Infected with several problems


  • This topic is locked
28 replies to this topic

#1 garreck

garreck

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 17 March 2009 - 10:04 PM

Popups constantly while using the internet.

My AVG just deleted itself.

When booting up Windows screen says cannot find C:\Windows\system32\yitidena.dll
and C:\Windows\system32\haferbo.dll

While on the internet, a lot (30 to 40) different web browser screens will begin to open
at the same time.

DDS post below

Thanks


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 22:27:22.56 on Tue 03/17/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.659 [GMT -4:00]

AV: AVG Anti-Virus Network Edition *On-access scanning enabled* (Updated)
============= FINISH: 22:29:19.21 ===============

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.gatewaybiz.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {582e1d77-2ba0-42bd-bf2f-9dcb44da2139} - c:\windows\system32\nozahiti.dll
BHO: {44695878-b19f-a8e9-9964-19ce2cdad837}: {738dadc2-ec91-4699-9e8a-f91b87859644} - c:\windows\system32\mqkhzi.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SunKist] c:\program files\digital media reader\shwicon2k.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\bcmntray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MpsOnn] c:\windows\system32\spool\drivers\w32x86\3\MpsOnn.exe
mRun: [Lexmark 4200 Series] "c:\program files\lexmark 4200 series\lxbmbmgr.exe"
mRun: [temularoba] Rundll32.exe "c:\windows\system32\haferabo.dll",s
mRun: [a8e57c90] rundll32.exe "c:\windows\system32\nizefipu.dll",b
mRun: [CPMabd64f0c] Rundll32.exe "c:\windows\system32\wivagoge.dll",a
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} - hxxp://viewers.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\fupipivo.dll cdnoqw.dll c:\windows\system32\vehuyafa.dll acskkg.dll c:\windows\system32\fakubija.dll mqkhzi.dll c:\windows\system32\wivagoge.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wivagoge.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\wivagoge.dll
LSA: Notification Packages = scecli c:\windows\system32\fupipivo.dll c:\windows\system32\vehuyafa.dll c:\windows\system32\fakubija.dll

============= SERVICES / DRIVERS ===============

R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-1-14 13088]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-6-15 200192]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys --> c:\windows\system32\drivers\avg7core.sys [?]
S1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys --> c:\windows\system32\drivers\avg7rsw.sys [?]
S1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys --> c:\windows\system32\drivers\avg7rsxp.sys [?]
S1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys --> c:\windows\system32\drivers\avgclean.sys [?]
S2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe --> c:\progra~1\grisoft\avg7\avgamsvr.exe [?]
S2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe --> c:\progra~1\grisoft\avg7\avgupsvc.exe [?]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\owner\locals~1\temp\safe to delete 3_0_4_8\amdmsrio.sys --> c:\docume~1\owner\locals~1\temp\safe to delete 3_0_4_8\AMDMSRIO.sys [?]

=============== Created Last 30 ================

2009-03-16 09:48 4,015 ---sh--- c:\windows\system32\wefojuho.dll
2009-03-16 09:48 1,714,509 ---sh--- c:\windows\system32\oritetid.ini
2009-03-16 09:47 142,848 a--sh--- c:\windows\system32\exbeot.dll
2009-03-16 08:56 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-16 07:32 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-16 07:32 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-16 07:32 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-03-16 07:32 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-16 07:32 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-16 07:32 <DIR> --d----- c:\docume~1\owner\applic~1\AVGTOOLBAR
2009-03-16 07:30 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-03-16 07:30 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-03-16 07:30 <DIR> --d----- c:\program files\AVG
2009-03-16 07:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-15 21:47 1,714,490 ---sh--- c:\windows\system32\obuwadek.ini
2009-03-15 09:46 1,714,499 ---sh--- c:\windows\system32\awenamay.ini
2009-03-15 09:46 141,312 a--sh--- c:\windows\system32\mnsipr.dll
2009-03-14 16:03 161,792 a------- c:\windows\SWREG.exe
2009-03-14 16:03 98,816 a------- c:\windows\sed.exe
2009-03-14 11:07 141,312 a------- c:\windows\system32\mqkhzi.dll
2009-03-14 11:03 1,749,281 ---sh--- c:\windows\system32\upifezin.ini
2009-03-14 11:03 2,098 ---sh--- c:\windows\system32\volorume.dll
2009-03-14 11:00 141,312 a------- c:\windows\system32\bulilufu.dll
2009-03-14 11:00 105,984 a------- c:\windows\system32\wivagoge.dll
2009-03-13 16:06 142,336 a--sh--- c:\windows\system32\hcsxvb.dll
2009-03-12 20:32 1,808,094 ---sh--- c:\windows\system32\uniboyil.ini
2009-03-12 08:29 1,808,081 ---sh--- c:\windows\system32\ohirepas.ini
2009-03-09 16:17 121 ---sh--- c:\windows\system32\ahowayas.ini
2009-03-07 20:53 1,807,293 ---sh--- c:\windows\system32\ofubapug.ini
2009-02-19 21:37 <DIR> --d----- c:\docume~1\owner\applic~1\Intuit
2009-02-19 21:32 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0
2009-02-19 21:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2009-02-19 21:28 <DIR> --d----- c:\program files\common files\Intuit
2009-02-19 21:23 <DIR> --d----- c:\program files\TurboTax
2009-02-18 18:46 <DIR> --d----- c:\program files\Lexmark 4200 Series
2009-02-18 18:36 286,720 a------- c:\windows\system32\LXBMPMNT.DLL

==================== Find3M ====================

2009-03-16 09:47 102,400 a--sh--- c:\windows\system32\ditetiro.dll
2009-03-16 09:47 142,848 a--sh--- c:\windows\system32\leheziti.dll
2009-03-15 09:46 106,496 a--sh--- c:\windows\system32\vobujaza.dll
2009-03-15 09:46 141,312 a--sh--- c:\windows\system32\sekapehu.dll
2009-03-14 11:03 100,864 -------- c:\windows\system32\nizefipu.dll
2009-03-13 16:06 101,888 a--sh--- c:\windows\system32\wuholove.dll
2009-03-13 16:06 142,336 a--sh--- c:\windows\system32\soyabodu.dll
2009-03-12 20:32 107,008 a--sh--- c:\windows\system32\hilozepi.dll
2009-03-11 15:52 101,376 a--sh--- c:\windows\system32\lebobofu.dll
2009-03-07 20:52 86,016 a--sh--- c:\windows\system32\silegoje.dll
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-28 21:21 6 a------- c:\windows\fonts\wfonts.key
2008-01-21 16:24 610 a---h--- c:\docume~1\owner\applic~1\wklnhst.dat
2007-01-08 14:40 56,912 a---h--- c:\documents and settings\owner\g2mdlhlpx.exe
0000-00-00 00:00 0 a--sh--- c:\windows\system32\jejesahe.dll

FW: AVG Firewall *disabled*

#2 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:11:53 PM

Posted 28 March 2009 - 12:40 PM

Hello garreck,

I apologise for the delay, the forum is busy.
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check (tick) all items except items in the C:\System Volume Information folder, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
----------------------------------------------
Post back:
Malwarebytes' Anti-Malware report.
A new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 garreck

garreck
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 29 March 2009 - 10:37 PM

Thanks for your response. I understand completely.

Malwarebytes Log

Malwarebytes' Anti-Malware 1.35
Database version: 1917
Windows 5.1.2600 Service Pack 2

3/29/2009 11:24:46 PM
mbam-log-2009-03-29 (23-24-46).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 133140
Time elapsed: 35 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 10
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nizefipu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\wivagoge.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mqkhzi.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{738dadc2-ec91-4699-9e8a-f91b87859644} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{738dadc2-ec91-4699-9e8a-f91b87859644} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{582e1d77-2ba0-42bd-bf2f-9dcb44da2139} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{582e1d77-2ba0-42bd-bf2f-9dcb44da2139} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{738dadc2-ec91-4699-9e8a-f91b87859644} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{582e1d77-2ba0-42bd-bf2f-9dcb44da2139} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a8e57c90 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\temularoba (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmabd64f0c (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wivagoge.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wivagoge.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mqkhzi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ditetiro.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oritetid.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nizefipu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\upifezin.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wivagoge.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP722\A0113659.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP723\A0113778.exe (Trojan.Fakealert) -> Not selected for removal.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP723\A0113781.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP723\A0113782.dll (Trojan.Vundo) -> Not selected for removal.
C:\WINDOWS\system32\bulilufu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\results.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wuholove.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\leheziti.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sekapehu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\volorume.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:56 PM, on 3/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKUS\S-1-5-19\..\Run: [temularoba] Rundll32.exe "C:\WINDOWS\system32\haferabo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [temularoba] Rundll32.exe "C:\WINDOWS\system32\haferabo.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\fupipivo.dll cdnoqw.dll C:\WINDOWS\system32\vehuyafa.dll acskkg.dll C:\WINDOWS\system32\fakubija.dll mqkhzi.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5521 bytes

Thanks
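As a defender-side illustration, added here and not part of the thread or of HijackThis itself, the Python script below applies a handful of triage rules to HJT-format log lines: a Run entry that launches a DLL through rundll32, a populated AppInit_DLLs value (which injects the listed DLLs into every process that loads user32.dll), a service whose binary is missing, a BHO registered without a name, and DLL basenames that look machine-generated (six to eight lowercase letters, the pattern the Vundo files in these logs share). The sample lines are copied from the logs garreck posted; the rules, severities and the small allowlist are my own assumptions, and the name heuristic will produce false positives on a real system, so its output is a list of entries to check against a known-good baseline, not a verdict.

```python
import re

# Constructed sample: lines copied verbatim from the HijackThis log posted in
# this thread, with two benign entries from the same log kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKUS\S-1-5-19\..\Run: [temularoba] Rundll32.exe "C:\WINDOWS\system32\haferabo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [temularoba] Rundll32.exe "C:\WINDOWS\system32\haferabo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\fupipivo.dll cdnoqw.dll C:\WINDOWS\system32\vehuyafa.dll acskkg.dll C:\WINDOWS\system32\fakubija.dll mqkhzi.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# HJT lines start with a section tag (O4, O20, R1, ...) followed by " - ".
LINE_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
# DLL basenames anywhere in the line; case-insensitive so REFIEBAR.DLL is seen.
DLL_RE = re.compile(r"([A-Za-z0-9_~-]+)\.dll", re.IGNORECASE)

# Illustrative allowlist (assumption): legitimate short lowercase names that
# would otherwise trip the heuristic. A real allowlist comes from a clean baseline.
KNOWN_GOOD = {"scecli", "msvcrt", "shlwapi", "wininet"}


def dll_names(text):
    """Return the DLL basenames (without extension) mentioned in a log line."""
    return DLL_RE.findall(text)


def looks_random(name):
    """Heuristic: 6-8 lowercase letters, no digits, not on the allowlist."""
    return (6 <= len(name) <= 8 and name.isalpha() and name.islower()
            and name not in KNOWN_GOOD)


def analyse_line(line):
    """Return a list of (severity, reason, line) findings for one HJT line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    findings = []
    if section == "O4" and re.search(r"rundll32", body, re.IGNORECASE):
        findings.append(("high", "Run key launches a DLL through rundll32", line))
    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        if body[len("AppInit_DLLs:"):].strip():
            findings.append(("high", "AppInit_DLLs is populated (DLLs injected into every user32 process)", line))
    elif section == "O23" and body.rstrip().endswith("(file missing)"):
        findings.append(("low", "service points at a missing file (stale entry; confirm vendor)", line))
    elif section == "O2" and "(no name)" in body:
        findings.append(("medium", "BHO registered without a name", line))
    # Name check runs for every section so AppInit/Run/BHO DLLs are all covered.
    for name in dll_names(body):
        if looks_random(name):
            findings.append(("high", f'random-looking DLL name "{name}.dll"', line))
    return findings


def analyse_log(text):
    """Run analyse_line over a whole log and concatenate the findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(analyse_line(line))
    return findings


def suspicious_dlls(text):
    """Sorted, de-duplicated random-looking DLL names across the whole log."""
    return sorted({n for line in text.splitlines() for n in dll_names(line) if looks_random(n)})


def summarize(findings):
    """Count findings per severity so a triage script can decide what to escalate."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for severity, reason, line in analyse_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
    print("suspicious DLL names:", ", ".join(suspicious_dlls(SAMPLE_LOG)))
    print("summary:", summarize(analyse_log(SAMPLE_LOG)))
```

On the sample above the rundll32 and AppInit rules fire exactly where the Malwarebytes log in this thread later confirms Vundo components, while the Adobe BHO and the Synaptics Run entry produce nothing; the stale AVG7 service is reported at low severity because a missing binary is usually leftover cruft rather than malware.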

#4 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:11:53 PM

Posted 30 March 2009 - 10:43 AM

Hello garreck,

I hope you rebooted after you ran Malwarebytes' Anti-Malware.

Now let's proceed.

I see you have installed AVG7 Antivirus. This version has expired and is not getting updates anymore, so you are open to infections. It's like you don't have an Anti-virus, as it's not getting the latest updates.

I will explain how to uninstall AVG7 and install another free Anti-Virus, including links. After you install the new Anti-Virus, update it, let it run and quarantine what it finds.
----------------------------------------------
INSTALLING & RUNNING AN ANTIVIRUS

Please follow the details below regarding antivirus installation (see my post below):
  • download the installer
  • disconnect from internet
  • remove old one
  • install new one
  • reconnect, immediately update, and
  • run the Anti-virus and let it quarantine all its findings.
----------------------------------------------
Install a new Anti Virus Software

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading the infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software (for personal use) from one of these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.
----------------------------------------------
Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Private Messages for personal support will be ignored. If you need help post in the forum.

#5 garreck

garreck
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 30 March 2009 - 11:51 PM

Ran Antivir and everything went well. Can't seem to get rid of AVG. I tried to disable it and can't find prompts. Uninstalled, but ComboFix says it is still running and I can't seem to disable it.

What do you recommend?

#6 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:11:53 PM

Posted 31 March 2009 - 03:06 AM

Hello garreck,

Can you still see it in your Add/Remove programs? You should reboot after you uninstalled it.
----------------------------------------------
Did you run Combofix or not yet?

Can you post a new HijackThis log so I can see if it still shows there?

Edited by chryssi2001, 31 March 2009 - 03:07 AM.

Private Messages for personal support will be ignored. If you need help post in the forum.

#7 garreck

garreck
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 31 March 2009 - 09:29 AM

Thanks for your patience.

* No, I don't see AVG in my Add/Remove
* I did reboot after I uninstalled and after Malwarebytes as you inquired earlier.
* I did not run Combofix; wanted your opinion first.

New Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:23 AM, on 3/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [temularoba] Rundll32.exe "C:\WINDOWS\system32\haferabo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [temularoba] Rundll32.exe "C:\WINDOWS\system32\haferabo.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\fupipivo.dll cdnoqw.dll C:\WINDOWS\system32\vehuyafa.dll acskkg.dll C:\WINDOWS\system32\fakubija.dll mqkhzi.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5568 bytes



I still cannot find AVG to uninstall.

Thanks

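The HijackThis log above mixes a handful of suspicious lines (the rundll32 entries under the LOCAL SERVICE and NETWORK SERVICE hives, the AppInit_DLLs list) with dozens of benign ones, and the helper later asks for the orphaned AVG7 "(file missing)" entries to be fixed as plain cleanup. Sorting that by hand is what a triage script can do first. The block below is an added example written for this page, not code from the thread, from HijackThis or from ComboFix; the sample lines are copied from the log above with two benign entries mixed in, and the severity labels and the "looks machine-generated" filename heuristic are assumptions of the example, not rules the forum uses.

```python
"""Triage a HijackThis-style log for common persistence red flags.

Added example (not from the thread or from HijackThis). Severity labels and
the filename heuristic below are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in this thread,
# plus benign Avira/Adobe entries so the rules have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [temularoba] Rundll32.exe "C:\WINDOWS\system32\haferabo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [temularoba] Rundll32.exe "C:\WINDOWS\system32\haferabo.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\fupipivo.dll cdnoqw.dll C:\WINDOWS\system32\vehuyafa.dll acskkg.dll C:\WINDOWS\system32\fakubija.dll mqkhzi.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (assumed scale)
    rule: str
    line: str


# rundll32 launching a DLL, with or without quotes around the path
_RUNDLL = re.compile(r'rundll32(\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
# Well-known SIDs for LOCAL SERVICE and NETWORK SERVICE; these accounts
# almost never have a legitimate per-user Run key.
_SERVICE_SIDS = ("S-1-5-19", "S-1-5-20")
# Heuristic: 8 lowercase letters in strict consonant-vowel alternation
# (haferabo, fupipivo, ...), the pattern of the names in this log.
_RANDOM_STEM = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}$")


def looks_generated(path: str) -> bool:
    """True if the file's stem matches the pronounceable-random pattern."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return bool(_RANDOM_STEM.match(stem))


def triage(log_text: str) -> list:
    """Return Findings for the O4/O9/O20/O23 lines that deserve a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O4 - "):
            m = _RUNDLL.search(line)
            if m:
                sev = "high" if looks_generated(m.group(2)) else "medium"
                findings.append(Finding(sev, "O4 rundll32 autorun loading a DLL", line))
            if any(f"HKUS\\{sid}\\" in line for sid in _SERVICE_SIDS):
                findings.append(Finding("high", "O4 Run key under a service account", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Everything after the first colon is a space-separated DLL list.
            # AppInit_DLLs are loaded into every process that links user32.dll,
            # so each entry is reported on its own.
            for dll in line.split(":", 1)[1].split():
                sev = "high" if looks_generated(dll) else "medium"
                findings.append(Finding(sev, "O20 AppInit_DLLs entry", dll))
        elif line.startswith(("O9 - ", "O23 - ")) and (
            "(no file)" in line or "(file missing)" in line
        ):
            # Orphaned registration: cleanup, not evidence of compromise.
            findings.append(Finding("low", "orphaned entry, target file missing", line))
    return findings


def summary(findings: list) -> dict:
    """Count findings per severity, e.g. {'high': 7, 'medium': 3, 'low': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.rule}\n         {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

Two caveats the output should be read with: an AppInit_DLLs entry given without a path (cdnoqw.dll in the sample) is resolved through the normal DLL search order, so the file may sit anywhere on that path, and the random-name heuristic is one signal to prioritise review, not proof of infection; a DLL with an ordinary-looking name in the same slot would still be medium.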
#8 garreck
Posted 31 March 2009 - 09:45 AM

Thought I would add that when I go to Outlook for e-mail this pops up:

The add-in "C:\PROGRAM~1\Grisoft\AVG7\avgxch32.dll" could not be installed or loaded. This problem may be resolved by using Detect and Repair on the Help Menu.

This popup began when I tried to upgrade to AVG 8, and then AVG 8 would not run, nor did it override AVG 7. Seems AVG 7 is still here somewhere. I uninstalled AVG 8 as well.

Thanks

#9 chryssi2001

Posted 31 March 2009 - 10:49 AM

Hello garreck,

Yes, AVG7 is still there. It seems that when you uninstalled it, somehow it didn't uninstall well.

The add-in "C:\PROGRAM~1\Grisoft\AVG7\avgxch32.dll" could not be installed or loaded. This problem may be resolved by using Detect and Repair on the Help Menu.

This is because AVG7 has an email scanner and when opening your email, the program is looking for it to load it, so it can scan emails.

Let's fix some AVG7 lines now, as it's showing that it runs at start-up as well, and we will remove the rest later.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Private Messages for personal support will be ignored. If you need help post in the forum.

#10 garreck

Posted 31 March 2009 - 12:18 PM

Combo Fix Log

ComboFix 09-03-30.02 - Owner 2009-03-31 12:18:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.682 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
AV: AVG Anti-Virus Network Edition *On-access scanning enabled* (Updated)
FW: AVG Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Owner\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\ahowayas.ini
c:\windows\system32\awenamay.ini
c:\windows\system32\jejesahe.dll
c:\windows\system32\obuwadek.ini
c:\windows\system32\ofubapug.ini
c:\windows\system32\ohirepas.ini
c:\windows\system32\silegoje.dll
c:\windows\system32\uniboyil.ini

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
hxxp://download.esd.intuit.com
.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-30 21:52 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-03-30 16:22 . 2009-03-30 16:22 <DIR> d-------- c:\program files\Avira
2009-03-30 16:22 . 2009-03-30 16:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-29 23:30 . 2009-03-29 23:30 <DIR> d-------- c:\program files\Trend Micro
2009-03-29 22:30 . 2009-03-29 22:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-29 22:30 . 2009-03-29 22:30 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-29 22:30 . 2009-03-29 22:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-29 22:30 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-29 22:30 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-17 08:26 . 2009-03-27 17:20 4,176,312 --a------ c:\windows\pfirewall.log.old
2009-03-16 09:48 . 2009-03-16 09:48 4,015 ---hs---- c:\windows\system32\wefojuho.dll
2009-03-16 07:32 . 2009-03-16 08:33 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-16 07:32 . 2009-03-16 07:32 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-16 07:32 . 2009-03-16 07:32 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-16 07:32 . 2009-03-16 07:32 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-03-16 07:32 . 2009-03-16 07:32 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-16 07:30 . 2009-03-16 07:30 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-03-16 07:30 . 2009-03-16 07:30 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2009-03-12 10:35 . 2005-03-27 02:26 <DIR> d-------- c:\documents and settings\Administrator.YOUR-F2BB931F71\WINDOWS
2009-03-12 10:35 . 2005-06-15 22:08 <DIR> d-------- c:\documents and settings\Administrator.YOUR-F2BB931F71\Application Data\SampleView
2009-03-12 10:35 . 2009-03-30 21:47 <DIR> d-------- c:\documents and settings\Administrator.YOUR-F2BB931F71
2009-02-19 21:37 . 2009-02-19 21:37 <DIR> d-------- c:\documents and settings\Owner\Application Data\Intuit
2009-02-19 21:32 . 2009-02-19 21:32 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0
2009-02-19 21:28 . 2009-02-19 21:30 <DIR> d-------- c:\program files\Common Files\Intuit
2009-02-19 21:28 . 2009-02-19 21:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Intuit
2009-02-19 21:23 . 2009-02-19 21:23 <DIR> d-------- c:\program files\TurboTax
2009-02-18 18:46 . 2009-02-18 18:47 <DIR> d-------- c:\program files\Lexmark 4200 Series
2009-02-18 18:36 . 2004-01-13 19:16 286,720 --a------ c:\windows\system32\LXBMPMNT.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 20:46 --------- d-----w c:\program files\Google
2009-03-12 13:40 --------- d-----w c:\program files\Spyware Doctor
2009-03-12 13:39 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-29 01:21 6 ----a-w c:\windows\Fonts\wfonts.key
2008-01-21 20:24 610 ---ha-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2007-01-08 18:40 56,912 ---ha-w c:\documents and settings\Owner\g2mdlhlpx.exe
.

------- Sigcheck -------

2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-04 15:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\system32\svchost.exe

2008-04-13 20:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
2004-08-04 15:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\system32\ws2_32.dll

2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2005-05-25 15:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 22:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 c:\windows\system32\drivers\tcpip.sys

2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2004-08-04 15:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\system32\winlogon.exe

2008-04-13 15:20 182656 1df7f42665c94b825322fae71721130d c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
2004-08-04 15:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2008-04-13 14:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
2004-08-04 15:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\drivers\ip6fw.sys

2008-04-13 20:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-04 15:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\system32\services.exe

2008-04-13 20:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-04 15:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\system32\lsass.exe

2008-04-13 20:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
2004-08-04 15:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\system32\ctfmon.exe

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2004-08-04 15:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\userinit.exe

2008-04-13 20:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
2004-08-04 15:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\termsrv.dll

2008-04-13 20:12 17408 50a166237a0fa771261275a405646cc0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\powrprof.dll
2004-08-04 15:00 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\system32\powrprof.dll

2008-04-13 20:11 110080 0da85218e92526972a821587e6a8bf8f c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\imm32.dll
2004-08-04 15:00 110080 87ca7ce6469577f059297b9d6556d66d c:\windows\system32\imm32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\bcmntray" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-26 139264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-06-15 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"MpsOnn"="c:\windows\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe" [2003-06-09 22528]
"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-30 108289]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-01-14 13088]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-06-15 200192]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys --> c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
mStart Page = hxxp://www.gatewaybiz.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 12:26:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\bcmntray.EXE
c:\program files\Lexmark 4200 Series\lxbmbmon.exe
.
**************************************************************************
.
Completion time: 2009-03-31 12:29:02 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-03-31 16:28:55
ComboFix2.txt 2009-01-25 00:52:35

Pre-Run: 74,419,744,768 bytes free
Post-Run: 74,387,156,992 bytes free

181 --- E O F --- 2009-03-17 18:53:07



HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:28 PM, on 3/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5304 bytes

#11 chryssi2001

Posted 01 April 2009 - 01:24 AM

Hello garreck,

c:\documents and settings\Administrator.YOUR-F2BB931F71\WINDOWS
c:\documents and settings\Administrator.YOUR-F2BB931F71\Application Data\SampleView
c:\documents and settings\Administrator.YOUR-F2BB931F71

All the above folders were created recently. Are you that Administrator, and you know what they are?
----------------------------------------------
Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 13.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 13
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u13-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
----------------------------------------------
Please go here and run AVG Remover(32bit).
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/211967/infected-with-several-problems/?p=1201838
    
    Collect::
    c:\windows\system32\wefojuho.dll
    
    File::
    c:\windows\system32\drivers\avgldx86.sys
    c:\windows\system32\drivers\avgtdix.sys
    c:\windows\system32\drivers\avgrkx86.sys
    c:\windows\system32\avgrsstx.dll
    c:\windows\system32\avgfwdx.dll
    c:\windows\system32\drivers\avgfwdx.sys
    
    Folder::
    c:\windows\system32\drivers\Avg
    C:\PROGRAM FILES\Grisoft
    
    Driver::
    Avg7Alrt
    Avg7UpdSvc
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
----------------------------------------------
Post back:
Combofix report.
Kaspersky report.
A new HijackThis log.

#12 garreck

Posted 01 April 2009 - 08:40 AM

I am the administrator, and I am not aware of what the folders are for.

I have:

Java 2 Runtime Environment Standard Edition v1.3.1_02
and
J2SE Runtime Environment 5.0 Update 2

Do I uninstall one or both?

I have completed everything else except Kaspersky. It required updated JAVA.

While running ComboFix, it says that AVG is still running. I had already uninstalled with AVG Remover(32bit). Just an FYI

ComboFix Log

ComboFix 09-03-31.03 - Owner 2009-04-01 9:10:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.678 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
AV: AVG Anti-Virus Network Edition *On-access scanning enabled* (Updated)
FW: AVG Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\avgfwdx.dll
c:\windows\system32\avgrsstx.dll
c:\windows\system32\drivers\avgfwdx.sys
c:\windows\system32\drivers\avgldx86.sys
c:\windows\system32\drivers\avgrkx86.sys
c:\windows\system32\drivers\avgtdix.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Grisoft
c:\windows\system32\wefojuho.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVG7ALRT
-------\Legacy_AVG7UPDSVC
-------\Service_Avg7Alrt
-------\Service_Avg7UpdSvc


((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
.

2009-03-30 21:52 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-03-30 16:22 . 2009-03-30 16:22 <DIR> d-------- c:\program files\Avira
2009-03-30 16:22 . 2009-03-30 16:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-29 23:30 . 2009-03-29 23:30 <DIR> d-------- c:\program files\Trend Micro
2009-03-29 22:30 . 2009-03-29 22:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-29 22:30 . 2009-03-29 22:30 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-29 22:30 . 2009-03-29 22:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-29 22:30 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-29 22:30 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-17 08:26 . 2009-03-31 17:21 4,194,641 --a------ c:\windows\pfirewall.log.old
2009-03-12 10:35 . 2005-03-27 02:26 <DIR> d-------- c:\documents and settings\Administrator.YOUR-F2BB931F71\WINDOWS
2009-03-12 10:35 . 2005-06-15 22:08 <DIR> d-------- c:\documents and settings\Administrator.YOUR-F2BB931F71\Application Data\SampleView
2009-03-12 10:35 . 2009-03-30 21:47 <DIR> d-------- c:\documents and settings\Administrator.YOUR-F2BB931F71

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 20:46 --------- d-----w c:\program files\Google
2009-03-12 13:40 --------- d-----w c:\program files\Spyware Doctor
2009-03-12 13:39 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-20 01:37 --------- d-----w c:\documents and settings\Owner\Application Data\Intuit
2009-02-20 01:32 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-02-20 01:30 --------- d-----w c:\program files\Common Files\Intuit
2009-02-20 01:30 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-02-20 01:23 --------- d-----w c:\program files\TurboTax
2009-02-18 22:47 --------- d-----w c:\program files\Lexmark 4200 Series
2009-01-29 01:21 6 ----a-w c:\windows\Fonts\wfonts.key
2008-01-21 20:24 610 ---ha-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2007-01-08 18:40 56,912 ---ha-w c:\documents and settings\Owner\g2mdlhlpx.exe
.

------- Sigcheck -------

2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-04 15:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\system32\svchost.exe

2008-04-13 20:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
2004-08-04 15:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\system32\ws2_32.dll

2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2005-05-25 15:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 22:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 c:\windows\system32\drivers\tcpip.sys

2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2004-08-04 15:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\system32\winlogon.exe

2008-04-13 15:20 182656 1df7f42665c94b825322fae71721130d c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
2004-08-04 15:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2008-04-13 14:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
2004-08-04 15:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\drivers\ip6fw.sys

2008-04-13 20:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-04 15:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\system32\services.exe

2008-04-13 20:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-04 15:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\system32\lsass.exe

2008-04-13 20:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
2004-08-04 15:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\system32\ctfmon.exe

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2004-08-04 15:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\userinit.exe

2008-04-13 20:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
2004-08-04 15:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\termsrv.dll

2008-04-13 20:12 17408 50a166237a0fa771261275a405646cc0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\powrprof.dll
2004-08-04 15:00 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\system32\powrprof.dll

2008-04-13 20:11 110080 0da85218e92526972a821587e6a8bf8f c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\imm32.dll
2004-08-04 15:00 110080 87ca7ce6469577f059297b9d6556d66d c:\windows\system32\imm32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\bcmntray" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-26 139264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-06-15 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"MpsOnn"="c:\windows\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe" [2003-06-09 22528]
"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-30 108289]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-01-14 13088]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-06-15 200192]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys --> c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
mStart Page = hxxp://www.gatewaybiz.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 09:14:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\bcmntray.EXE
c:\program files\Lexmark 4200 Series\lxbmbmon.exe
.
**************************************************************************
.
Completion time: 2009-04-01 9:17:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-01 13:17:03
ComboFix2.txt 2009-03-31 16:29:03
ComboFix3.txt 2009-01-25 00:52:35

Pre-Run: 74,413,273,088 bytes free
Post-Run: 74,407,337,984 bytes free

174 --- E O F --- 2009-03-17 18:53:07



Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:37 AM, on 4/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4909 bytes

#13 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:11:53 PM

Posted 01 April 2009 - 09:05 AM

Hello garreck,

I had already uninstalled with AVG Remover(32bit).

Do you mind re-running it?

c:\documents and settings\Administrator.YOUR-F2BB931F71

This folder was created very recently on 12.3.09
Did you download Vista or Windows 7 to see how it is? There is a SampleView folder also.

Have a look inside all of them, and see if they have something familiar.
c:\documents and settings\Administrator.YOUR-F2BB931F71\WINDOWS
c:\documents and settings\Administrator.YOUR-F2BB931F71\Application Data\SampleView

Java 2 Runtime Environment Standard Edition v1.3.1_02
and
J2SE Runtime Environment 5.0 Update 2

Uninstall all; they are very old versions.

I have completed everything else except Kaspersky. It required updated JAVA.

I know, that's why I posted to update Java.

While running ComboFix, it says that AVG is still running. I had already uninstalled with AVG Remover(32bit). Just an FYI

AVG Anti-Virus Network Edition

Combofix shows that the above is running. That is AVG Network Edition.
Is this pc connected with a Network?

Go Start > Search > For Files and Folders and copy/paste in the search box, and click on search:
AVG Anti-Virus Network Edition

When the search is done, note down or save in notepad, the places AVG is found, and post them back here.

Edited by chryssi2001, 01 April 2009 - 09:08 AM.

Private Messages for personal support will be ignored. If you need help post in the forum.

#14 garreck

garreck
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 01 April 2009 - 12:47 PM

Hello chryssi2001,

Do you mind re-running it?


Re-ran AVG Remover

c:\documents and settings\Administrator.YOUR-F2BB931F71

This folder was created very recently on 12.3.09
Did you download Vista or Windows 7 to see how it is? There is a SampleView folder also.

Have a look inside all of them, and see if they have something familiar.
c:\documents and settings\Administrator.YOUR-F2BB931F71\WINDOWS
c:\documents and settings\Administrator.YOUR-F2BB931F71\Application Data\SampleView


Took a look and the folders were empty. Not sure what happened there.

Go Start > Search > For Files and Folders and copy/paste in the search box, and click on search:
AVG Anti-Virus Network Edition

When the search is done, note down or save in notepad, the places AVG is found, and post them back here.


No results found

AVG Remover created this:

2009-04-01 16:35:39,609 DEBUG Avg8Uninstall\Directories key failed to open (error: e0010013)
2009-04-01 16:35:39,609 WARN AvgDir param empty.
2009-04-01 16:35:39,609 WARN AvgDataDir param empty.
2009-04-01 16:35:46,281 INFO AvgRemover runs in attempt number 1
2009-04-01 16:35:46,281 INFO ***** Services *****
2009-04-01 16:35:46,281 INFO Processing service avg8emc
2009-04-01 16:35:46,281 INFO Service avg8emc is not installed
2009-04-01 16:35:46,281 DEBUG Service avg8emc RegCleanup
2009-04-01 16:35:46,281 DEBUG Registry keys for service avg8emc are not present
2009-04-01 16:35:46,281 INFO Processing service avgfws8
2009-04-01 16:35:46,281 INFO Service avgfws8 is not installed
2009-04-01 16:35:46,281 DEBUG Service avgfws8 RegCleanup
2009-04-01 16:35:46,281 DEBUG Registry keys for service avgfws8 are not present
2009-04-01 16:35:46,281 INFO Processing service avg8wd
2009-04-01 16:35:46,281 INFO Service avg8wd is not installed
2009-04-01 16:35:46,281 DEBUG Service avg8wd RegCleanup
2009-04-01 16:35:46,281 DEBUG Registry keys for service avg8wd are not present
2009-04-01 16:35:46,281 INFO Processing service AvgMfx86
2009-04-01 16:35:46,281 INFO Service AvgMfx86 is not installed
2009-04-01 16:35:46,281 DEBUG Service AvgMfx86 RegCleanup
2009-04-01 16:35:46,281 DEBUG Registry keys for service AvgMfx86 are not present
2009-04-01 16:35:46,281 INFO Processing service AvgMfx64
2009-04-01 16:35:46,281 INFO Service AvgMfx64 is not installed
2009-04-01 16:35:46,281 DEBUG Service AvgMfx64 RegCleanup
2009-04-01 16:35:46,281 DEBUG Registry keys for service AvgMfx64 are not present
2009-04-01 16:35:46,281 INFO Processing service AvgLdx86
2009-04-01 16:35:46,281 INFO Service AvgLdx86 is not installed
2009-04-01 16:35:46,281 DEBUG Service AvgLdx86 RegCleanup
2009-04-01 16:35:46,281 DEBUG Registry keys for service AvgLdx86 are not present
2009-04-01 16:35:46,281 INFO Processing service AvgLdx64
2009-04-01 16:35:46,281 INFO Service AvgLdx64 is not installed
2009-04-01 16:35:46,281 DEBUG Service AvgLdx64 RegCleanup
2009-04-01 16:35:46,281 DEBUG Registry keys for service AvgLdx64 are not present
2009-04-01 16:35:46,281 INFO Processing service AvgTdiX
2009-04-01 16:35:46,281 INFO Service AvgTdiX is not installed
2009-04-01 16:35:46,281 DEBUG Service AvgTdiX RegCleanup
2009-04-01 16:35:46,281 DEBUG Registry keys for service AvgTdiX are not present
2009-04-01 16:35:46,281 INFO Processing service AvgTdiA
2009-04-01 16:35:46,281 INFO Service AvgTdiA is not installed
2009-04-01 16:35:46,296 DEBUG Service AvgTdiA RegCleanup
2009-04-01 16:35:46,296 DEBUG Registry keys for service AvgTdiA are not present
2009-04-01 16:35:46,296 INFO Processing service AvgWFPx
2009-04-01 16:35:46,296 INFO Service AvgWFPx is not installed
2009-04-01 16:35:46,296 DEBUG Service AvgWFPx RegCleanup
2009-04-01 16:35:46,296 DEBUG Registry keys for service AvgWFPx are not present
2009-04-01 16:35:46,296 INFO Processing service AvgWFPa
2009-04-01 16:35:46,296 INFO Service AvgWFPa is not installed
2009-04-01 16:35:46,296 DEBUG Service AvgWFPa RegCleanup
2009-04-01 16:35:46,296 DEBUG Registry keys for service AvgWFPa are not present
2009-04-01 16:35:46,296 INFO Processing service AvgRkx86
2009-04-01 16:35:46,296 INFO Service AvgRkx86 is not installed
2009-04-01 16:35:46,296 DEBUG Service AvgRkx86 RegCleanup
2009-04-01 16:35:46,296 DEBUG Registry keys for service AvgRkx86 are not present
2009-04-01 16:35:46,296 INFO ***** Registry keys and values *****
2009-04-01 16:35:46,296 INFO Processing registry SOFTWARE\Mozilla\Firefox\Extensions
2009-04-01 16:35:46,296 DEBUG Value SOFTWARE\Mozilla\Firefox\Extensions:{3f963a5b-e555-4543-90e2-c3908898db71} Remove
2009-04-01 16:35:46,296 INFO Value SOFTWARE\Mozilla\Firefox\Extensions:{3f963a5b-e555-4543-90e2-c3908898db71} is not present
2009-04-01 16:35:46,296 INFO Processing registry SOFTWARE\Mozilla\Firefox\Extensions
2009-04-01 16:35:46,296 DEBUG Value SOFTWARE\Mozilla\Firefox\Extensions:{1d5287d1-8a92-0001-1f31-1cec198018d8} Remove
2009-04-01 16:35:46,296 INFO Value SOFTWARE\Mozilla\Firefox\Extensions:{1d5287d1-8a92-0001-1f31-1cec198018d8} is not present
2009-04-01 16:35:46,296 INFO Processing registry SYSTEM\CurrentControlSet\Services\Eventlog\Application\Avg8Alrt
2009-04-01 16:35:46,296 DEBUG Key SYSTEM\CurrentControlSet\Services\Eventlog\Application\Avg8Alrt ForceRemove
2009-04-01 16:35:46,296 DEBUG Key SYSTEM\CurrentControlSet\Services\Eventlog\Application\Avg8Alrt not found
2009-04-01 16:35:46,296 INFO Processing registry SYSTEM\CurrentControlSet\Services\Eventlog\Application\AvgEms
2009-04-01 16:35:46,296 DEBUG Key SYSTEM\CurrentControlSet\Services\Eventlog\Application\AvgEms ForceRemove
2009-04-01 16:35:46,296 DEBUG Key SYSTEM\CurrentControlSet\Services\Eventlog\Application\AvgEms not found
2009-04-01 16:35:46,296 INFO Processing registry SYSTEM\CurrentControlSet\Services\Avg
2009-04-01 16:35:46,296 DEBUG Key SYSTEM\CurrentControlSet\Services\Avg ForceRemove
2009-04-01 16:35:46,296 DEBUG Key SYSTEM\CurrentControlSet\Services\Avg not found
2009-04-01 16:35:46,296 INFO Processing registry SYSTEM\CurrentControlSet\Services\Avg
2009-04-01 16:35:46,296 DEBUG Key SYSTEM\CurrentControlSet\Services\Avg ForceRemove
2009-04-01 16:35:46,296 DEBUG Key SYSTEM\CurrentControlSet\Services\Avg not found
2009-04-01 16:35:46,296 INFO Processing registry SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2AF1721-312E-4B07-8B17-CEB780DCD054}
2009-04-01 16:35:46,296 DEBUG Key SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2AF1721-312E-4B07-8B17-CEB780DCD054} ForceRemove
2009-04-01 16:35:46,296 DEBUG Key SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2AF1721-312E-4B07-8B17-CEB780DCD054} not found
2009-04-01 16:35:46,296 INFO Processing registry SOFTWARE\Microsoft\Exchange\Client\Extensions
2009-04-01 16:35:46,296 DEBUG Value SOFTWARE\Microsoft\Exchange\Client\Extensions:Outlook Setup Extension Remove
2009-04-01 16:35:46,296 INFO Value SOFTWARE\Microsoft\Exchange\Client\Extensions:Outlook Setup Extension is not present
2009-04-01 16:35:46,296 INFO Processing registry SOFTWARE\Microsoft\Exchange\Client\Extensions
2009-04-01 16:35:46,296 DEBUG Value SOFTWARE\Microsoft\Exchange\Client\Extensions:AVG Exchange Extension Remove
2009-04-01 16:35:46,296 INFO Value SOFTWARE\Microsoft\Exchange\Client\Extensions:AVG Exchange Extension is not present
2009-04-01 16:35:46,296 INFO Processing registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
2009-04-01 16:35:46,296 DEBUG Value SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:AppInit_DLLs Modify
2009-04-01 16:35:46,296 DEBUG Reading SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:AppInit_DLLs failed (error: e001003d)
2009-04-01 16:35:46,296 DEBUG Value SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:AppInit_DLLs Modify failed
2009-04-01 16:35:46,296 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
2009-04-01 16:35:46,296 DEBUG Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} Remove
2009-04-01 16:35:46,296 INFO Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} is not present
2009-04-01 16:35:46,296 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
2009-04-01 16:35:46,296 DEBUG Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} Remove
2009-04-01 16:35:46,296 INFO Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} is not present
2009-04-01 16:35:46,296 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
2009-04-01 16:35:46,296 DEBUG Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} Remove
2009-04-01 16:35:46,296 INFO Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} is not present
2009-04-01 16:35:46,296 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
2009-04-01 16:35:46,312 DEBUG Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} Remove
2009-04-01 16:35:46,312 INFO Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} is not present
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2009-04-01 16:35:46,312 DEBUG Value SOFTWARE\Microsoft\Windows\CurrentVersion\Run:AVG8_TRAY Remove
2009-04-01 16:35:46,312 INFO Value SOFTWARE\Microsoft\Windows\CurrentVersion\Run:AVG8_TRAY is not present
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG8Uninstall
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG8Uninstall ForceRemove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG8Uninstall not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3 ForceRemove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3 not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3 ForceRemove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3 not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\Classes\AvgDiagFile
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\AvgDiagFile ForceRemove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\AvgDiagFile not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\Classes\AvgDiagFile
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\AvgDiagFile ForceRemove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\AvgDiagFile not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\Classes\.avgdi
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\.avgdi ForceRemove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\.avgdi not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\AVG8 Shell Extension
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\AVG8 Shell Extension ForceRemove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\AVG8 Shell Extension not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG8 Shell Extension
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG8 Shell Extension ForceRemove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG8 Shell Extension not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AVG8 Shell Extension
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AVG8 Shell Extension ForceRemove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AVG8 Shell Extension not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\AVG\Clients
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\AVG\Clients ForceRemove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\AVG\Clients not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\AVG\AVG8
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\AVG\AVG8 ForceRemove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\AVG\AVG8 not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\AVG
2009-04-01 16:35:46,312 DEBUG Value SOFTWARE\AVG:DumpType Remove
2009-04-01 16:35:46,312 DEBUG Value SOFTWARE\AVG:DumpType not present - Key not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\AVG
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\AVG Remove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\AVG not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\AVG\AVG8
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\AVG\AVG8 ForceRemove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\AVG\AVG8 not found
2009-04-01 16:35:46,312 INFO Processing registry SOFTWARE\AVG
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\AVG Remove
2009-04-01 16:35:46,312 DEBUG Key SOFTWARE\AVG not found
2009-04-01 16:35:46,312 INFO Processing registry aAvgAPI.AvgBro
2009-04-01 16:35:46,312 DEBUG Key aAvgAPI.AvgBro ForceRemove
2009-04-01 16:35:46,312 DEBUG Key aAvgAPI.AvgBro not found
2009-04-01 16:35:46,312 INFO Processing registry AVG.Office
2009-04-01 16:35:46,312 DEBUG Key AVG.Office ForceRemove
2009-04-01 16:35:46,312 DEBUG Key AVG.Office not found
2009-04-01 16:35:46,312 INFO Processing registry AVG.Office.8
2009-04-01 16:35:46,312 DEBUG Key AVG.Office.8 ForceRemove
2009-04-01 16:35:46,312 DEBUG Key AVG.Office.8 not found
2009-04-01 16:35:46,312 INFO Processing registry avgtoolbar.AVGTOOLBAR
2009-04-01 16:35:46,312 DEBUG Key avgtoolbar.AVGTOOLBAR ForceRemove
2009-04-01 16:35:46,312 DEBUG Key avgtoolbar.AVGTOOLBAR not found
2009-04-01 16:35:46,312 INFO Processing registry avgtoolbar.AVGTOOLBARMenu Button
2009-04-01 16:35:46,312 DEBUG Key avgtoolbar.AVGTOOLBARMenu Button ForceRemove
2009-04-01 16:35:46,312 DEBUG Key avgtoolbar.AVGTOOLBARMenu Button not found
2009-04-01 16:35:46,312 INFO Processing registry avgtoolbar.AVGTOOLBARToggle Button
2009-04-01 16:35:46,312 DEBUG Key avgtoolbar.AVGTOOLBARToggle Button ForceRemove
2009-04-01 16:35:46,312 DEBUG Key avgtoolbar.AVGTOOLBARToggle Button not found
2009-04-01 16:35:46,312 INFO Processing registry LinkScannerIE.NavFilter
2009-04-01 16:35:46,312 DEBUG Key LinkScannerIE.NavFilter ForceRemove
2009-04-01 16:35:46,312 DEBUG Key LinkScannerIE.NavFilter not found
2009-04-01 16:35:46,312 INFO Processing registry LinkScannerIE.NavFilter.1
2009-04-01 16:35:46,312 DEBUG Key LinkScannerIE.NavFilter.1 ForceRemove
2009-04-01 16:35:46,312 DEBUG Key LinkScannerIE.NavFilter.1 not found
2009-04-01 16:35:46,312 INFO Processing registry CLSID\{04373D9C-5ED8-44f2-BA00-7895D6A5A2DA}
2009-04-01 16:35:46,312 DEBUG Key CLSID\{04373D9C-5ED8-44f2-BA00-7895D6A5A2DA} ForceRemove
2009-04-01 16:35:46,312 DEBUG Key CLSID\{04373D9C-5ED8-44f2-BA00-7895D6A5A2DA} not found
2009-04-01 16:35:46,312 INFO Processing registry CLSID\{18B30EBF-6B58-425E-AC54-831C05D91B5A}
2009-04-01 16:35:46,312 DEBUG Key CLSID\{18B30EBF-6B58-425E-AC54-831C05D91B5A} ForceRemove
2009-04-01 16:35:46,312 DEBUG Key CLSID\{18B30EBF-6B58-425E-AC54-831C05D91B5A} not found
2009-04-01 16:35:46,312 INFO Processing registry CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
2009-04-01 16:35:46,312 DEBUG Key CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ForceRemove
2009-04-01 16:35:46,312 DEBUG Key CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} not found
2009-04-01 16:35:46,312 INFO Processing registry CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
2009-04-01 16:35:46,312 DEBUG Key CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} ForceRemove
2009-04-01 16:35:46,312 DEBUG Key CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} not found
2009-04-01 16:35:46,312 INFO Processing registry CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
2009-04-01 16:35:46,312 DEBUG Key CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} ForceRemove
2009-04-01 16:35:46,312 DEBUG Key CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} not found
2009-04-01 16:35:46,312 INFO Processing registry CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}
2009-04-01 16:35:46,312 DEBUG Key CLSID\{A057A204-BACC-4D26-9990-79A187E2698E} ForceRemove
2009-04-01 16:35:46,312 DEBUG Key CLSID\{A057A204-BACC-4D26-9990-79A187E2698E} not found
2009-04-01 16:35:46,312 INFO Processing registry CLSID\{A057A204-BACC-4D26-9990-79A187E2698F}
2009-04-01 16:35:46,312 DEBUG Key CLSID\{A057A204-BACC-4D26-9990-79A187E2698F} ForceRemove
2009-04-01 16:35:46,312 DEBUG Key CLSID\{A057A204-BACC-4D26-9990-79A187E2698F} not found
2009-04-01 16:35:46,312 INFO Processing registry CLSID\{A057A204-BACC-4D26-9990-79A187E26990}
2009-04-01 16:35:46,312 DEBUG Key CLSID\{A057A204-BACC-4D26-9990-79A187E26990} ForceRemove
2009-04-01 16:35:46,312 DEBUG Key CLSID\{A057A204-BACC-4D26-9990-79A187E26990} not found
2009-04-01 16:35:46,312 INFO Processing registry CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}
2009-04-01 16:35:46,312 DEBUG Key CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} ForceRemove
2009-04-01 16:35:46,312 DEBUG Key CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} not found
2009-04-01 16:35:46,312 INFO Processing registry Interface\{52261B0E-CA1A-4FA9-9805-4D01202DF09D}
2009-04-01 16:35:46,312 DEBUG Key Interface\{52261B0E-CA1A-4FA9-9805-4D01202DF09D} ForceRemove
2009-04-01 16:35:46,312 DEBUG Key Interface\{52261B0E-CA1A-4FA9-9805-4D01202DF09D} not found
2009-04-01 16:35:46,312 INFO Processing registry Interface\{8EA1F9F2-997A-4832-8E09-815E3D0C0A0C}
2009-04-01 16:35:46,312 DEBUG Key Interface\{8EA1F9F2-997A-4832-8E09-815E3D0C0A0C} ForceRemove
2009-04-01 16:35:46,312 DEBUG Key Interface\{8EA1F9F2-997A-4832-8E09-815E3D0C0A0C} not found
2009-04-01 16:35:46,312 INFO Processing registry TypeLib\{3E536428-8E1A-4A2C-8463-4A8F74763C30}
2009-04-01 16:35:46,312 DEBUG Key TypeLib\{3E536428-8E1A-4A2C-8463-4A8F74763C30} ForceRemove
2009-04-01 16:35:46,312 DEBUG Key TypeLib\{3E536428-8E1A-4A2C-8463-4A8F74763C30} not found
2009-04-01 16:35:46,312 INFO Processing registry TypeLib\{5DAB1D4C-D020-41CD-936F-D63FF662E9F7}
2009-04-01 16:35:46,328 DEBUG Key TypeLib\{5DAB1D4C-D020-41CD-936F-D63FF662E9F7} ForceRemove
2009-04-01 16:35:46,328 DEBUG Key TypeLib\{5DAB1D4C-D020-41CD-936F-D63FF662E9F7} not found
2009-04-01 16:35:46,328 INFO Processing registry TypeLib\{A0C8F0F1-DE25-4ADB-8F0B-508F6CA43DE9}
2009-04-01 16:35:46,328 DEBUG Key TypeLib\{A0C8F0F1-DE25-4ADB-8F0B-508F6CA43DE9} ForceRemove
2009-04-01 16:35:46,328 DEBUG Key TypeLib\{A0C8F0F1-DE25-4ADB-8F0B-508F6CA43DE9} not found
2009-04-01 16:35:46,328 INFO ***** Files and folders *****
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 0
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 1
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 2
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 3
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 4
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 5
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 6
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 7
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 8
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 9
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 10
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 11
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 12
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 13
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 14
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 15
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 16
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 17
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 18
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 19
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 20
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 21
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 22
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 23
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 24
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 25
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 26
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 27
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 28
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 29
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 30
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 31
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 32
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 33
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 34
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 35
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 36
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 37
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 38
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 39
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 40
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 41
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 42
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 43
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 44
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 45
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 46
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 47
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 48
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 49
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 50
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 51
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 52
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 53
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 54
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 55
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 56
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 57
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 58
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 59
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 60
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 61
2009-04-01 16:35:46,328 DEBUG Missing ParentDir path for fileItem number 62
2009-04-01 16:35:46,328 DEBUG Processing item C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2009-04-01 16:35:46,328 INFO Directory C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR not found
2009-04-01 16:35:46,328 DEBUG Processing item C:\WINDOWS\System32\Drivers
2009-04-01 16:35:46,328 DEBUG Processing item C:\WINDOWS\System32\Drivers
2009-04-01 16:35:46,328 DEBUG Processing item C:\WINDOWS\System32\Drivers
2009-04-01 16:35:46,328 DEBUG Processing item C:\WINDOWS\System32\Drivers
2009-04-01 16:35:46,328 DEBUG Processing item C:\WINDOWS\System32\Drivers
2009-04-01 16:35:46,328 DEBUG Processing item C:\WINDOWS\System32\Drivers
2009-04-01 16:35:46,328 DEBUG Processing item C:\WINDOWS\System32\Drivers\avg
2009-04-01 16:35:46,328 INFO Directory C:\WINDOWS\System32\Drivers\avg not found
2009-04-01 16:35:46,328 DEBUG Processing item C:\WINDOWS\System32
2009-04-01 16:35:46,328 DEBUG Processing item C:\Documents and Settings\All Users\Start Menu\Programs\avg 8.0
2009-04-01 16:35:46,328 INFO Directory C:\Documents and Settings\All Users\Start Menu\Programs\avg 8.0 not found
2009-04-01 16:35:46,328 DEBUG Processing item C:\Documents and Settings\All Users\Start Menu\Programs\avg free 8.0
2009-04-01 16:35:46,328 INFO Directory C:\Documents and Settings\All Users\Start Menu\Programs\avg free 8.0 not found
2009-04-01 16:35:46,328 DEBUG Processing item C:\Documents and Settings\All Users\Desktop\avg 8.0.lnk
2009-04-01 16:35:46,328 INFO File C:\Documents and Settings\All Users\Desktop\avg 8.0.lnk not found
2009-04-01 16:35:46,328 DEBUG Processing item C:\Documents and Settings\All Users\Desktop\avg free 8.0.lnk
2009-04-01 16:35:46,328 INFO File C:\Documents and Settings\All Users\Desktop\avg free 8.0.lnk not found
2009-04-01 16:35:46,328 DEBUG Processing item C:\Program Files\AVG
2009-04-01 16:35:46,328 INFO Directory C:\Program Files\AVG not found
2009-04-01 16:35:46,328 INFO ***** Avg Fw NDIS driver *****
2009-04-01 16:35:47,406 INFO FW NDIS driver not present


Kaspersky File to follow

#15 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:11:53 PM

Posted 01 April 2009 - 12:58 PM

Ok, I will wait for your Kaspersky report.
Private Messages for personal support will be ignored. If you need help post in the forum.
