I cannot access AVG, Trend Micro or other virus protection sites

[ferdinand_dti]

I want to intall anti-virus program but I cannot access the sites where i can download the required program. I pasting the the "report" generated by Malwarebytes below. I hope Im doing the right thing. I experienced this problem after uninstalling Trend Micro pccillin as i plan to replace it with AVG. Thanks in advance.

 Malwarebytes' Anti-Malware 1.43
Database version: 3460
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/11/2010 9:01:36 AM
mbam-log-2010-02-11 (09-01-36).txt

Scan type: Quick Scan
Objects scanned: 113463
Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winwlw32 (Trojan.Dialer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\winjvl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\winwlw32.dll (Trojan.Dialer) -> Quarantined and deleted successfully.

[Derek]

Delete any existing version of ComboFix you have sitting on your desktop

Please read and follow all these instructions very carefully

Download ComboFix from Here to your Desktop.

**Note:  It is important that it is saved directly to your desktop  and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

• Very Important! Temporarily disable your anti-virus and  anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
• Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  
• Remember to re enable the protection again after combofix has finished
  

--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running

Double click on combofix.exe & follow the prompts.

If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this
When finished, it will produce a report for you. 
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. 

[ferdinand_dti]

Sir,

Thank you very much for your prompt reply. As per your instructions, I'm pasting below "C:\ComboFix.txt" for further review.


ComboFix 10-02-11.04 - bong 02/12/2010   6:58.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.446.166 [GMT 8:00]
Running from: d:\documents and settings\bong\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\docume~1\bong\LOCALS~1\Temp\E_N4
d:\docume~1\bong\LOCALS~1\Temp\E_N4\cnvpe.fne
d:\docume~1\bong\LOCALS~1\Temp\E_N4\dp1.fne
d:\docume~1\bong\LOCALS~1\Temp\E_N4\eAPI.fne
d:\docume~1\bong\LOCALS~1\Temp\E_N4\HtmlView.fne
d:\docume~1\bong\LOCALS~1\Temp\E_N4\internet.fne
d:\docume~1\bong\LOCALS~1\Temp\E_N4\krnln.fnr
d:\docume~1\bong\LOCALS~1\Temp\E_N4\shell.fne
d:\docume~1\bong\LOCALS~1\Temp\E_N4\spec.fne
d:\windows\system32\147625

.
(((((((((((((((((((((((((   Files Created from 2010-01-11 to 2010-02-11  )))))))))))))))))))))))))))))))
.

