Personal Guard 2009 infection

**ICE-2K** · 2009-10-31, 06:39

Posted earlier but forgot to turn off teatimer.

Here is the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:32 PM, on 10/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\Fode Enterprise\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Personal Guard 2009\personalguard.exe
C:\WINDOWS\system32\winsc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fode Enterprise\Desktop\HijackThis.exe
c:\dell\E-center\gtb2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: MS extension - {C3221010-0AD7-4c09-B17B-EDCFFDA4B7F9} - fow64.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ECenter] "c:\dell\E-Center\gtb.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [perapopif] Rundll32.exe "c:\windows\system32\tutemepi.dll",a
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [personalguard] C:\Program Files\Personal Guard 2009\personalguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Fode Enterprise\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Fode Enterprise\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://playgames.comcast.net/online2...meLauncher.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\tutemepi.dll,dakimuyu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: reset5c - reset5c.dll (file missing)
O21 - SSODL: SysNet - {6BC7B10F-ED61-427A-B5DA-B12EE4403859} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll
O21 - SSODL: fibimehas - {071589eb-95d1-41de-ba26-f1e1eadb2b15} - c:\windows\system32\tutemepi.dll
O22 - SharedTaskScheduler: gahurihor - {071589eb-95d1-41de-ba26-f1e1eadb2b15} - c:\windows\system32\tutemepi.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

--
End of file - 9632 bytes

**shelf life** · 2009-11-01, 15:35

hi ICE-2K,

Log is a few days old. If you still need help, reply to my post and we will begin.

**ICE-2K** · 2009-11-01, 22:26

Thanks for replying. I am currently at work, but will be off in about 3 hours. Can we start then?

Thanks

**shelf life** · 2009-11-02, 00:13

ok no problem. We will start with Malwarebytes:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer most likely will be required to remove some items.If prompted select yes to restart.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

**ICE-2K** · 2009-11-02, 02:04

Hi shelf life,

I've downloaded Malwarebytes, but I cannot run the program.

**ICE-2K** · 2009-11-02, 02:05

here is the newest log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:49 PM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\Fode Enterprise\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\Fode Enterprise\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Fode Enterprise\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Fode Enterprise\Desktop\HijackThis.exe
c:\dell\E-center\gtb2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: MS extension - {C3221010-0AD7-4c09-B17B-EDCFFDA4B7F9} - fow64.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ECenter] "c:\dell\E-Center\gtb.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [personalguard] C:\Program Files\Personal Guard 2009\personalguard.exe
O4 - HKLM\..\Run: [perapopif] Rundll32.exe "c:\windows\system32\hiboyihe.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Fode Enterprise\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Fode Enterprise\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://playgames.comcast.net/online2...meLauncher.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: dakimuyu.dll c:\windows\system32\hiboyihe.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: reset5c - reset5c.dll (file missing)
O21 - SSODL: SysNet - {6BC7B10F-ED61-427A-B5DA-B12EE4403859} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll
O21 - SSODL: wetadegeh - {7947aa98-b5a9-432b-8129-6ddce14d1a28} - c:\windows\system32\hiboyihe.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {7947aa98-b5a9-432b-8129-6ddce14d1a28} - c:\windows\system32\hiboyihe.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

--
End of file - 9834 bytes

**shelf life** · 2009-11-02, 03:11

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O4 - HKLM\..\Run: [personalguard] C:\Program Files\Personal Guard 2009\personalguard.exe
O4 - HKLM\..\Run: [perapopif] Rundll32.exe "c:\windows\system32\hiboyihe.dll",a
O20 - AppInit_DLLs: dakimuyu.dll c:\windows\system32\hiboyihe.dll
O20 - Winlogon Notify: reset5c - reset5c.dll (file missing)

Ok we will come back to malwarebytes. You can get another download to use. Its called combofix. There is a guide to read first which will explain a few things.
Read through the guide, download combofix to your desktop but before you save it: rename it to combofix1.exe then save it. Disable any AV as explained in the guide, double click the icon on your desktop and follow the prompts.

Guide to using Combofix

If combofix is successful in running, once its all finished try running Malwarebytes. Post the log also if successful. I wont be back on line for 15-18 hrs.

