Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] On going trojan, virus, malware removal

Started by Waterfall , Nov 13 2009 06:03 AM

  • This topic is locked This topic is locked
25 replies to this topic

#1 Waterfall

Waterfall

    Authentic Member

  • Authentic Member
  • PipPip
  • 41 posts

Posted 13 November 2009 - 06:03 AM

Okay, long story short, I downloaded what I thought was a pdf file. It turned out to be the mother of all computer infections. I've been rooting around try to get stuff out for the past week. I almost had everything once then it kicked back up. I am back at the almost point and came across theis wonderful site for help :woot:. I followed the instructions here. Then ended up falling asleep through Kaspersky's scan. I've run the HJT tool and wanted someone to check the log and see if my computer was clean before I finished the thread instructions or tried anything else. I am posting the combo fix log first: (note I disabled AVG previous to the Combo fix scan)

ComboFix 09-11-13.04 - D 11/12/2009 20:35.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1302 [GMT -5:00]
Running from: c:\documents and settings\D\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\gidy.reg
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\xanu.vbs
c:\documents and settings\D\Local Settings\Application Data\{EDD95F70-4863-475A-BD0E-3B63D4FF88A0}
c:\documents and settings\D\Local Settings\Application Data\{EDD95F70-4863-475A-BD0E-3B63D4FF88A0}\chrome.manifest
c:\documents and settings\D\Local Settings\Application Data\{EDD95F70-4863-475A-BD0E-3B63D4FF88A0}\chrome\content\_cfg.js
c:\documents and settings\D\Local Settings\Application Data\{EDD95F70-4863-475A-BD0E-3B63D4FF88A0}\chrome\content\overlay.xul
c:\documents and settings\D\Local Settings\Application Data\{EDD95F70-4863-475A-BD0E-3B63D4FF88A0}\install.rdf
c:\windows\jestertb.dll
c:\windows\kucamy._sy
c:\windows\system32\bazoveza.dll
c:\windows\system32\dasotegi.dll
c:\windows\system32\fejuvizo.dll
c:\windows\system32\feyimupa.dll
c:\windows\system32\fujohufo.dll
c:\windows\system32\gomopiwe.dll
c:\windows\system32\guniyiyu.dll
c:\windows\system32\hofohulu.dll
c:\windows\system32\jatereya.dll
c:\windows\system32\jelukahu.dll
c:\windows\system32\kazepala.dll
c:\windows\system32\komuvuho.dll
c:\windows\system32\kujogeve.dll
c:\windows\system32\laraguji.dll
c:\windows\system32\lipulone.exe
c:\windows\system32\lunegogu.dll
c:\windows\system32\mujuyizi.dll
c:\windows\system32\pahimasa.dll
c:\windows\system32\pidazora.dll
c:\windows\system32\pihuhiru.dll
c:\windows\system32\pilabuma.dll
c:\windows\system32\puneromi.dll
c:\windows\system32\sokodewu.dll
c:\windows\system32\susujewe.dll
c:\windows\system32\suzeyiji.dll
c:\windows\system32\tedovupa.dll
c:\windows\system32\viniyare.dll
c:\windows\system32\vipogije.dll
c:\windows\system32\vorosuka.dll
c:\windows\system32\vufosesa.dll
c:\windows\system32\vumehijo.dll
c:\windows\system32\yofivowi.dll
c:\windows\system32\yubutige.dll
c:\windows\system32\zikiboru.dll
c:\windows\system32\zugezevu.dll
c:\windows\ypiluki.bat
G:\autorun.inf
G:\install.exe

----- BITS: Possible infected sites -----

hxxp://searchimages.org
.
((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.

2009-11-12 19:46 . 2009-11-12 19:46 39424 --sh--w- c:\windows\system32\yivahuhe.dll
2009-11-12 13:44 . 2009-11-10 00:30 4026136 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 13:44 . 2009-11-10 00:30 2016536 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 13:44 . 2009-11-10 00:30 1257240 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 13:44 . 2009-11-10 00:30 3963672 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 13:44 . 2009-11-08 03:06 600344 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 13:44 . 2009-11-08 03:06 496920 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-10 00:30 . 2009-11-08 03:07 360584 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-10 00:29 . 2009-11-08 03:06 610072 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-10 00:29 . 2009-11-08 03:06 1657112 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 23:07 . 2009-11-09 23:07 240664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-09 22:08 . 2009-11-09 22:08 -------- d-----w- c:\documents and settings\D\Application Data\uniblue
2009-11-09 22:08 . 2009-07-06 04:22 2838442 -c----w- c:\documents and settings\All Users\Application Data\~0\speedupmypc2009.exe
2009-11-09 22:08 . 2009-11-09 22:08 -------- d-----w- c:\program files\Uniblue
2009-11-09 22:07 . 2009-11-09 22:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-11-09 21:53 . 2009-11-09 21:53 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-11-09 17:25 . 2009-11-09 17:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-08 03:13 . 2009-10-16 17:12 1119488 -c--a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-08 03:07 . 2009-11-08 23:36 -------- dc----w- C:\$AVG
2009-11-08 03:07 . 2009-11-08 03:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-08 03:07 . 2009-11-10 00:30 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-08 03:07 . 2009-11-08 03:07 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-08 03:07 . 2009-11-08 03:07 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-08 03:07 . 2009-11-12 22:59 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-08 03:06 . 2009-11-08 03:13 -------- dc----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-08 03:06 . 2009-11-08 03:06 -------- dc----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-07 15:26 . 2009-11-07 15:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 16:33 . 2009-11-04 16:33 152576 ----a-w- c:\documents and settings\D\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-20 07:04 . 2009-10-20 07:04 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-10-16 07:02 . 2009-10-16 07:02 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-10-14 02:17 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-10-14 02:17 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 01:46 . 2009-07-31 16:25 -------- d-----w- c:\documents and settings\D\Application Data\Skype
2009-11-13 01:44 . 2007-08-27 05:32 -------- d-----w- c:\documents and settings\D\Application Data\WTablet
2009-11-13 01:44 . 2007-07-18 01:11 2048 --s-a-w- c:\windows\bootstat.dat
2009-11-13 01:10 . 2009-07-31 16:26 -------- d-----w- c:\documents and settings\D\Application Data\skypePM
2009-11-09 22:28 . 2008-04-07 10:36 -------- d-----w- c:\documents and settings\D\Application Data\uTorrent
2009-11-09 21:53 . 2007-09-03 12:08 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-09 21:52 . 2009-08-24 23:53 -------- dc----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-11-08 03:06 . 2008-06-17 03:20 -------- d-----w- c:\program files\AVG
2009-11-07 23:49 . 2007-08-03 05:26 -------- d-----w- c:\program files\Lavasoft
2009-11-07 22:00 . 2009-09-04 16:39 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-07 00:36 . 2009-07-18 00:55 -------- d-----w- c:\program files\Vuze
2009-11-06 19:15 . 2009-09-09 03:15 120 ----a-w- c:\windows\Hvuwurupohofuso.dat
2009-11-04 16:34 . 2008-02-20 04:50 -------- d-----w- c:\program files\Java
2009-10-25 06:40 . 2009-09-19 20:40 25 ----a-w- c:\windows\popcinfot.dat
2009-10-23 05:27 . 2009-07-17 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 23:39 . 2009-09-01 00:36 -------- d-----w- c:\program files\MilkShape 3D 1.8.5
2009-10-16 20:23 . 2007-07-18 01:13 103320 -c--a-w- c:\documents and settings\D\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 09:17 . 2009-08-19 04:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-04 18:59 . 2009-08-27 21:00 -------- d-----w- c:\program files\s3pe
2009-10-02 22:41 . 2009-08-27 21:01 -------- d-----w- c:\program files\s3oc
2009-09-24 16:21 . 2007-11-04 16:42 -------- d-----w- c:\documents and settings\D\Application Data\U3
2009-09-21 16:20 . 2009-09-21 16:20 -------- d-----w- c:\program files\WinSCP
2009-09-21 00:04 . 2009-07-15 17:20 -------- d-----w- c:\program files\NVIDIA Corporation
2009-09-21 00:04 . 2007-07-18 01:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-21 00:03 . 2009-07-15 17:20 151552 ----a-w- c:\windows\system32\nvRegDev.dll
2009-09-19 18:56 . 2009-09-19 18:56 -------- dc----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-09-19 17:45 . 2009-09-19 17:41 -------- d-----w- c:\documents and settings\D\Application Data\Sony
2009-09-19 17:44 . 2009-09-19 17:44 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-09-19 17:44 . 2009-09-19 17:43 -------- d-----w- c:\program files\Sony
2009-09-19 17:44 . 2009-09-19 17:44 10134 ----a-r- c:\documents and settings\D\Application Data\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
2009-09-19 17:43 . 2009-09-19 17:43 -------- dc----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-09-19 17:41 . 2009-09-19 17:41 -------- d-----w- c:\documents and settings\D\Application Data\Sony Setup
2009-09-19 17:40 . 2009-09-19 17:40 -------- d-----w- c:\program files\Sony Setup
2009-09-11 21:41 . 2008-06-07 02:15 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 12:03 . 2009-09-04 12:03 488968 ----a-w- c:\documents and settings\D\Application Data\Real\Update\setup\setup.exe
2009-09-02 05:11 . 2009-09-02 05:11 18941 ----a-w- c:\documents and settings\D\Application Data\kugeguzi.exe
2009-09-02 05:11 . 2009-09-02 05:11 18941 ----a-w- c:\documents and settings\D\Application Data\kugeguzi.exe
2009-09-02 05:11 . 2009-09-02 05:11 17758 ----a-w- c:\windows\system32\kawuva.sys
2009-09-02 05:11 . 2009-09-02 05:11 13975 ----a-w- c:\program files\Common Files\kimuwyhy._dl
2009-09-02 05:11 . 2009-09-02 05:11 13313 ----a-w- c:\documents and settings\D\Application Data\ehiz.dat
2009-09-02 05:11 . 2009-09-02 05:11 12795 ----a-w- c:\program files\Common Files\jaruqeca.dl
2009-09-02 05:11 . 2009-09-02 05:11 12049 ----a-w- c:\windows\system32\pifax.dat
2009-08-29 08:08 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-19 04:38 . 2009-08-19 04:38 152576 ------w- c:\documents and settings\D\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-13 01:08 . 2009-08-13 01:08 39424 --sha-w- c:\windows\system32\fapawozi.dll
2009-08-12 19:46 . 2009-08-12 19:46 45056 --sha-w- c:\windows\system32\gufinuta.dll
2009-08-13 01:08 . 2009-08-13 01:08 45056 --sha-w- c:\windows\system32\zilebobi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25607976]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-12 7626752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-05 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-12 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-07-12 1519616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-08 03:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BackUp Windows 2009"=c:\docume~1\D\LOCALS~1\Temp\nwgjhk.exe
"ljtrxsnt"=c:\documents and settings\D\Local Settings\Application Data\vfqdwd\xwwusysguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"ljtrxsnt"=c:\documents and settings\D\Local Settings\Application Data\vfqdwd\xwwusysguard.exe
"latelaveka"=Rundll32.exe "viniyare.dll",s
"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"pazezaded"=Rundll32.exe "c:\windows\system32\laraguji.dll",a

