Full Version: Computer frozen by VunD1 trojan - please help
Katrine
Hi
I recently purchased Malwarebytes and all was going well.
On Tuesday a small Malwarebytes box appeared on my laptop; the message was as follows:
"Malwarebytes Anti-Malware has detected a malicious process attempting to start and has blocked all execution attempts from this process"
Then I had three options to choose from - Disable Protection, Ignore and Quarantine.
Trojan.VunD1 was named, and this location was given - C/windows/system32/wtsapi32.dll

However, my laptop was already frozen and I was unable to Quarantine the trojan, open Malwarebytes, or indeed perform any function at all. I had to manually close the laptop. I've reopened several times hoping to click on Quarantine before the freeze up but have been unable to do so. Essentially I no longer have a computer. This post is being sent from my brother's computer. I contacted Malwarebytes but have received no answer.

Please help, I'm terminally ill and need access to my computer to order meds.
Many Thanks, Katrine
GT500
Please follow the instructions at the link below to start your computer in Safe Mode With Networking:
http://www.computerhope.com/issues/chsafe.htm

After starting your computer in Safe Mode With Networking, please update Malwarebytes' Anti-Malware, run a Quick Scan, delete anything it finds, and then copy and paste the log into a reply.
Katrine
QUOTE (GT500 @ Nov 3 2009, 04:33 AM)
Please follow the instructions at the link below to start your computer in Safe Mode With Networking:
http://www.computerhope.com/issues/chsafe.htm

After starting your computer in Safe Mode With Networking, please update Malwarebytes' Anti-Malware, run a Quick Scan, delete anything it finds, and then copy and paste the log into a reply.

Hi
Thanks for your advice.
It took many tries to get booted as you suggested, but I finally succeeded. I then tried to open Malwarebytes to update and got this message:
"Error Code 703(0,13)" and was told to report it to the support team.

What do I do now?
Katrine
GT500
Restart your computer normally, and then download ComboFix from the link below, save it on your desktop, run it, and copy and paste the log into a reply:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Katrine
QUOTE (GT500 @ Nov 3 2009, 08:18 AM)
Restart your computer normally, and then download ComboFix from the link below, save it on your desktop, run it, and copy and paste the log into a reply:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Hi
Things aren't going well.
When I first opened the computer in normal mode, a small box appeared saying that Malwarebytes had been terminated unexpectedly [I don't know when this message was referring to], but I had the option of pressing OK to get a log of the events. I thought that would be helpful and pressed OK. But no log appeared and nothing happened except the computer froze up again. I manually closed down.
Tried to restart normally, and was back to the message from my first post, re the trojan, and the computer was totally frozen again. Closed down manually.
Then returned to your initial instruction about starting in Safe Mode with Networking. That seemed successful. Then tried to start in normal mode to download ComboFix. That seemed to work too, and no Malwarebytes messages appeared this time. ComboFix is saved to my desktop. However, when I tried to run ComboFix, a small message appeared saying not all pages could be installed, and to reboot the computer to complete installation. Did that, and went straight back to the original message about the trojan and a frozen computer. Sigh.
I've now been through the restart in Safe Mode, then restart in normal mode cycle 6 times - with NO success. Sorry, but I'm back where I started when I first posted - Malwarebytes message re trojan and a frozen computer.

Any advice?
Thanks, Katrine
Katrine
Hi
Could I please have some assistance with this problem.
Due to health issues, time is of the essence.
GT500
Please start your computer in Safe Mode, run Malwarebytes' Anti-Malware, click on the 'Protection' tab, uncheck the box that says "Start with Windows", and then restart your computer. Once your computer is running normally, download a new copy of ComboFix from the link below, run it, and then copy and paste the log into a reply:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Katrine
QUOTE (GT500 @ Nov 5 2009, 07:04 AM)
Please start your computer in Safe Mode, run Malwarebytes' Anti-Malware, click on the 'Protection' tab, uncheck the box that says "Start with Windows", and then restart your computer. Once your computer is running normally, download a new copy of ComboFix from the link below, run it, and then copy and paste the log into a reply:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Started up in safe mode, but Malwarebytes WILL NOT OPEN as before, same error code given, 703(0.13)
I really need this problem fixed, I can't wait 48 hours for replies.
Could you possibly post several suggestions should the first one fail.
GT500
QUOTE (Katrine)
Started up in safe mode, but Malwarebytes WILL NOT OPEN as before, same error code given, 703(0.13)
I really need this problem fixed, I can't wait 48 hours for replies.
Could you possibly post several suggestions should the first one fail.

Was ComboFix also not able to run?

If not, then please download Rkill from one of the following four links:

Rkill EXE:
http://download.bleepingcomputer.com/grinler/rkill.exe

Rkill COM:
http://download.bleepingcomputer.com/grinler/rkill.com

Rkill SCR:
http://download.bleepingcomputer.com/grinler/rkill.scr

Rkill PIF:
http://download.bleepingcomputer.com/grinler/rkill.pif


Save one of those 4 onto your desktop and try to run it. If the infection blocks it, then try one of the others. After running it, please try to launch ComboFix, let it run through a scan, and send me the log file that it produces when it's done.


If you are unable to launch ComboFix, even after running Rkill, then please download RSIT from the link below, run it with the default options, and attach the 'log' and 'info' files to a reply:
http://images.malwareremoval.com/random/RSIT.exe
Katrine
Hi
Thanks for your reply and suggestions
Got started in safe mode and launched ComboFix. It looked like it was going to run this time, but immediately detected AVG Free 9. ComboFix instructed me to disable AVG protection before proceeding, but I've been unable to do so. I launched AVG and a box appeared saying "You can use AVG 9.0 Anti-Virus command line scanner only in Windows Safe Mode". Can't find any disable options. Then tried to uninstall AVG, and it won't uninstall.
Stuck at this point - unable to disable or remove AVG, and unable to run Combofix because of AVG.
What should I do?
Many thanks for your help
Katrine
GT500
Attached to this message is a ZIP archive. There is a file inside the ZIP archive which is a simple fix to turn off the protection that is causing your computer to freeze on startup, and thus you will be able to start your computer normally, turn off AVG, and run ComboFix. Open the ZIP archive, and then double-click on the file inside it. It will ask you if you are sure you want to import it into your registry, so be sure to answer 'Yes', and then restart your computer after it says it's done. Your computer should start up normally without freezing. Turn off AVG, and run ComboFix. If all goes well, then copy and paste the contents of the log it shows you at the end into a reply.
Katrine
Hi
I got your message with the zip file. Obviously, I'm reading it from my brother's computer. This is a HUGE problem.
Obviously I need to be able to download and install the zip file on my own computer, which is the one with the trojan.

Tried starting up in normal mode:
No malwarebytes warning message this time - seemed good.
No Combofix warning message this time - seemed good.
But no internet connection showing either - not good.
When cursor is moved around screen it is displaying as an arrow, but when it moves over the area of the screen where the original malwarebytes warning was, it becomes an egg-timer!!! Yep, the computer was frozen again. Will perform no functions, including launching Opera.

Tried starting up in Safe Mode:
No Malwarebytes warning message showed - seemed good.
No Combofix warning message showed - seemed good.
But, NO INTERNET CONNECTION.

I can't get onto this forum from the infected computer!!!! So I can't access or install the zip file you recommend!!!

This is driving me nuts!!!

Tried starting up again in normal mode, this time the original Malwarebytes warning message re the trojan appeared and the computer immediately froze up.
How do we get around this problem?

Thanks, Katrine
GT500
Just try running ComboFix from Safe Mode, even though it says AVG is on. It should work OK.
Katrine
Hi there
I managed to run combofix in safe mode, ignoring the AVG warnings as instructed. This is what happened:
Combofix warning appeared saying "This machine does not have Microsoft Windows Recovery Console installed. Without it Combofix shall not attempt the fixing of some serious infections" Click Yes to have Combofix download and install it. NOTE this requires an active internet connection.

Had to Click No, as I have no internet connection in safe mode [or normal mode].
However, Combofix Autoscan continued, and I now have a log.
How on earth do I get the log to you???? Still no internet connection remember.

Is there a way to establish an internet connection in safe mode?

Many Thanks, Katrine
Katrine
YAY Success:)

Managed to start up in Safe Mode with Networking and got an internet connection.
So at last here is the ComboFix log:

ComboFix 09-11-03.01 - User 06/11/2009 19:32.1.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.723 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-10-27 17:24 . 2009-10-27 17:24 -------- d-----w- c:\documents and settings\User\Application Data\AVG8
2009-10-26 19:51 . 2009-10-26 19:55 -------- d-----w- C:\$AVG
2009-10-26 19:49 . 2009-11-05 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 17:58 . 2008-08-29 19:55 -------- d-----w- c:\documents and settings\User\Application Data\HPAppData
2009-10-27 17:34 . 2007-11-04 02:27 -------- d-----w- c:\program files\Lavasoft
2009-10-27 17:13 . 2007-11-04 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-26 20:07 . 2008-08-27 19:24 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-26 19:50 . 2008-08-27 19:24 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-26 19:50 . 2008-08-27 19:24 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-26 19:50 . 2008-08-27 19:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-26 19:49 . 2008-08-06 18:52 -------- d-----w- c:\program files\AVG
2009-10-17 21:09 . 2007-08-22 11:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-28 16:34 . 2009-09-09 19:04 -------- d-----w- c:\documents and settings\User\Application Data\eBookPro6
2009-09-11 19:09 . 2009-07-23 07:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 13:54 . 2009-07-23 07:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-07-23 07:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-05 18:05 . 2007-08-30 14:41 47224 -c--a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-26 2010904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-26 19:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R2 MTC0005_MTCDIO;Wireless HotKey Driver;c:\windows\system32\drivers\MTCDIO.sys [22/09/2003 09:04 11316]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [22/08/2007 11:36 68224]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/08/2008 19:24 333192]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27/08/2008 19:24 360584]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [26/10/2009 19:49 906520]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [26/10/2009 19:49 285392]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [23/07/2009 07:12 269648]
S2 MTCDIO;MTCDIO;c:\windows\system32\drivers\MTCDIO.sys [22/09/2003 09:04 11316]
S3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys --> c:\windows\system32\Drivers\ov550i.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [23/07/2009 07:12 19160]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\Malwarebytes' Scheduled Update for User.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-07-23 13:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.f271.mail.yahoo.com/dc/launch?.rand=cr7pbc9qsprvi
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
DPF: PackageCab - hxxp://www.imgag.com/cp/install/AxCtp2.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-Device Detector - DevDetect.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 19:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1592)
c:\windows\system32\WININET.dll
.
Completion time: 2009-11-06 19:42
ComboFix-quarantined-files.txt 2009-11-06 19:41

Pre-Run: 4,354,539,520 bytes free
Post-Run: 8,018,272,256 bytes free
Katrine
Hmmm.........I'm totally confused. I posted the ComboFix log from the problematic computer, and it shows up on the forum when viewed from this computer, BUT when I look on the forum from my brother's computer [which I usually have to use] the post of the log doesn't show up!!!!!
Have I actually managed to post the Combofix log? Can anyone other than me see it???

Thanks Katrine
GT500
I can see the log. Probably just a cache issue on your brother's computer.
GT500
OK, this should allow you to start your computer without it freezing:

I have attached a file to this message called CFScript.txt which will tell ComboFix how to remove some of the bad things I saw in your ComboFix log. Please save CFScript onto your desktop, and then download a fresh copy of ComboFix from the link below, and make sure to save it on your desktop as well. Once you have both CFScript and ComboFix saved to your desktop, hold down the left mouse button on top of the icon for CFScript, and drag it on top of the ComboFix icon, and then let go. This should start ComboFix again. Make sure, when it finishes, to attach the new log to a reply so that I can verify that it deleted what it was supposed to.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
After running that, your computer should restart, and then start up normally. If it does not freeze, then you need to perform the following steps:
  1. Disable AVG for the time being.

  2. Run Malwarebytes' Anti-Malware.

  3. Click on the 'Update' tab.

  4. Click the button to check for updates.

  5. Once it's done getting updates, run a Quick Scan.

  6. Remove anything it finds.

  7. Copy and paste the log into a reply.

  8. You can turn AVG back on after sending me the log.
Katrine
Hi

I've had some success. Managed to download CFScript and followed your instructions for running the newly downloaded ComboFix.
This is the scan log:

ComboFix 09-11-03.01 - User 07/11/2009 2:02.2.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.786 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MBAMPROTECTOR
-------\Service_MBAMProtector


((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-10-27 17:24 . 2009-10-27 17:24 -------- d-----w- c:\documents and settings\User\Application Data\AVG8
2009-10-26 19:51 . 2009-10-26 19:55 -------- d-----w- C:\$AVG
2009-10-26 19:49 . 2009-11-05 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 23:05 . 2008-08-29 19:55 -------- d-----w- c:\documents and settings\User\Application Data\HPAppData
2009-10-27 17:34 . 2007-11-04 02:27 -------- d-----w- c:\program files\Lavasoft
2009-10-27 17:13 . 2007-11-04 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-26 20:07 . 2008-08-27 19:24 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-26 19:50 . 2008-08-27 19:24 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-26 19:50 . 2008-08-27 19:24 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-26 19:50 . 2008-08-27 19:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-26 19:49 . 2008-08-06 18:52 -------- d-----w- c:\program files\AVG
2009-10-17 21:09 . 2007-08-22 11:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-28 16:34 . 2009-09-09 19:04 -------- d-----w- c:\documents and settings\User\Application Data\eBookPro6
2009-09-11 19:09 . 2009-07-23 07:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 13:54 . 2009-07-23 07:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-07-23 07:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-05 18:05 . 2007-08-30 14:41 47224 -c--a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-06_19.39.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-07 02:11 . 2009-11-07 02:11 16384 c:\windows\temp\Perflib_Perfdata_c9c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-26 2010904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-26 19:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/08/2008 19:24 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27/08/2008 19:24 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [26/10/2009 19:49 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [26/10/2009 19:49 285392]
R2 MTC0005_MTCDIO;Wireless HotKey Driver;c:\windows\system32\drivers\MTCDIO.sys [22/09/2003 09:04 11316]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [22/08/2007 11:36 68224]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [23/07/2009 07:12 269648]
S2 MTCDIO;MTCDIO;c:\windows\system32\drivers\MTCDIO.sys [22/09/2003 09:04 11316]
S3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys --> c:\windows\system32\Drivers\ov550i.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\Malwarebytes' Scheduled Update for User.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-07-23 13:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.f271.mail.yahoo.com/dc/launch?.rand=cr7pbc9qsprvi
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
DPF: PackageCab - hxxp://www.imgag.com/cp/install/AxCtp2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 02:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3052)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-11-07 2:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-07 02:16
ComboFix2.txt 2009-11-06 19:42

Pre-Run: 8,002,076,672 bytes free
Post-Run: 6,864,814,080 bytes free


At the end of the scan the computer did reboot on its own, and I tried to follow the rest of your instructions.
AVG is disabled, but Malwarebytes would not run. I got the same error message I have had since this trojan problem started, Error Code 703(0.13).

Hope the new log helps, but I've no idea how to get Malwarebytes open, running and updated.

Many Thanks, Katrine
GT500
OK, error code 703 is being caused because AVG broke our software. The ComboFix log isn't showing the file that Malwarebytes' Anti-Malware was complaining about, so I can't say if it is still there or not.

Before we attempt to fix Malwarebytes' Anti-Malware, we need to add some exclusions to AVG. This won't solve all of the issues, as AVG is breaking our database regardless of exclusions, but this will help to cut down on future conflicts once they get this current issue fixed. Here are the files that need to be added to the exclusions list in AVG:
  1. C:\WINDOWS\system32\drivers\mbam.sys
  2. C:\WINDOWS\system32\drivers\mbamswissarmy.sys
  3. C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  4. C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  5. C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  6. C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref


After adding those exclusions, please run an online virus scan through ESET. Here are the steps:
  1. Turn off AVG.

  2. Click on this link.

  3. Click on the "ESET Online Scanner" button.

  4. Put a check in the box that says "YES, I accept the Terms of Use."

  5. Click the 'Start' button just to the right of the checkbox.

  6. Uncheck the box that says "Remove found threats" (this is very important).

  7. Click on "Advanced settings".

  8. Put a check in the box that says "Scan for potentially unsafe applications".

  9. Verify that "Scan for potentially unwanted applications" is also checked.

  10. Verify that "Enable Anti-Stealth technology" is also checked.

  11. Click the 'Start' button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.

  12. When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."

  13. Save that text file on your desktop, and then copy and paste it into a reply for me.

  14. Close the ESET online scan.


I will take a look at the log, and let you know if anything needs to be removed.
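GT500 reads the two ComboFix logs by hand: he checks whether the file Malwarebytes flagged (c:\windows\system32\wtsapi32.dll) is listed anywhere, and compares the pre- and post-CFScript runs to confirm what was removed. The script below is an added example, not part of this thread or of ComboFix, that does the same over constructed excerpts of the two logs posted above; its regexes assume the line layouts visible in those logs.

```python
"""Read ComboFix logs the way a helper does: does a flagged file appear anywhere,
and which autostart entries / services disappeared between two runs?"""
import re

# Constructed excerpts of the two ComboFix logs posted in this thread, trimmed
# to the sections the parser reads; they are not the complete logs.
LOG_BEFORE = r"""
(((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-26 2010904]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/08/2008 19:24 333192]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [23/07/2009 07:12 269648]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [23/07/2009 07:12 19160]
"""

LOG_AFTER = r"""
(((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))
.

-------\Legacy_MBAMPROTECTOR
-------\Service_MBAMProtector

(((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-26 2010904]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/08/2008 19:24 333192]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [23/07/2009 07:12 269648]
"""

# Line shapes as they appear in the logs above (assumed stable for this ComboFix version).
RUN_KEY_RE = re.compile(r"^\[(HK[^\]]*\\Run)\]$")                  # [HKLM\...\CurrentVersion\Run]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')                  # "Name"="path" [date size]
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.+?) \[")  # S3 Name;Display;path [..]
DELETION_RE = re.compile(r"^-------\\(\S+)$")                       # -------\Service_Foo


def parse_combofix(text):
    """Return the Run values, services (name -> (state, path)) and deletions in one log."""
    run, services, deleted = {}, {}, []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if not line or line.startswith("["):
            current_key = None  # a blank line or another key ends the Run block
            continue
        if current_key:
            m = RUN_VALUE_RE.match(line)
            if m:
                run[(current_key, m.group(1))] = m.group(2)
            continue
        m = SERVICE_RE.match(line)
        if m:
            # R = running, S = stopped; the digit is the Windows start type.
            services[m.group(2)] = (m.group(1), m.group(4))
            continue
        m = DELETION_RE.match(line)
        if m:
            deleted.append(m.group(1))
    return {"run": run, "services": services, "deleted": deleted}


def removed_between(before, after):
    """Autostart values and services present in `before` but absent from `after`."""
    b, a = parse_combofix(before), parse_combofix(after)
    gone_run = sorted(name for key, name in b["run"] if (key, name) not in a["run"])
    gone_services = sorted(n for n in b["services"] if n not in a["services"])
    return gone_run, gone_services


def state_changes(before, after):
    """Services whose R/S state changed, e.g. a stopped driver that is now running."""
    b = parse_combofix(before)["services"]
    a = parse_combofix(after)["services"]
    return {n: (b[n][0], a[n][0]) for n in b if n in a and b[n][0] != a[n][0]}


def mentions_path(text, path):
    """ComboFix lowercases most paths, so look for a file case-insensitively."""
    return path.lower() in text.lower()


if __name__ == "__main__":
    print("removed:", removed_between(LOG_BEFORE, LOG_AFTER))
    print("deleted by CFScript:", parse_combofix(LOG_AFTER)["deleted"])
    print("wtsapi32.dll listed:", mentions_path(LOG_BEFORE, r"c:\windows\system32\wtsapi32.dll"))
```

On these excerpts the only items gone after the CFScript run are the Malwarebytes' Anti-Malware Run value and the MBAMProtector driver, matching the Drivers/Services deletions, and the flagged wtsapi32.dll is not listed in either log, which is exactly why the log cannot say whether it is still there.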
Katrine
QUOTE (GT500 @ Nov 7 2009, 06:53 AM)
OK, error code 703 is being caused because AVG broke our software. The ComboFix log isn't showing the file that Malwarebytes' Anti-Malware was complaining about, so I can't say if it is still there or not.

Before we attempt to fix Malwarebytes' Anti-Malware, we need to add some exclusions to AVG. This won't solve all of the issues, as AVG is breaking our database regardless of exclusions, but this will help to cut down on future conflicts once they get this current issue fixed. Here are the files that need to be added to the exclusions list in AVG:
  1. C:\WINDOWS\system32\drivers\mbam.sys
  2. C:\WINDOWS\system32\drivers\mbamswissarmy.sys
  3. C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  4. C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  5. C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  6. C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref


After adding those exclusions, please run an online virus scan through ESET. Here are the steps:
  1. Turn off AVG.

  2. Click on this link.

  3. Click on the "ESET Online Scanner" button.

  4. Put a check in the box that says "YES, I accept the Terms of Use."

  5. Click the 'Start' button just to the right of the checkbox.

  6. Uncheck the box that says "Remove found threats" (this is very important).

  7. Click on "Advanced settings".

  8. Put a check in the box that says "Scan for potentially unsafe applications".

  9. Verify that "Scan for potentially unwanted applications" is also checked.

  10. Verify that "Enable Anti-Stealth technology" is also checked.

  11. Click the 'Start' button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.

  12. When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."

  13. Save that text file on your desktop, and then copy and paste it into a reply for me.

  14. Close the ESET online scan.


I will take a look at the log, and let you know if anything needs to be removed.



Hi
I think I've got mixed success to report.
First the bad news - I didn't know how to add any of the exclusions to AVG that you recommended, and after opening AVG I was no further forward; I just couldn't figure out how to do what you had instructed. I also couldn't see any way to turn AVG off for the second part of your instructions - I did have certain elements disabled, but couldn't find an option to turn it off completely.
So, in light of what you said about AVG breaking the Malwarebytes software, I thought maybe it would be best just to uninstall AVG.
I started the uninstall process, and about 3/4 of the way through it a box popped up wanting to restart the computer to install Microsoft Updates.
Sigh... terrible timing. I tried to stop the restart process, but it went ahead anyway.
When the computer rebooted the AVG icon was gone from my desktop, and AVG isn't showing in my programs list, so I think it's fully uninstalled but I'm not certain.

Then I moved onto your second set of instructions. I downloaded and ran ESET; surprisingly, at the end of the scan it reported "No Threats Found".
I'm hoping this is really good news, but I'm also confused as to what could have healed or removed the trojan.
ESET didn't provide a log for me to post, and I don't really know if I'm clean or not.
At present I don't have any anti-virus software on the computer. I was wary of downloading AVG again in case it caused more conflicts with Malwarebytes, but I feel vulnerable without the protection.

What are your thoughts on these events, and my current status?

Thanks for all your help and advice. If I need to take further action, can I please let you know in advance that I need really detailed instructions? I have NO technical knowledge or experience. I wouldn't be the least offended if you treated me as if I know nothing, because that would actually be accurate.

I look forward to hearing your thoughts on the matter.
Many thanks, Katrine
GT500
Please download and run the AVG Remover to make sure it's completely gone.

Also, we normally recommend either AntiVir or Microsoft Security Essentials. Note that if you go with Microsoft Security Essentials, you will probably need to add exclusions. AntiVir does not have any issues with our software (so no exclusions), but it likes to display an ad for the Pro version each time it updates.

Adding exclusions in Microsoft Security Essentials is easy (if you choose it over AntiVir). When you open Microsoft Security Essentials, click on the 'Settings' tab, and then select "Excluded processes" from the list on the left. Using the 'Add' button on the right, add the following processes to the list:
  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

Afterwards, select "Excluded files & locations" from the list on the left, and using the 'Add' button, add the following two files:
  • C:\WINDOWS\system32\drivers\mbam.sys
  • C:\WINDOWS\system32\drivers\mbamswissarmy.sys


After selecting and setting up your new anti-virus, please open Malwarebytes' Anti-Malware, go to the 'Protection' tab, and select the box to "Start with Windows". You may also want to click the button to "Start Protection". This will ensure that you are once again protected.
Katrine
Hi
I'm so sorry, but I'm having no luck here at all.
I downloaded AVG Remover and ran it; log available if you need it.
I downloaded AntiVir, but it won't update; it says there was an error during download.
I've uninstalled it three times, and downloaded three times - each time I'm told I need to update, but the update won't run because of a download error!!!
So, I gave up on AntiVir, and tried the Microsoft alternative you suggested. It seems to have downloaded OK, but I can't add the exclusions you wanted.
I followed your instructions, and opened the proper tabs, hit the ADD button, and another window opens up with my C drive and D drive listed, but there is no way I can find to either type in the list of exclusions, or copy and paste them.
I realise I'm probably missing something really obvious here, but don't know what. Sorry.
GT500
QUOTE (Katrine)
...
I followed your instructions, and opened the proper tabs, hit the ADD button, and another window opens up with my C drive and D drive listed, but there is no way I can find to either type in the list of exclusions, or copy and paste them.
I realise I'm probably missing something really obvious here, but don't know what. Sorry.


I forgot that Microsoft Security Essentials uses a less common type of file-chooser. If you look to the left of each folder, there's a '+' sign in a box, and if you click that it expands the folder and allows you to browse the contents (see the screenshot below). What you will have to do is click through the folders until you find the files, and then select them.

Katrine
Hi
Oh my goodness, that was quite a task, but at last all the exclusions are in place.
I ran a quick scan, but it didn't seem to produce a log - is that normal?

Then I tried to open Malwarebytes as you said earlier, and guess what? Error Code 703 again.
At the moment I'm trying to run a full scan to see if I can get a log for you this time.

Do you think I need to uninstall Malwarebytes and download a new copy? Would I have to pay for it again?
And how do we find out if the trojan is gone or not?

Many Thanks, Katrine
GT500
QUOTE (Katrine)
I ran a quick scan, but it didn't seem to produce a log - is that normal?


I do not believe that Microsoft Security Essentials shows you logs after scans like Malwarebytes' Anti-Malware does, so that is probably normal.

QUOTE (Katrine)
Do you think I need to uninstall Malwarebytes and download a new copy?


Yes. That would be the best course of action.

QUOTE (Katrine)
Would I have to pay for it again?


No. Your license is good for a lifetime. Just download a fresh copy from this link.

QUOTE (Katrine)
And how do we find out if the trojan is gone or not?


A Quick Scan in Malwarebytes' Anti-Malware should tell us.
Katrine
Hi
I think I've got really good news for you.

The Microsoft Security Essentials full scan is finished. Again, no log, but it did report "No Threats Detected".

Old version of Malwarebytes uninstalled, and new version installed from your link. Protection tab activated.
Ran a full scan; find the log below. Again, "No Threats Detected".

Are we all clear now?
Everything seems to be functioning normally, except that the computer is really noisy; it sounds like it's struggling.

Many Thanks for all your help
Katrine

Malwarebytes' Anti-Malware 1.41
Database version: 3134
Windows 5.1.2600 Service Pack 3

09/11/2009 19:43:32
mbam-log-2009-11-09 (19-43-32).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 162408
Time elapsed: 48 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
GT500
OK, it looks like everything is OK. Nothing is detecting anything malicious, and your ComboFix log looks clean. I'm willing to say that your computer is clean. Let me know if you have any further issues.
Katrine
Many Thanks for all your help.
It's a wonderful relief to be clear and functioning again.
Katrine
GT500
I'm going to close this topic now to prevent it from being hijacked by someone else. If you need it reopened for any reason, then please send me a private message to let me know.
Invision Power Board © 2001-2009 Invision Power Services, Inc.