dll",,Run
mRun: [MChk] c:\windows\system32\dbvkp.exe
mRun: [jnegcejl] c:\documents and settings\networkservice\local settings\application data\axdirjaah\rdcbqmetssd.exe
dRun: [Sbomocare] rundll32.exe "c:\windows\kbarean.dll",Startup
dRun: [jnegcejl] c:\documents and settings\networkservice\local settings\application data\axdirjaah\rdcbqmetssd.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236608517086
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1240233853262&h=52c4be629b1d82d41a89de296fc242dd/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath -
FF - HiddenExtension: XULRunner: {B7EED5E6-18B2-461A-AB3A-1D62E907DDA5} - c:\documents and settings\pro shop\local settings\application data\{B7EED5E6-18B2-461A-AB3A-1D62E907DDA5}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2002-8-14 5632]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2010-8-8 20480]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-13 133104]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-12-19 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2007-12-19 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2007-12-19 39552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [2007-12-9 222336]
=============== Created Last 30 ================
2010-08-08 22:55:21 2848 ----a-w- c:\windows\ocatazetif.dll
2010-08-08 21:57:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-08-08 19:16:09 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-08-08 18:19:42 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-08-08 17:46:23 120 ----a-w- c:\windows\Vkavilekoconisi.dat
2010-08-08 17:46:23 0 ----a-w- c:\windows\Omola.bin
2010-08-08 17:45:17 5 ----a-w- C:\zrpt.xml
2010-08-08 17:45:05 75776 --sha-r- c:\windows\system32\browsewm9.dll
2010-08-08 17:44:36 782848 ----a-w- c:\windows\system32\drivers\otmbckt.sys
2010-08-08 17:44:17 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-07-22 17:37:23 0 d--h--w- c:\windows\system32\GroupPolicy
2010-07-16 04:18:18 246784 ----a-w- c:\windows\system32\mbvkp.dll
2010-07-16 04:18:04 294912 ----a-w- c:\windows\system32\qbvkp.dll
2010-07-14 14:06:14 35262 ----a-w- c:\windows\PRO SHOP000.acl
2010-07-14 14:05:01 0 d-----w- c:\windows\ShellNew
2010-07-14 08:01:07 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-14 00:43:22 40581 ----a-w- c:\windows\system32\dbvkp.exe
==================== Find3M ====================
2010-08-08 19:28:35 2404 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-14 13:32:36 286720 ------w- c:\windows\Setup1.exe
2010-07-14 13:32:34 73216 ----a-w- c:\windows\ST6UNST.EXE
============= FINISH: 17:58:55.74 ===============
-
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/9/2007 3:41:51 PM
System Uptime: 8/8/2010 5:56:06 PM (0 hours ago)
Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6378(VT8361)
Processor: AMD Duron(tm) processor | Slot A | 1300/100mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 12 GiB total, 4.715 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 2.501 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
No restore point in system.
==== Installed Programs ======================
32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Reader 8.2.3
Adobe Shockwave Player 11
Advanced SystemCare 3
BufferChm
CCleaner
ClearType Tuning Control Panel Applet
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
D5300
D5300_doccd
D5300_Help
Defraggler (remove only)
DeviceDiscovery
DeviceManagementQFolder
eSupportQFolder
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 9.0
HP Imaging Device Functions 9.0
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Photosmart Printer Software 9.0
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPProductAssistant
HPSSupply
Image Resizer Powertoy for Windows XP
Java(TM) 6 Update 13
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes' Anti-Malware
MarketResearch
Maxtor Manager
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Excel 97
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Resource Kit
Microsoft Publisher 97
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 97
Mozilla Firefox (3.0.4)
MSXML 6.0 Parser (KB933579)
Nero
Norton Ghost
Office 97 File and Registry Eraser Utility
Office 97 File and Registry Eraser Utility (C:\Program Files\Eraser97\)
Office 97 File and Registry Eraser Utility (C:\Program Files\Eraser97\) #3
PanoStandAlone
PS_SF_02_ProductContext
PS_SF_02_Software
PS_SF_02_Software_min
PSSWCORE
Seagate*DiscWizard
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Slideshow Generator Powertoy for Windows XP
Smart Defrag 1.03
SolutionCenter
SpywareBlaster 4.2
Status
Street-Ads Browser Enhancer
SUPERAntiSpyware Free Edition
Toolbox
TrayApp
Tweak UI
UnloadSupport
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VideoToolkit01
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
==== Event Viewer Messages From Past Week ========
8/8/2010 5:04:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/8/2010 4:38:56 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 0010DC6CA2A4 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
8/8/2010 2:05:56 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 0010DC6CA2A4 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
8/8/2010 12:44:39 PM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: A device attached to the system is not functioning.