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Crazybump Beta Test\\CrazyBump.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\Tablet.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/7/2009 10:07 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/7/2009 10:07 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/7/2009 10:06 PM 285392]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
S3 axskbus;axskbus;c:\windows\system32\DRIVERS\axskbus.sys --> c:\windows\system32\DRIVERS\axskbus.sys [?]
S3 QCAbsee;Logitech QuickCam Web (0801);c:\windows\system32\drivers\OVCA.sys [10/3/2007 11:56 PM 25088]
S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys --> c:\windows\system32\XDva011.sys [?]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-11-07 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {50998A40-AA88-4ABF-9E5A-A7A6F6FD3BAE} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\D\Application Data\Mozilla\Firefox\Profiles\fa8cq251.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
.
- - - - ORPHANS REMOVED - - - -

BHO-{02d90cb7-3304-4d53-8c6b-079e27d1004e} - vumehijo.dll
BHO-{0adfa9e0-af24-4ea1-9179-124fcf86a84e} - vumehijo.dll
HKLM-Run-pazezaded - c:\windows\system32\laraguji.dll
HKLM-Run-latelaveka - viniyare.dll
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
SharedTaskScheduler-{470e951f-c627-440e-bf1b-930718407c60} - c:\windows\system32\vakefume.dll
SharedTaskScheduler-{f1c4682b-c65e-4db2-bcc0-fd31792ff764} - c:\windows\system32\falukovo.dll
SharedTaskScheduler-{c80b742f-cb48-495b-99e0-dd914924894c} - c:\windows\system32\sokodewu.dll
SharedTaskScheduler-{8f14ed5e-cf22-49d5-9aff-63d2ab0fa48e} - c:\windows\system32\lehelojo.dll
SharedTaskScheduler-{6b34fb22-5c11-4f90-a337-3d2398af3730} - c:\windows\system32\laraguji.dll
SSODL-sowadijud-{470e951f-c627-440e-bf1b-930718407c60} - c:\windows\system32\vakefume.dll
SSODL-soyiduhek-{f1c4682b-c65e-4db2-bcc0-fd31792ff764} - c:\windows\system32\falukovo.dll
SSODL-kemazizab-{c80b742f-cb48-495b-99e0-dd914924894c} - c:\windows\system32\sokodewu.dll
SSODL-tizafihiy-{8f14ed5e-cf22-49d5-9aff-63d2ab0fa48e} - c:\windows\system32\lehelojo.dll
SSODL-nikigunet-{cf42a7b8-0521-45d5-962a-da070bd46846} - (no file)
SSODL-fumudayuk-{68699b95-afe9-4c25-a1b8-b3438d0def78} - (no file)
SSODL-zevayizep-{6b34fb22-5c11-4f90-a337-3d2398af3730} - c:\windows\system32\laraguji.dll
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-MilkShape 3D 1.8.4 - c:\program files\MilkShape 3D 1.8.4\uninstall.exe
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-Scriptorium_for_TS2_is1 - e:\eagame~1\SIMS2~1\TSData\Res\Catalog\Scripts\Scriptorium_Backup\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 20:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys spmj.sys hal.dll >>UNKNOWN [0x8A863938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xBA609B40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,2e,d3,83,e0,a8,f3,4f,b1,92,7e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,2e,d3,83,e0,a8,f3,4f,b1,92,7e,\

[HKEY_USERS\S-1-5-21-602162358-1177238915-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{83CF03DE-408E-5F6E-94BF-9582B7C2E820}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaanmcphgmojbepbhm"=hex:6a,61,64,6f,70,65,6b,6f,6c,68,6a,6b,65,6c,6d,61,67,67,
70,6a,00,f0
"hagncbooklchmfoh"=hex:6a,61,64,6f,6b,65,6c,70,65,68,6c,69,64,6e,68,63,69,6d,
70,6d,00,e2
"handeiegdejkdelb"=hex:64,63,6a,62,6b,67,67,6d,62,64,65,70,68,6d,69,67,62,62,
6f,63,6d,6e,69,61,6d,6c,62,6a,6a,66,6c,65,6b,64,6b,6d,68,69,61,62,69,68,6f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{83CF03DE-408E-5F6E-94BF-9582B7C2E820}\InProcServer32*]
"jacnhpplokjcbfdgfape"=hex:6a,61,64,6f,70,65,6b,6f,6c,68,6a,6b,65,6c,6d,61,67,
67,70,6a,00,00
"iacnbpfbdhommnmdio"=hex:6a,61,64,6f,6b,65,6c,70,65,68,6c,69,64,6e,68,63,69,6d,
70,6d,00,e2
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2500)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\WTablet\TabUserW.exe
c:\windows\system32\Tablet.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-11-12 20:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-13 01:56

Pre-Run: 45,087,375,360 bytes free
Post-Run: 45,195,243,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 1D144860562482E44EB772D9A2E9BD01



Here is the HJT file after the Kaspersky scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:47 AM, on 11/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebo...oUploader55.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8691 bytes
I would greatly appreciate if someone would let me know if my com is clean. I have already seen a great performance increase in speed while online and opening files. I have also reactivated the resident shield in AVG. Thank you in advance for the help.

