Win32:MalOb-Z[Cryp]

A few days ago, one of my computers started showing this virus. Avast blocks it every time but no matter what I do it just keeps coming back every 4-5 mins. When I unplug my internet, the virus doesn’t show up, but right after I plug my internet back in, the virus starts coming up again. Every time Avast detects it, the virus is always in the temp folder. I have already searched for solutions, but no one seemed to have found a solution for this.

hey! try scanning with MBAM and SAS and see if they can solve your problem.

http://filehippo.com/download_malwarebytes_anti_malware/
http://filehippo.com/download_superantispyware/

good luck and write back if that is not solving your problem.

Don’t forget to update the database first before you make the scan with them.

welcome to the forum too.

I have tried scanning with Avast, MBAM, SAS, and Spybot S&D. Nothing was found. I also used CCleaner to remove all files in the temp folder.

sorry delete

I strongly recommend you check out Essexboy’s Combofix suggestion on page 2 of this thread.

http://forum.avast.com/index.php?topic=50222.0

I struggled with this virus for two days until following his instructions. I think I’m good to go now!

Some of the new malware infects system files which AV’s do not detect (yet) and the files change on almost a daily basis

Download Combofix from any of the links below. You must rename it to Gotcha before saving it to your desktop.

Link 1
Link 2

==================================

http://www.hdrcgb.org.uk/g2g/Cfix_Gotcha.exe.jpg

Double click on the renamed ComboFix.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the C:\ComboFix.txt so we can continue cleaning the system.

Ok, I did everything. Here’s the 1st part of the file.

ComboFix 09-10-26.06 - David 10/27/2009 17:17.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2867 [GMT -4:00]
Running from: c:\documents and settings\David\My Documents\Downloads\Gotcha.exe
AV: avast! antivirus 4.8.1356 [VPS 091027-0] On-access scanning disabled (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :stuck_out_tongue:
.
((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.


2nd part

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

Part 3

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“BitTorrent DNA”=“c:\program files\DNA\btdna.exe” [2009-10-22 318272]
“SpybotSD TeaTimer”=“c:\program files\Spybot - Search & Destroy\TeaTimer.exe” [2009-03-05 2260480]
“SUPERAntiSpyware”=“c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2009-10-13 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SunJavaUpdateSched”=“c:\program files\Java\jre6\bin\jusched.exe” [2009-10-20 149280]
“StartCCC”=“c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” [2009-08-14 98304]
“ATICustomerCare”=“c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe” [2007-10-04 307200]
“avast!”=“c:\progra~1\ALWILS~1\Avast4\ashDisp.exe” [2009-09-15 81000]
“Malwarebytes Anti-Malware (reboot)”=“c:\program files\Malwarebytes’ Anti-Malware\mbam.exe” [2009-09-10 1312080]
“RTHDCPL”=“RTHDCPL.EXE” - c:\windows\RTHDCPL.EXE [2009-10-06 18750976]

c:\documents and settings\All Users\Start Menu\Programs\Startup
REALTEK RTL8187 Wireless LAN Utility.lnk - c:\program files\Realtek\RTL8187 Wireless LAN Utility\RtWLan.exe [2009-10-20 815104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= “c:\program files\SUPERAntiSpyware\SASSEH.DLL” [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GamersFirst LIVE!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
backup=c:\windows\pss\GamersFirst LIVE!.lnkCommon Startup

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“%windir%\Network Diagnostic\xpnetdiag.exe”=
“c:\Program Files\Ventrilo\Ventrilo.exe”=
“c:\Program Files\TeamViewer\Version4\TeamViewer.exe”=
“c:\Program Files\BitTorrent\bittorrent.exe”=
“c:\Program Files\DNA\btdna.exe”=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/20/2009 4:06 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/20/2009 4:06 PM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/20/2009 10:26 AM 38144]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [10/20/2009 10:18 AM 68136]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/20/2009 10:21 AM 1684736]
S3 cpuz130;cpuz130;??\c:\docume~1\David\LOCALS~1\Temp\cpuz130\cpuz_x32.sys → c:\docume~1\David\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service → c:\windows\system32\GameMon.des -service [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [10/20/2009 10:26 AM 332928]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]

— Other Services/Drivers In Memory —

Deregistered - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\x4ljetdx.default
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 17:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
“ImagePath”=“c:\windows\system32\GameMon.des -service”
.
--------------------- DLLs Loaded Under Running Processes ---------------------

‘winlogon.exe’(688)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-27 17:20
ComboFix-quarantined-files.txt 2009-10-27 21:20

Pre-Run: 468,786,139,136 bytes free
Post-Run: 468,764,844,032 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=“Microsoft Windows XP Home Edition” /noexecute=optin /fastdetect

End Of File - - 7F1E69BD96B6178B3A75B5A15BBE112C
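As an added example (not from this thread, and not ComboFix’s own code), the Python below parses lines in the format of the log above, the ‘Files Created’ entries and the R/S service lines, and flags the two things a helper reads such a log for: kernel drivers created recently and anything loading from a Temp folder, which is where the poster’s repeated detections kept appearing. The sample lines are constructed to mirror the log’s format; the xyz.tmp.exe entry is invented.

```python
"""Triage helper for ComboFix-style log lines (constructed example, not ComboFix code).

Parses 'Files Created' lines (create-time . modify-time size attrs path) and the
R*/S* service lines, then flags newly created kernel drivers and any executable
or service image that lives in a Temp folder.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# 2009-10-25 18:28 . 2009-09-10 18:54 38224 ----a-w- c:\windows\...\mbamswissarmy.sys
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-{8}|\d+) ([-a-z]{8}) (.+)$"
)
# S3 cpuz130;cpuz130;??\c:\docume~1\David\LOCALS~1\Temp\cpuz130\cpuz_x32.sys
SERVICE_LINE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".sys")


@dataclass
class Finding:
    kind: str    # "driver", "temp-binary" or "temp-service"
    item: str    # file path or service name
    reason: str


def parse_file_line(line):
    """Return a dict for one 'Files Created' line, or None if the line is not one."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return {
        "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
        "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
        "is_dir": attrs.startswith("d"),          # directories show '--------' as size
        "size": None if size == "--------" else int(size),
        "path": path,
    }


def triage(log_text, scan_time, window_days=7):
    """Flag new drivers and Temp-folder binaries/services; order follows the log."""
    cutoff = scan_time - timedelta(days=window_days)
    findings = []
    for line in log_text.splitlines():
        entry = parse_file_line(line)
        if entry is not None:
            if entry["is_dir"]:
                continue
            p = entry["path"].lower()
            if "\\system32\\drivers\\" in p and p.endswith(".sys") and entry["created"] >= cutoff:
                findings.append(Finding("driver", entry["path"], "kernel driver created within window"))
            if TEMP_DIR.search(p) and p.endswith(EXEC_EXT):
                findings.append(Finding("temp-binary", entry["path"], "executable in a Temp folder"))
            continue
        m = SERVICE_LINE.match(line.strip())
        if m and TEMP_DIR.search(m.group(4)):
            findings.append(Finding("temp-service", m.group(2), "service image loads from Temp"))
    return findings


# Constructed sample: mbamswissarmy.sys, the David\temp folder and cpuz130 mirror
# the thread's log; the xyz.tmp.exe line is invented to exercise the Temp rule.
SAMPLE_LOG = r"""
2009-10-25 18:28 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 21:30 . 2009-10-20 21:30 -------- d-----w- c:\documents and settings\David\temp
2009-10-26 09:12 . 2009-10-26 09:12 61440 ----a-w- c:\docume~1\David\locals~1\Temp\xyz.tmp.exe
S3 cpuz130;cpuz130;??\c:\docume~1\David\LOCALS~1\Temp\cpuz130\cpuz_x32.sys
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/20/2009 4:06 PM 114768]
"""


def triage_sample():
    """Run triage over SAMPLE_LOG with the thread's scan time (2009-10-27 17:17)."""
    return triage(SAMPLE_LOG, datetime(2009, 10, 27, 17, 17))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.kind}] {f.item}: {f.reason}")
```

Every hit is a prompt for a human to look closer (the avast and Malwarebytes drivers are new but legitimate), not a verdict.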

OK, that looks good. This was the infected file:

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :stuck_out_tongue:
and it looks as though Avast stopped it from downloading any pals. I would recommend a quick scan with Malwarebytes now to see if there are any orphans left

To remove Combofix

Start > Run > Gotcha / uninstall

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

- Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

LOL @ kitty ate it :stuck_out_tongue:

Anyways, I’m scanning right now and I’ll see how it goes.

Ok, there are no malware found. I’ll try leaving the internet on for a few mins. Hopefully no virus shows up. :slight_smile:

You should be OK now if MBAM showed nothing - CF killed the infector. Don’t forget to uninstall combofix as it will be out of date by tomorrow

Now I get an Unknown error when I try to open up Avast Antivirus. It says “Skin is not complete. Look at the following description: Skin is not loaded properly.”

I click OK then it tells me to choose a skin. I choose 1 and the same message comes up.

Should I reinstall Avast?

Go for a repair initially - do you know how to do that ?

Ok, everything seems to look fine. Now I can use my computer. Thanks for your help Essexboy. :slight_smile:

No probs Enjoy