
PC is infected w/Virtumonde


This topic is locked
21 replies to this topic

#1 industry_kitty


Posted 07 December 2008 - 12:50 PM

I have tried running Spybot S&D several times, which has at least been helpful in giving names to whatever has taken over my PC. Unfortunately, it has been unable to fix the problem. I have also used Trend Micro's internet scanner a few times to help clean things up, but it has been unsuccessful in complete removal as well.
AVG Anti-Virus Free Edition, along with the built-in Windows XP Pro firewall, was running at the time of the original infection. At present AVG still does not appear to be able to recognize and/or correct the infection either.
The most obvious problem is my IE browser running rampant: opening browser windows, resetting my internet option preferences, and I can only imagine what it's doing to things I cannot see.
I've lost track of all the different things I've tried to recover my system, and short of dumping the entire thing and reloading my OS, I figured it would be wiser to come here for help first.

Thanks in advance for your help
~K

Below are the logs from RSIT and HJT respectively:

info.txt logfile of random's system information tool 1.04 2008-12-07 08:59:50

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E6BF946C-C6A8-4799-A9C7-7EC6EBD79992}\Setup.exe" /L9 remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Browser Address Error Redirector-->MsiExec.exe /I{62230596-37E5-4618-A329-0D21F529A86F}
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Laser MFP 1600n Software Uninstall-->C:\Program Files\DELL\Dell Laser MFP 1600n\Install\setup.exe /Uninstall
Dell Support Center-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® PRO Network Connections 12.1.8.0-->MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Macromedia Dreamweaver MX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Fireworks MX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{930B2432-43D4-11D5-9871-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Disc 2-->MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NDCMedisoft Patient Accounting 10-->C:\PROGRA~1\NDCMED~1\Bin\UNWISE.EXE "C:\Program Files\NDCMedisoft\Bin\impasu.log"
novaPDF Lite Desktop 5.5 printer-->"C:\Program Files\Softland\novaPDF Lite Desktop 5\unins000.exe"
OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
PaperPort 9.0-->MsiExec.exe /I{3F3C0456-E391-41AB-9523-A6B5558069A0}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -l0x9 -cluninstall
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Roxio Activation Module-->MsiExec.exe /I{07159635-9DFE-4105-BFC0-2817DB540C68}
Roxio Creator Audio-->MsiExec.exe /I{83FFCFC7-88C6-41C6-8752-958A45325C82}
Roxio Creator BDAV Plugin-->MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy-->MsiExec.exe /I{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}
Roxio Creator Data-->MsiExec.exe /I{0D397393-9B50-4C52-84D5-77E344289F87}
Roxio Creator DE-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools-->MsiExec.exe /I{0394CDC8-FABD-4ED8-B104-03393876DFDF}
Roxio Drag-to-Disc-->MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SearchAssist-->C:\DELL\SearchAssist\UninstSA.bat
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Sonic CinePlayer Decoder Pack-->MsiExec.exe /I{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}
Speedy Claims-->MsiExec.exe /I{1887B4B7-423A-420E-BAED-F466A3635A9B}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2-->"C:\Program Files\SpywareGuard\unins000.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Web Update Wizard (Redistributable) 4.0-->C:\WINDOWS\system32\wuwuninst.exe
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

=====HijackThis Backups=====

O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\KontrolledChaos\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: AVG Anti-Virus Free

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------


Logfile of random's system information tool 1.04 (written by random/random)
Run by KontrolledChaos at 2008-12-07 08:59:41
Microsoft Windows XP Professional Service Pack 3
System drive C: has 141 GB (92%) free of 153 GB
Total RAM: 1013 MB (42% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:49 AM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\KontrolledChaos\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\KontrolledChaos.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080806
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080806
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/smallbiz.del...amp;ibd=5080806
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {87cb2a8c-9588-e4c9-ecf4-752ddc659b76} - {67b956cd-d257-4fce-9c4e-8859c8a2bc78} - C:\WINDOWS\system32\dwtljf.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\yayxyAtU.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C5E29E6F-A9AE-46F1-8970-F381807832FA} - (no file)
O2 - BHO: (no name) - {E8CB69D9-8387-407B-B8CA-2E0DA23C11BE} - (no file)
O2 - BHO: (no name) - {F20C12A7-0257-4897-BAE3-9A5816CBF5E7} - C:\WINDOWS\system32\vtUmKBTm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5884] command /c del "C:\WINDOWS\system32\inuoviiq.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2759] cmd /c del "C:\WINDOWS\system32\inuoviiq.dll_old"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7089] command /c del "C:\WINDOWS\system32\inuoviiq.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1610] cmd /c del "C:\WINDOWS\system32\inuoviiq.dll_old"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.industry-la.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll ikzlav.dll dwtljf.dll
O20 - Winlogon Notify: yayxyAtU - C:\WINDOWS\SYSTEM32\yayxyAtU.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe

--
End of file - 8378 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\tccawilb.job
C:\WINDOWS\tasks\wogcsjxk.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67b956cd-d257-4fce-9c4e-8859c8a2bc78}]
C:\WINDOWS\system32\dwtljf.dll [2008-12-07 129024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
C:\WINDOWS\system32\yayxyAtU.dll [2008-12-06 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-10-14 2055960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2008-09-12 2549368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2008-08-05 325048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5E29E6F-A9AE-46F1-8970-F381807832FA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8CB69D9-8387-407B-B8CA-2E0DA23C11BE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F20C12A7-0257-4897-BAE3-9A5816CBF5E7}]
C:\WINDOWS\system32\vtUmKBTm.dll [2008-12-06 302592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2008-09-12 2549368]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-10-14 2055960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-06-13 142104]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-06-13 162584]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-06-13 138008]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-06-13 16132608]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2007-06-13 69632]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-05 29744]
"ECenter"=C:\Dell\E-Center\EULALauncher.exe [2008-02-28 17920]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2008-03-11 16384]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-27 1261336]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA5884"=command /c del C:\WINDOWS\system32\inuoviiq.dll_old []
"SpybotDeletingC2759"=cmd /c del C:\WINDOWS\system32\inuoviiq.dll_old []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2006-09-11 218032]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB7089"=command /c del C:\WINDOWS\system32\inuoviiq.dll_old []
"SpybotDeletingD1610"=cmd /c del C:\WINDOWS\system32\inuoviiq.dll_old []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

C:\Documents and Settings\KontrolledChaos\Start Menu\Programs\Startup
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll ikzlav.dll dwtljf.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll [2007-06-20 10536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-06-13 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayxyAtU]
C:\WINDOWS\system32\yayxyAtU.dll [2008-12-06 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=C:\Program Files\SpywareGuard\spywareguard.dll [2003-08-02 126976]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=C:\WINDOWS\system32\yayxyAtU.dll [2008-12-06 34816]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\vtUmKBTm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Documents and Settings\KontrolledChaos\My Documents\LimeWire\LimeWire.exe"="C:\Documents and Settings\KontrolledChaos\My Documents\LimeWire\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.js - open - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2008-12-07 08:59:41 ----D---- C:\rsit
2008-12-07 08:27:09 ----ASH---- C:\WINDOWS\system32\mTBKmUtv.ini2
2008-12-07 05:02:27 ----A---- C:\WINDOWS\system32\dwtljf.dll
2008-12-07 05:02:25 ----A---- C:\WINDOWS\system32\cimrhixp.dll
2008-12-07 05:00:04 ----A---- C:\WINDOWS\system32\77a042f6-.txt
2008-12-07 01:08:37 ----ASH---- C:\WINDOWS\system32\mTBKmUtv.ini
2008-12-06 22:32:05 ----D---- C:\Program Files\SpywareGuard
2008-12-06 21:37:56 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-06 21:37:56 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-06 18:58:09 ----D---- C:\Program Files\Trend Micro
2008-12-06 18:33:09 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-06 18:33:00 ----D---- C:\Program Files\SpywareBlaster
2008-12-06 16:54:37 ----A---- C:\WINDOWS\system32\mcrh.tmp
2008-12-06 14:04:47 ----A---- C:\WINDOWS\system32\ikzlav.dll
2008-12-06 14:04:45 ----A---- C:\WINDOWS\system32\ddwsvjyu.dll
2008-12-06 14:01:52 ----A---- C:\WINDOWS\system32\konfjouw.dll
2008-12-06 07:14:33 ----A---- C:\WINDOWS\system32\wcfqoi.dll
2008-12-06 07:14:31 ----A---- C:\WINDOWS\system32\ohmdmrpc.dll
2008-12-06 07:11:23 ----A---- C:\WINDOWS\system32\vtUmKBTm.dll
2008-12-06 07:07:13 ----HD---- C:\$AVG8.VAULT$
2008-12-06 07:06:18 ----D---- C:\Program Files\GetModule
2008-12-06 07:06:18 ----A---- C:\WINDOWS\system32\yayxyAtU.dll
2008-12-01 14:39:16 ----D---- C:\Documents and Settings\KontrolledChaos\Application Data\Apple Computer
2008-12-01 14:37:34 ----D---- C:\Documents and Settings\KontrolledChaos\Application Data\LimeWire
2008-12-01 14:36:14 ----D---- C:\Documents and Settings\KontrolledChaos\Application Data\Help
2008-12-01 00:00:58 ----A---- C:\WINDOWS\system32\GEARAspi.dll
2008-12-01 00:00:43 ----D---- C:\Program Files\iPod
2008-12-01 00:00:40 ----D---- C:\Program Files\iTunes
2008-12-01 00:00:40 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-01 00:00:28 ----D---- C:\Program Files\Bonjour
2008-12-01 00:00:02 ----D---- C:\Program Files\QuickTime
2008-12-01 00:00:01 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-11-30 23:59:50 ----D---- C:\Program Files\Apple Software Update
2008-11-30 23:59:23 ----D---- C:\Program Files\Common Files\Apple
2008-11-30 23:59:23 ----D---- C:\Documents and Settings\All Users\Application Data\Apple
2008-11-23 18:29:12 ----A---- C:\VDM105.tmp
2008-11-23 18:29:12 ----A---- C:\VDM104.tmp
2008-11-23 18:29:05 ----D---- C:\IDAPI
2008-11-23 18:28:57 ----D---- C:\WOW
2008-11-22 03:01:13 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2008-11-22 03:01:01 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2008-11-22 03:00:50 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2008-11-22 03:00:39 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-11-22 03:00:30 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2008-11-21 10:57:09 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-11-21 06:18:44 ----N---- C:\WINDOWS\system32\spmsg.dll
2008-11-21 06:18:43 ----HDC---- C:\WINDOWS\$NtUninstallMSCompPackV1$
2008-11-21 06:18:31 ----D---- C:\Program Files\Windows Media Connect 2
2008-11-21 06:18:23 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2008-11-21 06:18:07 ----D---- C:\b14e4216653ebe8381f4
2008-11-21 06:17:46 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2008-11-21 06:17:27 ----D---- C:\db6afe0b057a7d9c90f13099
2008-11-21 06:17:23 ----D---- C:\WINDOWS\system32\LogFiles
2008-11-21 06:17:19 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2008-11-21 06:17:03 ----D---- C:\58943d4356f9a29033
2008-11-12 03:00:37 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 03:00:32 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 03:00:26 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-09 16:48:20 ----N---- C:\WINDOWS\system32\pxhpinst.exe

======List of files/folders modified in the last 1 months======

2008-12-07 08:59:45 ----D---- C:\WINDOWS\Temp
2008-12-07 08:59:31 ----D---- C:\WINDOWS\Prefetch
2008-12-07 08:36:59 ----D---- C:\Program Files\Mozilla Firefox
2008-12-07 08:27:09 ----D---- C:\WINDOWS\system32
2008-12-07 08:06:16 ----D---- C:\WINDOWS
2008-12-07 08:05:37 ----RD---- C:\Program Files
2008-12-07 08:05:08 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-07 05:25:43 ----A---- C:\WINDOWS\wininit.ini
2008-12-07 05:04:24 ----D---- C:\WINDOWS\system32\drivers
2008-12-07 04:56:31 ----D---- C:\WINDOWS\pchealth
2008-12-07 01:08:27 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-07 00:43:07 ----D---- C:\WINDOWS\SoftwareDistribution
2008-12-06 19:48:45 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-06 17:44:03 ----D---- C:\Program Files\Internet Explorer
2008-12-06 16:25:41 ----D---- C:\WINDOWS\system32\Restore
2008-12-06 11:24:39 ----SD---- C:\WINDOWS\Tasks
2008-12-04 19:40:46 ----SHD---- C:\WINDOWS\Installer
2008-12-01 14:36:14 ----D---- C:\Program Files\WinRAR
2008-12-01 00:00:58 ----HD---- C:\WINDOWS\inf
2008-12-01 00:00:58 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-30 23:59:23 ----D---- C:\Program Files\Common Files
2008-11-24 10:31:13 ----D---- C:\WINDOWS\WinSxS
2008-11-24 10:31:10 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-11-24 10:31:04 ----D---- C:\Program Files\Common Files\Adobe
2008-11-24 10:31:04 ----D---- C:\Program Files\Adobe
2008-11-23 18:29:12 ----A---- C:\WINDOWS\win.ini
2008-11-23 18:29:03 ----D---- C:\WINDOWS\system
2008-11-22 03:02:14 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-22 03:01:14 ----SHD---- C:\WINDOWS\system32\dllcache
2008-11-22 03:01:04 ----A---- C:\WINDOWS\imsins.BAK
2008-11-21 06:18:41 ----D---- C:\Program Files\Windows Media Player
2008-11-21 06:18:29 ----D---- C:\WINDOWS\Help
2008-11-18 08:54:32 ----A---- C:\WINDOWS\iltwain.ini
2008-11-12 03:00:36 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-10-14 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-10-14 26824]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2007-07-23 30064]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-10-14 76040]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\Drivers\DLABMFSM.SYS [2007-07-23 37360]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\Drivers\DLABOIOM.SYS [2007-07-23 32848]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\Drivers\DLADResM.SYS [2007-07-23 9104]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS [2007-07-23 108752]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS [2007-07-23 27216]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\Drivers\DLAPoolM.SYS [2007-07-23 16304]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS [2007-07-23 98448]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS [2007-07-23 93552]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2007-07-23 52000]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-06-26 254872]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-06-13 5760096]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-06-13 4403712]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-14 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-14 231704]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 WebUpdate4;Web Update Wizard Service V4; C:\WINDOWS\system32\WebUpdateSvc4.exe [2007-07-16 229592]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-14 32768]
S3 GoogleDesktopManager-010708-104812;Google Desktop Manager 5.7.801.7324; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-05 29744]
S3 GoToMyPC;GoToMyPC; C:\Program Files\Citrix\GoToMyPC\g2svc.exe [2007-06-20 258856]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-05 138168]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-07-11 69632]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

#2 kahdah
  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:55 AM

Posted 07 December 2008 - 12:53 PM

Hello industry_kitty

Welcome to BleepingComputer :thumbsup:
========================
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 industry_kitty
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:55 PM

Posted 07 December 2008 - 01:51 PM

Below is the ComboFix.txt log:

ComboFix 08-12-06.06 - KontrolledChaos 2008-12-07 10:20:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.432 [GMT -8:00]
Running from: c:\documents and settings\KontrolledChaos\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\GetModule
c:\windows\system32\cimrhixp.dll
c:\windows\system32\ddwsvjyu.dll
c:\windows\system32\dwtljf.dll
c:\windows\system32\ikzlav.dll
c:\windows\system32\konfjouw.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mTBKmUtv.ini
c:\windows\system32\mTBKmUtv.ini2
c:\windows\system32\ohmdmrpc.dll
c:\windows\system32\vtUmKBTm.dll
c:\windows\system32\wcfqoi.dll
c:\windows\system32\x64
c:\windows\Tasks\tccawilb.job
c:\windows\Tasks\wogcsjxk.job
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 08:59 . 2008-12-07 08:59 <DIR> d-------- C:\rsit
2008-12-06 22:32 . 2008-12-07 05:01 <DIR> d-------- c:\program files\SpywareGuard
2008-12-06 21:37 . 2008-12-06 21:38 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-06 21:37 . 2008-12-06 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-06 18:58 . 2008-12-06 18:58 <DIR> d-------- c:\program files\Trend Micro
2008-12-06 18:33 . 2008-12-06 18:33 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-06 18:33 . 2008-12-07 08:25 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-06 16:53 . 2008-12-07 00:43 <DIR> d-------- c:\documents and settings\KontrolledChaos\.housecall6.6
2008-12-06 07:07 . 2008-12-07 06:12 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-06 07:06 . 2008-12-06 07:06 34,816 --a------ c:\windows\system32\yayxyAtU.dll
2008-12-01 14:39 . 2008-12-01 14:39 <DIR> d-------- c:\documents and settings\KontrolledChaos\Application Data\Apple Computer
2008-12-01 14:37 . 2008-12-01 23:49 <DIR> d-------- c:\documents and settings\KontrolledChaos\Shared
2008-12-01 14:37 . 2008-12-02 07:10 <DIR> d-------- c:\documents and settings\KontrolledChaos\Incomplete
2008-12-01 14:37 . 2008-12-01 23:51 <DIR> d-------- c:\documents and settings\KontrolledChaos\Application Data\LimeWire
2008-12-01 00:00 . 2008-12-01 00:00 <DIR> d-------- c:\program files\QuickTime
2008-12-01 00:00 . 2008-12-01 00:00 <DIR> d-------- c:\program files\iTunes
2008-12-01 00:00 . 2008-12-01 00:00 <DIR> d-------- c:\program files\iPod
2008-12-01 00:00 . 2008-12-01 00:00 <DIR> d-------- c:\program files\Bonjour
2008-12-01 00:00 . 2008-12-01 00:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-01 00:00 . 2008-12-01 00:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-01 00:00 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-01 00:00 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-30 23:59 . 2008-12-01 00:00 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-30 23:59 . 2008-11-30 23:59 <DIR> d-------- c:\program files\Apple Software Update
2008-11-30 23:59 . 2008-11-30 23:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-23 18:29 . 2008-11-25 15:34 <DIR> d-------- c:\windows\system\FONTS
2008-11-23 18:29 . 2008-11-23 18:29 <DIR> d-------- C:\IDAPI
2008-11-23 18:29 . 2008-11-23 18:29 0 --a------ C:\VDM105.tmp
2008-11-23 18:29 . 2008-11-23 18:29 0 --a------ C:\VDM104.tmp
2008-11-23 18:28 . 2008-11-23 18:29 <DIR> d-------- C:\WOW
2008-11-23 18:27 . 1996-07-11 19:02 21,648 --a------ c:\windows\system\ctl3dv2.dll
2008-11-21 06:18 . 2008-11-21 06:18 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-21 06:18 . 2008-11-21 06:18 <DIR> d-------- C:\b14e4216653ebe8381f4
2008-11-21 06:17 . 2008-11-21 06:17 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-21 06:17 . 2008-11-21 06:17 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-21 06:17 . 2008-11-21 06:18 <DIR> d-------- C:\db6afe0b057a7d9c90f13099
2008-11-21 06:17 . 2008-11-21 06:17 <DIR> d-------- C:\58943d4356f9a29033
2008-11-11 20:03 . 2008-09-04 09:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 20:03 . 2008-10-24 03:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 18:34 302,592 ----a-w c:\windows\system32\tuvSlKEv.dll
2008-11-24 18:31 --------- d-----w c:\program files\Common Files\Adobe
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 13:55 --------- d-----w c:\documents and settings\KontrolledChaos\Application Data\AVGTOOLBAR
2008-10-15 00:47 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-15 00:47 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-10-15 00:47 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-10-15 00:47 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-10-09 06:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-09 06:33 --------- d-----w c:\program files\Macromedia
2008-10-09 06:33 --------- d-----w c:\program files\Common Files\Macromedia
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-17 23:44 129,520 ----a-w c:\windows\system32\PxAFS.DLL
2008-09-16 01:19 47,616 ----a-w c:\windows\system32\wuwuninst.exe
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-06 07:06 34816 --a------ c:\windows\system32\yayxyAtU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B85165CD-89A7-496B-90D5-46E371EFBFEE}]
2008-12-07 10:34 302592 --a------ c:\windows\system32\tuvSlKEv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB7089"="command" [X]
"SpybotDeletingD1610"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-05 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.EXE]

c:\documents and settings\KontrolledChaos\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-09-07 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\yayxyAtU.dll" [2008-12-06 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 10:09 10536 c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxyAtU]
2008-12-06 07:06 34816 c:\windows\system32\yayxyAtU.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\tuvSlKEv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\KontrolledChaos\\My Documents\\LimeWire\\LimeWire.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-14 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-14 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-14 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-14 76040]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2007-07-16 229592]
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{67b956cd-d257-4fce-9c4e-8859c8a2bc78} - c:\windows\system32\dwtljf.dll
BHO-{C5E29E6F-A9AE-46F1-8970-F381807832FA} - (no file)
BHO-{E8CB69D9-8387-407B-B8CA-2E0DA23C11BE} - (no file)
BHO-{F20C12A7-0257-4897-BAE3-9A5816CBF5E7} - c:\windows\system32\vtUmKBTm.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080806

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FireFox -: Profile - c:\documents and settings\KontrolledChaos\Application Data\Mozilla\Firefox\Profiles\1wpkqtyd.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 10:33:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\tuvSlKEv.dll 302592 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
c:\windows\system32\yayxyAtU.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-12-07 10:36:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 18:36:33

Pre-Run: 147,350,499,328 bytes free
Post-Run: 147,302,395,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

227 --- E O F --- 2008-11-22 11:01:15
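The entries a helper reads out of a log like this are the loading points: the two BHOs, the ShellExecuteHooks entry, the Winlogon Notify package, the extra LSA Authentication Package, and the Security Center and firewall policy values. As an added example that is not part of the thread and not a ComboFix or BleepingComputer tool, the Python below parses those "Reg Loading Points" lines and flags them; SCAN_DATE, RECENT_DAYS, the allow-lists and the random-name heuristic are assumptions chosen for the demo, and the sample lines are copied from the log above.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log. Added example,
not a ComboFix or BleepingComputer tool; the constants are demo assumptions."""
import re
from datetime import date

SCAN_DATE = date(2008, 12, 7)  # date of the ComboFix run above (assumed)
RECENT_DAYS = 7                # "recently created" threshold (assumed)
# Winlogon Notify packages usual on XP plus GoToMyPC from this log (assumed).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy", "gotomypc"}
KNOWN_AUTH_PACKAGES = {"msv1_0"}  # the default LSA package on XP

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# BHO lines carry a 9-char attribute column, Winlogon Notify lines do not.
DLL_LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} +\d+ +"
                         r"(?:[-a-z]{9} +)?(?P<path>[a-z]:\\.*\.dll)$", re.I)
HOOK_LINE_RE = re.compile(r'^"\{[^}]+\}"=\s*"(?P<path>[^"]+\.dll)" +'
                          r"\[(?P<date>\d{4}-\d{2}-\d{2}) \d+\]$", re.I)
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-f]{8})$', re.I)


def looks_random(stem):
    """Three or more case flips in a short alphabetic name: yayxyAtU and
    tuvSlKEv qualify, GEARAspi and G2WinLogon do not. Crude, by design."""
    if not stem.isalpha() or len(stem) > 8:
        return False
    return sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:])) >= 3


def dll_reasons(path, created):
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if 0 <= (SCAN_DATE - created).days <= RECENT_DAYS:
        reasons.append(f"created {created}, within {RECENT_DAYS} days of the scan")
    if looks_random(stem):
        reasons.append("random-looking file name")
    return reasons


def triage_loading_points(lines):
    """Return (category, object, reasons) tuples for suspicious entries."""
    findings, key = [], ""
    for raw in lines:
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        leaf = key.rsplit("\\", 1)[-1]  # subkey: CLSID, package or profile
        if key.endswith("\\lsa") and line.startswith("Authentication Packages"):
            for pkg in line.split("REG_MULTI_SZ", 1)[1].split():
                if pkg.rsplit("\\", 1)[-1].lower() not in KNOWN_AUTH_PACKAGES:
                    findings.append(("lsa-auth-package", pkg, "non-default LSA package"))
            continue
        m = DWORD_RE.match(line)
        if (m and "security center" in key and int(m.group("val"), 16) == 1
                and m.group("name").endswith("DisableNotify")):
            findings.append(("security-center", m.group("name"), "alert suppressed"))
            continue
        if ("firewallpolicy" in key and line.startswith('"EnableFirewall"')
                and re.search(r"=\s*0\b", line)):
            findings.append(("firewall", leaf, "Windows Firewall disabled"))
            continue
        m = DLL_LINE_RE.match(line) or HOOK_LINE_RE.match(line)
        category = ("bho" if "browser helper objects" in key else
                    "winlogon-notify" if "winlogon\\notify" in key else
                    "shellexecutehook" if "shellexecutehooks" in key else None)
        if not m or category is None:
            continue
        reasons = dll_reasons(m.group("path"), date.fromisoformat(m.group("date")))
        if category == "winlogon-notify" and leaf not in KNOWN_NOTIFY:
            reasons.append("unknown Winlogon Notify package")
        if reasons:
            findings.append((category, m.group("path"), "; ".join(reasons)))
    return findings


# Lines copied from the ComboFix log above. The ctfmon Run entry and the old,
# allow-listed GoToMyPC Notify entry must come out clean.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-06 07:06 34816 --a------ c:\windows\system32\yayxyAtU.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B85165CD-89A7-496B-90D5-46E371EFBFEE}]
2008-12-07 10:34 302592 --a------ c:\windows\system32\tuvSlKEv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\yayxyAtU.dll" [2008-12-06 34816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 10:09 10536 c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxyAtU]
2008-12-06 07:06 34816 c:\windows\system32\yayxyAtU.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\tuvSlKEv
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
""".splitlines()
```

Run `triage_loading_points(SAMPLE_LOG)` to get eight findings; every entry tied to yayxyAtU.dll or tuvSlKEv.dll is flagged, the ctfmon and GoToMyPC lines are not.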

#4 kahdah
  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:55 AM

Posted 07 December 2008 - 08:29 PM

1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Rootkit::
c:\windows\system32\tuvSlKEv.dll 

File::
c:\windows\system32\yayxyAtU.dll
c:\windows\system32\tuvSlKEv.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B85165CD-89A7-496B-90D5-46E371EFBFEE}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxyAtU]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#5 industry_kitty
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:55 PM

Posted 08 December 2008 - 04:51 AM

At this point I cannot do anything with my infected PC and am now using an old laptop to try and find out how to fix the problems. First, I am unable to completely stop Spyware Guard 2008 and whatever else from running, so I have no idea whether ComboFix is even able to perform properly. I'm pretty much ready to throw my computer over the balcony, but it's only 2 months old so I figure there's no reason I should not be able to recover it fairly easily. I'm not worried about losing any files because they are all backed up to a remote server, so if dumping the entire system will work I'll do it. Unfortunately, whatever has taken it over is making that rather difficult as well. Any suggestions? Because the download this, download that, run this, run that method doesn't seem to be working. Or maybe it is and I just can't see it. :thumbsup:

~K

#6 kahdah
  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:55 AM

Posted 08 December 2008 - 07:30 AM

Ok, well, you will have to be more specific than that: what exactly is happening?
Please be patient as it sometimes can be frustrating.

Did you create the CF script from my previous post?
I will need to see the log produced by ComboFix.
In your next reply please tell me whether or not ComboFix ran.
If it did not then please run it in Safe Mode.

*Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

Edited by kahdah, 08 December 2008 - 07:50 AM.


#7 industry_kitty
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:55 PM

Posted 08 December 2008 - 08:15 PM

[quote]
*Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
[/quote]

SafeMode, tried that, but not really an option right now. Choosing to hit F8 doesn't even show up as a suggestion on reboot. Luckily, I just know from personal experience where it will take me if I hit it while rebooting the system. The problem is the screen that gives you the option of starting in safe mode or elsewhere only shows up for literally about 2 seconds or less, not enough time to make any choice, let alone see what those choices could possibly be.

Yes, I created the script, added it to ComboFix and let it do its thing. All the while ComboFix is running, or appears to be running, Spyware Guard 2008 is just merrily opening up fake alert after fake alert over in the right lower quadrant of my monitor. ComboFix does restart the computer and makes a log, but Spyware Guard 2008 is still chugging along.

I redid the script thing and reran ComboFix. Upon startup I received the following info in the form of a Windows-type alert:
The contents of this folder
C:|Windows\erdnt\Hiv-backup
could not be completely deleted

This is the first time I've received this message so thought I would just mention it to you.

The following are the ComboFix log and a new Hijackthis log respectively:

ComboFix 08-12-07.04 - KontrolledChaos 2008-12-08 16:47:11.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511 [GMT -8:00]
Running from: c:\documents and settings\KontrolledChaos\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\KontrolledChaos\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\tuvSlKEv.dll
c:\windows\system32\yayxyAtU.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\svhost.exe
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\tuvSlKEv.dll
c:\windows\system32\winscenter.exe
c:\windows\vmreg.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-07 20:10 . 2008-12-07 20:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-07 20:10 . 2008-12-07 20:10 <DIR> d-------- c:\documents and settings\KontrolledChaos\Application Data\Malwarebytes
2008-12-07 20:10 . 2008-12-07 20:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-07 20:10 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-07 20:10 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-07 17:17 . 2008-12-07 17:17 158,208 --a------ c:\windows\system32\vxlqfjku.exe
2008-12-07 08:59 . 2008-12-07 08:59 <DIR> d-------- C:\rsit
2008-12-06 22:32 . 2008-12-07 05:01 <DIR> d-------- c:\program files\SpywareGuard
2008-12-06 21:37 . 2008-12-08 16:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-06 21:37 . 2008-12-08 16:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-06 18:58 . 2008-12-06 18:58 <DIR> d-------- c:\program files\Trend Micro
2008-12-06 18:33 . 2008-12-06 18:33 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-06 18:33 . 2008-12-07 15:20 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-06 16:53 . 2008-12-07 00:43 <DIR> d-------- c:\documents and settings\KontrolledChaos\.housecall6.6
2008-12-06 07:07 . 2008-12-07 17:48 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-01 14:39 . 2008-12-01 14:39 <DIR> d-------- c:\documents and settings\KontrolledChaos\Application Data\Apple Computer
2008-12-01 14:37 . 2008-12-01 23:49 <DIR> d-------- c:\documents and settings\KontrolledChaos\Shared
2008-12-01 14:37 . 2008-12-02 07:10 <DIR> d-------- c:\documents and settings\KontrolledChaos\Incomplete
2008-12-01 14:37 . 2008-12-01 23:51 <DIR> d-------- c:\documents and settings\KontrolledChaos\Application Data\LimeWire
2008-12-01 00:00 . 2008-12-01 00:00 <DIR> d-------- c:\program files\QuickTime
2008-12-01 00:00 . 2008-12-01 00:00 <DIR> d-------- c:\program files\iTunes
2008-12-01 00:00 . 2008-12-01 00:00 <DIR> d-------- c:\program files\iPod
2008-12-01 00:00 . 2008-12-01 00:00 <DIR> d-------- c:\program files\Bonjour
2008-12-01 00:00 . 2008-12-01 00:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-01 00:00 . 2008-12-01 00:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-01 00:00 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-01 00:00 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-30 23:59 . 2008-12-01 00:00 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-30 23:59 . 2008-11-30 23:59 <DIR> d-------- c:\program files\Apple Software Update
2008-11-30 23:59 . 2008-11-30 23:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-23 18:29 . 2008-11-25 15:34 <DIR> d-------- c:\windows\system\FONTS
2008-11-23 18:29 . 2008-11-23 18:29 <DIR> d-------- C:\IDAPI
2008-11-23 18:29 . 2008-11-23 18:29 0 --a------ C:\VDM105.tmp
2008-11-23 18:29 . 2008-11-23 18:29 0 --a------ C:\VDM104.tmp
2008-11-23 18:28 . 2008-11-23 18:29 <DIR> d-------- C:\WOW
2008-11-23 18:27 . 1996-07-11 19:02 21,648 --a------ c:\windows\system\ctl3dv2.dll
2008-11-21 06:18 . 2008-11-21 06:18 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-21 06:18 . 2008-11-21 06:18 <DIR> d-------- C:\b14e4216653ebe8381f4
2008-11-21 06:17 . 2008-11-21 06:17 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-21 06:17 . 2008-11-21 06:17 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-21 06:17 . 2008-11-21 06:18 <DIR> d-------- C:\db6afe0b057a7d9c90f13099
2008-11-21 06:17 . 2008-11-21 06:17 <DIR> d-------- C:\58943d4356f9a29033
2008-11-11 20:03 . 2008-09-04 09:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 20:03 . 2008-10-24 03:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 00:53 --------- d-----w c:\program files\Spyware Guard 2008
2008-11-24 18:31 --------- d-----w c:\program files\Common Files\Adobe
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 13:55 --------- d-----w c:\documents and settings\KontrolledChaos\Application Data\AVGTOOLBAR
2008-10-15 00:47 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-15 00:47 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-10-15 00:47 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-10-09 06:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-09 06:33 --------- d-----w c:\program files\Macromedia
2008-10-09 06:33 --------- d-----w c:\program files\Common Files\Macromedia
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55004B1F-5DB2-41DF-92D7-6D8175CA65DC}]
c:\windows\system32\fccdawTn.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"spywareguard"="c:\program files\Spyware Guard 2008\spywareguard.exe" [2008-12-08 788992]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2008-09-07 986]
Microsoft Office.lnk.disabled [2008-09-08 1725]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ieModule"= {E3268CFB-D005-4E0F-B0D2-D601193578A7} - c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll [2008-12-07 3312128]
"InternetConnection"= {73E1633C-D888-4E1C-A7A2-911CC6E01FA9} - c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ikszlvxdnv.dll [2008-12-07 926720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 10:09 10536 c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=azmgth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"spywareguard"=c:\program files\Spyware Guard 2008\spywareguard.exe
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe
"Persistence"=c:\windows\system32\igfxpers.exe
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"HotKeysCmds"=c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\KontrolledChaos\\My Documents\\LimeWire\\LimeWire.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-14 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-14 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-14 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-14 76040]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2007-07-16 229592]
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080806

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FireFox -: Profile - c:\documents and settings\KontrolledChaos\Application Data\Mozilla\Firefox\Profiles\1wpkqtyd.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 16:53:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\winscenter.exe 294912 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\winscenter.exe
.
**************************************************************************
.
Completion time: 2008-12-08 17:01:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 01:01:18
ComboFix2.txt 2008-12-09 00:26:02
ComboFix3.txt 2008-12-08 00:54:32
ComboFix4.txt 2008-12-07 18:36:40

Pre-Run: 147,401,433,088 bytes free
Post-Run: 147,422,482,432 bytes free

190 --- E O F --- 2008-11-22 11:01:15


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:17 PM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\winscenter.exe
C:\Program Files\Spyware Guard 2008\spywareguard.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080806
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/smallbiz.del...amp;ibd=5080806
O2 - BHO: (no name) - {55004B1F-5DB2-41DF-92D7-6D8175CA65DC} - C:\WINDOWS\system32\fccdawTn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.industry-la.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: azmgth.dll
O21 - SSODL: ieModule - {E3268CFB-D005-4E0F-B0D2-D601193578A7} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {73E1633C-D888-4E1C-A7A2-911CC6E01FA9} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ikszlvxdnv.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe

--
End of file - 5897 bytes
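A log-triage script, added here as an example and not part of this thread, of HijackThis or of ComboFix: it parses HJT-style "Oxx - ..." lines and flags the persistence patterns visible in the log above (AppInit_DLLs set, an SSODL DLL under All Users\Application Data, the orphaned BHO, the rogue Run entry, a Trusted Zone addition). The sample lines are copied from the HJT log above; the user-writable-folder and rogue-name rules are my own heuristics, not anything the tools themselves apply.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the HijackThis log posted above. The Java,
# Adobe and Bonjour entries are there so the rules have benign lines to pass.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {55004B1F-5DB2-41DF-92D7-6D8175CA65DC} - C:\WINDOWS\system32\fccdawTn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O15 - Trusted Zone: http://www.industry-la.com
O20 - AppInit_DLLs: azmgth.dll
O21 - SSODL: ieModule - {E3268CFB-D005-4E0F-B0D2-D601193578A7} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O2 - BHO: ..." / "R1 - HKCU\..." : item code, then the entry body.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Last Windows path in the body, quoted or bare, with HJT's optional
# "(file missing)" suffix left out of the capture.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?)"?(?:\s+\(file missing\))?\s*$')
# Folders any user can write to. A machine-wide hook (BHO, SSODL) loading
# from one of these is the pattern seen in this thread. (Own heuristic.)
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\")
# Rogue "security" product named in this thread.
ROGUE_NAMES = ("spyware guard 2008",)


@dataclass
class Finding:
    code: str
    severity: str  # "high" or "medium"
    reason: str
    line: str


def extract_path(body: str) -> Optional[str]:
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage(log_text: str) -> List[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, "Running processes:" section, blank lines
        code, body = m.group("code"), m.group("body")
        low = (extract_path(body) or "").lower()
        if code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            # AppInit_DLLs is loaded into every process that links user32.dll
            # and is normally empty on a home XP machine.
            findings.append(Finding(code, "high", "AppInit_DLLs is set", raw))
        elif code in ("O2", "O21") and "(file missing)" in body:
            findings.append(Finding(code, "medium",
                                    "hook still registered for a DLL that is gone", raw))
        elif code in ("O2", "O21") and any(p in low for p in USER_WRITABLE):
            findings.append(Finding(code, "high",
                                    "machine-wide hook loads from a user-writable folder", raw))
        elif code == "O4" and any(n in low for n in ROGUE_NAMES):
            findings.append(Finding(code, "high", "autorun entry for a known rogue product", raw))
        elif code == "O15":
            findings.append(Finding(code, "medium",
                                    "site in the Trusted zone; confirm the user added it", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
```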

#8 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 08 December 2008 - 08:43 PM

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
c:\windows\system32\vxlqfjku.exe
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ikszlvxdnv.dll 
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll 

Folders to delete:
c:\program files\Spyware Guard 2008

Registry keys to delete:
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55004B1F-5DB2-41DF-92D7-6D8175CA65DC}

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | spywareguard
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | InternetConnection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | ieModule

Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows | AppInit_DLLs

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
============================
Then also post this log.

Download GMER from Here:
Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

#9 industry_kitty
  • Topic Starter
  • Members
  • 12 posts

Posted 08 December 2008 - 10:15 PM

When I attempt to download unzip and open gmer from the link you provided I receive the following error messages

! Unexpected end of archive
! C:\Documents and Settings\KontrolledChaos\Local Settings\Temporary Internet Files\Content.IE5\DLPV1PX0\gmer[1].zip: Either multipart or corrupt ZIP archive


Below is the log from Avenger

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\vxlqfjku.exe" deleted successfully.
File "c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ikszlvxdnv.dll" deleted successfully.
File "c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll" deleted successfully.
Folder "c:\program files\Spyware Guard 2008" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55004B1F-5DB2-41DF-92D7-6D8175CA65DC}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55004B1F-5DB2-41DF-92D7-6D8175CA65DC}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|spywareguard" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|InternetConnection" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|ieModule" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows|AppInit_DLLs" replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

#10 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 08 December 2008 - 10:25 PM

Please disable AVG resident shield before running these tools.
You can enable it back after the OTScanIt log is done.

=======================
Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
===========================================
Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Under Additional Scans click the checkboxes in front of the following items to select them:

    • File - Lop check
    • File - Purity Scan
  • Under Basic scans:
    • Rootkit Search - Yes
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Attach the information back here. I will review it when it comes in.

#11 industry_kitty
  • Topic Starter
  • Members
  • 12 posts

Posted 08 December 2008 - 10:51 PM

[quote name='kahdah' date='Dec 8 2008, 10:25 PM' post='1038011']
Please disable AVG resident shield before running these tools.
You can enable it back after the OTScanIt log is done.

=======================
[/quote]

After all this I'm going to get stuck on something retarded like disabling AVG. How do I disable it? I can't figure out where it's running from; no icon in the tray?

#12 industry_kitty
  • Topic Starter
  • Members
  • 12 posts

Posted 08 December 2008 - 11:56 PM

Unfortunately, the report is too large to be attached. It's 2.60MB and the limit is 512k. Now what?

Oh, as you may have figured, I was finally able to locate and disable AVG resident shield.

#13 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 09 December 2008 - 07:33 AM

Click Here to upload the file please.

#14 industry_kitty
  • Topic Starter
  • Members
  • 12 posts

Posted 09 December 2008 - 08:25 PM

I think I sent it correctly; I received a confirmation message anyway. :thumbsup:

~K

#15 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 09 December 2008 - 09:47 PM

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {55004B1F-5DB2-41DF-92D7-6D8175CA65DC} [HKLM] -> %SystemRoot%\system32\fccdawTn.dll [Reg Error: Value  does not exist or could not be read.]
[Files/Folders - Created Within 30 Days]
NY -> reged.exe -> %SystemRoot%\reged.exe
NY -> vmreg.dll -> %SystemRoot%\vmreg.dll
NY -> sysexplorer.exe -> %SystemRoot%\sysexplorer.exe
NY -> sys.com -> %SystemRoot%\sys.com
NY -> syscert.exe -> %SystemRoot%\syscert.exe
NY -> spoolsystem.exe -> %SystemRoot%\spoolsystem.exe
NY -> winscenter.exe -> %SystemRoot%\System32\winscenter.exe
NY -> Spyware Guard 2008.lnk -> %UserProfile%\Desktop\Spyware Guard 2008.lnk
[Files/Folders - Modified Within 30 Days]
NY -> sysexplorer.exe -> %SystemRoot%\sysexplorer.exe
NY -> reged.exe -> %SystemRoot%\reged.exe
NY -> vmreg.dll -> %SystemRoot%\vmreg.dll
NY -> sys.com -> %SystemRoot%\sys.com
NY -> syscert.exe -> %SystemRoot%\syscert.exe
NY -> spoolsystem.exe -> %SystemRoot%\spoolsystem.exe
NY -> winscenter.exe -> %SystemRoot%\System32\winscenter.exe
NY -> Spyware Guard 2008.lnk -> %UserProfile%\Desktop\Spyware Guard 2008.lnk
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.
I will review the information when it comes back in.
=================================
After that update MalwareBytes Antimalware and run a scan as directed below please.


Double Click MalwareBytes Antimalware to run the application.
  • Next choose the Update tab and then choose check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has finished, go to the scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
================
After that, please run OTScanIt2 again with the same instructions as before and save the file; you can upload the file Here.