    Advertisements

Register to Remove

#2 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 08:30 AM

Hi,

You took a risk running a fix from someone else's log. It is not advisable to do as every computer configuration is different. You were lucky that running ComboFix had no adverse effects.

There is more work to do with it.

if ComboFix asks to update itself ALLOW it to do so.


Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/going_trojan_virus_malware_removal_t108252.html&view=findpost&p=610345#entry610345

Collect::
c:\windows\system32\yivahuhe.dll
c:\windows\Hvuwurupohofuso.dat
c:\documents and settings\D\Application Data\kugeguzi.exe
c:\windows\system32\kawuva.sys
c:\program files\Common Files\kimuwyhy._dl
c:\documents and settings\D\Application Data\ehiz.dat
c:\program files\Common Files\jaruqeca.dl
c:\windows\system32\pifax.dat
c:\windows\system32\fapawozi.dll
c:\windows\system32\gufinuta.dll
c:\windows\system32\zilebobi.dll
c:\documents and settings\D\Local Settings\Application Data\vfqdwd\xwwusysguard.exe
c:\windows\system32\viniyare.dll
c:\windows\system32\laraguji.dll

DirLook::
c:\documents and settings\All Users\Application Data\~0

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ljtrxsnt"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ljtrxsnt"=-
"latelaveka"=-
"pazezaded"=-

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#3 Waterfall

Waterfall

    Authentic Member

  • Authentic Member
  • PipPip
  • 41 posts

Posted 13 November 2009 - 06:48 PM

Thank you for your help. I can not express how I appreciate it. Sorry I was unable to reply before now. I had meetings all day and just got home. I forgot to mention that I have spybot as well. Also with this second combo fix scan, "I saw unable to access file being used by another program a few times." And, I did not get a script box to send the file capture. Here are the result of that scan:

ComboFix 09-11-14.01 - D 11/13/2009 19:29.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1272 [GMT -5:00]
Running from: c:\documents and settings\D\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\D\Desktop\ComboFix.exe c:\documents and settings\D\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-13 11:34 . 2009-11-13 11:34 -------- d-----w- c:\program files\Trend Micro
2009-11-13 11:33 . 2009-11-13 04:32 812344 ----a-w- c:\program files\HJTInstall.exe
2009-11-13 08:05 . 2009-11-05 14:36 26768832 ----a-w- c:\windows\system32\MRT.exe
2009-11-13 02:17 . 2009-11-13 02:17 -------- d-----w- c:\documents and settings\D\Application Data\Malwarebytes
2009-11-13 02:17 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 02:17 . 2009-11-13 02:17 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-13 02:17 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 02:16 . 2009-11-13 02:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-12 13:44 . 2009-11-10 00:30 4026136 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 13:44 . 2009-11-10 00:30 2016536 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 13:44 . 2009-11-10 00:30 1257240 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 13:44 . 2009-11-10 00:30 3963672 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 13:44 . 2009-11-08 03:06 600344 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 13:44 . 2009-11-08 03:06 496920 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-10 00:30 . 2009-11-08 03:07 360584 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-10 00:29 . 2009-11-08 03:06 610072 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-10 00:29 . 2009-11-08 03:06 1657112 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 23:07 . 2009-11-09 23:07 240664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-09 22:08 . 2009-11-09 22:08 -------- d-----w- c:\documents and settings\D\Application Data\uniblue
2009-11-09 22:08 . 2009-07-06 04:22 2838442 -c----w- c:\documents and settings\All Users\Application Data\~0\speedupmypc2009.exe
2009-11-09 22:08 . 2009-11-09 22:08 -------- d-----w- c:\program files\Uniblue
2009-11-09 22:07 . 2009-11-09 22:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-11-09 21:53 . 2009-11-09 21:53 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-11-09 17:25 . 2009-11-09 17:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-08 03:13 . 2009-10-16 17:12 1119488 -c--a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-08 03:07 . 2009-11-08 23:36 -------- dc----w- C:\$AVG
2009-11-08 03:07 . 2009-11-08 03:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-08 03:07 . 2009-11-10 00:30 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-08 03:07 . 2009-11-08 03:07 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-08 03:07 . 2009-11-08 03:07 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-08 03:07 . 2009-11-13 14:04 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-08 03:06 . 2009-11-08 03:13 -------- dc----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-08 03:06 . 2009-11-08 03:06 -------- dc----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-07 15:26 . 2009-11-07 15:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 16:33 . 2009-11-04 16:33 152576 ----a-w- c:\documents and settings\D\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-20 07:04 . 2009-10-20 07:04 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-10-16 07:02 . 2009-10-16 07:02 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 00:38 . 2009-07-31 16:25 -------- d-----w- c:\documents and settings\D\Application Data\Skype
2009-11-13 21:00 . 2009-07-31 16:26 -------- d-----w- c:\documents and settings\D\Application Data\skypePM
2009-11-13 08:29 . 2007-08-27 05:32 -------- d-----w- c:\documents and settings\D\Application Data\WTablet
2009-11-13 08:12 . 2009-07-17 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-09 22:28 . 2008-04-07 10:36 -------- d-----w- c:\documents and settings\D\Application Data\uTorrent
2009-11-09 21:53 . 2007-09-03 12:08 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-09 21:52 . 2009-08-24 23:53 -------- dc----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-11-08 03:06 . 2008-06-17 03:20 -------- d-----w- c:\program files\AVG
2009-11-07 23:49 . 2007-08-03 05:26 -------- d-----w- c:\program files\Lavasoft
2009-11-07 22:00 . 2009-09-04 16:39 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-07 00:36 . 2009-07-18 00:55 -------- d-----w- c:\program files\Vuze
2009-11-06 19:15 . 2009-09-09 03:15 120 ----a-w- c:\windows\Hvuwurupohofuso.dat
2009-11-04 16:34 . 2008-02-20 04:50 -------- d-----w- c:\program files\Java
2009-10-25 06:40 . 2009-09-19 20:40 25 ----a-w- c:\windows\popcinfot.dat
2009-10-22 09:19 . 2006-03-23 17:32 5939712 ------w- c:\windows\system32\mshtml.dll
2009-10-21 23:39 . 2009-09-01 00:36 -------- d-----w- c:\program files\MilkShape 3D 1.8.5
2009-10-16 20:23 . 2007-07-18 01:13 103320 -c--a-w- c:\documents and settings\D\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 09:17 . 2009-08-19 04:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-04 18:59 . 2009-08-27 21:00 -------- d-----w- c:\program files\s3pe
2009-10-02 22:41 . 2009-08-27 21:01 -------- d-----w- c:\program files\s3oc
2009-09-24 16:21 . 2007-11-04 16:42 -------- d-----w- c:\documents and settings\D\Application Data\U3
2009-09-21 16:20 . 2009-09-21 16:20 -------- d-----w- c:\program files\WinSCP
2009-09-21 00:04 . 2009-07-15 17:20 -------- d-----w- c:\program files\NVIDIA Corporation
2009-09-21 00:04 . 2007-07-18 01:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-21 00:03 . 2009-07-15 17:20 151552 ----a-w- c:\windows\system32\nvRegDev.dll
2009-09-19 18:56 . 2009-09-19 18:56 -------- dc----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-09-19 17:45 . 2009-09-19 17:41 -------- d-----w- c:\documents and settings\D\Application Data\Sony
2009-09-19 17:44 . 2009-09-19 17:44 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-09-19 17:44 . 2009-09-19 17:43 -------- d-----w- c:\program files\Sony
2009-09-19 17:44 . 2009-09-19 17:44 10134 ----a-r- c:\documents and settings\D\Application Data\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
2009-09-19 17:43 . 2009-09-19 17:43 -------- dc----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-09-19 17:41 . 2009-09-19 17:41 -------- d-----w- c:\documents and settings\D\Application Data\Sony Setup
2009-09-19 17:40 . 2009-09-19 17:40 -------- d-----w- c:\program files\Sony Setup
2009-09-11 21:41 . 2008-06-07 02:15 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 12:03 . 2009-09-04 12:03 488968 ----a-w- c:\documents and settings\D\Application Data\Real\Update\setup\setup.exe
2009-09-02 05:11 . 2009-09-02 05:11 18941 ----a-w- c:\documents and settings\D\Application Data\kugeguzi.exe
2009-09-02 05:11 . 2009-09-02 05:11 18941 ----a-w- c:\documents and settings\D\Application Data\kugeguzi.exe
2009-09-02 05:11 . 2009-09-02 05:11 17758 ----a-w- c:\windows\system32\kawuva.sys
2009-09-02 05:11 . 2009-09-02 05:11 13975 ----a-w- c:\program files\Common Files\kimuwyhy._dl
2009-09-02 05:11 . 2009-09-02 05:11 13313 ----a-w- c:\documents and settings\D\Application Data\ehiz.dat
2009-09-02 05:11 . 2009-09-02 05:11 12795 ----a-w- c:\program files\Common Files\jaruqeca.dl
2009-09-02 05:11 . 2009-09-02 05:11 12049 ----a-w- c:\windows\system32\pifax.dat
2009-08-29 08:08 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-19 04:38 . 2009-08-19 04:38 152576 ------w- c:\documents and settings\D\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
.