2010-02-11 00:53 . 2009-12-30 06:55   38224   ----a-w-   d:\windows\system32\drivers\mbamswissarmy.sys
2010-02-11 00:53 . 2009-12-30 06:54   19160   ----a-w-   d:\windows\system32\drivers\mbam.sys
2010-02-11 00:50 . 2010-02-11 00:50   --------   d-----w-   d:\documents and settings\bong\Application Data\AVG8
2010-02-11 00:40 . 2010-02-11 00:40   --------   d-----w-   d:\windows\system32\wbem\Repository
2010-02-11 00:39 . 2010-02-11 00:39   --------   d-----w-   d:\program files\Trend Micro
2010-02-11 00:39 . 2010-02-11 00:39   --------   d-----w-   d:\documents and settings\All Users\Application Data\Trend Micro
2010-02-11 00:30 . 2010-02-11 00:39   --------   d-----w-   d:\program files\Trend Micro(2)
2010-02-11 00:30 . 2010-02-11 00:39   --------   d-----w-   d:\documents and settings\All Users\Application Data\Trend Micro(2)
2010-02-10 23:52 . 2010-02-10 23:52   --------   d-----w-   d:\documents and settings\bong\Application Data\Malwarebytes
2010-02-10 23:52 . 2010-02-11 00:53   --------   d-----w-   d:\program files\Malwarebytes' Anti-Malware
2010-02-10 23:52 . 2010-02-10 23:52   --------   d-----w-   d:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-10 00:00 . 2010-02-11 03:34   --------   d-----w-   d:\documents and settings\bong\Application Data\Uniblue
2010-02-10 00:00 . 2010-02-10 00:01   --------   d-----w-   d:\program files\Uniblue
2010-02-03 01:33 . 2006-02-02 09:39   595208   ----a-w-   d:\documents and settings\All Users\Application Data\Trend Micro\OE\tmaseng.dll
2010-02-03 00:05 . 2010-02-03 00:39   --------   d-----w-   d:\documents and settings\bong\Application Data\Apple Computer
2010-02-03 00:04 . 2009-05-18 06:17   26600   ----a-w-   d:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-03 00:04 . 2008-04-17 05:12   107368   ----a-w-   d:\windows\system32\GEARAspi.dll
2010-02-03 00:03 . 2010-02-03 00:03   --------   d-----w-   d:\program files\iPod
2010-02-03 00:03 . 2010-02-03 00:04   --------   d-----w-   d:\program files\iTunes
2010-02-03 00:03 . 2010-02-03 00:04   --------   d-----w-   d:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-03 00:02 . 2010-02-03 00:02   --------   d-----w-   d:\program files\Bonjour
2010-02-03 00:01 . 2010-02-03 00:02   --------   d-----w-   d:\program files\QuickTime
2010-02-03 00:01 . 2010-02-03 00:03   --------   d-----w-   d:\documents and settings\All Users\Application Data\Apple Computer
2010-02-03 00:00 . 2010-02-03 00:00   --------   d-----w-   d:\documents and settings\bong\Local Settings\Application Data\Apple
2010-02-03 00:00 . 2010-02-03 00:00   --------   d-----w-   d:\program files\Apple Software Update
2010-02-03 00:00 . 2010-02-03 00:04   --------   dc----w-   d:\windows\system32\DRVSTORE
2010-02-02 23:58 . 2010-02-03 00:03   --------   d-----w-   d:\program files\Common Files\Apple
2010-02-02 23:58 . 2010-02-02 23:58   --------   d-----w-   d:\documents and settings\All Users\Application Data\Apple
2010-02-02 23:57 . 2010-02-03 00:14   --------   d-----w-   d:\documents and settings\bong\Local Settings\Application Data\Apple Computer
2010-02-02 00:35 . 2010-02-10 03:48   --------   d-----w-   d:\program files\Winstep
2010-02-01 06:33 . 2010-02-01 06:33   201728   ----a-w-   d:\windows\system32\V Power.scr
2010-02-01 06:32 . 2010-02-11 07:16   --------   d-----w-   d:\windows\system32\V Power dir
2010-02-01 06:16 . 2010-02-01 06:16   --------   d-----w-   d:\documents and settings\All Users\Application Data\Trymedia
2010-02-01 06:15 . 2010-02-01 06:19   --------   d-----w-   d:\program files\OceanDive
2010-02-01 06:05 . 2010-02-01 06:05   40960   ----a-w-   d:\windows\BMW 6 Series Coupé.dll
2010-02-01 06:05 . 2010-02-01 06:05   3623851   ----a-w-   d:\windows\BMW 6 Series Coupé.exe
2010-02-01 06:05 . 2010-02-01 06:05   18192   ----a-w-   d:\windows\BMW 6 Series Coupé.dat
2010-02-01 06:04 . 2010-02-01 06:05   302244   ----a-w-   d:\windows\BMW 6 Series Coupé.scr
2010-02-01 01:04 . 2010-02-01 01:31   --------   d-----w-   d:\documents and settings\bong\Local Settings\Application Data\Axialis
2010-01-29 03:50 . 2010-01-29 03:50   236160   ----a-w-   d:\windows\EasyGifAnimator_Toolbar_Uninstaller_7328.exe
2010-01-29 03:49 . 2010-01-29 03:50   --------   d-----w-   d:\program files\Easy Gif Animator Extension
2010-01-29 03:48 . 2010-01-29 03:48   --------   d-----w-   d:\program files\Easy GIF Animator
2010-01-29 01:38 . 2008-04-13 08:15   26112   -c--a-w-   d:\windows\system32\dllcache\usbser.sys
2010-01-29 01:38 . 2008-04-13 08:15   26112   ----a-w-   d:\windows\system32\drivers\usbser.sys
2010-01-27 06:35 . 2008-04-13 08:15   32128   -c--a-w-   d:\windows\system32\dllcache\usbccgp.sys
2010-01-27 06:35 . 2008-04-13 08:15   32128   ----a-w-   d:\windows\system32\drivers\usbccgp.sys
2010-01-27 06:34 . 2009-01-06 09:14   103936   ----a-w-   d:\windows\system32\drivers\ZTEusbser6k.sys
2010-01-27 06:34 . 2009-01-06 09:14   103936   ----a-w-   d:\windows\system32\drivers\ZTEusbnmeaext.sys
2010-01-27 06:34 . 2009-01-06 09:14   103936   ----a-w-   d:\windows\system32\drivers\ZTEusbnmea.sys
2010-01-27 06:34 . 2009-01-06 09:14   103936   ----a-w-   d:\windows\system32\drivers\ZTEusbmdm6k.sys
2010-01-27 06:34 . 2010-01-27 06:43   --------   d-----w-   d:\program files\SMART BRO
2010-01-27 06:33 . 2010-01-27 22:55   --------   d-----w-   d:\windows\system32\SupportAppXL
2010-01-25 07:06 . 2010-01-25 07:06   --------   d-----w-   d:\program files\IZArc
2010-01-25 05:13 . 2002-11-13 03:14   1703936   ----a-w-   d:\windows\system32\NCTAudioFile.dll
2010-01-25 05:13 . 2002-09-06 03:36   233472   ----a-w-   d:\windows\system32\lame_enc.dll
2010-01-25 05:13 . 2010-01-25 05:16   --------   d-----w-   d:\program files\MP3 Converter Simple
2010-01-22 11:51 . 2010-01-22 11:51   72488   ----a-w-   d:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-22 06:38 . 2010-01-22 06:38   --------   d-----w-   d:\program files\JustDo
2010-01-22 05:42 . 2010-01-22 05:42   --------   d-----w-   d:\documents and settings\bong\Local Settings\Application Data\DDSoft
2010-01-15 03:14 . 2010-01-15 03:21   --------   d-----w-   d:\program files\JPEG to PDF

