
Inactive [InActive] Virus unable to open any anti virus software

Discussion in 'Malware and Virus Removal Archive' started by ellispe, 2009/04/01.

Thread Status:
Not open for further replies.
  1. 2009/04/01
    ellispe

    ellispe Inactive Thread Starter

    ComboFix 09-03-31.03 - Sophie 2009-04-01 13:45:48.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1485 [GMT 1:00]
    Running from: c:\documents and settings\Sophie\Desktop\ComboFix.exe
    AV: PCguard Anti-Virus *On-access scanning disabled* (Updated)
    FW: PCguard Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\9g234sdff3d23dfgjf23
    c:\windows\IE4 Error Log.txt
    c:\windows\ld02.exe
    c:\windows\system32\mcenspc.dll
    c:\windows\system32\nfr.assembly
    c:\windows\system32\nfr.gpref
    c:\windows\t55ft2809f44.dat

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
    .

    2009-04-01 13:27 . 2009-04-01 13:27 268 --ah----- C:\sqmdata01.sqm
    2009-04-01 13:27 . 2009-04-01 13:27 244 --ah----- C:\sqmnoopt01.sqm
    2009-03-31 23:05 . 2009-04-01 08:33 46,640 --a------ c:\windows\system32\msln.exe
    2009-03-31 22:30 . 2009-04-01 13:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
    2009-03-31 22:30 . 2009-04-01 13:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
    2009-03-31 22:02 . 2009-03-31 22:02 <DIR> d-------- c:\documents and settings\Administrator.WORKSTATION
    2009-03-31 22:01 . 2009-03-31 22:01 268 --ah----- C:\sqmdata00.sqm
    2009-03-31 22:01 . 2009-03-31 22:01 244 --ah----- C:\sqmnoopt00.sqm
    2009-03-31 21:03 . 2009-03-31 21:03 <DIR> d-------- c:\program files\Enigma Software Group
    2009-03-31 18:08 . 2009-03-31 18:08 <DIR> d-------- c:\program files\Raxco
    2009-03-31 18:08 . 2009-03-31 18:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Raxco
    2009-03-30 17:52 . 2009-03-30 17:52 200,720 --a------ c:\windows\system32\mukmil.dll
    2009-03-30 17:52 . 2009-03-30 17:52 39,936 --a------ c:\windows\system32\0b1fbcd6afea6d91aa12af116caefc32.sys
    2009-03-28 20:55 . 2009-03-28 20:55 <DIR> d-------- c:\program files\Common Files\Authentium
    2009-03-28 20:55 . 2009-03-31 18:07 53,192 --a------ c:\windows\system32\drivers\rp_skt32.sys
    2009-03-28 20:55 . 2007-04-19 12:36 48,384 --a------ c:\windows\system32\drivers\rp_pkt32.sys
    2009-03-28 20:54 . 2009-03-28 21:01 <DIR> d-------- c:\program files\Common Files\Scanner
    2009-03-28 20:54 . 2009-03-28 20:54 <DIR> d-------- c:\program files\CA
    2009-03-28 20:50 . 2009-03-28 20:50 <DIR> d-------- c:\documents and settings\Sophie\Application Data\InstallShield
    2009-03-28 20:48 . 2009-03-28 20:53 <DIR> d-------- c:\program files\Virgin Broadband
    2009-03-28 20:48 . 2009-03-28 23:00 <DIR> d-------- c:\documents and settings\Sophie\Application Data\Virgin Broadband
    2009-03-28 20:48 . 2009-03-28 20:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Virgin Broadband
    2009-03-20 16:22 . 2009-03-20 16:22 11,264 --a------ c:\documents and settings\Sophie\Application Data\nSvcAppFlt.exe
    2009-03-20 16:22 . 2009-03-20 16:22 2 ---h----- c:\windows\t55ft2951f44.dat
    2009-03-08 20:47 . 2009-03-08 20:47 <DIR> d-------- c:\program files\Belkin
    2009-03-08 20:47 . 2005-10-03 10:49 204,800 --a------ c:\windows\system32\UploadDLL.dll
    2009-03-08 20:47 . 2005-11-20 05:31 192,512 --a------ c:\windows\system32\blkwcd.dll
    2009-03-08 20:47 . 2005-10-03 10:50 167,936 --a------ c:\windows\system32\BelkinwcuiDLL.dll
    2009-03-08 20:47 . 2005-10-03 10:50 101,888 --a------ c:\windows\system32\CrashRpt.dll
    2009-03-08 20:47 . 2005-10-03 10:49 81,920 --a------ c:\windows\system32\brdcm2k.dll
    2009-03-08 20:47 . 2005-10-03 10:49 61,440 --a------ c:\windows\system32\BelkinHWStatus.dll
    2009-03-08 20:47 . 2004-10-29 13:09 53,248 --a------ c:\windows\system32\preflib.dll
    2009-03-08 20:47 . 2009-03-08 20:47 20,747 --a------ c:\windows\system32\drivers\AegisP.sys
    2009-03-08 20:34 . 2005-08-27 00:39 352,768 --a------ c:\windows\system32\drivers\rt61.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-01 12:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-04-01 12:41 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2009-04-01 12:34 --------- d-----w c:\program files\Spyware Doctor