((((((((((((((((((((((((((((( SnapShot@2009-11-13_01.45.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-13 08:29 . 2009-11-13 08:29 16384 c:\windows\Temp\Perflib_Perfdata_1a8.dat
+ 2009-09-08 18:05 . 2009-11-13 08:12 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-11-13 08:11 . 2009-11-13 08:11 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2009-10-23 05:28 . 2009-10-23 05:28 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-09-08 18:05 . 2009-10-23 05:27 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2009-09-08 18:05 . 2009-10-23 05:27 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2009-09-08 18:05 . 2009-10-23 05:27 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2004-08-04 10:00 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
- 2007-07-17 19:58 . 2009-10-17 15:20 1689704 c:\windows\system32\FNTCACHE.DAT
+ 2007-07-17 19:58 . 2009-11-13 08:29 1689704 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-15 11:46 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2009-10-16 12:03 . 2009-10-16 12:03 5003776 c:\windows\Installer\1335a4f.msp
+ 2009-08-18 17:58 . 2009-08-18 17:58 8301056 c:\windows\Installer\1335a2f.msp
+ 2009-08-18 17:57 . 2009-08-18 17:57 9122304 c:\windows\Installer\1335a17.msp
- 2009-09-08 18:05 . 2009-10-23 05:27 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-09-08 18:05 . 2009-10-23 05:27 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25607976]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-12 7626752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-05 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-12 86016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"pazezaded"="c:\windows\system32\laraguji.dll" [BU]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-07-12 1519616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-08 03:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BackUp Windows 2009"=c:\docume~1\D\LOCALS~1\Temp\nwgjhk.exe
"ljtrxsnt"=c:\documents and settings\D\Local Settings\Application Data\vfqdwd\xwwusysguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"ljtrxsnt"=c:\documents and settings\D\Local Settings\Application Data\vfqdwd\xwwusysguard.exe
"latelaveka"=Rundll32.exe "viniyare.dll",s
"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"pazezaded"=Rundll32.exe "c:\windows\system32\laraguji.dll",a

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Crazybump Beta Test\\CrazyBump.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\Tablet.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/7/2009 10:07 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/7/2009 10:07 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/7/2009 10:06 PM 285392]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
S3 axskbus;axskbus;c:\windows\system32\DRIVERS\axskbus.sys --> c:\windows\system32\DRIVERS\axskbus.sys [?]
S3 QCAbsee;Logitech QuickCam Web (0801);c:\windows\system32\drivers\OVCA.sys [10/3/2007 11:56 PM 25088]
S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys --> c:\windows\system32\XDva011.sys [?]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-13 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-11-07 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\D\Application Data\Mozilla\Firefox\Profiles\fa8cq251.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
.
- - - - ORPHANS REMOVED - - - -

BHO-{02d90cb7-3304-4d53-8c6b-079e27d1004e} - (no file)
BHO-{0adfa9e0-af24-4ea1-9179-124fcf86a84e} - (no file)
SSODL-fumudayuk-{68699b95-afe9-4c25-a1b8-b3438d0def78} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 19:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys spnh.sys hal.dll >>UNKNOWN [0x8A881938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xBA609B40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,2e,d3,83,e0,a8,f3,4f,b1,92,7e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,2e,d3,83,e0,a8,f3,4f,b1,92,7e,\

[HKEY_USERS\S-1-5-21-602162358-1177238915-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{83CF03DE-408E-5F6E-94BF-9582B7C2E820}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaanmcphgmojbepbhm"=hex:6a,61,64,6f,70,65,6b,6f,6c,68,6a,6b,65,6c,6d,61,67,67,
70,6a,00,f0
"hagncbooklchmfoh"=hex:6a,61,64,6f,6b,65,6c,70,65,68,6c,69,64,6e,68,63,69,6d,
70,6d,00,e2
"handeiegdejkdelb"=hex:64,63,6a,62,6b,67,67,6d,62,64,65,70,68,6d,69,67,62,62,
6f,63,6d,6e,69,61,6d,6c,62,6a,6a,66,6c,65,6b,64,6b,6d,68,69,61,62,69,68,6f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{83CF03DE-408E-5F6E-94BF-9582B7C2E820}\InProcServer32*]
"jacnhpplokjcbfdgfape"=hex:6a,61,64,6f,70,65,6b,6f,6c,68,6a,6b,65,6c,6d,61,67,
67,70,6a,00,00
"iacnbpfbdhommnmdio"=hex:6a,61,64,6f,6b,65,6c,70,65,68,6c,69,64,6e,68,63,69,6d,
70,6d,00,e2
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3000)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-13 19:41
ComboFix-quarantined-files.txt 2009-11-14 00:40
ComboFix2.txt 2009-11-13 01:56

Pre-Run: 45,191,790,592 bytes free
Post-Run: 45,268,828,160 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - BE2D2D1A5F879F8901B641CE4793C69C

Edited by Waterfall, 13 November 2009 - 06:50 PM.

#4 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 07:13 PM

Hi,

That script didn't work, probably because of the error messages.

please delete the copy of Combofix from your desktop and download a fresh copy from one of the following links:

Link 1
Link 2

Now do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/going_trojan_virus_malware_removal_t108252.html

Collect::
c:\windows\Hvuwurupohofuso.dat
c:\documents and settings\D\Application Data\kugeguzi.exe
c:\documents and settings\D\Application Data\kugeguzi.exe
c:\windows\system32\kawuva.sys
c:\program files\Common Files\kimuwyhy._dl
c:\documents and settings\D\Application Data\ehiz.dat
c:\program files\Common Files\jaruqeca.dl
c:\windows\system32\pifax.dat
c:\windows\system32\laraguji.dll
c:\docume~1\D\LOCALS~1\Temp\nwgjhk.exe
c:\documents and settings\D\Local Settings\Application Data\vfqdwd\xwwusysguard.exe
c:\windows\system32\viniyare.dll
c:\windows\system32\laraguji.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pazezaded"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BackUp Windows 2009"=-
"ljtrxsnt"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ljtrxsnt"=-
"latelaveka"=-
"pazezaded"=-

DirLook::
c:\documents and settings\All Users\Application Data\~0

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#5 Waterfall

Waterfall

    Authentic Member

  • Authentic Member
  • PipPip
  • 41 posts

Posted 13 November 2009 - 07:57 PM

The script window came up this time.
Here are the results:

ComboFix 09-11-14.01 - D 11/13/2009 20:44.4.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1340 [GMT -5:00]
Running from: c:\documents and settings\D\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\D\Desktop\ComboFix.exe c:\documents and settings\D\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\documents and settings\D\Application Data\ehiz.dat
file zipped: c:\documents and settings\D\Application Data\kugeguzi.exe
file zipped: c:\program files\Common Files\jaruqeca.dl
file zipped: c:\program files\Common Files\kimuwyhy._dl
file zipped: c:\windows\Hvuwurupohofuso.dat
file zipped: c:\windows\system32\kawuva.sys
file zipped: c:\windows\system32\pifax.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\D\Application Data\ehiz.dat
c:\documents and settings\D\Application Data\kugeguzi.exe
c:\program files\Common Files\jaruqeca.dl
c:\program files\Common Files\kimuwyhy._dl
c:\windows\Hvuwurupohofuso.dat
c:\windows\system32\kawuva.sys
c:\windows\system32\pifax.dat