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-11 22:43 . 2006-02-10 06:40   67112   ----a-w-   d:\documents and settings\bong\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-29 02:47 . 2006-02-10 05:10   --------   d-----w-   d:\documents and settings\bong\Application Data\Yahoo!
2010-01-29 02:46 . 2006-02-08 05:20   --------   d-----w-   d:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-01-27 06:34 . 2006-02-01 07:43   --------   d--h--w-   d:\program files\InstallShield Installation Information
2010-01-26 22:58 . 2006-02-01 07:42   --------   d-----w-   d:\program files\Common Files\InstallShield
2009-07-29 17:47 . 2009-07-29 17:47   171096   --sha-r-   d:\windows\system32\wzavhm.dll
2006-02-22 13:46 . 2006-02-22 13:46   1405294   --sh--r-   d:\windows\system32\B5BAC2\18363E.EXE
.

(((((((((((((((((((((((((((((   SnapShot@2010-02-11_02.36.59   )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-01-31 23:22 . 2010-02-11 22:43   247104              d:\windows\system32\FNTCACHE.DAT
+ 2010-02-11 03:31 . 2007-05-14 21:38   1058816              d:\windows\system32\spool\drivers\w32x86\3\PCL5ERES.DLL
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="d:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
"NextSTART"="d:\program files\Winstep\nextstart.exe" [2007-02-06 4921396]
"Workshelf"="d:\program files\Winstep\workshelf.exe" [2007-02-06 8976436]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"VTTimer"="VTTimer.exe" [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" [2006-03-23 176128]
"UfSeAgnt.exe"="d:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2006-02-02 970808]
"Share-to-Web Namespace Daemon"="d:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 35696]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"18363E"="d:\windows\system32\B5BAC2\18363E.EXE" [2006-02-22 1405294]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]

d:\documents and settings\PPD\Start Menu\Programs\Startup\
18363E.lnk - d:\windows\system32\B5BAC2\18363E.EXE [2006-2-22 1405294]

d:\documents and settings\bong\Start Menu\Programs\Startup\
18363E.lnk - d:\windows\system32\B5BAC2\18363E.EXE [2006-2-22 1405294]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6516:TCP"= 6516:TCP:pijrfmdw

R0 xfilt;VIA SATA IDE Hot-plug Driver;d:\windows\system32\drivers\xfilt.sys [2/1/2006 7:22 AM 17920]
R1 BIOS;BIOS;d:\windows\system32\drivers\BIOS.sys [2/1/2006 3:41 PM 13696]
R2 tmevtmgr;tmevtmgr;d:\windows\system32\drivers\tmevtmgr.sys [2/2/2006 5:43 PM 49680]
R2 tmpreflt;tmpreflt;d:\windows\system32\drivers\tmpreflt.sys [2/2/2006 5:39 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;d:\windows\system32\drivers\TM_CFW.sys [2/2/2006 5:39 PM 334352]
S2 Autorun CDROM Monitor;Autorun CDROM Monitor;d:\windows\system32\SupportAppXL\cdrom_mon.exe [1/27/2010 2:33 PM 81920]
S2 qhicbqpyg;Helper Monitor;d:\windows\system32\svchost.exe -k netsvcs [4/14/2008 7:00 PM 14336]
S2 TmPfw;Trend Micro Personal Firewall;d:\program files\Trend Micro\Internet Security\TmPfw.exe [2/2/2006 5:43 PM 492888]
S2 TmProxy;Trend Micro Proxy Service;d:\program files\Trend Micro\Internet Security\TmProxy.exe [2/2/2006 5:43 PM 677128]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
qhicbqpyg
.
Contents of the 'Scheduled Tasks' folder

2010-02-11 d:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2010-02-11 08:41]

2010-02-11 d:\windows\Tasks\Uniblue SpeedUpMyPC.job
- d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2010-02-11 08:41]

2010-02-11 d:\windows\Tasks\User_Feed_Synchronization-{CF6E8CD5-7975-46D1-9464-BAC517AE866B}.job
- d:\windows\system32\msfeedssync.exe [2009-07-29 17:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ph.yahoo.com/
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: axeonphone.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 07:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\qhicbqpyg]
"ServiceDll"="d:\windows\system32\wzavhm.dll"
.
Completion time: 2010-02-12  07:05:27
ComboFix-quarantined-files.txt  2010-02-11 23:05
ComboFix2.txt  2010-02-11 02:38

Pre-Run: 34,342,264,832 bytes free
Post-Run: 34,311,299,072 bytes free

- - End Of File - - BDB26F53DFBF189D8A0FD323FD987B5A

[Derek]

Download the attached CFScript.txt  and save it to your  desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop  in the list of selections in that window & press save)
Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished
Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

 



 

This will start ComboFix again.  It may ask to reboot.  Post the contents of Combofix.txt in your next reply


Note: these instructions and script were created specifically for this user.  If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum

This will create a zip file inside C:\QooBox\quarantine named something like  [38]-Submit_2008-01-17@17.50.zip 

at the end it will pop up an alert  & open your browser and  ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to  http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to  upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file  inside C:\QooBox\quarantine created by combofix named something like  [38]-Submit_2008-01-17@17.50.zip 

or to
http://www.bleepingcomputer.com/submit-malware.php?channel=38

[ferdinand_dti]

Sir,

My pc shuts down while or after performing the steps you mentioned. Im not so sure coz i went out for a while while combofix was still running.