8/8/2010 1:37:50 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
8/8/2010 1:15:24 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Fips SASDIFSV SASKUTIL
8/8/2010 1:14:34 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/4/2010 3:17:47 AM, error: Print [19] - Sharing printer failed + 1722, Printer HP Photosmart D5300 series share name Printer.
==== End Of File ===========================
-
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4363
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13
8/8/2010 1:36:26 PM
mbam-log-2010-08-08 (13-36-26).txt
Scan type: Quick scan
Objects scanned: 130655
Time elapsed: 8 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 5
Files Infected: 23
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c7a9fd36-4dcd-4ffe-b8ce-87919aeebc19} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7a9fd36-4dcd-4ffe-b8ce-87919aeebc19} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7d4f57fc-fb66-4702-98c7-5d80e32311ca} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7d4f57fc-fb66-4702-98c7-5d80e32311ca} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srenum (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vntyrqwp (Malware.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mchk (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sta (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ewrgetuj (Worm.Prolaco.M) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsdefrag (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\PRO SHOP\Application Data\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Application Data\Sky-Banners\skb (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Application Data\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Application Data\Street-Ads\sta (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\PRO SHOP\Local Settings\Application Data\pujvhithd\ewcelrstssd.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dbvkp.exe (Trojan.Adware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qbvkp.dll (Adware.EZlife) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mbvkp.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\srenum.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Local Settings\Temp\1AB.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Local Settings\Temp\1AC.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Local Settings\Temp\iphsexmn.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Local Settings\Temp\mexxi.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Local Settings\Temp\ogjpeed.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Local Settings\Temp\xmeraswcon.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Local Settings\Temporary Internet Files\Content.IE5\LKL5XM95\aaidkfmhfa[1].html (Malware.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Local Settings\Temporary Internet Files\Content.IE5\PMFUW3PL\cgxvqksq[1].html (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Local Settings\Temporary Internet Files\Content.IE5\PMFUW3PL\jjelg[2].html (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Local Settings\Temporary Internet Files\Content.IE5\TNUMWDKM\aaidkfmhfa[2].html (Malware.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Local Settings\Temporary Internet Files\Content.IE5\TNUMWDKM\cgxvqksq[1].html (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Local Settings\Temporary Internet Files\Content.IE5\TNUMWDKM\jjelg[3].html (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallMTF1011$\zrpt.xml (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msrun.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\PRO SHOP\Local Settings\Temp\emxnwcrsoa.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
-
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
Thanks Broni, I will have to wait until tomorrow now. The eyes are tired. I will post back results if this computer does not crash. It runs pretty bad. I was able to run Malwarebytes again from Safe Mode and it found 50 more trojans. I am not sure this computer can be saved. It is pretty badly infected, or at least it was. I am sure more things are still lurking. It has been giving us strange errors for a while now. Printing problems, Word and Excel problems. I will let you know and thanks again. Tom
-
No problem :)
No worries, we'll fix it.
You can run Combofix from Safe Mode.
-
Broni, this computer is our office computer at work. We do not have another so I needed it today and did not have the time it would take to run all the necessary programs. I downloaded Combofix and the computer locked up on me two times. I worked with it for almost three hours and decided to just reformat the thing. I backed up everything I could (had most everything on an external backup drive) and wiped it clean. I appreciate you taking the time to help on this but I had to have the computer going today. All is back running now. I just hope I can control what gets downloaded from now on. It has Windows XP Pro and I will secure it more when I connect it back to the internet. There has to be a way to stop these trojans. This one and all the other trojans really trashed this system. Any suggestions to stop this from happening again? I cannot think of all the people in the world that get trojans like this on perfectly good working computers. It is a shame that it cannot be stopped. Thanks again for your time on this. I will probably be back here again. Tom
-
Not a problem :)
Good luck :)