.
((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-13 11:34 . 2009-11-13 11:34 -------- d-----w- c:\program files\Trend Micro
2009-11-13 11:33 . 2009-11-13 04:32 812344 ----a-w- c:\program files\HJTInstall.exe
2009-11-13 02:17 . 2009-11-13 02:17 -------- d-----w- c:\documents and settings\D\Application Data\Malwarebytes
2009-11-13 02:17 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 02:17 . 2009-11-13 02:17 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-13 02:17 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 02:16 . 2009-11-13 02:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-12 13:44 . 2009-11-10 00:30 4026136 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 13:44 . 2009-11-10 00:30 2016536 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 13:44 . 2009-11-10 00:30 1257240 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 13:44 . 2009-11-10 00:30 3963672 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 13:44 . 2009-11-08 03:06 600344 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 13:44 . 2009-11-08 03:06 496920 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-10 00:30 . 2009-11-08 03:07 360584 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-10 00:29 . 2009-11-08 03:06 610072 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-10 00:29 . 2009-11-08 03:06 1657112 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 23:07 . 2009-11-09 23:07 240664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-09 22:08 . 2009-11-09 22:08 -------- d-----w- c:\documents and settings\D\Application Data\uniblue
2009-11-09 22:08 . 2009-07-06 04:22 2838442 -c----w- c:\documents and settings\All Users\Application Data\~0\speedupmypc2009.exe
2009-11-09 22:08 . 2009-11-09 22:08 -------- d-----w- c:\program files\Uniblue
2009-11-09 22:07 . 2009-11-09 22:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-11-09 21:53 . 2009-11-09 21:53 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-11-09 17:25 . 2009-11-09 17:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-08 03:13 . 2009-10-16 17:12 1119488 -c--a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-08 03:07 . 2009-11-08 23:36 -------- dc----w- C:\$AVG
2009-11-08 03:07 . 2009-11-08 03:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-08 03:07 . 2009-11-10 00:30 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-08 03:07 . 2009-11-08 03:07 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-08 03:07 . 2009-11-08 03:07 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-08 03:07 . 2009-11-13 14:04 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-08 03:06 . 2009-11-08 03:13 -------- dc----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-08 03:06 . 2009-11-08 03:06 -------- dc----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-07 15:26 . 2009-11-07 15:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 16:33 . 2009-11-04 16:33 152576 ----a-w- c:\documents and settings\D\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-20 07:04 . 2009-10-20 07:04 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-10-16 07:02 . 2009-10-16 07:02 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 01:29 . 2009-07-31 16:25 -------- d-----w- c:\documents and settings\D\Application Data\Skype
2009-11-13 21:00 . 2009-07-31 16:26 -------- d-----w- c:\documents and settings\D\Application Data\skypePM
2009-11-13 08:29 . 2007-08-27 05:32 -------- d-----w- c:\documents and settings\D\Application Data\WTablet
2009-11-13 08:12 . 2009-07-17 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-09 22:28 . 2008-04-07 10:36 -------- d-----w- c:\documents and settings\D\Application Data\uTorrent
2009-11-09 21:53 . 2007-09-03 12:08 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-09 21:52 . 2009-08-24 23:53 -------- dc----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-11-08 03:06 . 2008-06-17 03:20 -------- d-----w- c:\program files\AVG
2009-11-07 23:49 . 2007-08-03 05:26 -------- d-----w- c:\program files\Lavasoft
2009-11-07 22:00 . 2009-09-04 16:39 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-07 00:36 . 2009-07-18 00:55 -------- d-----w- c:\program files\Vuze
2009-11-04 16:34 . 2008-02-20 04:50 -------- d-----w- c:\program files\Java
2009-10-25 06:40 . 2009-09-19 20:40 25 ----a-w- c:\windows\popcinfot.dat
2009-10-21 23:39 . 2009-09-01 00:36 -------- d-----w- c:\program files\MilkShape 3D 1.8.5
2009-10-16 20:23 . 2007-07-18 01:13 103320 -c--a-w- c:\documents and settings\D\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 09:17 . 2009-08-19 04:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-04 18:59 . 2009-08-27 21:00 -------- d-----w- c:\program files\s3pe
2009-10-02 22:41 . 2009-08-27 21:01 -------- d-----w- c:\program files\s3oc
2009-09-24 16:21 . 2007-11-04 16:42 -------- d-----w- c:\documents and settings\D\Application Data\U3
2009-09-21 16:20 . 2009-09-21 16:20 -------- d-----w- c:\program files\WinSCP
2009-09-21 00:04 . 2009-07-15 17:20 -------- d-----w- c:\program files\NVIDIA Corporation
2009-09-21 00:04 . 2007-07-18 01:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-21 00:03 . 2009-07-15 17:20 151552 ----a-w- c:\windows\system32\nvRegDev.dll
2009-09-19 18:56 . 2009-09-19 18:56 -------- dc----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-09-19 17:45 . 2009-09-19 17:41 -------- d-----w- c:\documents and settings\D\Application Data\Sony
2009-09-19 17:44 . 2009-09-19 17:44 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-09-19 17:44 . 2009-09-19 17:43 -------- d-----w- c:\program files\Sony
2009-09-19 17:44 . 2009-09-19 17:44 10134 ----a-r- c:\documents and settings\D\Application Data\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
2009-09-19 17:43 . 2009-09-19 17:43 -------- dc----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-09-19 17:41 . 2009-09-19 17:41 -------- d-----w- c:\documents and settings\D\Application Data\Sony Setup
2009-09-19 17:40 . 2009-09-19 17:40 -------- d-----w- c:\program files\Sony Setup
2009-09-11 21:41 . 2008-06-07 02:15 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 12:03 . 2009-09-04 12:03 488968 ----a-w- c:\documents and settings\D\Application Data\Real\Update\setup\setup.exe
2009-08-29 08:08 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-19 04:38 . 2009-08-19 04:38 152576 ------w- c:\documents and settings\D\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\~0 ----

2009-11-09 22:08 . 2009-07-06 04:22 579156 -c----w- c:\documents and settings\All Users\Application Data\~0\mia.lib
2009-11-09 22:08 . 2009-07-06 04:22 2838442 -c----w- c:\documents and settings\All Users\Application Data\~0\speedupmypc2009.exe


((((((((((((((((((((((((((((( SnapShot@2009-11-13_01.45.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-13 08:29 . 2009-11-13 08:29 16384 c:\windows\Temp\Perflib_Perfdata_1a8.dat
+ 2009-09-08 18:05 . 2009-11-13 08:12 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-11-13 08:11 . 2009-11-13 08:11 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2009-10-23 05:28 . 2009-10-23 05:28 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-09-08 18:05 . 2009-10-23 05:27 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2009-09-08 18:05 . 2009-10-23 05:28 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2009-09-08 18:05 . 2009-10-23 05:27 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2009-09-08 18:05 . 2009-10-23 05:27 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2004-08-04 10:00 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
- 2007-07-17 19:58 . 2009-10-17 15:20 1689704 c:\windows\system32\FNTCACHE.DAT
+ 2007-07-17 19:58 . 2009-11-13 08:29 1689704 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-15 11:46 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2009-10-16 12:03 . 2009-10-16 12:03 5003776 c:\windows\Installer\1335a4f.msp
+ 2009-08-18 17:58 . 2009-08-18 17:58 8301056 c:\windows\Installer\1335a2f.msp
+ 2009-08-18 17:57 . 2009-08-18 17:57 9122304 c:\windows\Installer\1335a17.msp
- 2009-09-08 18:05 . 2009-10-23 05:27 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-09-08 18:05 . 2009-10-23 05:27 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-09-08 18:05 . 2009-11-13 08:12 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-11-13 08:05 . 2009-11-05 14:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25607976]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-12 7626752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-05 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-12 86016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-07-12 1519616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-08 03:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Crazybump Beta Test\\CrazyBump.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\Tablet.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/7/2009 10:07 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/7/2009 10:07 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/7/2009 10:06 PM 285392]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
S3 axskbus;axskbus;c:\windows\system32\DRIVERS\axskbus.sys --> c:\windows\system32\DRIVERS\axskbus.sys [?]
S3 QCAbsee;Logitech QuickCam Web (0801);c:\windows\system32\drivers\OVCA.sys [10/3/2007 11:56 PM 25088]
S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys --> c:\windows\system32\XDva011.sys [?]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-13 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-11-07 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\D\Application Data\Mozilla\Firefox\Profiles\fa8cq251.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 20:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys spnh.sys hal.dll >>UNKNOWN [0x8A881938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xBA609B40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,2e,d3,83,e0,a8,f3,4f,b1,92,7e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,2e,d3,83,e0,a8,f3,4f,b1,92,7e,\