    2009-04-01 12:34 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-03-31 16:36 --------- d-----w c:\documents and settings\Sophie\Application Data\uTorrent
    2009-03-28 19:59 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2009-03-28 19:51 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-13 09:04 --------- d-----w c:\documents and settings\Sophie\Application Data\MSN6
    2009-03-08 19:58 --------- d-----w c:\program files\Google
    2009-02-03 12:05 --------- d-----w c:\documents and settings\Sophie\Application Data\Vso
    2009-02-02 11:26 --------- d-----w c:\program files\iTunes
    2009-02-02 11:26 --------- d-----w c:\program files\iPod
    2009-02-02 11:26 --------- d-----w c:\program files\Common Files\Apple
    2009-02-02 11:26 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2009-02-02 11:24 --------- d-----w c:\program files\QuickTime
    2009-02-02 11:01 --------- d-----w c:\program files\Bonjour
    2009-02-02 10:59 --------- d-----w c:\program files\Safari
    2008-11-25 13:45 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2008-09-22 08:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092220080923\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 68856]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-25 29744]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "IndexCleaner"="c:\program files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 61168]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "EPSON Stylus Photo RX520 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE" [2005-04-07 98304]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-25 29744]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-04-09 200704]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-11-05 1168264]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
    "Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 2061552]
    "PCguard"="c:\program files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 310000]
    "-FreedomNeedsReboot"="c:\program files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 13552]
    "SoundMan"="SOUNDMAN.EXE" [2005-06-20 c:\windows\SOUNDMAN.EXE]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "IndexCleaner"="c:\program files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 61168]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 11000]
    Belkin Wireless Utility.lnk - c:\program files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe [2009-03-08 1523712]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dffdcdb]
    2002-09-14 04:28 279567 c:\windows\system32\dffdcdb.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ac3filter"= ac3filter.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\utorrent\\utorrent.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
    "c:\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Documents and Settings\\Sophie\\Application Data\\nSvcAppFlt.exe"=

    R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2005-02-12 16640]
    R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;c:\windows\system32\drivers\Si3132r5.sys [2006-09-05 208688]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-24 356920]
    S0 0b1fbcd6afea6d91aa12af116caefc32;0b1fbcd6afea6d91aa12af116caefc32; [x]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
    S2 EraserSvc10910;Symantec Eraser Service; "c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe" /h ccCommon --> c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [?]
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2009-03-08 17149]
    S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-10-31 29744]
    S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\system32\dllhost.exe [2003-03-31 5120]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0abd8cc2-607b-11db-97e3-806d6172696f}]
    \Shell\AutoRun\command - F:\AUTORUN.EXE
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    2009-04-01 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