**ICE-2K** · 2009-11-02, 06:40

Combo fix deleted some files.
Here is the log:
ComboFix 09-11-01.02 - Fode Enterprise 11/01/2009 21:22.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.263.1033.18.2046.1521 [GMT -8:00]
Running from: c:\documents and settings\Fode Enterprise\Desktop\Combofix1.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Microsoft AData
c:\documents and settings\All Users\Microsoft AData\sysnet.dll
c:\documents and settings\All Users\Microsoft AData\t.sid
c:\documents and settings\Fode Enterprise\Desktop\Personal Guard 2009.lnk
c:\documents and settings\Fode Enterprise\Start Menu\Programs\Personal Guard 2009
c:\documents and settings\Fode Enterprise\Start Menu\Programs\Personal Guard 2009\Personal Guard 2009.lnk
c:\documents and settings\Fode Enterprise\Start Menu\Programs\Personal Guard 2009\Uninstall.lnk
c:\program files\Personal Guard 2009
c:\program files\Personal Guard 2009\config.scf
c:\program files\Personal Guard 2009\mmbase.sdb
c:\program files\Personal Guard 2009\personalguard.exe
c:\program files\Personal Guard 2009\q.sdb
c:\program files\Personal Guard 2009\queue.sdb
c:\program files\Personal Guard 2009\uninstalls.exe
c:\program files\Personal Guard 2009\vvbase.sdb
c:\windows\microsoftdef.dll
c:\windows\system32\dz1.txt
c:\windows\system32\fonopeja.dll
c:\windows\system32\fow64.dll
c:\windows\system32\gubitahu.dll
c:\windows\system32\hiboyihe.dll
c:\windows\system32\kehitulo.dll
c:\windows\system32\kjs
c:\windows\system32\mudagaho.dll
c:\windows\system32\nk.dat
c:\windows\system32\o6.dat
c:\windows\system32\p1.txt
c:\windows\system32\piyiliwa.dll
c:\windows\system32\r24.txt
c:\windows\system32\raduzuye.dll
c:\windows\system32\sakabuji.dll
c:\windows\system32\sorusodi.dll
c:\windows\system32\vegibeya.dll
c:\windows\system32\viduhepi.dll
c:\windows\system32\vigowowu.dll
c:\windows\system32\yetoravu.dll
c:\windows\system32\zarebeba.dll