[HKEY_USERS\S-1-5-21-602162358-1177238915-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{83CF03DE-408E-5F6E-94BF-9582B7C2E820}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaanmcphgmojbepbhm"=hex:6a,61,64,6f,70,65,6b,6f,6c,68,6a,6b,65,6c,6d,61,67,67,
70,6a,00,f0
"hagncbooklchmfoh"=hex:6a,61,64,6f,6b,65,6c,70,65,68,6c,69,64,6e,68,63,69,6d,
70,6d,00,e2
"handeiegdejkdelb"=hex:64,63,6a,62,6b,67,67,6d,62,64,65,70,68,6d,69,67,62,62,
6f,63,6d,6e,69,61,6d,6c,62,6a,6a,66,6c,65,6b,64,6b,6d,68,69,61,62,69,68,6f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{83CF03DE-408E-5F6E-94BF-9582B7C2E820}\InProcServer32*]
"jacnhpplokjcbfdgfape"=hex:6a,61,64,6f,70,65,6b,6f,6c,68,6a,6b,65,6c,6d,61,67,
67,70,6a,00,00
"iacnbpfbdhommnmdio"=hex:6a,61,64,6f,6b,65,6c,70,65,68,6c,69,64,6e,68,63,69,6d,
70,6d,00,e2
.
Completion time: 2009-11-13 20:52
ComboFix-quarantined-files.txt 2009-11-14 01:52
ComboFix2.txt 2009-11-14 01:39
ComboFix3.txt 2009-11-14 00:41
ComboFix4.txt 2009-11-13 01:56

Pre-Run: 45,267,267,584 bytes free
Post-Run: 45,261,692,928 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - B794C9D952AFD626CAA87DA25AA0ABFA
Upload was successful

#6 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 08:19 PM

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

    Posted Image
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#7 Waterfall

Waterfall

    Authentic Member

  • Authentic Member
  • PipPip
  • 41 posts

Posted 13 November 2009 - 09:56 PM

Kaspersky's scan is still going, but here is the malware scan results. MBAM LOG Database version: 3167 Windows 5.1.2600 Service Pack 3 11/13/2009 9:50:39 PM mbam-log-2009-11-13 (21-50-39).txt Scan type: Quick Scan Objects scanned: 104320 Time elapsed: 4 minute(s), 7 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Here is the Kaspersky Scan: -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Saturday, November 14, 2009 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Saturday, November 14, 2009 00:53:06 Records in database: 3206671 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ Scan statistics: Objects scanned: 658247 Threats found: 3 Infected objects found: 40 Suspicious objects found: 0 Scan duration: 10:05:30 File name / Threat / Threats count C:\Qoobox\Quarantine\C\WINDOWS\system32\bazoveza.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\dasotegi.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\fejuvizo.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\feyimupa.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\gomopiwe.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\guniyiyu.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\hofohulu.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\jatereya.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\jelukahu.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\kazepala.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\komuvuho.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\kujogeve.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\laraguji.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\lunegogu.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\mujuyizi.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\pihuhiru.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\pilabuma.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\puneromi.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\sokodewu.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\susujewe.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\tedovupa.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\viniyare.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\vipogije.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\vorosuka.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\vufosesa.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\vumehijo.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\yofivowi.dll.vir Infected: not-a-virus:FraudTool.Win32.Agent.aju 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\zikiboru.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\zugezevu.dll.vir Infected: Packed.Win32.TDSS.aa 1 C:\System Volume Information\_restore{5026D834-C5AA-4D7A-A426-0B6DD8703106}\RP10\A0002876.dll Infected: Packed.Win32.TDSS.aa 1 C:\System Volume Information\_restore{5026D834-C5AA-4D7A-A426-0B6DD8703106}\RP2\A0000163.dll Infected: Packed.Win32.TDSS.aa 1 C:\System Volume Information\_restore{5026D834-C5AA-4D7A-A426-0B6DD8703106}\RP4\A0000256.dll Infected: Packed.Win32.TDSS.aa 1 C:\System Volume Information\_restore{5026D834-C5AA-4D7A-A426-0B6DD8703106}\RP6\A0000495.exe Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.ayy 1 C:\System Volume Information\_restore{5026D834-C5AA-4D7A-A426-0B6DD8703106}\RP6\A0000733.dll Infected: Packed.Win32.TDSS.aa 1 C:\System Volume Information\_restore{5026D834-C5AA-4D7A-A426-0B6DD8703106}\RP8\A0001801.dll Infected: Packed.Win32.TDSS.aa 1 C:\System Volume Information\_restore{5026D834-C5AA-4D7A-A426-0B6DD8703106}\RP9\A0002820.dll Infected: Packed.Win32.TDSS.aa 1 C:\System Volume Information\_restore{5026D834-C5AA-4D7A-A426-0B6DD8703106}\RP9\A0002853.dll Infected: Packed.Win32.TDSS.aa 1 C:\System Volume Information\_restore{5026D834-C5AA-4D7A-A426-0B6DD8703106}\RP9\A0002854.dll Infected: Packed.Win32.TDSS.aa 1 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0DE4FBRO\logo[1].htm Infected: Packed.Win32.TDSS.aa 1 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QK206V4Q\logo[1].htm Infected: Packed.Win32.TDSS.aa 1

Edited by Waterfall, 14 November 2009 - 07:25 AM.

#8 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 14 November 2009 - 07:29 AM

Hi,

Most of what was found is in quarantine, or old restore points, which we will be cleaning up shortly,

Please run this tool to get rid of all your temporary files:

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
It's normal after running TFC cleaner that the PC will be slower to boot the first time.


NEXT:

Please run a fresh DDS and Attach.txt and advise how your computer is running now and if there are any outstanding issues.

Please download DDS from LINK 1 or LINK 2
and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#9 Waterfall

