Infected with Personal Guard 2009


  • This topic is locked
18 replies to this topic

#1 jxt
Posted 21 November 2009 - 12:20 AM

My boss's computer has recently become infected with Personal Guard 2009, and I tried to remove it to no avail. It keeps reinstalling itself. I installed Norton Antivirus afterwards to see if it would be able to get rid of it, and it seems unable to as well. Also, Norton noted that there is Vundo and some other virus I cannot recall on the laptop that keeps coming back as well. I assume it is part of Personal Guard 2009. I'm not sure what else to do. I followed the instructions and made a DDS log and a RootRepeal log as well. Hope I can get some help with it, thank you.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Richard Hom at 19:20:12.78 on Sun 11/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.330 [GMT -8:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Quicken\bagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\HPMProp.bin
C:\Program Files\Norton AntiVirus\navw32.exe
c:\windows\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc-rel&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [QuickenScheduledUpdates] c:\program files\quicken\bagent.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_01\bin\jusched.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [<NO NAME>]
mRun: [HPUsageTracking] c:\program files\hp\hp ut\bin\hppusg.exe "c:\program files\hp\hp ut\"
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Jvesowal] rundll32.exe "c:\windows\ugivafideluj.dll",Startup
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [hapadeweh] Rundll32.exe "c:\windows\system32\devajusi.dll",a
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton antivirus\osCheck.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\richar~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\richar~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mobile~1.lnk - c:\program files\intellisync mobile suite\client\ClientShell.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_01\bin\npjpi150_01.dll
LSP: bmnet.dll
Trusted Zone: snapon.com\my
Trusted Zone: snapon.com\www
DPF: {3CBA13C3-58C7-47F1-9758-D4B255A50D52} - file:///C:/Snapon/Catalog/SourceFiles/ses_ocx/sessearch.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll vogomiyi.dll c:\windows\system32\devajusi.dll
SSODL: SysNet - {837FFFC7-1027-43FD-9A5E-C056E2ED08E1} - c:\documents and settings\all users\microsoft adata\sysnet.dll
SSODL: pudovoyuv - {9f87f9ec-66cb-448c-9154-c2a96bba6e3b} - c:\windows\system32\devajusi.dll
STS: kupuhivus: {9f87f9ec-66cb-448c-9154-c2a96bba6e3b} - c:\windows\system32\devajusi.dll
LSA: Notification Packages = scecli avcfxmet.dll rugawaba.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richar~1\applic~1\mozilla\firefox\profiles\njgwvm6a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {1ADED5C7-57B8-4558-9CB3-6DC56893366F} - c:\documents and settings\richard hom\local settings\application data\{1ADED5C7-57B8-4558-9CB3-6DC56893366F}

============= SERVICES / DRIVERS ===============

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [2007-1-15 73728]
R3 bcmbusctr;Beceem Devices' Enumerator;c:\windows\system32\drivers\BcmBusCtr.sys [2009-6-3 51328]
R3 cm_ser;C-motech USB Serial Port2 Driver;c:\windows\system32\drivers\cm_ser.sys [2009-11-13 103680]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-15 102448]
S3 bcm;Beceem Communications Inc. Tarang3;c:\windows\system32\drivers\drxvi314.sys [2009-6-3 272384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 jbridgep;jbridgep;c:\docume~1\richar~1\locals~1\temp\jbridgep.sys [2004-10-4 15872]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [2007-10-3 26304]
S3 NWVNDIS;Novatel Wireless Virtual Network Adapter;c:\windows\system32\drivers\NWVNdis.sys [2006-11-7 196096]
S3 SBUSB;ScanBay EMB Programmer;c:\windows\system32\drivers\SBUSB.sys [2006-12-5 101248]

=============== Created Last 30 ================

2009-11-15 21:27:40 0 d-----w- c:\program files\Norton AntiVirus
2009-11-15 21:26:52 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-11-15 21:26:52 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-11-15 21:26:52 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-11-15 21:26:52 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-11-15 21:03:38 0 d-----w- c:\docume~1\richar~1\applic~1\GetRightToGo
2009-11-15 20:58:38 0 d-----w- c:\program files\Personal Guard 2009
2009-11-13 20:19:39 103680 ----a-r- c:\windows\system32\drivers\cm_ser32.sys
2009-11-13 20:19:39 103680 ----a-r- c:\windows\system32\drivers\cm_ser.sys
2009-11-13 20:17:36 0 d-----w- c:\windows\pss
2009-11-13 20:15:25 0 d-----w- c:\docume~1\richar~1\applic~1\Sprint
2009-11-13 20:15:05 17920 ----a-w- c:\windows\system32\apintfnt.dll
2009-11-13 20:14:54 28288 ----a-w- c:\windows\system32\drivers\swmsflt.sys
2009-11-13 20:14:54 0 d-----w- c:\docume~1\richar~1\applic~1\Sierra Wireless
2009-11-13 20:11:59 0 d-----w- c:\program files\Sierra Wireless
2009-11-13 20:11:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Sprint
2009-11-13 20:11:40 0 d-----w- c:\program files\Sprint
2009-11-12 20:47:04 0 d-----w- c:\docume~1\richar~1\applic~1\Malwarebytes
2009-11-12 20:44:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 05:25:37 0 ----a-w- c:\windows\Vgupiyedohaq.bin
2009-11-10 05:25:36 120 ----a-w- c:\windows\Clirawanubililah.dat
2009-11-10 04:42:15 51197 ----a-w- c:\windows\spoov.exe
2009-11-10 04:42:15 47872 ----a-w- c:\windows\certsystem.exe
2009-11-10 04:42:15 38352 ----a-w- c:\windows\regred.exe
2009-11-10 04:42:15 33149 ----a-w- c:\windows\usexplorer.exe
2009-11-10 04:42:15 28320 ----a-w- c:\windows\securits.com
2009-11-10 04:42:15 18941 ----a-w- c:\windows\microsoftdef.dll
2009-11-10 04:42:09 0 d-----w- c:\documents and settings\all users\Microsoft AData
2009-11-10 04:41:47 0 d-sh--w- c:\windows\system32\lowsec
2009-10-22 06:25:26 0 d-----w- c:\windows\system32\winbksb
2009-10-20 17:05:19 1089601 ------w- c:\windows\system32\dllcache\ntprint.cat
2009-10-20 03:44:47 0 d-----w- c:\windows\system32\XPSViewer
2009-10-20 03:43:43 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-20 03:43:43 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-20 03:43:43 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-20 03:43:43 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-20 03:43:43 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-20 03:43:43 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-20 03:43:43 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-20 03:43:42 0 d-----w- C:\55a4ec55091e9f0b0e11a9c545fb
2009-10-20 03:43:23 0 d-----w- c:\windows\SxsCaPendDel
2009-10-20 03:38:20 0 d-----w- c:\program files\MSXML 6.0

==================== Find3M ====================

2009-09-11 14:03:37 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:03:37 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 23:48:20 8464 ----a-w- c:\windows\system32\sporder.dll
2009-09-10 23:48:20 719360 ----a-w- c:\windows\system32\bmutil.dll
2009-09-10 23:48:20 471040 ----a-w- c:\windows\system32\bmnet.dll
2009-09-10 23:48:20 126976 ----a-w- c:\windows\system32\bmdumpd.bin
2009-09-10 23:46:46 61440 ----a-w- c:\windows\system32\pxfhwmcp.dll
2009-09-10 23:46:46 32408 ----a-w- c:\windows\system32\PCTINDIS5.sys
2009-09-10 23:46:46 137752 ----a-w- c:\windows\system32\PCTIN50.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 20:45:26 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2009-08-14 17:38:15 38400 --sha-w- c:\windows\system32\dawusere.dll
2009-08-15 20:17:13 89088 --sha-w- c:\windows\system32\devajusi.dll
2009-08-13 05:42:26 39424 --sha-w- c:\windows\system32\fubaneko.dll
2009-08-09 19:46:31 37888 --sha-w- c:\windows\system32\gesewufi.dll
2009-08-09 19:46:31 89088 --sha-w- c:\windows\system32\gohifodi.dll
2009-08-13 20:44:37 51712 --sha-w- c:\windows\system32\hetuvigu.dll
2009-08-13 20:43:12 51712 --sha-w- c:\windows\system32\jazukimo.dll
2009-08-08 00:03:50 89088 --sha-w- c:\windows\system32\kewowupa.dll
2009-08-09 19:46:31 51200 --sha-w- c:\windows\system32\mafopiwo.dll
2009-08-10 18:15:03 51200 --sha-w- c:\windows\system32\meseleru.dll
2009-08-15 05:38:35 37888 --sha-w- c:\windows\system32\mozuzubi.dll
2009-08-10 18:15:03 89088 --sha-w- c:\windows\system32\murevalo.dll
2009-08-13 20:44:37 51712 --sha-w- c:\windows\system32\rugawaba.dll
2009-08-11 06:15:18 61440 --sha-w- c:\windows\system32\ruhefife.dll
2009-08-12 17:42:01 90112 --sha-w- c:\windows\system32\segivubo.dll
2009-08-13 20:43:12 38400 --sha-w- c:\windows\system32\tehomake.dll
2009-08-13 20:44:37 51712 --sha-w- c:\windows\system32\vogomiyi.dll
2009-08-08 00:03:50 37888 --sha-w- c:\windows\system32\yivimefe.dll
2009-08-15 20:17:12 38400 --sha-w- c:\windows\system32\zodofigu.dll

============= FINISH: 19:20:29.40 ===============


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/19 11:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9F94000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7ADC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7E42000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\system32\catroot2\dberr.txt
Status: Size mismatch (API: 56114, Raw: 54722)

Path: c:\documents and settings\richard hom\local settings\temp\fla4bc.tmp
Status: Size mismatch (API: 8531826, Raw: 6878826)

Path: c:\documents and settings\richard hom\application data\sprint\sprint smartview\diagnostics.txt
Status: Size mismatch (API: 525527, Raw: 1040727)

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x86d6a578

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x86c5e3d0

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x86c33858

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86d31b50

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa2fd020

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x86c445e0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x860cb958

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x86c2f7a0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa2fd2a0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa2fd800

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x860f69d8

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x86d4e678

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x86bf5c50

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x855d0608

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x86c7b640

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x86bf4870

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x86c2f860

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x86c573f8

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x86c3a4a8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86d30a08

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86c889c0

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x86c7b678

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa2fda50

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86c444d8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86c2fb28

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86c43318

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86bd8318

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x86c12810

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x85fab2f8

==EOF==

Attached Files

  • DDS.txt (16.06KB)
  • Attach.txt (25.69KB)
  • ark.txt (8.11KB)

Edited by jxt, 21 November 2009 - 12:21 AM.



#2 DocSatan
Posted 28 November 2009 - 07:56 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 jxt

Posted 01 December 2009 - 10:01 PM

OK, so this is what happened afterwards. I installed Norton AV, but the problem with that was that it interfered with my boss's program that we need to do our business, so we had to uninstall it, and I doubt the AV was able to do its job. I also attempted to manually remove it, but I believe I missed a script that kept reinstalling Personal Guard 2009, or at least just making the files reappear. I also was unable to get into safe mode to delete certain files like winsc.exe. I assume that Personal Guard is a reason for that as well. I spoke with our company and was told that AVG should work fine with the software, so I installed that and it removed a lot of things. I was now able to delete the Personal Guard folder and related things in regedit, but I am unsure if it got rid of everything. I will perform another DDS scan when I can, because currently I am unable to do so, as I do not have his laptop in my possession. Should I also do another RootRepeal scan?

#4 DocSatan

Posted 02 December 2009 - 07:00 AM

jxt,

Just scan with DDS and post the new log for now. :(

Doc.

#5 jxt

Posted 04 December 2009 - 07:05 AM

Hey Doc, here is the new log. I'm not sure why it says Norton is enabled, though, since it has already been uninstalled.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Richard Hom at 14:12:01.69 on Thu 12/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.216 [GMT -8:00]

FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\dss\Dss2v.exe
C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe
C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
c:\dss\dssw.exe
C:\Program Files\Sprint\Sprint SmartView\bmctl.exe
C:\WINDOWS\system32\HPMProp.bin
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Active-Charge\active-charge.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc-rel&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: {e9133127-059e-47bd-b9fc-beeaf2987770} - davafuhu.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [QuickenScheduledUpdates] c:\program files\quicken\bagent.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [<NO NAME>]
mRun: [HPUsageTracking] c:\program files\hp\hp ut\bin\hppusg.exe "c:\program files\hp\hp ut\"
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Jvesowal] rundll32.exe "c:\windows\ugivafideluj.dll",Startup
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [kbrxtgux] c:\documents and settings\richard hom\local settings\application data\yqekwm\wcipsysguard.exe
mRun: [hapadeweh] Rundll32.exe "c:\windows\system32\pidezabi.dll",a
mRun: [tanunakapo] Rundll32.exe "zugowuva.dll",s
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\richar~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\richar~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mobile~1.lnk - c:\program files\intellisync mobile suite\client\ClientShell.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_01\bin\npjpi150_01.dll
LSP: bmnet.dll
Trusted Zone: snapon.com\my
Trusted Zone: snapon.com\www
DPF: {3CBA13C3-58C7-47F1-9758-D4B255A50D52} - file:///C:/Snapon/Catalog/SourceFiles/ses_ocx/sessearch.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {9082E023-A851-49C4-82D5-7BD536AC946B} = 68.28.50.91 68.28.58.92
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\pidezabi.dll,huhugafe.dll c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: SysNet - {837FFFC7-1027-43FD-9A5E-C056E2ED08E1} - c:\documents and settings\all users\microsoft adata\sysnet.dll
SSODL: darawamor - {6455a172-f7d8-4781-b886-ff788d4fe670} - c:\windows\system32\pidezabi.dll
STS: tokatiluy: {6455a172-f7d8-4781-b886-ff788d4fe670} - c:\windows\system32\pidezabi.dll
LSA: Notification Packages = scecli avcfxmet.dll zugowuva.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richar~1\applic~1\mozilla\firefox\profiles\njgwvm6a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {1ADED5C7-57B8-4558-9CB3-6DC56893366F} - c:\documents and settings\richard hom\local settings\application data\{1ADED5C7-57B8-4558-9CB3-6DC56893366F}

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-11-27 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-27 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-27 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-27 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-27 285392]
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [2007-1-15 73728]
R3 bcmbusctr;Beceem Devices' Enumerator;c:\windows\system32\drivers\BcmBusCtr.sys [2009-6-3 51328]
R3 cm_ser;C-motech USB Serial Port2 Driver;c:\windows\system32\drivers\cm_ser.sys [2009-11-13 103680]
S3 bcm;Beceem Communications Inc. Tarang3;c:\windows\system32\drivers\drxvi314.sys [2009-6-3 272384]
S3 jbridgep;jbridgep;c:\docume~1\richar~1\locals~1\temp\jbridgep.sys [2004-10-4 15872]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [2007-10-3 26304]
S3 NWVNDIS;Novatel Wireless Virtual Network Adapter;c:\windows\system32\drivers\NWVNdis.sys [2006-11-7 196096]
S3 SBUSB;ScanBay EMB Programmer;c:\windows\system32\drivers\SBUSB.sys [2006-12-5 101248]

=============== Created Last 30 ================

2009-11-27 18:09:41 0 d--h--w- C:\$AVG
2009-11-27 18:09:23 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-27 18:09:22 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-27 18:09:22 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-27 18:09:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-27 18:08:59 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-27 18:08:07 0 d-----w- c:\program files\AVG
2009-11-27 18:07:59 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-26 22:06:05 2962 ----a-w- c:\windows\uyapapoxu.dll
2009-11-15 21:03:38 0 d-----w- c:\docume~1\richar~1\applic~1\GetRightToGo
2009-11-13 20:19:39 103680 ----a-r- c:\windows\system32\drivers\cm_ser32.sys
2009-11-13 20:19:39 103680 ----a-r- c:\windows\system32\drivers\cm_ser.sys
2009-11-13 20:17:36 0 d-----w- c:\windows\pss
2009-11-13 20:15:25 0 d-----w- c:\docume~1\richar~1\applic~1\Sprint
2009-11-13 20:15:05 17920 ----a-w- c:\windows\system32\apintfnt.dll
2009-11-13 20:14:54 28288 ----a-w- c:\windows\system32\drivers\swmsflt.sys
2009-11-13 20:14:54 0 d-----w- c:\docume~1\richar~1\applic~1\Sierra Wireless
2009-11-13 20:11:59 0 d-----w- c:\program files\Sierra Wireless
2009-11-13 20:11:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Sprint
2009-11-13 20:11:40 0 d-----w- c:\program files\Sprint
2009-11-12 20:47:04 0 d-----w- c:\docume~1\richar~1\applic~1\Malwarebytes
2009-11-12 20:44:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 05:25:37 0 ----a-w- c:\windows\Vgupiyedohaq.bin
2009-11-10 05:25:36 120 ----a-w- c:\windows\Clirawanubililah.dat
2009-11-10 04:42:15 51197 ----a-w- c:\windows\spoov.exe
2009-11-10 04:42:15 47872 ----a-w- c:\windows\certsystem.exe
2009-11-10 04:42:15 38352 ----a-w- c:\windows\regred.exe
2009-11-10 04:42:15 33149 ----a-w- c:\windows\usexplorer.exe
2009-11-10 04:42:15 28320 ----a-w- c:\windows\securits.com
2009-11-10 04:42:15 18941 ----a-w- c:\windows\microsoftdef.dll
2009-11-10 04:42:09 0 d-----w- c:\documents and settings\all users\Microsoft AData
2009-11-10 04:41:47 0 d-sh--w- c:\windows\system32\lowsec

==================== Find3M ====================

2009-09-11 14:03:37 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:03:37 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 23:48:20 8464 ----a-w- c:\windows\system32\sporder.dll
2009-09-10 23:48:20 719360 ----a-w- c:\windows\system32\bmutil.dll
2009-09-10 23:48:20 471040 ----a-w- c:\windows\system32\bmnet.dll
2009-09-10 23:48:20 126976 ----a-w- c:\windows\system32\bmdumpd.bin
2009-09-10 23:46:46 61440 ----a-w- c:\windows\system32\pxfhwmcp.dll
2009-09-10 23:46:46 32408 ----a-w- c:\windows\system32\PCTINDIS5.sys
2009-09-10 23:46:46 137752 ----a-w- c:\windows\system32\PCTIN50.dll
2009-08-16 08:35:31 1 --sha-w- c:\windows\system32\guyeroso.dll
2009-08-20 07:22:03 61440 --sha-w- c:\windows\system32\kuyahere.dll
2009-08-16 08:35:34 1 --sha-w- c:\windows\system32\pakunuvo.dll
2009-08-18 19:21:53 43520 --sha-w- c:\windows\system32\zimizapa.dll

============= FINISH: 14:12:58.17 ===============




#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 04 December 2009 - 10:15 AM

Hello.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#7 jxt (Topic Starter, Members, 26 posts)

Posted 07 December 2009 - 05:17 PM

I will try to get that done as soon as I can, thank you.

#8 extremeboy (Malware Response Team, 12,975 posts)

Posted 07 December 2009 - 05:45 PM

Sure.

Thanks for letting me know.

#9 extremeboy (Malware Response Team, 12,975 posts)

Posted 11 December 2009 - 08:25 PM

How's everything coming along?

#10 jxt (Topic Starter, Members, 26 posts)

Posted 12 December 2009 - 02:54 AM

Sorry for not having an update. This is finals week for me so I will not be going to work until next week possibly Tuesday. I told my boss just to stay offline for the time being. Thanks for your patience with me.

#11 extremeboy (Malware Response Team, 12,975 posts)

Posted 12 December 2009 - 12:41 PM

Okay. Thanks for letting me know.

I'll leave this topic open until then.

#12 jxt (Topic Starter, Members, 26 posts)

Posted 15 December 2009 - 04:43 PM

Hi, I just got to see my boss's computer and it seems that things got worse. Some infection made it so the laptop would loop the welcome screen. I was able to fix that. When I tried to download ComboFix, it stated that there were bugs, so at the moment I am just waiting. I was contemplating whether or not I should just format the laptop as it seems this bugger is still trying to make things worse. After a forced reboot, the background was changed to one with the message "Your system is infected...etc" while also locking me out from changing it to any other background. Well, that is my update, thank you.

#13 extremeboy (Malware Response Team, 12,975 posts)

Posted 15 December 2009 - 09:27 PM

From the previous logs, one of them IS a backdoor trojan.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#14 jxt (Topic Starter, Members, 26 posts)

Posted 15 December 2009 - 10:54 PM

Wow, didn't know it was that serious. Well I would like to clean it for now and will format it in the near future. Hopefully I can get rid of all the viruses and malware by tonight while I have the laptop. The reason I can't format yet is because we currently don't have all the software needed to get it back to business and won't get it until probably Friday. So, help me get rid of these viruses please. Thank you for your time.

#15 jxt (Topic Starter, Members, 26 posts)

Posted 16 December 2009 - 07:29 AM

So I decided to try and fix some of the things, but I doubt I really got everything. Mozilla seems to be suffering still from pop-ups and such. Anyway, I decided to run DDS again and also RootRepeal. Hopefully I made a dent at least.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Richard Hom at 4:00:33.64 on Wed 12/16/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.429 [GMT -8:00]

FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\Richard Hom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc-rel&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: {e9133127-059e-47bd-b9fc-beeaf2987770} - fegovoku.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [QuickenScheduledUpdates] c:\program files\quicken\bagent.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Internet Security 2010] c:\program files\internetsecurity2010\IS2010.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [<NO NAME>]
mRun: [HPUsageTracking] c:\program files\hp\hp ut\bin\hppusg.exe "c:\program files\hp\hp ut\"
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [hapadeweh] Rundll32.exe "c:\windows\system32\dujiyera.dll",a
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\richar~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\richar~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mobile~1.lnk - c:\program files\intellisync mobile suite\client\ClientShell.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_01\bin\npjpi150_01.dll
LSP: bmnet.dll
Trusted Zone: snapon.com\my
Trusted Zone: snapon.com\www
DPF: {3CBA13C3-58C7-47F1-9758-D4B255A50D52} - file:///C:/Snapon/Catalog/SourceFiles/ses_ocx/sessearch.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\pidezabi.dll huhugafe.dll c:\progra~1\google\google~1\goec62~1.dll c:\windows\temp\tmp5c5.dll hipujage.dll c:\windows\system32\dujiyera.dll
SSODL: SysNet - {837FFFC7-1027-43FD-9A5E-C056E2ED08E1} - c:\documents and settings\all users\microsoft adata\sysnet.dll
SSODL: darawamor - {6455a172-f7d8-4781-b886-ff788d4fe670} - c:\windows\system32\pidezabi.dll
SSODL: piduwifab - {8b92ca66-b794-4899-ab8b-d2d683944dfe} - c:\windows\system32\dujiyera.dll
STS: tokatiluy: {6455a172-f7d8-4781-b886-ff788d4fe670} - c:\windows\system32\pidezabi.dll
STS: gahurihor: {8b92ca66-b794-4899-ab8b-d2d683944dfe} - c:\windows\system32\dujiyera.dll
LSA: Notification Packages = scecli avcfxmet.dll zugowuva.dll vunakifa.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richar~1\applic~1\mozilla\firefox\profiles\njgwvm6a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {1ADED5C7-57B8-4558-9CB3-6DC56893366F} - c:\documents and settings\richard hom\local settings\application data\{1ADED5C7-57B8-4558-9CB3-6DC56893366F}

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-11-27 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-27 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-27 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-27 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-27 285392]
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [2007-1-15 73728]
S3 bcm;Beceem Communications Inc. Tarang3;c:\windows\system32\drivers\drxvi314.sys [2009-6-3 272384]
S3 bcmbusctr;Beceem Devices' Enumerator;c:\windows\system32\drivers\BcmBusCtr.sys [2009-6-3 51328]
S3 cm_ser;C-motech USB Serial Port2 Driver;c:\windows\system32\drivers\cm_ser.sys [2009-11-13 103680]
S3 jbridgep;jbridgep;c:\docume~1\richar~1\locals~1\temp\jbridgep.sys [2004-10-4 15872]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [2007-10-3 26304]
S3 NWVNDIS;Novatel Wireless Virtual Network Adapter;c:\windows\system32\drivers\NWVNdis.sys [2006-11-7 196096]
S3 SBUSB;ScanBay EMB Programmer;c:\windows\system32\drivers\SBUSB.sys [2006-12-5 101248]

=============== Created Last 30 ================

2009-12-03 22:17:16 0 d-----w- c:\docume~1\richar~1\applic~1\AVG9
2009-11-27 18:09:41 0 d--h--w- C:\$AVG
2009-11-27 18:09:23 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-27 18:09:22 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-27 18:09:22 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-27 18:09:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-27 18:08:59 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-27 18:08:07 0 d-----w- c:\program files\AVG
2009-11-27 18:07:59 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-26 22:06:05 2962 ----a-w- c:\windows\uyapapoxu.dll

==================== Find3M ====================

2009-09-13 17:58:24 38912 --sha-w- c:\windows\system32\dileloso.dll
2009-09-14 19:05:45 92672 --sha-w- c:\windows\system32\dujiyera.dll
2009-09-13 17:58:24 92160 --sha-w- c:\windows\system32\fevusota.dll
2009-09-14 19:05:45 38400 --sha-w- c:\windows\system32\ginameye.dll
2009-08-16 08:35:31 1 --sha-w- c:\windows\system32\guyeroso.dll
2009-08-16 08:35:34 1 --sha-w- c:\windows\system32\pakunuvo.dll
2009-09-13 01:00:14 39424 --sha-w- c:\windows\system32\palifomu.dll
2009-09-13 01:00:14 91648 --sha-w- c:\windows\system32\povufuyu.dll
2009-08-18 19:21:53 43520 --sha-w- c:\windows\system32\zimizapa.dll

============= FINISH: 4:01:45.32 ===============

and here is RootRepeal
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/16 04:02
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA04E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AA2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8CBC000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\richard hom\local settings\temp\7c8ab179-d74d-4910-9a30-80444de5f56d.tmp
Status: Allocation size mismatch (API: 8519680, Raw: 0)

Path: c:\documents and settings\richard hom\local settings\temp\89d8676f-acac-47e6-9445-f5cef617da4f.tmp
Status: Allocation size mismatch (API: 4784128, Raw: 0)

==EOF==

Hope to take care of this soon, thanks.
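Editor's note, not part of any post in this thread: the security-relevant content of the two DDS logs above is the set of autostart locations the infection uses. Besides the ordinary Run keys it has planted DLLs in AppInit_DLLs (mapped into every process that loads user32.dll), in the LSA Notification Packages list (loaded inside lsass.exe, which is why a password-change "hook" is the classic credential-stealing spot), and in the SSODL and SharedTaskScheduler keys (loaded by explorer.exe at logon), and it relaunches them through rundll32.exe. The script below is an added example by the editor, not code from BleepingComputer, DDS, or either poster. It parses the line formats DDS prints in its Pseudo HJT report and flags entries that load from those high-value locations, that are bare file names resolved through the loader search order, that sit in temp or per-user writable directories, or that carry the eight-random-letter names this family uses. The sample lines are copied from the log above with two benign entries added; the allow-list, the eight-letter rule and the directory list are assumptions chosen for illustration, not anything DDS itself does.

```python
"""Triage of autostart entries from a DDS 'Pseudo HJT Report'.

Added example by the editor; not code from BleepingComputer, DDS, or either
poster.  It parses the entry formats DDS prints (uRun/mRun, AppInit_DLLs,
SSODL, STS, LSA Notification Packages, BHO, Notify) and flags modules that
load from places or with names a legitimate product rarely uses.  The
allow-list, the eight-letter-name rule and the directory list are assumptions
chosen for illustration, not DDS logic.
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the log in the post above plus two benign
# entries, embedded here so the script runs offline.
SAMPLE = r"""
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [hapadeweh] Rundll32.exe "c:\windows\system32\dujiyera.dll",a
mRun: [tanunakapo] Rundll32.exe "zugowuva.dll",s
uRun: [Internet Security 2010] c:\program files\internetsecurity2010\IS2010.exe
mRun: [kbrxtgux] c:\documents and settings\richard hom\local settings\application data\yqekwm\wcipsysguard.exe
AppInit_DLLs: c:\windows\system32\pidezabi.dll huhugafe.dll c:\progra~1\google\google~1\goec62~1.dll c:\windows\temp\tmp5c5.dll
SSODL: SysNet - {837FFFC7-1027-43FD-9A5E-C056E2ED08E1} - c:\documents and settings\all users\microsoft adata\sysnet.dll
STS: gahurihor: {8b92ca66-b794-4899-ab8b-d2d683944dfe} - c:\windows\system32\dujiyera.dll
LSA: Notification Packages = scecli avcfxmet.dll zugowuva.dll vunakifa.dll
BHO: {e9133127-059e-47bd-b9fc-beeaf2987770} - fegovoku.dll
Notify: igfxcui - igfxdev.dll
"""

# Locations where a foreign DLL gets code into many or privileged processes.
CRITICAL_LOCATIONS = {
    "AppInit_DLLs": "loaded into every process that maps user32.dll",
    "LSA": "Notification Packages run inside lsass.exe and see password changes",
    "SSODL": "ShellServiceObjectDelayLoad, loaded by explorer.exe at logon",
    "STS": "SharedTaskScheduler, loaded by explorer.exe at logon",
}
# Modules treated as known-good for this illustration (assumption).
KNOWN_GOOD = {"scecli", "igfxdev.dll", "goec62~1.dll", "avgrsstx.dll"}
# The droppers in this log use eight random lowercase letters; the rule is
# only a hint (igfxpers.exe would match too, hence the allow-list).
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$")
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\application data\\",
                "\\all users\\microsoft adata\\")
_MODULE = re.compile(r'"?([^"]*?\.(?:exe|dll|com|scr))"?', re.I)


@dataclass
class Finding:
    location: str
    module: str
    reasons: list


def parse(line):
    """Return [(location, module, via_rundll32)] for one DDS autostart line."""
    kind, sep, rest = line.partition(":")
    kind, rest = kind.strip(), rest.strip()
    if not sep:
        return []
    if kind in ("uRun", "mRun", "dRunOnce"):
        body = rest.split("]", 1)[1].strip() if rest.startswith("[") else rest
        via = body.lower().startswith("rundll32.exe")
        if via:                      # keep the DLL, not the rundll32 host
            body = body[len("rundll32.exe"):].strip()
        m = _MODULE.search(body)
        return [(kind, m.group(1), via)] if m else []
    if kind == "AppInit_DLLs":       # space- or comma-separated list
        return [(kind, mod, False) for mod in re.split(r"[\s,]+", rest) if mod]
    if kind == "LSA":                # "Notification Packages = a b c"
        return [(kind, mod, False) for mod in rest.partition("=")[2].split()]
    if kind in ("SSODL", "STS", "BHO", "Notify"):   # "... - {clsid} - path"
        return [(kind, rest.rsplit(" - ", 1)[-1].strip(), False)]
    return []


def assess(location, module, via_rundll32):
    """Return the reasons this entry deserves a look (empty means benign)."""
    name = module.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in KNOWN_GOOD:
        return []
    reasons = []
    if location in CRITICAL_LOCATIONS:
        reasons.append(f"foreign module in {location}: {CRITICAL_LOCATIONS[location]}")
    if via_rundll32:
        reasons.append("Run entry calls a DLL export through rundll32.exe")
    # LSA packages are bare names by design, so that rule is skipped there.
    if "\\" not in module and location != "LSA":
        reasons.append("bare file name, found through the loader search order")
    if RANDOM_NAME.match(name):
        reasons.append("random-looking eight-letter file name")
    if any(d in module.lower() for d in SUSPECT_DIRS):
        reasons.append("lives in a temp or per-user writable directory")
    return reasons


def triage(text):
    """Parse every autostart line in text and return the suspicious entries."""
    findings = []
    for line in text.splitlines():
        for location, module, via in parse(line.strip()):
            reasons = assess(location, module, via)
            if reasons:
                findings.append(Finding(location, module, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.location}] {f.module}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample it reports twelve entries and stays quiet on avgtray.exe, goec62~1.dll, scecli and igfxdev.dll. It also stays quiet on the "Internet Security 2010" Run entry, which is the point worth noticing: a rogue antivirus installs itself under Program Files like any legitimate product, so name and path heuristics will not catch it and the log still has to be read by a person. On the live machine the same values can be pulled with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs` and `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages"`; a rootkit that hides files or registry keys can of course lie to both, which is why the advice above about reformatting once a backdoor is confirmed is the right one.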