Regarding the instruction "Files to submit: the zip file  inside C:\QooBox\quarantine created by combofix named something like  [38]-Submit_2008-01-17@17.50.zip", I tried hard looking for this file but it is nowhere to be found in the C drive. But i got something from drive D. Is this the one we are looking for? Ive already uploaded it as per instruction.

Below is the combofix.txt i got after the PC restarted.


ComboFix 10-02-11.04 - bong 02/12/2010   9:02.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.446.245 [GMT 8:00]
Running from: d:\documents and settings\bong\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\bong\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"d:\documents and settings\bong\Start Menu\Programs\Startup\18363E.lnk"
"d:\documents and settings\PPD\Start Menu\Programs\Startup\18363E.lnk"

file zipped: d:\windows\system32\B5BAC2\18363E.EXE
file zipped: d:\windows\system32\wzavhm.dll
file zipped: d:\windows\system32\drivers\BIOS.sys
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\bong\Start Menu\Programs\Startup\18363E.lnk
d:\documents and settings\PPD\Start Menu\Programs\Startup\18363E.lnk
d:\windows\system32\B5BAC2
d:\windows\system32\B5BAC2\18363E.EXE
d:\windows\system32\wzavhm.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QHICBQPYG
-------\Service_qhicbqpyg


(((((((((((((((((((((((((   Files Created from 2010-01-12 to 2010-02-12  )))))))))))))))))))))))))))))))
.