Waterfall

    Authentic Member

  • Authentic Member
  • PipPip
  • 41 posts

Posted 14 November 2009 - 09:53 AM

I don't seem top be having any issues. I don't hear the extreme slow down that I did before when my computer booted up. There are no pop up talking about your computer is infected would you like to buy our soft ware. I am not redirected to any search pages when I click a link after my search results come up. I no longer get "this file is infected" when I click on anything on my desk top or any file in my system, or when I try to use soft ware. And my internet has not turned itself on and gone to porn and viagra ads. I am wondering though what is the sotoyomu file and that pazezaded thing exactly? May I turn my antivirus back on (avg and Teatimer through spybot)? The requested reports: DDS (Ver_09-10-26.01) - NTFSx86 Run by D at 10:51:23.56 on Sat 11/14/2009 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1410 [GMT -5:00] AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\Program Files\AVG\AVG9\avgchsvx.exe C:\Program Files\AVG\AVG9\avgrsx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe C:\Program Files\AVG\AVG9\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\AVG\AVG9\avgnsx.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\Tablet.exe C:\WINDOWS\system32\WTablet\TabUserW.exe C:\WINDOWS\system32\Tablet.exe C:\PROGRA~1\AVG\AVG9\avgtray.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\DAEMON Tools Lite\DTLite.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\D\Desktop\dds.pif ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ mStart Page = hxxp://www.google.com mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll uURLSearchHooks: H - No File mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [nwiz] nwiz.exe /install mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: avgrsstarter - avgrsstx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\d\applic~1\mozilla\firefox\profiles\fa8cq251.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p= FF - prefs.js: browser.search.selectedEngine - Yahoo FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p= FF - plugin: c:\program files\google\picasa3\npPicasa3.dll FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- ============= SERVICES / DRIVERS =============== R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-7 333192] R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-7 360584] R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-7 285392] S2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\askupgrade.exe --> c:\program files\askbardis\bar\bin\ASKUpgrade.exe [?] S3 axskbus;axskbus;c:\windows\system32\drivers\axskbus.sys --> c:\windows\system32\drivers\axskbus.sys [?] S3 QCAbsee;Logitech QuickCam Web (0801);c:\windows\system32\drivers\OVCA.sys [2007-10-3 25088] S3 XDva011;XDva011;\??\c:\windows\system32\xdva011.sys --> c:\windows\system32\XDva011.sys [?] S3 XDva020;XDva020;\??\c:\windows\system32\xdva020.sys --> c:\windows\system32\XDva020.sys [?] S3 XDva090;XDva090;\??\c:\windows\system32\xdva090.sys --> c:\windows\system32\XDva090.sys [?] S3 XDva190;XDva190;\??\c:\windows\system32\xdva190.sys --> c:\windows\system32\XDva190.sys [?] =============== Created Last 30 ================ 2009-11-13 11:34:02 0 d-----w- c:\program files\Trend Micro 2009-11-13 11:33:49 812344 ----a-w- c:\program files\HJTInstall.exe 2009-11-13 02:17:05 0 d-----w- c:\docume~1\d\applic~1\Malwarebytes 2009-11-13 02:17:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-13 02:17:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-13 02:17:00 0 dc----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-11-13 02:16:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-13 01:26:34 0 dcsha-r- C:\cmdcons 2009-11-13 01:25:05 98816 ----a-w- c:\windows\sed.exe 2009-11-13 01:25:05 77312 ----a-w- c:\windows\MBR.exe 2009-11-13 01:25:05 260608 ----a-w- c:\windows\PEV.exe 2009-11-13 01:25:05 161792 ----a-w- c:\windows\SWREG.exe 2009-11-12 09:27:00 6456 ---ha-w- c:\windows\system32\sotoyomu 2009-11-09 22:08:36 0 d-----w- c:\docume~1\d\applic~1\uniblue 2009-11-09 22:08:04 0 d-----w- c:\program files\Uniblue 2009-11-09 22:07:49 0 dc-h--w- c:\docume~1\alluse~1\applic~1\~0 2009-11-09 21:53:04 0 d-----w- c:\program files\DAEMON Tools Lite 2009-11-08 03:07:26 0 dc----w- C:\$AVG 2009-11-08 03:07:15 12464 ----a-w- c:\windows\system32\avgrsstx.dll 2009-11-08 03:07:14 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-11-08 03:07:08 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-11-08 03:07:00 0 d-----w- c:\windows\system32\drivers\Avg 2009-11-08 03:06:58 0 dc----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar 2009-11-08 03:06:37 0 dc----w- c:\docume~1\alluse~1\applic~1\avg9 2009-11-07 15:26:02 0 d-----w- c:\program files\Spybot - Search & Destroy 2009-11-06 22:44:22 1055 ----a-w- c:\windows\wininit.ini 2009-11-06 20:53:53 0 -csha-w- C:\2080789901 ==================== Find3M ==================== 2009-11-09 21:53:17 691696 ----a-w- c:\windows\system32\drivers\sptd.sys 2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-09-21 00:03:22 151552 ----a-w- c:\windows\system32\nvRegDev.dll 2009-09-11 21:41:21 107888 ----a-w- c:\windows\system32\CmdLineExt.dll 2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll 2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-18 03:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL ============= FINISH: 10:52:09.40 =============== UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_09-10-26.01) Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume1 Install Date: 7/17/2007 9:11:09 PM System Uptime: 11/14/2009 10:43:58 AM (0 hours ago) Motherboard: Dell Inc. | | 0U7565 Processor: Intel® Xeon™ CPU 3.00GHz | Microprocessor | 2992/800mhz Processor: Intel® Xeon™ CPU 3.00GHz | Microprocessor | 2992/800mhz ==== Disk Partitions ========================= A: is Removable C: is FIXED (NTFS) - 149 GiB total, 42.289 GiB free. D: is CDROM () E: is CDROM () F: is FIXED (NTFS) - 466 GiB total, 205.113 GiB free. G: is FIXED (FAT32) - 233 GiB total, 127.605 GiB free. ==== Disabled Device Manager Items ============= Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A} Description: MTP Device Device ID: ROOT\WPD\0000 Manufacturer: (Standard MTP-compliant devices) Name: MTP Device PNP Device ID: ROOT\WPD\0000 Service: WUDFRd ==== System Restore Points =================== RP1: 11/6/2009 9:58:39 PM - System Checkpoint RP2: 11/7/2009 7:48:57 PM - Removed Ad-Aware RP3: 11/7/2009 10:06:37 PM - Installed AVG Free 9.0 RP4: 11/8/2009 4:56:12 AM - AVG9update-clearoftrojans11082009 RP5: 11/9/2009 9:18:03 AM - System Checkpoint RP6: 11/9/2009 4:53:17 PM - SPTD setup V1.62 RP7: 11/9/2009 7:29:56 PM - Avg8 Update RP8: 11/9/2009 7:30:51 PM - Avg8 Update RP9: 11/11/2009 3:05:08 AM - System Checkpoint RP10: 11/12/2009 4:00:39 AM - System Checkpoint RP11: 11/12/2009 8:44:54 AM - Avg8 Update RP12: 11/13/2009 3:02:13 AM - Software Distribution Service 3.0 ==== Installed Programs ====================== ľTorrent 2007 Microsoft Office Suite Service Pack 1 (SP1) 3dsmax ancillary install Abacast Client Add or Remove Adobe Creative Suite 3 Design Premium Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) Adobe Anchor Service CS3 Adobe Asset Services CS3 Adobe Bridge CS3 Adobe Bridge Start Meeting Adobe BridgeTalk Plugin CS3 Adobe Camera Raw 4.0 Adobe CMaps Adobe Color - Photoshop Specific Adobe Color Common Settings Adobe Color EU Extra Settings Adobe Color JA Extra Settings Adobe Color NA Recommended Settings Adobe Creative Suite 3 Design Premium Adobe Default Language CS3 Adobe Device Central CS3 Adobe Dreamweaver CS3 Adobe ExtendScript Toolkit 2 Adobe Extension Manager CS3 Adobe Flash CS3 Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Flash Video Encoder Adobe Fonts All Adobe Help Viewer CS3 Adobe Illustrator CS3 Adobe InDesign CS3 Adobe InDesign CS3 Icon Handler Adobe Linguistics CS3 Adobe MotionPicture Color Files Adobe PDF Library Files Adobe Photoshop CS3 Adobe Reader 8.1.2 Adobe Reader 8.1.2 Security Update 1 (KB403742) Adobe Setup Adobe SING CS3 Adobe Stock Photos CS3 Adobe Type Support Adobe Update Manager CS3 Adobe Version Cue CS3 Client Adobe WAS CS3 Adobe WinSoft Linguistics Plugin Adobe XMP Panels CS3 AHV content for Acrobat and Flash Alias MotionBuilder | Beginner's Guide Alias SketchBook Pro 2.0 AMP Font Viewer Apple Mobile Device Support Apple Software Update Autodesk 3ds Max 9 32-bit Autodesk AliasStudio 2008 Autodesk DirectConnect 2.0 Autodesk DWF Viewer 7 Autodesk MotionBuilder 7.5 AutoUpdate AVG Free 9.0 Backburner Bonjour Canon MP480 series MP Drivers CDisplay 1.8 Celestia 1.5.1 CEP (Color Enable Package) v.9.2 (beta) Collab Compatibility Pack for the 2007 Office system Crazybump Beta Test (remove only) Critical Update for Windows Media Player 11 (KB959772) DivX Codec DivX Converter DivX Web Player EasyCleaner FBX Plugin 2006.08 for Max 9.0 Feeling Software ColladaMaya Filter Forge Freepack 1 - Metals 1.012 FL Studio 8 FreeMind getPlus®_ocx Google SketchUp 6 Google Toolbar for Internet Explorer HijackThis 2.0.2 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB942288-v3) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) IL Download Manager Intel® PRO Network Adapters and Drivers iTunes Java™ 6 Update 17 Java™ 6 Update 3 Java™ 6 Update 5 Java™ 6 Update 7 Macromedia Shockwave Player Malwarebytes' Anti-Malware Maya 2008 Maya 2008 Documentation (en_US) Maya 8.0 Documentation (en_US) Media Go Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 Microsoft Office Access MUI (English) 2007 Microsoft Office Access Setup Metadata MUI (English) 2007 Microsoft Office Enterprise 2007 Microsoft Office Excel MUI (English) 2007 Microsoft Office Groove MUI (English) 2007 Microsoft Office Groove Setup Metadata MUI (English) 2007 Microsoft Office InfoPath MUI (English) 2007 Microsoft Office OneNote MUI (English) 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Publisher MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Word MUI (English) 2007 Microsoft Software Update for Web Folders (English) 12 Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Visual C++ 8.0 Support DLLs Microsoft WSE 3.0 Runtime MilkShape 3D 1.8.5 Mozilla Firefox (3.5.3) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 6.0 Parser (KB933579) MysticThumbs NVIDIA DDS Utilities NVIDIA Drivers NVIDIA Photoshop Plug-ins PDF Settings Picasa 3 PlayStation®Network Downloader PlayStation®Store PolarClock3 Screen Saver Poser 7 QuickTime Roleplaying City Map Generator 5.31 Rosetta Stone Version 3 Scientific-Atlanta WebSTAR 2000 series Cable Modem Security Update for 2007 Microsoft Office System (KB951550) Security Update for 2007 Microsoft Office System (KB951944) Security Update for 2007 Microsoft Office System (KB969559) Security Update for 2007 Microsoft Office System (KB973704) Security Update for Microsoft Office Excel 2007 (KB973593) Security Update for Microsoft Office OneNote 2007 (KB950130) Security Update for Microsoft Office Outlook 2007 (KB972363) Security Update for Microsoft Office PowerPoint 2007 (KB957789) Security Update for Microsoft Office Publisher 2007 (KB969693) Security Update for Microsoft Office system 2007 (972581) Security Update for Microsoft Office system 2007 (KB969613) Security Update for Microsoft Office system 2007 (KB974234) Security Update for Microsoft Office Visio Viewer 2007 (KB973709) Security Update for Microsoft Office Word 2007 (KB969604) Security Update for Windows Internet Explorer 8 (KB971961) Security Update for Windows Internet Explorer 8 (KB972260) Security Update for Windows Internet Explorer 8 (KB974455) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows Media Player 9 (KB917734) Security Update for Windows Media Player 9 (KB936782) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464-v2) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950759) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953838) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956390) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958215) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960714) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969897) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB972260) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Sentinel System Driver SimPE 0.72 (alpha) Sims2Pack Clean Installer Sims3 Object Cloner Sims3 Package Editor Skype web features Skype™ 4.1 SoundMAX Spybot - Search & Destroy Tablet The Sims 2 The Sims 2 Family Fun Stuff The Sims 2 Glamour Life Stuff The Sims 2 Nightlife The Sims 2 Open For Business The Sims 2 Pets The Sims 2 University The Sims 3 Music Manager 1.3 The Sims™ 2 Apartment Life The Sims™ 2 Bon Voyage The Sims™ 2 Celebration! Stuff The Sims™ 2 FreeTime The Sims™ 2 H&MŽ Fashion Stuff The Sims™ 2 IKEAŽ Home Stuff The Sims™ 2 Kitchen & Bath Interior Design Stuff The Sims™ 2 Mansion and Garden Stuff The Sims™ 2 Seasons The Sims™ 2 Teen Style Stuff The Sims™ 3 Toxic Biohazard TS3 Install Helper Monkey Update for 2007 Microsoft Office System (KB967642) Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Outlook 2007 Junk Email Filter (kb975960) Update for Windows Internet Explorer 8 (KB973874) Update for Windows Internet Explorer 8 (KB976749) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB973815) Viewpoint Media Player WebFldrs XP Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage Validation Tool (KB892130) Windows Imaging Component Windows Internet Explorer 8 Windows Media Format 11 runtime Windows Media Player 11 Windows XP Service Pack 3 WinRAR archiver WinSCP 4.2.3 beta WinZip 11.1 Wood Workshop XML Paper Specification Shared Components Pack 1.0 YAFSScreen Yahoo! Messenger ==== Event Viewer Messages From Past Week ======== 11/9/2009 9:46:37 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume. 11/9/2009 10:53:09 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep 11/9/2009 10:53:09 AM, error: Service Control Manager [7000] - The DS1410D service failed to start due to the following error: The system cannot find the file specified. 11/9/2009 10:53:09 AM, error: Service Control Manager [7000] - The ASKUpgrade service failed to start due to the following error: The system cannot find the file specified. 11/9/2009 10:10:09 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\regsvr32.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512. 11/7/2009 7:47:49 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} 11/14/2009 10:42:37 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s). 11/14/2009 10:42:36 AM, error: Service Control Manager [7034] - The TabletService service terminated unexpectedly. It has done this 1 time(s). 11/14/2009 10:42:36 AM, error: Service Control Manager [7034] - The spkrmon service terminated unexpectedly. It has done this 1 time(s). 11/14/2009 10:42:35 AM, error: Service Control Manager [7034] - The PnkBstrB service terminated unexpectedly. It has done this 1 time(s). 11/14/2009 10:42:35 AM, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s). 11/14/2009 10:42:35 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s). 11/14/2009 10:42:34 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s). 11/14/2009 10:42:34 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s). 11/14/2009 10:42:34 AM, error: Service Control Manager [7034] - The Autodesk Licensing Service service terminated unexpectedly. It has done this 1 time(s). 11/14/2009 10:42:34 AM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. 11/14/2009 10:42:34 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. 11/12/2009 8:35:13 PM, error: Service Control Manager [7034] - The mental ray 3.5 Satellite (32-bit) service terminated unexpectedly. It has done this 1 time(s). 11/12/2009 8:08:01 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'avgcorex.dll.old' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume. ==== End Of File ===========================

