Rogue antivirus security tools will not be removed by Malwarebytes, Help please

Resolved
By JayNori
Nov 20, 2010
Topic Status:
Not open for further replies.
  1. As of yesterday my computer became infected with a rogue antivirus known as Security Tools. I ran my AVG and it found nothing; I ran Malwarebytes and it found 4 infections, and when I clicked remove all and rebooted my computer the rogue antivirus had not been removed. I did also run CCleaner and my TuneUp 1-click maintenance just to be precautious. Also I ran in safe mode with networking because the rogue would not let me use any programs, and I'm afraid my system has been hijacked because it redirects my IE 8 and Firefox whenever I click on any search results from Google. Please help me.
  2. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

  3. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    So I completed all the steps and I am posting all four logs on this page. Also Malwarebytes did find the rogue and needed to restart, but I didn't restart because last time it restarted the rogue wasn't removed. I also have concerns because within the last few days I accessed my bank account and used a couple of passwords on a few other sites. I immediately changed my passwords and anything I could as soon as I found out I could possibly have been hijacked.

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Welcome to TechSpot. I'll help with the malware. But first I will ask that you re-post all logs, pasting them into the next reply. Guess you missed that part. It is way too time consuming if we have to do a copy and paste of any entry to identify it, as happens with attached logs. When they are pasted in, we can do the search directly from within our browser.

    Don't try to edit the first post. Start with a reply after my posts and use multiple posts if needed.

    Thanks.
  5. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    Sorry, I didn't understand that part, but I will.
    I'm hoping this is what you mean.

    Malwarebytes' Anti-Malware 1.44
    Database version: 3510
    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    11/20/2010 10:18:48 AM
    mbam-log-2010-11-20 (10-18-48).txt

    Scan type: Quick Scan
    Objects scanned: 121421
    Time elapsed: 3 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Jay Jay\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
  6. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-11-20 10:20:43
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3500418AS rev.CC38
    Running: lsfsvon1.exe; Driver: C:\DOCUME~1\ADMINI~1.JAY\LOCALS~1\Temp\kgryiaod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----
  7. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    This is the DDS


    DDS (Ver_10-11-10.01) - NTFSx86 NETWORK
    Run by Administrator at 10:21:12.06 on Sat 11/20/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.822 [GMT -5:00]

    AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\explorer.exe
    K:\Secruity&Antivirus Protection\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\windows\7sp_files\styler\tb\StylerTB.dll
    uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    mRun: [VistaDrive] c:\windows\vistadrive\VistaDrive.exe
    mRun: [UnlockerAssistant] c:\program files\unlocker\UnlockerAssistant.exe -H
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Nxurava] rundll32.exe "c:\windows\ixewejoguxa.dll",Startup
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    dRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
    dRun: [HJRUDZ5DT2] c:\windows\temp\Sb2.exe
    dRun: [6BTOP2GA8A] c:\windows\temp\Sb1.exe
    dRun: [CIAxxxxxxx.exe] c:\ciaxxxxxxx.exe\CIAxxxxxxx.exe
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288925219531
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1288925214703
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    TCP: {757ACDF3-519A-40D4-A448-B7C20F55602E} = 4.2.2.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    IFEO: taskmgr.exe - c:\program files\cad 2009 edition\cad2009.exe

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1.jay\applic~1\mozilla\firefox\profiles\b6bh7n75.default\
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {C694FDAD-794A-4C06-A92B-4D386E40ED5F} - c:\documents and settings\jay jay\local settings\application data\{C694FDAD-794A-4C06-A92B-4D386E40ED5F}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.http.max-connections-per-server - 6
    FF - user.js: network.http.max-persistent-connections-per-server - 3
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.search-clsid", "{CC921910-939B-4272-9120-E66114542115}");

    ============= SERVICES / DRIVERS ===============

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-11-4 12552]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-11-4 108552]
    R3 MBX2DFU;Digidesign Mbox 2 Firmware Updater;c:\windows\system32\drivers\dgmbx2fu.sys [2010-11-13 21648]
    S0 eixqcdue;eixqcdue;c:\windows\system32\drivers\vewji.sys --> c:\windows\system32\drivers\vewji.sys [?]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-11-4 335240]
    S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-11-4 27784]
    S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2010-11-4 297752]
    S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2010-11-9 16400]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-4 236368]
    S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2010-11-4 99328]
    S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2010-4-19 1050440]
    S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2010-11-9 85008]
    S3 DGUSBAP;Service for Digidesign Mbox2 (WDM);c:\windows\system32\drivers\dgmbx2.sys [2010-11-13 129040]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-4 19160]
    S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2010-11-9 21904]
    S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2010-2-25 10064]

    =============== Created Last 30 ================

    2010-11-20 15:19:02 54016 ----a-w- c:\windows\system32\drivers\fbqdhsj.sys
    2010-11-20 13:52:30 -------- d-----w- c:\docume~1\admini~1.jay\applic~1\TuneUp Software
    2010-11-20 13:34:31 -------- d-sh--w- c:\documents and settings\administrator.jay-bb4d1ef4b91\PrivacIE
    2010-11-20 03:01:12 -------- d-----w- c:\docume~1\admini~1.jay\locals~1\applic~1\Mozilla
    2010-11-20 02:43:29 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-11-20 02:43:29 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-11-20 02:07:08 0 ----a-w- c:\windows\Xqocujiti.bin
    2010-11-20 02:04:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\WSTB
    2010-11-20 00:51:27 57344 ----a-w- c:\windows\system32\Wnaspint.dll
    2010-11-20 00:51:04 -------- d-----w- c:\program files\Acoustica Shared Effects
    2010-11-20 00:50:21 -------- d-----w- c:\program files\Acoustica Mixcraft 5
    2010-11-17 04:11:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\Acoustica
    2010-11-16 21:05:55 -------- d-----w- c:\program files\iPod
    2010-11-16 20:40:12 1777664 ----a-w- c:\windows\system32\gdiplus.dll
    2010-11-15 21:07:45 -------- d-----w- c:\program files\MixMeister BPM Analyzer
    2010-11-13 15:31:27 -------- d-----w- C:\Just The Way You Are (Remix)
    2010-11-13 15:15:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\DigiDriver
    2010-11-13 15:14:45 21648 ----a-w- c:\windows\system32\drivers\dgmbx2fu.sys
    2010-11-13 15:14:18 8704 ----a-w- c:\windows\system32\dgmbx2co80.dll
    2010-11-13 15:14:18 129040 ----a-w- c:\windows\system32\drivers\dgmbx2.sys
    2010-11-12 04:51:06 73 ----a-w- c:\windows\system32\ssprs.dll
    2010-11-12 04:51:06 1025 ----a-w- c:\windows\system32\sysprs7.dll
    2010-11-12 04:51:06 1025 ----a-w- c:\windows\system32\clauth2.dll
    2010-11-12 04:51:06 1025 ----a-w- c:\windows\system32\clauth1.dll
    2010-11-12 04:51:06 0 ----a-w- c:\windows\system32\lsprst7.dll
    2010-11-12 02:55:25 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2010-11-12 02:55:25 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2010-11-12 00:24:00 -------- d-----w- c:\program files\common files\VST3
    2010-11-12 00:23:36 -------- d-----w- c:\program files\common files\Celemony
    2010-11-10 02:44:12 33792 ----a-w- c:\windows\system32\drivers\cledx.sys
    2010-11-10 02:43:02 16896 ----a-w- c:\windows\system32\drivers\synasUSB.sys
    2010-11-10 02:42:23 -------- d-----w- c:\program files\Steinberg
    2010-11-10 02:37:08 -------- d-----w- c:\program files\Antares Audio Technologies
    2010-11-10 02:33:48 -------- d-----w- c:\program files\common files\KORG
    2010-11-10 02:33:30 -------- d-----w- c:\program files\KORG
    2010-11-10 02:32:54 -------- d-----w- c:\program files\EDIROL
    2010-11-10 02:31:41 -------- d-----w- c:\program files\iZotope
    2010-11-10 02:27:32 -------- d-----w- c:\program files\Waves
    2010-11-10 02:18:32 -------- d-----w- c:\program files\ASIO4ALL v2
    2010-11-10 02:18:05 1554944 ----a-w- c:\windows\system32\vorbis.acm
    2010-11-10 02:17:47 -------- d-----w- c:\program files\VstPlugins
    2010-11-10 02:17:45 -------- d-----w- c:\program files\Outsim
    2010-11-10 02:16:10 -------- d-----w- c:\program files\Image-Line
    2010-11-10 02:01:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Celemony Software GmbH
    2010-11-10 01:52:49 -------- d-----w- c:\program files\FXpansion
    2010-11-10 01:47:56 -------- d-----w- c:\program files\Celemony
    2010-11-10 01:47:26 368640 ----a-w- c:\windows\system32\ReWire.dll
    2010-11-10 01:47:25 -------- d-----w- c:\program files\M-Audio
    2010-11-10 01:05:40 -------- d-----w- c:\program files\Rail Jon Rogut Software
    2010-11-10 00:45:56 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-11-10 00:45:56 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-11-10 00:45:13 -------- d-----w- c:\program files\iTunes
    2010-11-10 00:45:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-11-10 00:43:50 -------- d-----w- c:\program files\Bonjour
    2010-11-10 00:40:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Digidesign
    2010-11-10 00:36:42 -------- d-----w- c:\program files\InterLok
    2010-11-10 00:33:00 630784 ------w- c:\windows\system32\ilinet.dll
    2010-11-10 00:32:59 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-11-10 00:32:58 85008 ----a-w- c:\windows\system32\drivers\Dalwdm.sys
    2010-11-10 00:32:58 45568 ----a-w- c:\windows\system32\mbx2midu.dll
    2010-11-10 00:32:58 21904 ----a-w- c:\windows\system32\drivers\mbx2midk.sys
    2010-11-10 00:32:58 217088 ----a-w- c:\windows\system32\qtmlClient.dll
    2010-11-10 00:32:58 21648 ----a-w- c:\windows\system32\drivers\mbx2dfu.sys
    2010-11-10 00:32:58 16400 ----a-w- c:\windows\system32\drivers\diginet.sys
    2010-11-10 00:32:37 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
    2010-11-10 00:32:16 -------- d-----w- c:\program files\Digidesign
    2010-11-10 00:32:15 -------- d-----w- c:\program files\common files\Digidesign
    2010-11-09 20:33:39 -------- d-----w- c:\windows\VistaDrive
    2010-11-08 11:04:09 -------- d-----w- c:\program files\common files\PACE Anti-Piracy
    2010-11-08 11:04:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\PACE Anti-Piracy
    2010-11-08 02:15:37 21504 ----a-w- c:\windows\system32\hidserv.dll
    2010-11-08 02:15:27 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
    2010-11-08 02:14:26 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-11-06 16:37:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2010-11-06 16:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2010-11-06 04:02:36 172032 ----a-w- c:\windows\system32\igfxres.dll
    2010-11-06 03:50:18 -------- d-----w- c:\windows\system32\Lang
    2010-11-06 03:48:07 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
    2010-11-06 03:48:06 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
    2010-11-06 03:48:05 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
    2010-11-06 03:48:04 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
    2010-11-06 03:48:02 142592 ----a-w- c:\windows\system32\drivers\aec.sys
    2010-11-06 03:48:01 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
    2010-11-05 21:19:32 -------- d-----w- c:\windows\system32\appmgmt
    2010-11-05 20:10:29 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
    2010-11-05 20:10:29 35328 ------w- c:\windows\system32\dllcache\sc.exe
    2010-11-05 20:10:29 284160 ------w- c:\windows\system32\dllcache\pdh.dll
    2010-11-05 20:10:28 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
    2010-11-05 20:10:28 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
    2010-11-05 20:10:28 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
    2010-11-05 20:10:28 110592 ------w- c:\windows\system32\dllcache\services.exe
    2010-11-05 20:10:27 715264 ------w- c:\windows\system32\dllcache\ntdll.dll
    2010-11-05 20:05:03 69120 ----a-w- c:\windows\system32\dllcache\NOTEPAD.EXE
    2010-11-05 19:46:10 66048 ----a-w- c:\windows\NOTEPAD.backup
    2010-11-05 19:46:09 1211904 ----a-w- c:\windows\system32\urlmon.backup
    2010-11-05 19:46:08 67584 ----a-w- c:\windows\system32\url.backup
    2010-11-05 19:46:07 2262016 ----a-w- c:\windows\system32\shdocvw.backup
    2010-11-05 19:46:05 5958656 ----a-w- c:\windows\system32\mshtml.backup
    2010-11-05 19:46:04 1090048 ----a-w- c:\windows\system32\browseui.backup
    2010-11-05 19:46:03 1469440 ----a-w- c:\windows\system32\inetcpl.backup
    2010-11-05 19:46:00 200704 ----a-w- c:\windows\system32\wscript.backup
    2010-11-05 19:46:00 118784 ----a-w- c:\windows\system32\winmine.backup
    2010-11-05 19:44:59 514560 ----a-w- c:\windows\system32\cmdial32.backup
    2010-11-05 19:43:59 528384 ----a-w- c:\windows\system32\dmdlgs.backup
    2010-11-05 19:38:10 -------- d-----w- c:\windows\7SP_Files
    2010-11-05 19:20:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-05 19:20:25 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2010-11-05 19:15:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2010-11-05 08:06:47 -------- d--h--w- C:\$AVG8.VAULT$
    2010-11-05 07:45:08 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
    2010-11-05 07:44:56 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
    2010-11-05 07:44:56 265728 ------w- c:\windows\system32\dllcache\http.sys
    2010-11-05 07:44:56 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
    2010-11-05 07:44:43 354816 ------w- c:\windows\system32\dllcache\winhttp.dll
    2010-11-05 03:33:22 -------- d-----w- c:\program files\ViStart
    2010-11-05 03:33:04 -------- d-----w- c:\program files\ViGlance
    2010-11-05 03:28:33 -------- d-----w- C:\extensions
    2010-11-05 03:21:26 30536 ----a-w- c:\windows\system32\TURegOpt.exe
    2010-11-05 03:21:24 30024 ----a-w- c:\windows\system32\uxtuneup.dll
    2010-11-05 03:21:08 -------- d-----w- c:\program files\TuneUp Utilities 2010
    2010-11-05 03:21:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
    2010-11-05 03:20:51 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
    2010-11-05 03:18:37 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
    2010-11-05 03:18:37 32656 ----a-w- c:\windows\system32\msonpmon.dll
    2010-11-05 03:18:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-05 03:18:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-05 03:18:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-05 03:18:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-11-05 03:13:37 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-11-05 03:12:55 -------- d-----w- c:\windows\SHELLNEW
    2010-11-05 03:10:31 -------- d-----w- C:\Intel
    2010-11-05 03:07:16 20328 ----a-w- c:\windows\system32\drivers\cpuz134_x32.sys
    2010-11-05 03:07:16 -------- d-----w- c:\program files\CPUID

    ==================== Find3M ====================

    2010-11-05 03:22:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-11-05 02:54:06 319488 ----a-w- c:\windows\HideWin.exe
    2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-15 06:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-10 05:57:25 919552 ----a-w- c:\windows\system32\wininet.backup
    2010-09-10 05:57:25 1016320 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:57:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:57:23 184320 ----a-w- c:\windows\system32\iepeers.backup
    2010-09-10 05:57:23 1598464 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 724992 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.backup

    ============= FINISH: 10:21:34.60 ===============
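A small triage pass over the DDS entries a helper reads first, as an added example that is not part of the original thread and not the DDS tool's own code: it flags the lines in the log above that are worth asking about (the temp-directory dRun autoruns, the rundll32 entry loading a DLL from c:\windows, the S0 driver with no file on disk, the IFEO redirect of taskmgr.exe). The sample log lines are copied from the post above; the severity labels and the name-randomness heuristic are this example's own assumptions.

```python
"""Triage of DDS "Pseudo HJT Report" and SERVICES/DRIVERS lines (added example;
not the DDS tool's code). Each check returns leads for a human reviewer."""
import ntpath
import re
from collections import Counter

# Sample lines copied from the DDS log posted above, plus two benign entries
# (the AVG tray autorun and the nLite RunOnce) that the checks should ignore.
SAMPLE_LOG = r"""
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Nxurava] rundll32.exe "c:\windows\ixewejoguxa.dll",Startup
uRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRun: [HJRUDZ5DT2] c:\windows\temp\Sb2.exe
dRun: [6BTOP2GA8A] c:\windows\temp\Sb1.exe
dRun: [CIAxxxxxxx.exe] c:\ciaxxxxxxx.exe\CIAxxxxxxx.exe
IFEO: taskmgr.exe - c:\program files\cad 2009 edition\cad2009.exe
S0 eixqcdue;eixqcdue;c:\windows\system32\drivers\vewji.sys --> c:\windows\system32\drivers\vewji.sys [?]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-11-4 108552]
"""

# DDS prefixes: uRun = current-user hive, mRun = machine hive, dRun = default-user hive.
RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[([^\]]+)\] (.*)$")
IFEO_RE = re.compile(r"^IFEO: (\S+) - (.*)$")
SVC_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*)$")

def looks_random(name):
    """Generated-name heuristic (assumption): digits interleaved with letters, almost
    no vowels, a long consonant run, or several rare letters (j q x z)."""
    base = re.sub(r"\.[a-z0-9]+$", "", name.lower())  # drop the extension
    if len(base) < 5 or not base.isalnum():
        return False
    letters = "".join(c for c in base if c.isalpha())
    if not letters:
        return False
    if len(re.findall(r"\d+", base)) >= 2:  # e.g. HJRUDZ5DT2
        return True
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_consonants = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.15 or longest_consonants >= 5 or sum(c in "jqxz" for c in letters) >= 2

def rundll32_target(target):
    """(dll_path, entry_point) for a rundll32 command line, else None."""
    m = re.match(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', target, re.I)
    return (m.group(1), m.group(2)) if m else None

def launched_path(target):
    """The file an autorun entry really loads: the DLL for rundll32, else the exe."""
    dll = rundll32_target(target)
    if dll:
        return dll[0]
    m = re.match(r'^"([^"]+)"', target)
    parts = target.split()
    return m.group(1) if m else (parts[0] if parts else "")

def check_run_entry(hive, name, target, line):
    findings = []
    path = launched_path(target)
    if "\\temp\\" in path.lower():
        findings.append(("high", hive + " entry launched from a temp directory", line))
    dll = rundll32_target(target)
    if dll and ntpath.dirname(dll[0]).lower() == "c:\\windows":
        findings.append(("high", "rundll32 loads a DLL dropped in the Windows directory", line))
    if looks_random(name) or looks_random(ntpath.basename(path)):
        findings.append(("medium", "random-looking autorun name or file name", line))
    return findings

def check_ifeo(image, debugger, line):
    # An IFEO "Debugger" value transparently replaces the image with another program.
    # Rogue AV uses it to block Task Manager, but a legitimate replacement (C.A.D is in
    # the installed-programs list in this thread) sets it too, so this is a review item.
    return [("review", "IFEO debugger redirects %s to %s" % (image, debugger), line)]

def check_service(start, name, display, rest, line):
    # DDS appends "[?]" when the service's file is not on disk; a registered
    # boot-start driver with no file is a classic leftover of a rootkit dropper.
    if rest.rstrip().endswith("[?]"):
        kind = "boot-start driver" if start in ("R0", "S0") else "service"
        return [("high", "%s %s registered but its file is missing" % (kind, name), line)]
    return []

def triage(log_text):
    """Run the checks over each line; returns [(severity, rule, line), ...]."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for regex, check in ((RUN_RE, check_run_entry), (IFEO_RE, check_ifeo), (SVC_RE, check_service)):
            m = regex.match(line)
            if m:
                findings.extend(check(*m.groups(), line))
                break
    return findings

def summarize(findings):
    """Findings per severity; the sample above gives {'high': 4, 'medium': 4, 'review': 1}."""
    return dict(Counter(severity for severity, _, _ in findings))

if __name__ == "__main__":
    for severity, rule, line in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (severity, rule, line))
```

Paste a whole DDS log into `triage()` instead of `SAMPLE_LOG`; entries outside the Run, IFEO and service sections are ignored.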
  8. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    And the attach.


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-10.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/4/2010 10:20:09 PM
    System Uptime: 11/20/2010 10:01:25 AM (0 hours ago)

    Motherboard: Dell Inc. | | 0RY007
    Processor: Intel(R) Celeron(R) CPU 420 @ 1.60GHz | Socket 775 | 1596/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 466 GiB total, 441.708 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    J: is CDROM (CDFS)
    K: is FIXED (FAT32) - 297 GiB total, 219.185 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 11/19/2010 9:31:19 PM - System Checkpoint
    RP2: 11/19/2010 9:42:41 PM - Restore Operation

    ==== Installed Programs ======================

    Acoustica Effects Pack
    Acoustica Mixcraft 5
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.1
    Alky for Applications (Windows XP)
    Antares Auto-Tune Evo RTAS
    Antares Autotune VST RTAS TDM v5.08
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ASIO4ALL
    AVG 8.5
    Avid Audio Drivers (x86)
    Avid Pro Tools Creative Collection 8.0.4
    Avid Pro Tools LE 8.0.4
    Bonjour
    C.A.D [ctrl+alt+del]
    CCleaner
    CPUID CPU-Z 1.56
    DAMN NFO Viewer v2.10.0032.RC3 (Remove Only)
    Digi MME Helper
    Digidesign ElevenRack Driver 1.0.8 (x86)
    Digidesign MP3 Option 8.0
    Edirol HQ Orchestral VSTi v1.03
    FL Studio 9
    Free DigiRack Plug-Ins 8.0.3
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB954550-v5)
    IL Download Manager
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections 12.1.12.0
    Interlok driver setup x32
    iTunes
    iZotope Ozone 4
    Java Auto Updater
    Java(TM) 6 Update 22
    Malwarebytes' Anti-Malware
    Melodyne Runtime 4.0 (x86)
    Melodyne singletrack
    Microsoft .NET Framework (English) v1.0.3705
    Microsoft .NET Framework 1.0 Hotfix (KB928367)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 SP1
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 SP1 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30304
    MixMeister BPM Analyzer 1.0
    Mozilla Firefox (3.6.12)
    MSXML 4.0 SP3 Parser (KB973685)
    PoiZone
    QuickTime
    Realtek High Definition Audio Driver
    reFX Nexus 1.0.0
    reFX Nexus 1.0.9
    Right Click Image Converter
    RocketDock 1.3.5
    Sawer
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB2288953)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Torq LE 1.0.7 (Build 017 - 03 Oct 2008)
    Toxic Biohazard
    TuneUp Utilities
    TuneUp Utilities Language Pack (en-US)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Outlook 2007 Junk Email Filter (KB2443839)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    ViGlance
    Vista Drive Indicator!
    ViStart
    Vst To Rtas Adapter V2.11
    Waves SSL Collection v1.2
    WebFldrs XP
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Media Center Edition 2005 KB973768
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    11/20/2010 8:54:53 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service TuneUp.UtilitiesSvc with arguments "" in order to run the server: {2509ABBC-871E-42E5-A27B-F7DA394B1897}
    11/20/2010 8:52:37 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service TuneUp.UtilitiesSvc with arguments "" in order to run the server: {FCA02D56-BF9D-4591-AD41-E59AF763C64A}
    11/20/2010 8:17:29 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    11/19/2010 9:51:37 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    11/19/2010 9:42:03 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    11/19/2010 9:42:03 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    11/19/2010 9:42:03 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/19/2010 9:42:03 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/19/2010 9:42:03 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    11/19/2010 9:42:03 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/19/2010 9:42:03 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/19/2010 9:41:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    11/19/2010 9:41:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/19/2010 10:01:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
    11/16/2010 3:12:06 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.DebugCRT. Reference error message: The referenced assembly is not installed on your system. .
    11/16/2010 3:12:06 PM, error: SideBySide [59] - Generate Activation Context failed for c:\Program Files\Common Files\Digidesign\DAE\Controllers\C24_Resource804.dll. Reference error message: The operation completed successfully. .
    11/16/2010 3:12:06 PM, error: SideBySide [59] - Generate Activation Context failed for c:\Program Files\Common Files\Digidesign\DAE\Controllers\C24_Resource412.dll. Reference error message: The operation completed successfully. .
    11/16/2010 3:12:06 PM, error: SideBySide [59] - Generate Activation Context failed for c:\Program Files\Common Files\Digidesign\DAE\Controllers\C24_Resource411.dll. Reference error message: The operation completed successfully. .
    11/16/2010 3:12:06 PM, error: SideBySide [59] - Generate Activation Context failed for c:\Program Files\Common Files\Digidesign\DAE\Controllers\C24_Resource404.dll. Reference error message: The operation completed successfully. .
    11/16/2010 3:12:06 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.
    11/16/2010 3:12:04 PM, error: SideBySide [59] - Generate Activation Context failed for c:\Program Files\Common Files\Digidesign\DAE\Controllers\003_Resource804.dll. Reference error message: The operation completed successfully. .
    11/16/2010 3:12:04 PM, error: SideBySide [59] - Generate Activation Context failed for c:\Program Files\Common Files\Digidesign\DAE\Controllers\003_Resource412.dll. Reference error message: The operation completed successfully. .
    11/16/2010 3:12:04 PM, error: SideBySide [59] - Generate Activation Context failed for c:\Program Files\Common Files\Digidesign\DAE\Controllers\003_Resource404.dll. Reference error message: The operation completed successfully. .
    11/13/2010 9:31:47 AM, error: Service Control Manager [7000] - The Digidesign MME Refresh Service service failed to start due to the following error: The system cannot find the file specified.

    ==== End Of File ===========================
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    A cursory check of these logs shows the system to be badly infected. Whether it's all due to one malware program, I can't tell at this time and will see more once you have pasted the logs in.

    I would like you to include this scan and leave the log:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  10. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    I have the results and here they are.

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-20 04:43:19
    # local_time=2010-11-20 11:43:19 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777175 100 0 423077 423077 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=57012
    # found=3
    # cleaned=0
    # scan_time=1525
    C:\Documents and Settings\Jay Jay\Application Data\hotfix.exe a variant of Win32/Adware.FakeAntiSpy.S application 00000000000000000000000000000000 I
    C:\Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan 00000000000000000000000000000000 I
    C:\WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.EE trojan 00000000000000000000000000000000 I
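    Added example, not code from this thread or from ESET: a small Python parser for the ESET Online Scanner log.txt layout posted above. It reads the `# key=value` header, splits each detection line into path, threat name, classification, hash column and trailing flag, and reports how many found items were left uncleaned, which is what the earlier instruction to keep "Remove found threats" unchecked produces on purpose so the helper can review the list first. The line layout, the qualifier words ("a variant of", "probably") and the family-name heuristic (first whitespace-separated token containing a `/` and no backslash) are assumptions drawn from the pasted log; the sample input repeats the three detections shown above.

```python
"""Parse an ESET Online Scanner log.txt (layout as pasted in the thread above)."""
import re
from dataclasses import dataclass

# Constructed sample input: header keys and the three detections copied from the log above.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=false
# scanned=57012
# found=3
# cleaned=0
# scan_time=1525
C:\Documents and Settings\Jay Jay\Application Data\hotfix.exe a variant of Win32/Adware.FakeAntiSpy.S application 00000000000000000000000000000000 I
C:\Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan 00000000000000000000000000000000 I
C:\WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.EE trojan 00000000000000000000000000000000 I
"""

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")            # the hash column before the trailing flag
FAMILY = re.compile(r"^[A-Za-z0-9_]+/")             # e.g. Win32/..., NSIS/..., JS/...
QUALIFIERS = {"a", "variant", "of", "probably"}     # words ESET puts before the family name (assumption)


@dataclass
class Detection:
    path: str
    threat: str
    kind: str
    hash_column: str
    flag: str

    def in_system_dir(self) -> bool:
        """True when the file sits under the Windows directory rather than a user profile."""
        return self.path.lower().startswith("c:\\windows")


def parse_detection(line: str):
    """Split one detection line; returns None for lines that do not match the layout."""
    tokens = line.split()
    if len(tokens) < 5 or not HEX32.match(tokens[-2]):
        return None
    hash_column, flag = tokens[-2], tokens[-1]
    body = tokens[:-2]
    # The path can contain spaces, so find the threat family token from the left:
    # the first token with a '/' that is not part of a Windows path.
    fam_idx = next(
        (i for i, t in enumerate(body) if i > 0 and FAMILY.match(t) and "\\" not in t),
        None,
    )
    if fam_idx is None:
        return None
    start = fam_idx
    while start > 0 and body[start - 1].lower() in QUALIFIERS:
        start -= 1                                   # absorb "a variant of" / "probably ..."
    return Detection(
        path=" ".join(body[:start]),
        threat=" ".join(body[start:fam_idx + 1]),
        kind=" ".join(body[fam_idx + 1:]),
        hash_column=hash_column,
        flag=flag,
    )


def parse_eset_log(text: str) -> dict:
    """Return {'header': {...}, 'detections': [Detection, ...]}."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        det = parse_detection(line)
        if det is not None:
            detections.append(det)
    return {"header": header, "detections": detections}


def removal_gap(report: dict) -> int:
    """Number of items the scanner found but did not clean (found - cleaned)."""
    found = int(report["header"].get("found", len(report["detections"])))
    cleaned = int(report["header"].get("cleaned", 0))
    return found - cleaned


if __name__ == "__main__":
    rep = parse_eset_log(SAMPLE_LOG)
    print(f"remove_checked={rep['header'].get('remove_checked')}, uncleaned={removal_gap(rep)}")
    for d in rep["detections"]:
        where = "system" if d.in_system_dir() else "user profile"
        print(f"[{d.kind:>11}] {where:<12} {d.threat}  <-  {d.path}")
```

    The classification into "system" versus "user profile" locations is only a triage hint: a DLL dropped under C:\WINDOWS with a random name, as in the third line, is the kind of item that a removal tool should handle on reboot rather than a plain file delete, which is why the helper collects the list before removing anything.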
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    The Eset log was posted 4 times. I am going to delete 3 of them!

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Files 
      C:\Documents and Settings\Jay Jay\Application Data\hotfix.exe 
      C:\Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe 
      C:\WINDOWS\ixewejoguxa.dll 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==========================================
    Please go ahead and run Combofix. Paste report in next reply.
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I really hope you get the logs straight! It's taking more of my time to straighten them out than it would take to clean the system! Please leave one copy of the OTMoveIt log when finished and one copy of the Combofix log- I think I put Combofix in your PM. Here are the directions- run one, leave one log!!

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
  13. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    This is the OTMoveIt Log


    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Documents and Settings\Jay Jay\Application Data\hotfix.exe moved successfully.
    C:\Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\ixewejoguxa.dll
    C:\WINDOWS\ixewejoguxa.dll moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Administrator.JAY-BB4D1EF4B91
    ->Temp folder emptied: 34286 bytes
    ->Temporary Internet Files folder emptied: 1016210 bytes
    ->FireFox cache emptied: 6512054 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Jay Jay
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 7.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 11212010_011316
  14. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    Also my computer won't let me run Combofix because of my AVG 8.5, and I can't uninstall AVG.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Try this: AVG
    Please open the AVG Control Center
    • Double-click on the "AVG Resident Shield" component
    • Uncheck the "Turn on AVG Resident Shield"
    • Save the setting.

    To re-enable the AVG Resident Shield
    • Open the AVG Control Center
    • Double-click on the "AVG Resident Shield" component
    • Check the "Turn on AVG Resident Shield"
    • Save the setting.
    =========================================
    If it doesn't work, run Combofix in Safe Mode.

    Can you give me the exact message you get when you try to run Combofix? Everyone with AVG is having this problem- some even with the Resident Shield disabled
  16. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    Well I have to run everything in safe mode because if I run Windows regularly the rogue antivirus will not allow any program to run. The error message I'm getting from ComboFix is "ComboFix cannot run when AVG is installed. This is due to AVG's targeting of ComboFix's files/processes. It would be dangerous to continue. Please uninstall AVG or use another tool." and the error message I get when try to uninstall AVG is 1 error occured. "Local machine: installation failed. Installation: Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key.... Error 0x80070005" those are the two error messages I receive.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    The problem is that when you run in Safe Mode, some processes don't run- so I won't see them!

    Right click on combofix.exe> Rename> change to jaynori.exe then try the scan.
  18. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    Unfortunately it still won't allow it to run. Is there any other program that is similar to combofix that I can use?
     
  19. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    Well by going into program files on my C drive I manually deleted most of AVG (but saved its files so I can make sure it runs) and ComboFix is running, I will reply with the results once it is done.
  20. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    Here is the final piece, ComboFix log. I have not taken my computer off of safe mode and just to let you know I have been doing most of the posting on a laptop not from the infected computer, just to put that out there.


    ComboFix 10-11-20.04 - Administrator 11/21/2010 22:02:55.1.1 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.820 [GMT -5:00]
    Running from: c:\documents and settings\Administrator.JAY-BB4D1EF4B91\Desktop\jaynori.exe
    AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\CIAxxxxxxx.exe
    c:\ciaxxxxxxx.exe\CIAxxxxxxx.exe
    c:\ciaxxxxxxx.exe\config.bin
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\All Users\Documents\Server\admin.txt
    c:\documents and settings\Jay Jay\Application Data\scgdfgasfbh.bat
    c:\documents and settings\Jay Jay\Local Settings\Application Data\{C694FDAD-794A-4C06-A92B-4D386E40ED5F}
    c:\documents and settings\Jay Jay\Local Settings\Application Data\{C694FDAD-794A-4C06-A92B-4D386E40ED5F}\chrome.manifest
    c:\documents and settings\Jay Jay\Local Settings\Application Data\{C694FDAD-794A-4C06-A92B-4D386E40ED5F}\chrome\content\_cfg.js
    c:\documents and settings\Jay Jay\Local Settings\Application Data\{C694FDAD-794A-4C06-A92B-4D386E40ED5F}\chrome\content\overlay.xul
    c:\documents and settings\Jay Jay\Local Settings\Application Data\{C694FDAD-794A-4C06-A92B-4D386E40ED5F}\install.rdf
    c:\documents and settings\Jay Jay\Local Settings\Application Data\78354931.exe
    c:\documents and settings\Jay Jay\Start Menu\Programs\Security Tool.lnk
    c:\windows\system32\lsprst7.dll
    c:\windows\system32\ssprs.dll
    c:\windows\uqiqotiw.dll

    ----- BITS: Possible infected sites -----

    hxxp://au.download.windoj+|Cv+@J:NGD_DQ{zcxLJS@GsnR)'{AC76BA86-7AD7-1033-7B44-A94000000001}
    c:\windows\system32\winlogon.exe . . . is infected!!

    c:\windows\explorer.exe . . . is infected!!

    c:\windows\system32\midimap.dll . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-22 to 2010-11-22 )))))))))))))))))))))))))))))))
    .

    2010-11-22 02:54 . 2010-11-22 02:54 -------- d-----w- C:\$AVG
    2010-11-21 06:13 . 2010-11-21 06:13 -------- d-----w- C:\_OTM
    2010-11-05 03:28 . 2010-11-05 03:28 -------- d-----w- C:\extensions
    2010-11-05 03:12 . 2010-11-05 03:12 -------- d-----r- C:\MSOCache
    2010-11-05 03:10 . 2010-11-05 03:10 -------- d-----w- C:\Intel

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 16:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:57 . 2009-06-13 17:58 1016320 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:57 . 2009-06-13 17:51 1598464 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-10 05:57 . 2009-06-13 17:35 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51 . 2008-04-14 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:38 . 2009-06-13 17:30 1861888 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 06:05 . 2008-04-14 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:37 . 2009-06-13 17:30 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-06-13 17:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    .

    ------- Sigcheck -------

    [-] 2009-06-13 . 038CA45522FE9B756EFB90DBFA9141EA . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

    [-] 2009-06-13 . EC4D66049FCFE818C1D1738DB9A6E5C8 . 568832 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

    [-] 2009-08-06 . F7B2E1B864661A543338AF598F5B9115 . 79072 . . [7.4.7600.226] . . c:\windows\7SP_Files\wuauclt.exe
    [7] 2009-08-06 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\7SP_Files\backup\wuauclt.exe
    [-] 2009-08-06 . F7B2E1B864661A543338AF598F5B9115 . 79072 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe

    [-] 2010-08-23 . 54223CA7190149BE59E1D10413AB88F5 . 724992 . . [5.82] . . c:\windows\7SP_Files\comctl32.dll
    [7] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\7SP_Files\backup\comctl32.dll
    [-] 2010-08-23 . 54223CA7190149BE59E1D10413AB88F5 . 724992 . . [5.82] . . c:\windows\system32\comctl32.dll
    [-] 2010-08-23 . 54223CA7190149BE59E1D10413AB88F5 . 724992 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
    [7] 2010-08-23 . 736B12B725AEB2B07F0241A9F680CB10 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    [-] 2009-05-17 . 45B909FB560A7BED67B3457945999013 . 653312 . . [5.82] . . c:\windows\$NtUninstallKB2296011$\comctl32.dll
    [-] 2009-05-17 . C6CC0229FA60F9E5A2F9E6FD52878665 . 1064448 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    [-] 2009-05-17 . 303673E56D0524AF50B339BD8618E5AC . 931840 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

    [-] 2010-09-10 . 4FADACE7BA753F74F23F34E0EB275BD0 . 6182400 . . [8.00.6001.23067] . . c:\windows\7SP_Files\mshtml.dll
    [7] 2010-09-10 . 8A03CC037E6B7D1796192815231B0C3F . 5958656 . . [8.00.6001.23067] . . c:\windows\7SP_Files\backup\mshtml.dll
    [-] 2010-09-10 . 4FADACE7BA753F74F23F34E0EB275BD0 . 6182400 . . [8.00.6001.23067] . . c:\windows\system32\mshtml.dll
    [-] 2010-09-10 . 4FADACE7BA753F74F23F34E0EB275BD0 . 6182400 . . [8.00.6001.23067] . . c:\windows\system32\dllcache\mshtml.dll
    [-] 2009-06-13 . C94EE53BB0A926279C4C67522031FB7A . 6077440 . . [8.00.6001.22873] . . c:\windows\ie8updates\KB2360131-IE8\mshtml.dll

    [-] 2009-06-13 . 05F5164AC40A1D5DE2188B58DD82101F . 648704 . . [5.1.2600.5512] . . c:\windows\7SP_Files\user32.dll
    [-] 2009-06-13 . 99C1ACB1B8F0F2CECC56515E502B5120 . 575488 . . [5.1.2600.5512] . . c:\windows\7SP_Files\backup\user32.dll
    [-] 2009-06-13 . 05F5164AC40A1D5DE2188B58DD82101F . 648704 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

    [-] 2010-09-10 . 9B374EFDAD4930CB67C57869E12FCBBF . 1016320 . . [8.00.6001.23060] . . c:\windows\7SP_Files\wininet.dll
    [7] 2010-09-10 . 0555E190DCD06B8998E6DDCA42DAEB82 . 919552 . . [8.00.6001.23060] . . c:\windows\7SP_Files\backup\wininet.dll
    [-] 2010-09-10 . 9B374EFDAD4930CB67C57869E12FCBBF . 1016320 . . [8.00.6001.23060] . . c:\windows\system32\wininet.dll
    [-] 2010-09-10 . 9B374EFDAD4930CB67C57869E12FCBBF . 1016320 . . [8.00.6001.23060] . . c:\windows\system32\dllcache\wininet.dll
    [-] 2009-06-13 . A09FCA16773A52C6CB0756D84A5509E4 . 971776 . . [8.00.6001.22873] . . c:\windows\ie8updates\KB2360131-IE8\wininet.dll

    [-] 2009-06-13 . C64877ED8A2092D28D5119C8270117EC . 1512448 . . [6.00.2900.5634] . . c:\windows\explorer.exe
    [-] 2009-06-13 . 6B29E8DCF44B1E2434C4F6F903AE41C8 . 1512448 . . [6.00.2900.5634] . . c:\windows\7SP_Files\explorer.exe
    [-] 2009-06-13 . 7C20A150945965CC47E8289636BF4346 . 2117632 . . [6.00.2900.5634] . . c:\windows\7SP_Files\backup\explorer.exe

    [-] 2010-07-16 . 149217B62C933505058C8FC4BBE5FD37 . 1341440 . . [5.1.2600.6010] . . c:\windows\7SP_Files\ole32.dll
    [7] 2010-07-16 . 8D51FB47062F2A1A9EFECCEF338A4C46 . 1289216 . . [5.1.2600.6010] . . c:\windows\7SP_Files\backup\ole32.dll
    [-] 2010-07-16 . 149217B62C933505058C8FC4BBE5FD37 . 1341440 . . [5.1.2600.6010] . . c:\windows\system32\ole32.dll
    [-] 2010-07-16 . 149217B62C933505058C8FC4BBE5FD37 . 1341440 . . [5.1.2600.6010] . . c:\windows\system32\dllcache\ole32.dll
    [7] 2009-06-13 . 0A80305BFB7346ACB49FD5611B675EC5 . 1288192 . . [5.1.2600.5685] . . c:\windows\$NtUninstallKB979687$\ole32.dll

    [-] 2009-06-13 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

    [-] 2009-06-13 . D440FD3EA29AEB8AC99F22986A87D345 . 727904 . . [8.00.6001.18702] . . c:\windows\7SP_Files\IEXPLORE.EXE
    [-] 2009-06-13 . 56A2008025323B8D2B49184CC6F3FAA1 . 535904 . . [8.00.6001.18702] . . c:\windows\7SP_Files\backup\IEXPLORE.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-06 280779]
    "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
    "RTHDCPL"="RTHDCPL.EXE" [2008-09-02 16851456]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 138008]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2010-06-16 77824]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-06-13 128512]

    c:\documents and settings\Jay Jay\Start Menu\Programs\Startup\
    Refresh Icon Cache.lnk - c:\windows\7SP_Files\Refresh Icon Cache\Refresh Icon Cache.exe [2010-11-5 203139]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-11-05 03:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/4/2010 9:46 PM 12552]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/4/2010 9:46 PM 108552]
    R3 MBX2DFU;Digidesign Mbox 2 Firmware Updater;c:\windows\system32\drivers\dgmbx2fu.sys [11/13/2010 10:14 AM 21648]
    S0 eixqcdue;eixqcdue;c:\windows\system32\drivers\vewji.sys --> c:\windows\system32\drivers\vewji.sys [?]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/4/2010 9:46 PM 335240]
    S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
    S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [11/9/2010 7:32 PM 16400]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/4/2010 10:18 PM 236368]
    S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [4/19/2010 12:45 PM 1050440]
    S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [11/9/2010 7:32 PM 85008]
    S3 DGUSBAP;Service for Digidesign Mbox2 (WDM);c:\windows\system32\drivers\dgmbx2.sys [11/13/2010 10:14 AM 129040]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/4/2010 10:18 PM 19160]
    S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [11/9/2010 7:32 PM 21904]
    S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2/25/2010 10:18 AM 10064]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

    2010-11-14 c:\windows\Tasks\Automatic maintenance.job
    - c:\program files\TuneUp Utilities 2010\OneClickStarter.exe [2010-04-19 17:51]

    2010-11-19 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Jay Jay.job
    - c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-11-05 20:07]

    2010-11-19 c:\windows\Tasks\Malwarebytes' Scheduled Update for Jay Jay.job
    - c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-11-05 20:07]

    2010-11-20 c:\windows\Tasks\VersionCheck.job
    - c:\documents and settings\All Users\Application Data\WSTB\ver64b.exe [2010-11-08 11:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {757ACDF3-519A-40D4-A448-B7C20F55602E} = 4.2.2.1
    FF - ProfilePath - c:\documents and settings\Administrator.JAY-BB4D1EF4B91\Application Data\Mozilla\Firefox\Profiles\b6bh7n75.default\
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.http.max-connections-per-server - 6
    FF - user.js: network.http.max-persistent-connections-per-server - 3
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.search-clsid", "{CC921910-939B-4272-9120-E66114542115}");
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
    HKLM-Run-Nxurava - c:\windows\uqiqotiw.dll
    HKU-Default-Run-CIAxxxxxxx.exe - c:\ciaxxxxxxx.exe\CIAxxxxxxx.exe
    AddRemove-AVG8Uninstall - c:\program files\AVG\AVG8\setup.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-21 22:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1957994488-1500820517-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,17,3f,4b,0f,7b,e6,e2,47,8f,fd,d4,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,17,3f,4b,0f,7b,e6,e2,47,8f,fd,d4,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(732)
    c:\windows\system32\SETUPAPI.dll
    c:\windows\system32\cscui.dll

    - - - - - - - > 'lsass.exe'(836)
    c:\windows\system32\SETUPAPI.dll
    .
    Completion time: 2010-11-21 22:08:26
    ComboFix-quarantined-files.txt 2010-11-22 03:08

    Pre-Run: 473,772,314,624 bytes free
    Post-Run: 473,748,262,912 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - C1FB2D0C706D8B87BF84D43D0B620330
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    It looks like a combination of the Bamital malware, possibly Think Point. Please run the following:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
       winlogon.*
       explorer.*
       midimap.*
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    If we can find good copies of these, I'll replace the infected ones.
    ==============================================
    One other thing I'd like you to do: If the hotfix.exe file is not there, don't worry- it just means it was removed in OTMoveIt:

    The malware authors try to mimic legitimate programs in looks and what the action will be> that's why so many users get drawn into these programs. The main entry we need to find is hotfix.exe. But only in a particular place, so follow these directions:
    1. Boot into Safe Mode
      • Restart your computer and start pressing the F8 key on your keyboard.
      • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    2. End Task
      Click on Start> Run> type in taskmgr> OK.
      Double click on the frame at the top of the Processes column to sort
      Find hotfix.exe and click to Highlight
      Click on End Task
    3. Unhide
      Click on Start> Search> All Files and Folders
      Go up to Tools> Folder Options
      Click on the View tab
      Check 'Show hidden files and folders'
      Uncheck 'Hide protected operating system files (Recommended)'
      Click on OK> Apply> OK
    4. Search
      Go to Search> 'all or part of the name'
      Type in hotfix.exe
      (It should be found in this folder: C:\Documents and Settings\User\Application Data\hotfix.exe
      Do a right click> Delete on the file
    5. Rehide the files and folders.
    Close
    ===============================================
    Reboot the computer back into Normal Mode if you can.
    Not to worry if you can't- you should be able to do it after I replace the infected files with good ones.
    ==============================================
  22. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    Well, hotfix.exe was nowhere to be found in the Task Manager, but I did find it in the OTMoveIt folder and deleted it from there. Also I did what you said, and here are the results:

    SystemLook 04.09.10 by jpshortstuff
    Log created at 22:54 on 22/11/2010 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for " winlogon.*"
    No files found.

    Searching for " explorer.*"
    No files found.

    Searching for " midimap.*"
    No files found.

    -= EOF =-
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Run SystemLook again with the contents in the Codebox as below:


    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      midimap.*
      
      :process
      winlogon.exe
      explorer.exe
      
      :comment
      Make sure you copy *all*  the text in the codebox.
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  24. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    Thank you so much in advance; the rogue, from what I know of, has been completely removed from my computer. And thank you for taking out your time to help me. Here is the next log you asked for.


    SystemLook 04.09.10 by jpshortstuff
    Log created at 11:19 on 24/11/2010 by Jay Jay
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "midimap.*"
    C:\WINDOWS\system32\midimap.dll --a---- 32256 bytes [17:53 13/06/2009] [17:53 13/06/2009] 448937CF6D5D4A4009532DF67B205F92

    ========== process ==========

    winlogon.exe - 1 handle(s) returned.
    File path: \??\C:\WINDOWS\system32\winlogon.exe
    MD5: Unable to calculate MD5.
    Modules:
    \??\C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    C:\WINDOWS\system32\ADVAPI32.dll
    C:\WINDOWS\system32\RPCRT4.dll
    C:\WINDOWS\system32\Secur32.dll
    C:\WINDOWS\system32\AUTHZ.dll
    C:\WINDOWS\system32\msvcrt.dll
    C:\WINDOWS\system32\CRYPT32.dll
    C:\WINDOWS\system32\MSASN1.dll
    C:\WINDOWS\system32\USER32.dll
    C:\WINDOWS\system32\GDI32.dll
    C:\WINDOWS\system32\NDdeApi.dll
    C:\WINDOWS\system32\PROFMAP.dll
    C:\WINDOWS\system32\NETAPI32.dll
    C:\WINDOWS\system32\USERENV.dll
    C:\WINDOWS\system32\PSAPI.DLL
    C:\WINDOWS\system32\REGAPI.dll
    C:\WINDOWS\system32\SETUPAPI.dll
    C:\WINDOWS\system32\VERSION.dll
    C:\WINDOWS\system32\WINSTA.dll
    C:\WINDOWS\system32\WINTRUST.dll
    C:\WINDOWS\system32\IMAGEHLP.dll
    C:\WINDOWS\system32\WS2_32.dll
    C:\WINDOWS\system32\WS2HELP.dll
    C:\WINDOWS\system32\IMM32.DLL
    C:\WINDOWS\system32\shell32.dll
    C:\WINDOWS\system32\SHLWAPI.dll
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    C:\WINDOWS\system32\comctl32.dll
    C:\WINDOWS\system32\MSGINA.dll
    C:\WINDOWS\system32\ODBC32.dll
    C:\WINDOWS\system32\comdlg32.dll
    C:\WINDOWS\system32\odbcint.dll
    C:\WINDOWS\system32\SHSVCS.dll
    C:\WINDOWS\system32\sfc.dll
    C:\WINDOWS\system32\sfc_os.dll
    C:\WINDOWS\system32\ole32.dll
    C:\WINDOWS\system32\Apphelp.dll
    C:\WINDOWS\system32\msctfime.ime
    C:\WINDOWS\system32\WINSCARD.DLL
    C:\WINDOWS\system32\WTSAPI32.dll
    C:\WINDOWS\system32\uxtheme.dll
    C:\WINDOWS\system32\WINMM.dll
    C:\WINDOWS\system32\avgrsstx.dll
    C:\WINDOWS\system32\cscdll.dll
    C:\WINDOWS\system32\rsaenh.dll
    C:\WINDOWS\System32\dimsntfy.dll
    C:\WINDOWS\system32\WlNotify.dll
    C:\WINDOWS\system32\MPR.dll
    C:\WINDOWS\system32\WINSPOOL.DRV
    C:\WINDOWS\system32\SAMLIB.dll
    C:\WINDOWS\system32\cscui.dll
    C:\WINDOWS\system32\xpsp2res.dll
    C:\WINDOWS\system32\NTMARTA.DLL
    C:\WINDOWS\system32\WLDAP32.dll
    C:\WINDOWS\system32\msv1_0.dll
    C:\WINDOWS\system32\cryptdll.dll
    C:\WINDOWS\system32\iphlpapi.dll
    C:\WINDOWS\system32\wdmaud.drv
    C:\WINDOWS\system32\msacm32.drv
    C:\WINDOWS\system32\MSACM32.dll
    C:\WINDOWS\system32\midimap.dll
    C:\WINDOWS\system32\COMRes.dll
    C:\WINDOWS\system32\OLEAUT32.dll
    C:\WINDOWS\system32\CLBCATQ.DLL

    explorer.exe - 1 handle(s) returned.
    File path: C:\WINDOWS\explorer.exe
    MD5: C64877ED8A2092D28D5119C8270117EC
    Modules:
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    C:\WINDOWS\system32\ADVAPI32.dll
    C:\WINDOWS\system32\RPCRT4.dll
    C:\WINDOWS\system32\Secur32.dll
    C:\WINDOWS\system32\BROWSEUI.dll
    C:\WINDOWS\system32\GDI32.dll
    C:\WINDOWS\system32\USER32.dll
    C:\WINDOWS\system32\msvcrt.dll
    C:\WINDOWS\system32\ole32.dll
    C:\WINDOWS\system32\SHLWAPI.dll
    C:\WINDOWS\system32\OLEAUT32.dll
    C:\WINDOWS\system32\SHDOCVW.dll
    C:\WINDOWS\system32\CRYPT32.dll
    C:\WINDOWS\system32\MSASN1.dll
    C:\WINDOWS\system32\CRYPTUI.dll
    C:\WINDOWS\system32\NETAPI32.dll
    C:\WINDOWS\system32\VERSION.dll
    C:\WINDOWS\system32\WININET.dll
    C:\WINDOWS\system32\Normaliz.dll
    C:\WINDOWS\system32\urlmon.dll
    C:\WINDOWS\system32\iertutil.dll
    C:\WINDOWS\system32\WINTRUST.dll
    C:\WINDOWS\system32\IMAGEHLP.dll
    C:\WINDOWS\system32\WLDAP32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\UxTheme.dll
    C:\WINDOWS\system32\ShimEng.dll
    C:\WINDOWS\AppPatch\AcGenral.DLL
    C:\WINDOWS\system32\WINMM.dll
    C:\WINDOWS\system32\MSACM32.dll
    C:\WINDOWS\system32\USERENV.dll
    C:\WINDOWS\system32\IMM32.DLL
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    C:\WINDOWS\system32\comctl32.dll
    C:\Program Files\RocketDock\RocketDock.dll
    C:\WINDOWS\system32\PSAPI.DLL
    C:\WINDOWS\system32\MSCTF.dll
    C:\Program Files\Unlocker\UnlockerHook.dll
    C:\WINDOWS\system32\msctfime.ime
    C:\WINDOWS\system32\appHelp.dll
    C:\WINDOWS\system32\CLBCATQ.DLL
    C:\WINDOWS\system32\COMRes.dll
    C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    C:\Program Files\Microsoft Office\Office12\GrooveUtil.DLL
    C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    C:\Program Files\Microsoft Office\Office12\GrooveNew.DLL
    C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.DLL
    C:\WINDOWS\system32\rsaenh.dll
    C:\WINDOWS\system32\MSImg32.dll
    C:\WINDOWS\System32\cscui.dll
    C:\WINDOWS\System32\CSCDLL.dll
    C:\WINDOWS\system32\themeui.dll
    C:\WINDOWS\system32\xpsp2res.dll
    C:\WINDOWS\system32\ACTXPRXY.DLL
    C:\WINDOWS\system32\LINKINFO.dll
    C:\WINDOWS\system32\ntshrui.dll
    C:\WINDOWS\system32\ATL.DLL
    C:\WINDOWS\system32\SAMLIB.dll
    C:\WINDOWS\system32\msi.dll
    C:\WINDOWS\system32\SETUPAPI.dll
    C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    C:\WINDOWS\system32\msxml3.dll
    C:\WINDOWS\system32\ieframe.dll
    C:\WINDOWS\system32\NETSHELL.dll
    C:\WINDOWS\system32\credui.dll
    C:\WINDOWS\system32\dot3api.dll
    C:\WINDOWS\system32\rtutils.dll
    C:\WINDOWS\system32\dot3dlg.dll
    C:\WINDOWS\system32\OneX.DLL
    C:\WINDOWS\system32\WTSAPI32.dll
    C:\WINDOWS\system32\WINSTA.dll
    C:\WINDOWS\system32\eappcfg.dll
    C:\WINDOWS\system32\MSVCP60.dll
    C:\WINDOWS\system32\eappprxy.dll
    C:\WINDOWS\system32\iphlpapi.dll
    C:\WINDOWS\system32\WS2_32.dll
    C:\WINDOWS\system32\WS2HELP.dll
    C:\WINDOWS\system32\sfc_os.dll
    C:\WINDOWS\system32\browselc.dll
    C:\WINDOWS\system32\webcheck.dll
    C:\WINDOWS\system32\MLANG.dll
    C:\WINDOWS\system32\stobject.dll
    C:\WINDOWS\system32\BatMeter.dll
    C:\WINDOWS\system32\POWRPROF.dll
    C:\Program Files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
    C:\WINDOWS\system32\MSFTEDIT.DLL
    C:\WINDOWS\system32\WPDShServiceObj.dll
    C:\WINDOWS\system32\WINHTTP.dll
    C:\Program Files\Microsoft Office\Office12\GrooveMisc.dll
    C:\WINDOWS\system32\mydocs.dll
    C:\WINDOWS\system32\MPR.dll
    C:\WINDOWS\System32\drprov.dll
    C:\WINDOWS\System32\ntlanman.dll
    C:\WINDOWS\System32\NETUI0.dll
    C:\WINDOWS\System32\NETUI1.dll
    C:\WINDOWS\System32\NETRAP.dll
    C:\WINDOWS\System32\davclnt.dll
    C:\WINDOWS\system32\DUSER.dll
    C:\WINDOWS\system32\PortableDeviceTypes.dll
    C:\WINDOWS\system32\PortableDeviceApi.dll
    C:\WINDOWS\system32\MSGINA.dll
    C:\WINDOWS\system32\ODBC32.dll
    C:\WINDOWS\system32\comdlg32.dll
    C:\WINDOWS\system32\odbcint.dll
    C:\WINDOWS\m3dbli.dll
    C:\WINDOWS\system32\oleacc.dll
    C:\WINDOWS\system32\oledlg.dll
    C:\WINDOWS\system32\dbghelp.dll
    C:\WINDOWS\system32\security.dll
    C:\WINDOWS\system32\NTMARTA.DLL
    C:\WINDOWS\system32\zipfldr.dll
    C:\Program Files\WinRAR\rarext.dll
    C:\WINDOWS\ihobiper.dll
    C:\WINDOWS\system32\ddraw.dll
    C:\WINDOWS\system32\DCIMAN32.dll
    C:\WINDOWS\system32\SXS.DLL
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\RASAPI32.dll
    C:\WINDOWS\system32\rasman.dll
    C:\WINDOWS\system32\TAPI32.dll
    C:\WINDOWS\system32\hnetcfg.dll
    C:\WINDOWS\System32\wshtcpip.dll
    C:\WINDOWS\system32\sensapi.dll
    C:\WINDOWS\system32\msv1_0.dll
    C:\WINDOWS\system32\cryptdll.dll
    C:\WINDOWS\system32\DNSAPI.dll
    C:\WINDOWS\System32\winrnr.dll
    C:\Program Files\Bonjour\mdnsNSP.dll
    C:\WINDOWS\system32\rasadhlp.dll
    C:\WINDOWS\system32\DHCPCSVC.DLL
    C:\WINDOWS\system32\netman.dll
    C:\WINDOWS\system32\MPRAPI.dll
    C:\WINDOWS\system32\ACTIVEDS.dll
    C:\WINDOWS\system32\adsldpc.dll
    C:\WINDOWS\system32\WZCSAPI.DLL
    C:\WINDOWS\system32\WZCSvc.DLL
    C:\WINDOWS\system32\WMI.dll
    C:\WINDOWS\system32\EapolQec.dll
    C:\WINDOWS\system32\QUtil.dll
    C:\WINDOWS\system32\ESENT.dll

    -= EOF =-
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Sorry about System Look- that was my bad! I had the lines one space over.

    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\vewji.sys
    c:\windows\system32\SETUPAPI.dll
    
    DDS::
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    mRun: [Nxurava] rundll32.exe "c:\windows\ixewejoguxa.dll",Startup
    dRun: [HJRUDZ5DT2] c:\windows\temp\Sb2.exe
    dRun: [6BTOP2GA8A] c:\windows\temp\Sb1.exe
    dRun: [CIAxxxxxxx.exe] c:\ciaxxxxxxx.exe\CIAxxxxxxx.exe
    
    RegLock:
    [HKEY_USERS\S-1-5-21-1957994488-1500820517-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
    
    Driver::
    eixqcdue
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ================================
    Run the above and then I'll check the log.
    Do you have the CD for the operating system?

    A question: What happens when you log on to Normal Mode> message? What?
    Do you have any internet access?
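As an added example (not part of this thread, and not code from ComboFix, SystemLook or Malwarebytes), here is a small Python triage script that applies the two checks the helper above is making by eye: a registered driver whose binary ComboFix marks as missing with `[?]` (the `S0 eixqcdue` / `vewji.sys` entry that the CFScript targets), and a DLL loaded into explorer.exe straight from the Windows root instead of a system directory (the `m3dbli.dll` and `ihobiper.dll` entries in the SystemLook process log). The sample lines are copied from the logs posted earlier in the thread; the line regexes, the "boot-start plus missing file is high severity" rule and the Windows-root directory rule are my own assumptions, not the tools' logic, and a hit means "look at this first", not "this is malware".

```python
"""Triage helper for ComboFix service lines and SystemLook ':process' output.

Added example for this thread; not code from ComboFix, SystemLook or the thread's
authors. All heuristics below are the example author's assumptions.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# ComboFix driver/service line: "<start> <name>;<display>;<path> [<meta>]".
# When ComboFix cannot find the file on disk it prints "path --> path [?]".
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<rest>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# Start types that load before most security software; assumed severity boost.
BOOT_START = {"R0", "S0", "R1", "S1"}
WINDOWS_ROOT = r"c:\windows"  # assumed install root, as in the posted logs


def parse_service_line(line: str):
    """Return a dict for one ComboFix service line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    # For the "path --> path" form, keep the last path as the binary location.
    path = m.group("rest").split("-->")[-1].strip()
    return {
        "start": m.group("start"),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": path,
        "file_present": m.group("meta").strip() != "?",
    }


def triage_services(lines: List[str]) -> List[dict]:
    """Flag registered services/drivers whose binary is missing on disk."""
    findings = []
    for line in lines:
        svc = parse_service_line(line)
        if svc is None or svc["file_present"]:
            continue
        severity = "high" if svc["start"] in BOOT_START else "medium"
        findings.append({
            "name": svc["name"], "path": svc["path"], "severity": severity,
            "reason": "registered but binary not found on disk ([?])",
        })
    return findings


def _normalize(path: str) -> str:
    """Strip the NT object-manager prefix SystemLook prints and lower-case."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def parse_systemlook_processes(text: str) -> Dict[str, List[str]]:
    """Return {process: [module paths]} from a SystemLook ':process' section."""
    procs: Dict[str, List[str]] = {}
    current = None
    in_modules = False
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"^(\S+\.exe) - \d+ handle\(s\) returned\.$", line)
        if head:
            current = head.group(1).lower()
            procs[current] = []
            in_modules = False
        elif line == "Modules:":
            in_modules = True
        elif in_modules and current and line:
            procs[current].append(_normalize(line))
        elif not line:
            in_modules = False  # blank line ends the module list
    return procs


def suspicious_modules(procs: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Flag DLLs loaded directly from the Windows root rather than a subfolder."""
    findings = []
    for proc, mods in procs.items():
        for mod in mods:
            if mod.endswith(".exe"):
                continue  # the process image itself is listed first
            if ntpath.dirname(mod) == WINDOWS_ROOT:
                findings.append((proc, mod, "DLL loaded from Windows root, not system32"))
    return findings


# Constructed samples: lines copied from the ComboFix and SystemLook logs above.
SAMPLE_SERVICES = r"""
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/4/2010 9:46 PM 12552]
S0 eixqcdue;eixqcdue;c:\windows\system32\drivers\vewji.sys --> c:\windows\system32\drivers\vewji.sys [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/4/2010 10:18 PM 19160]
""".strip().splitlines()

SAMPLE_SYSTEMLOOK = r"""
========== process ==========

winlogon.exe - 1 handle(s) returned.
File path: \??\C:\WINDOWS\system32\winlogon.exe
MD5: Unable to calculate MD5.
Modules:
\??\C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\avgrsstx.dll

explorer.exe - 1 handle(s) returned.
File path: C:\WINDOWS\explorer.exe
MD5: C64877ED8A2092D28D5119C8270117EC
Modules:
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\m3dbli.dll
C:\Program Files\WinRAR\rarext.dll
C:\WINDOWS\ihobiper.dll

-= EOF =-
"""

if __name__ == "__main__":
    for f in triage_services(SAMPLE_SERVICES):
        print(f"[{f['severity']}] service {f['name']}: {f['reason']} ({f['path']})")
    for proc, mod, why in suspicious_modules(parse_systemlook_processes(SAMPLE_SYSTEMLOOK)):
        print(f"[review] {proc} loaded {mod}: {why}")
```

On the sample data this reports the `eixqcdue` driver as high (boot-start, file missing), the leftover `avg8wd` AVG service as medium (same symptom, but an uninstalled product is the more likely explanation, which matches the `AddRemove-AVG8Uninstall` orphan ComboFix removed), and the two root-level DLLs in explorer.exe. A missing-file entry is not proof of a rootkit: a half-uninstalled product looks the same in this log, so the name and path still need a human look.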