2010-02-11 00:53 . 2009-12-30 06:55   38224   ----a-w-   d:\windows\system32\drivers\mbamswissarmy.sys
2010-02-11 00:53 . 2009-12-30 06:54   19160   ----a-w-   d:\windows\system32\drivers\mbam.sys
2010-02-11 00:50 . 2010-02-11 00:50   --------   d-----w-   d:\documents and settings\bong\Application Data\AVG8
2010-02-11 00:40 . 2010-02-11 00:40   --------   d-----w-   d:\windows\system32\wbem\Repository
2010-02-11 00:39 . 2010-02-11 00:39   --------   d-----w-   d:\program files\Trend Micro
2010-02-11 00:39 . 2010-02-11 00:39   --------   d-----w-   d:\documents and settings\All Users\Application Data\Trend Micro
2010-02-11 00:30 . 2010-02-11 00:39   --------   d-----w-   d:\program files\Trend Micro(2)
2010-02-11 00:30 . 2010-02-11 00:39   --------   d-----w-   d:\documents and settings\All Users\Application Data\Trend Micro(2)
2010-02-10 23:52 . 2010-02-10 23:52   --------   d-----w-   d:\documents and settings\bong\Application Data\Malwarebytes
2010-02-10 23:52 . 2010-02-11 00:53   --------   d-----w-   d:\program files\Malwarebytes' Anti-Malware
2010-02-10 23:52 . 2010-02-10 23:52   --------   d-----w-   d:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-10 00:00 . 2010-02-11 03:34   --------   d-----w-   d:\documents and settings\bong\Application Data\Uniblue
2010-02-10 00:00 . 2010-02-10 00:01   --------   d-----w-   d:\program files\Uniblue
2010-02-03 01:33 . 2006-02-02 09:39   595208   ----a-w-   d:\documents and settings\All Users\Application Data\Trend Micro\OE\tmaseng.dll
2010-02-03 00:05 . 2010-02-03 00:39   --------   d-----w-   d:\documents and settings\bong\Application Data\Apple Computer
2010-02-03 00:04 . 2009-05-18 06:17   26600   ----a-w-   d:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-03 00:04 . 2008-04-17 05:12   107368   ----a-w-   d:\windows\system32\GEARAspi.dll
2010-02-03 00:03 . 2010-02-03 00:03   --------   d-----w-   d:\program files\iPod
2010-02-03 00:03 . 2010-02-03 00:04   --------   d-----w-   d:\program files\iTunes
2010-02-03 00:03 . 2010-02-03 00:04   --------   d-----w-   d:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-03 00:02 . 2010-02-03 00:02   --------   d-----w-   d:\program files\Bonjour
2010-02-03 00:01 . 2010-02-03 00:02   --------   d-----w-   d:\program files\QuickTime
2010-02-03 00:01 . 2010-02-03 00:03   --------   d-----w-   d:\documents and settings\All Users\Application Data\Apple Computer
2010-02-03 00:00 . 2010-02-03 00:00   --------   d-----w-   d:\documents and settings\bong\Local Settings\Application Data\Apple
2010-02-03 00:00 . 2010-02-03 00:00   --------   d-----w-   d:\program files\Apple Software Update
2010-02-03 00:00 . 2010-02-03 00:04   --------   dc----w-   d:\windows\system32\DRVSTORE
2010-02-02 23:58 . 2010-02-03 00:03   --------   d-----w-   d:\program files\Common Files\Apple
2010-02-02 23:58 . 2010-02-02 23:58   --------   d-----w-   d:\documents and settings\All Users\Application Data\Apple
2010-02-02 23:57 . 2010-02-03 00:14   --------   d-----w-   d:\documents and settings\bong\Local Settings\Application Data\Apple Computer