Edited by Waterfall, 14 November 2009 - 10:23 AM.

#10 Waterfall

Waterfall

    Authentic Member

  • Authentic Member
  • PipPip
  • 41 posts

Posted 14 November 2009 - 10:55 AM

I have to go out for a meeting. I get back here as soon as I can. Thank you for all your help so far.

    Advertisements

Register to Remove

#11 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 14 November 2009 - 10:59 AM

Hi,

Your logs are clean.

Just some housekeeping to do now.

Go ahead and activate your security programs.

Please do the following:

Visit ADOBEand download the latest version of Acrobat Reader (version 9.2)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT

Go to Start > Control Panel > Add/Remove programs

a list of installed programs will populate
Loacate all the old Java entries and select REMOVE

leave the Java version 6 update 17 as that is the most recent version.


NEXT


Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image




NEXT

Now to remove the rest of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Note: If there are any more logs/tools remaining that I had you download > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

    WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox, IE and chrome.

  • For Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#12 Waterfall

Waterfall

    Authentic Member

  • Authentic Member
  • PipPip
  • 41 posts

Posted 14 November 2009 - 02:34 PM

Computer cannot locate combo fix. I didn't remove it so, I don't know what happened to it.

#13 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 14 November 2009 - 02:40 PM

Just right click and delete it if the icon is still on your desktop

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#14 Waterfall

Waterfall

    Authentic Member

  • Authentic Member
  • PipPip
  • 41 posts

Posted 14 November 2009 - 02:50 PM

It's not and I got a rundll error "error c:\windows\system32\laraguji.dll The specified module could not be found" I want to thank you for your help. I just could not figure out how to get that last of that carp** off my computer. I really appreciate your time and patience.

#15 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 14 November 2009 - 02:54 PM

Hi,

Let's see if I can get rid of that error message, please do the following:

please follow these instructions for downloading and installing Hijack this
Click here to download HJTInstall.exe
Please follow the prompts to ensure it is installed in the proper folder and
a shortcut is created.
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·