    2009-04-01 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-27 20:31]

    2009-01-16 c:\windows\Tasks\Norton Security Scan for Sophie.job
    - c:\program files\Norton Security Scan\Nss.exe [2008-09-19 05:18]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-EPSON Stylus Photo RX420 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
    HKLM-Run-EPSON Stylus Photo RX420 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
    HKLM-Run-VideoraiPodConverter - c:\program files\VideoraiPodConverter\VideoraConverter.exe
    HKLM-Run-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = www.google.co.uk/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?94ef9cb0c3174054a1e7f93d6897084a
    IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?94ef9cb0c3174054a1e7f93d6897084a
    TCP: {78E6DAE4-6CED-4B6C-976C-C0441BB588DB} = 4.2.2.2,4.2.2.1
    DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
    DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
    FF - ProfilePath - c:\documents and settings\Sophie\Application Data\Mozilla\Firefox\Profiles\88r7or2o.default\
    FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Picasa2\npPicasa2.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-01 13:51:56
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1172)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\dffdcdb.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\program files\Virgin Broadband\PCguard\Fws.exe
    c:\windows\system32\ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
    c:\program files\CA\PPRT\bin\ITMRTSVC.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Raxco\PerfectDisk\PDAgent.exe
    c:\program files\Spyware Doctor\pctsSvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Raxco\PerfectDisk\PDEngine.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Virgin Broadband\PCguard\rpsupdaterR.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-01 13:54:24 - machine was rebooted
    Hi

    I am fairly new to forums and I am really struggling to identify or resolve the above issue. I have read a few posts already live, regarding what seems to be the same virus, but I am not really getting anywhere! Below is a log taken from ComboFix. I hope that this helps. However, if any further information is required please ask, as any support is much appreciated.

    ComboFix-quarantined-files.txt 2009-04-01 12:54:22


    Pre-Run: 5,478,416,384 bytes free
    Post-Run: 7,553,527,808 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /usepmtimer

    229 --- E O F --- 2009-03-27 23:09:29
     
  2. 2009/04/01
    ellispe

    ellispe Inactive Thread Starter

    Hi

    I am fairly new to forums and I am really struggling to identify or resolve the above issue. I have read a few posts already live, regarding what seems to be the same virus, but I am not really getting anywhere! Below is a log taken from ComboFix. I hope that this helps. However, if any further information is required please ask, as any support is much appreciated.

    (Sorry, this message was supposed to be at the top!)
     

  4. 2009/04/06
    Juliet

    Juliet Well-Known Member

    Hi and welcome

    Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post HJT/DDS logs and start a new topic.


    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.





    Please download Flash_Disinfector by sUBs and save it to your desktop:

    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

    • Plug in your USB flash drive.
    • Double-click Flash_Disinfector.exe to run it.
    • Follow any prompts that may appear.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.

    Please leave the flash drive plugged in while completing the following.




    Next: Please disable all onboard security programs (all running with background protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    File:: 
    F:\AUTORUN.EXE
    c:\windows\system32\msln.exe
    c:\windows\system32\mukmil.dll
    c:\windows\system32\dffdcdb.dll
    c:\windows\system32\0b1fbcd6afea6d91aa12af116caefc32.sys
    Driver::
    0b1fbcd6afea6d91aa12af116caefc32
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dffdcdb]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0abd8cc2-607b-11db-97e3-806d6172696f}]
    [​IMG]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



    Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.
    Please include the contents of both logs in your next reply. The scan will instruct you to post the attach log as an attachment.
    No need for that though ..... just post it as you would any other log.



    In your next reply post:
    ComboFix.txt
    DDS log




    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  5. 2009/05/21
    Juliet

    Juliet Well-Known Member

    Due to the lack of feedback this Topic is closed.

    If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter.
     