2010-02-02 00:35 . 2010-02-10 03:48   --------   d-----w-   d:\program files\Winstep
2010-02-01 06:33 . 2010-02-01 06:33   201728   ----a-w-   d:\windows\system32\V Power.scr
2010-02-01 06:32 . 2010-02-11 07:16   --------   d-----w-   d:\windows\system32\V Power dir
2010-02-01 06:16 . 2010-02-01 06:16   --------   d-----w-   d:\documents and settings\All Users\Application Data\Trymedia
2010-02-01 06:15 . 2010-02-01 06:19   --------   d-----w-   d:\program files\OceanDive
2010-02-01 06:05 . 2010-02-01 06:05   40960   ----a-w-   d:\windows\BMW 6 Series Coupé.dll
2010-02-01 06:05 . 2010-02-01 06:05   3623851   ----a-w-   d:\windows\BMW 6 Series Coupé.exe
2010-02-01 06:05 . 2010-02-01 06:05   18192   ----a-w-   d:\windows\BMW 6 Series Coupé.dat
2010-02-01 06:04 . 2010-02-01 06:05   302244   ----a-w-   d:\windows\BMW 6 Series Coupé.scr
2010-02-01 01:04 . 2010-02-01 01:31   --------   d-----w-   d:\documents and settings\bong\Local Settings\Application Data\Axialis
2010-01-29 03:50 . 2010-01-29 03:50   236160   ----a-w-   d:\windows\EasyGifAnimator_Toolbar_Uninstaller_7328.exe
2010-01-29 03:49 . 2010-01-29 03:50   --------   d-----w-   d:\program files\Easy Gif Animator Extension
2010-01-29 03:48 . 2010-01-29 03:48   --------   d-----w-   d:\program files\Easy GIF Animator
2010-01-29 01:38 . 2008-04-13 08:15   26112   -c--a-w-   d:\windows\system32\dllcache\usbser.sys
2010-01-29 01:38 . 2008-04-13 08:15   26112   ----a-w-   d:\windows\system32\drivers\usbser.sys
2010-01-27 06:35 . 2008-04-13 08:15   32128   -c--a-w-   d:\windows\system32\dllcache\usbccgp.sys
2010-01-27 06:35 . 2008-04-13 08:15   32128   ----a-w-   d:\windows\system32\drivers\usbccgp.sys
2010-01-27 06:34 . 2009-01-06 09:14   103936   ----a-w-   d:\windows\system32\drivers\ZTEusbser6k.sys
2010-01-27 06:34 . 2009-01-06 09:14   103936   ----a-w-   d:\windows\system32\drivers\ZTEusbnmeaext.sys
2010-01-27 06:34 . 2009-01-06 09:14   103936   ----a-w-   d:\windows\system32\drivers\ZTEusbnmea.sys
2010-01-27 06:34 . 2009-01-06 09:14   103936   ----a-w-   d:\windows\system32\drivers\ZTEusbmdm6k.sys
2010-01-27 06:34 . 2010-01-27 06:43   --------   d-----w-   d:\program files\SMART BRO
2010-01-27 06:33 . 2010-01-27 22:55   --------   d-----w-   d:\windows\system32\SupportAppXL
2010-01-25 07:06 . 2010-01-25 07:06   --------   d-----w-   d:\program files\IZArc
2010-01-25 05:13 . 2002-11-13 03:14   1703936   ----a-w-   d:\windows\system32\NCTAudioFile.dll
2010-01-25 05:13 . 2002-09-06 03:36   233472   ----a-w-   d:\windows\system32\lame_enc.dll
2010-01-25 05:13 . 2010-01-25 05:16   --------   d-----w-   d:\program files\MP3 Converter Simple
2010-01-22 11:51 . 2010-01-22 11:51   72488   ----a-w-   d:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-22 06:38 . 2010-01-22 06:38   --------   d-----w-   d:\program files\JustDo
2010-01-22 05:42 . 2010-01-22 05:42   --------   d-----w-   d:\documents and settings\bong\Local Settings\Application Data\DDSoft
2010-01-15 03:14 . 2010-01-15 03:21   --------   d-----w-   d:\program files\JPEG to PDF