----- BITS: Possible infected sites -----

hxxp://82.98.231.98
.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-02 05:22 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-02 05:22 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-02 01:15 . 2009-11-02 01:15 382976 ----a-w- c:\windows\system32\winsc.exe
2009-11-02 01:13 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 01:13 . 2009-11-02 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-02 01:13 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 00:59 . 2009-11-02 00:59 -------- d-----w- c:\documents and settings\Fode Enterprise\Application Data\Malwarebytes
2009-11-02 00:58 . 2009-11-02 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-31 01:09 . 2009-10-31 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-10-31 00:56 . 2009-11-01 07:56 51197 ----a-w- c:\windows\spoov.exe
2009-10-31 00:56 . 2009-11-01 07:56 47872 ----a-w- c:\windows\certsystem.exe
2009-10-31 00:56 . 2009-11-01 07:56 38352 ----a-w- c:\windows\regred.exe
2009-10-31 00:56 . 2009-11-01 07:56 33149 ----a-w- c:\windows\usexplorer.exe
2009-10-31 00:56 . 2009-11-01 07:56 28320 ----a-w- c:\windows\securits.com
2009-10-31 00:55 . 2009-10-31 00:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 05:28 . 2009-03-31 03:29 -------- d-----w- c:\program files\DNA
2009-11-02 05:28 . 2009-03-31 03:29 -------- d-----w- c:\documents and settings\Fode Enterprise\Application Data\DNA
2009-10-31 05:18 . 2009-04-08 18:37 -------- d-----w- c:\program files\9Dragons
2009-10-31 03:36 . 2009-09-17 00:15 -------- d-----w- c:\program files\AVG
2009-10-10 04:01 . 2009-03-31 03:29 -------- d-----w- c:\documents and settings\Fode Enterprise\Application Data\BitTorrent
2009-09-11 14:18 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-10 17:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-10 17:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 02:24 . 2004-08-10 18:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-08-10 18:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2004-08-10 18:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2004-08-10 18:02 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-10 17:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-08-10 18:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2004-08-10 18:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-10 17:51 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-08-21 23:23 . 2006-08-21 23:23 8 --sh--r- c:\windows\system32\6F8D7B9A74.sys
2006-08-22 00:32 . 2006-08-19 18:04 56 --sh--r- c:\windows\system32\749A7B8D6F.sys
2006-08-22 00:32 . 2006-08-19 18:04 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-03-31 321344]
"Google Update"="c:\documents and settings\Fode Enterprise\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-08 133104]
"SansaDispatch"="c:\documents and settings\Fode Enterprise\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-09-01 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ECenter"="c:\dell\E-Center\gtb.exe" [2006-06-14 49152]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-02 98304]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-07 196608]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2007-04-09 19968]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-28 19456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"personalguard"=c:\program files\Personal Guard 2009\personalguard.exe
"MSKDetectorExe"=c:\program files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\system32\\lsass.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 7:21 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 7:21 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 7:21 PM 566296]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 7:21 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 7:21 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 7:21 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 7:21 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 7:21 PM 566296]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-561023989-4056816111-3634642552-1006Core.job
- c:\documents and settings\Fode Enterprise\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-08 22:25]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-561023989-4056816111-3634642552-1006UA.job
- c:\documents and settings\Fode Enterprise\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-08 22:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: yahoo.com\login
FF - ProfilePath - c:\documents and settings\Fode Enterprise\Application Data\Mozilla\Firefox\Profiles\2my210zd.default\
FF - plugin: c:\documents and settings\Fode Enterprise\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Fode Enterprise\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{300cdf48-ed38-45e6-bd7f-fb55d113e3fe} - pekiboba.dll
HKLM-Run-perapopif - c:\windows\system32\hiboyihe.dll
HKLM-Run-bejesekobo - sorusodi.dll
SharedTaskScheduler-{7947aa98-b5a9-432b-8129-6ddce14d1a28} - c:\windows\system32\hiboyihe.dll
SSODL-SysNet-{6BC7B10F-ED61-427A-B5DA-B12EE4403859} - c:\documents and settings\All Users\Microsoft AData\sysnet.dll
SSODL-wetadegeh-{7947aa98-b5a9-432b-8129-6ddce14d1a28} - c:\windows\system32\hiboyihe.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 21:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x8A9B1940]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x8a9b1940
\Driver\iaStor -> 0x8a9b1bf8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2432)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2009-11-02 21:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-02 05:36

Pre-Run: 13,896,052,736 bytes free
Post-Run: 13,398,224,896 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 52B8B91A73490046C537183DAD51FF45

**ICE-2K** · 2009-11-02, 07:15

Finished Malware
Here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 3081
Windows 5.1.2600 Service Pack 3

11/1/2009 10:15:07 PM
mbam-log-2009-11-01 (22-15-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 160449
Time elapsed: 27 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Microsoft AData\sysnet.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Personal Guard 2009\personalguard.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Personal Guard 2009\uninstalls.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP764\A0039907.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP764\A0039914.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP765\A0040066.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP765\A0040068.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP765\A0040070.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP765\A0040098.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP765\A0040108.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP765\A0040200.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP765\A0040201.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP765\A0040208.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP766\A0040235.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP766\A0040242.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP769\A0040570.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP769\A0040575.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP769\A0040578.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0GDB5L4A\load-full2[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\certSystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\regred.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\securits.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\spoov.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\usExplorer.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

**shelf life** · 2009-11-03, 00:17

ok good. We will get one more download to run:

download Gmer to your desktop:

http://gmer.net/download.php

close any running programs.

doubleclick the gmer icon to start Gmer:
if you get a message box that says:

warning!!
Gmer has found system modification or Rootkit Activity.......

It will ask you:
Do you want to fully scan your system?

select NO

In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.

Now click the Scan button.

gmer will scan computer.
If you get a Rootkit warning window during the scan: click OK

When finished click "Save" to save log to your desktop

Copy/Paste the saved Gmer log in your reply.

Thread: Personal Guard 2009 infection

Thread Tools

Display

Personal Guard 2009 infection

At work

Posting Permissions