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-11 22:43 . 2006-02-10 06:40   67112   ----a-w-   d:\documents and settings\bong\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-29 02:47 . 2006-02-10 05:10   --------   d-----w-   d:\documents and settings\bong\Application Data\Yahoo!
2010-01-29 02:46 . 2006-02-08 05:20   --------   d-----w-   d:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-01-27 06:34 . 2006-02-01 07:43   --------   d--h--w-   d:\program files\InstallShield Installation Information
2010-01-26 22:58 . 2006-02-01 07:42   --------   d-----w-   d:\program files\Common Files\InstallShield
.

(((((((((((((((((((((((((((((   SnapShot@2010-02-11_02.36.59   )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-01-31 23:22 . 2010-02-11 22:43   247104              d:\windows\system32\FNTCACHE.DAT
+ 2010-02-11 03:31 . 2007-05-14 21:38   1058816              d:\windows\system32\spool\drivers\w32x86\3\PCL5ERES.DLL
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="d:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
"NextSTART"="d:\program files\Winstep\nextstart.exe" [2007-02-06 4921396]
"Workshelf"="d:\program files\Winstep\workshelf.exe" [2007-02-06 8976436]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"VTTimer"="VTTimer.exe" [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" [2006-03-23 176128]
"UfSeAgnt.exe"="d:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2006-02-02 970808]
"Share-to-Web Namespace Daemon"="d:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 35696]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=

R0 xfilt;VIA SATA IDE Hot-plug Driver;d:\windows\system32\drivers\xfilt.sys [2/1/2006 7:22 AM 17920]
R1 BIOS;BIOS;d:\windows\system32\drivers\BIOS.sys [2/1/2006 3:41 PM 13696]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;d:\windows\system32\SupportAppXL\cdrom_mon.exe [1/27/2010 2:33 PM 81920]
R2 tmevtmgr;tmevtmgr;d:\windows\system32\drivers\tmevtmgr.sys [2/2/2006 5:43 PM 49680]
R2 tmpreflt;tmpreflt;d:\windows\system32\drivers\tmpreflt.sys [2/2/2006 5:39 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;d:\windows\system32\drivers\TM_CFW.sys [2/2/2006 5:39 PM 334352]
S2 TmPfw;Trend Micro Personal Firewall;d:\program files\Trend Micro\Internet Security\TmPfw.exe [2/2/2006 5:43 PM 492888]
S2 TmProxy;Trend Micro Proxy Service;d:\program files\Trend Micro\Internet Security\TmProxy.exe [2/2/2006 5:43 PM 677128]
.
Contents of the 'Scheduled Tasks' folder

2010-02-11 d:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2010-02-11 08:41]

2010-02-11 d:\windows\Tasks\Uniblue SpeedUpMyPC.job
- d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2010-02-11 08:41]

2010-02-12 d:\windows\Tasks\User_Feed_Synchronization-{CF6E8CD5-7975-46D1-9464-BAC517AE866B}.job
- d:\windows\system32\msfeedssync.exe [2009-07-29 17:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ph.yahoo.com/
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: axeonphone.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 09:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2936)
d:\windows\system32\WININET.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\wpdshserviceobj.dll
d:\windows\system32\portabledevicetypes.dll
d:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Trend Micro\BM\TMBMSRV.exe
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
d:\program files\Trend Micro\Internet Security\SfCtlCom.exe
d:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
d:\windows\system32\wscntfy.exe
d:\windows\SOUNDMAN.EXE
d:\windows\system32\VTTimer.exe
d:\windows\system32\VTtrayp.exe
d:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
d:\program files\iPod\bin\iPodService.exe
d:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-02-12  09:12:01 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-12 01:11
ComboFix2.txt  2010-02-11 23:05
ComboFix3.txt  2010-02-11 02:38

Pre-Run: 34,316,726,272 bytes free
Post-Run: 34,218,311,680 bytes free

- - End Of File - - F0E9D738EBFD9CED75EC1D428CF65193

[Derek]

the files uploaded are showing conficker worm, which every antivirus in existance should recognize & deal with, but didn't on your computer


IS trend micros up to date or is it an expired version #

* Run Kaspersky online virus scan  Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
select the (b)"Spyware, Adware, Dialers and other potentially dangerous programs" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: Kavscan is a scanner only & won't fix anything but will normally find the most infected files so it's report gives us a good place to work from

If that won't run then
Run an online antivirus check from one of the following sites
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.bitdefender.com/scan8/ie.html

[Would you do all this for nothing?]

You have come to The Spykiller for help because your Antivirus or Antispyware hasn't been able to fix your problem.

Modern Malware has become so involved and difficult to fix that it takes a very long time and a lot of hard work to read all the logs posted here and research and prepare the fixes for you. In many cases each part of the fix takes about 30 minutes to prepare, so a large part of my time is spent helping you

Would you do all this for nothing?

The reason I run this site is to raise funds for Hedgehog Rescue

Please donate if I have helped you or you have found this site useful.

You can donate safely and securely by using the paypal service, just click on one of the buttons below.

To donate in UK £

To donate in US$

To donate in Euro €

Any amount no matter how small is gratefully accepted and needed to ensure we keep the Rescue Centre running

To donate via paypal when the button doesn't appear or the link doesn't work: just go to www.paypal.com or your country's paypal log in page and chose send money and use help@thehedgehog.co.uk as recipient email address and select other service as the option. then follow prompts

<>

[Information]

  
  Information
   Security & Protection Blog
   Prevention
   Using Autoruns
     System Restore
  Rss feeds
     Microsoft at Home
     MSRC
     Malware blog

Take the Kaspersky Challenge: See what your current antivirus is missing. Our free online virus scanner is a great way to find out if you have any viruses or spyware on your machine without having to uninstall your current antivirus software or install a new one.

Kaspersky Online Scanner

Most importantly, you can see what viruses your current antivirus software let slip through! Now works with ANY Java enabled browser