View Full Version : Virtumonde-New Thread-As Per request



TomZT
2009-11-17, 23:31
As requested by TASHI I am starting a new thread for my problem. (THANK YOU TASHI!)

For background information see my original post (11-10-09) at the following...

http://forums.spybot.info/showthread.php?t=53294

I've successfully restarted the problem computer in NORMAL MODE with no obvious sign of the previous infections and fake Anti Virus System Pro popups and warnings, porno sites, etc., but I do see a Yellow Triangle with an Exclamation Point (!) on top of my AVG Tray Icon.

I have backed up my Registry with ERUNT

I did not disable SpyBot resident shield (teatimer?)
I should note IE seemed to hang (not responding) and then recovered while typing this post.
My HJT scan log is copied below...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:15 PM, on 11/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [kfqcaekj] C:\Documents and Settings\Tom McNeal\Local Settings\Application Data\ogolyy\lwyesysguard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [kfqcaekj] C:\Documents and Settings\Tom McNeal\Local Settings\Application Data\ogolyy\lwyesysguard.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E}: NameServer = 77.74.48.113
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - {55f665dc-4099-4d0f-8b1c-7938ee0d4932} - C:\WINDOWS\batmeter16.dll
O20 - AppInit_DLLs: yosezezu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: vuzuwuhif - {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c9e522adc4ffec) (gupdate1c9e522adc4ffec) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

--
End of file - 8491 bytes

Blade81
2009-11-20, 18:32
Hi there,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

TomZT
2009-11-20, 19:25
Hi Blade81,

Thank you for your reply and your assistance. Please also pardon my questions as I have little experience in these matters.

I have downloaded DDS to a healthy computer and will bring it over to the infected machine on a CD, copy DDS to the desktop, and run the DDS scan. I will then post the results directly from the infected machine. Is this all OK?

I am not sure what a script blocker is... Would this include SpyBot 1.6.2 and AVG 8.5 and the Resident Shield features of these two programs?

Should SpyBot and AVG be DISABLED when running the DDS tool?

And should SpyBot and AVG be ENABLED before reconnecting the infected machine to the internet to post my DDS results?

I look forward to your reply!
ZT

Blade81
2009-11-20, 19:44
> I have downloaded DDS to a healthy computer and will bring it over to the infected machine on a CD, copy DDS to the desktop, and run the DDS scan. I will then post the results directly from the infected machine. Is this all OK?

Yes, that's ok :)

> I am not sure what a script blocker is... Would this include SpyBot 1.6.2 and AVG 8.5 and the Resident Shield features of these two programs?
>
> Should SpyBot and AVG be DISABLED when running the DDS tool?

Antivirus programs may contain a script blocking component. It's better to run DDS with protection software disabled (Spybot shouldn't cause any trouble even if it was enabled).

> And should SpyBot and AVG be ENABLED before reconnecting the infected machine to the internet to post my DDS results?

Not necessarily, but have the firewall enabled.

TomZT
2009-11-20, 20:10
Hi Blade81,

Here are my DDS results

DDS (Ver_09-10-26.01) - NTFSx86
Run by Tom McNeal at 11:50:25.63 on Fri 11/20/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.232 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
svchost
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Tom McNeal\Desktop\dds.scr
C:\WINDOWS\system32\taskkill.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://smbusiness.dellnet.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
mRun: [11220814] c:\documents and settings\all users\application data\11220814\11220814.exe
mRun: [jepedonug] Rundll32.exe "c:\windows\system32\diyahema.dll",a
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1107516386875
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E} = 77.74.48.113
Filter: text/html - {55f665dc-4099-4d0f-8b1c-7938ee0d4932} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\diyahema.dll,lofiketo.dll
SSODL: vuzuwuhif - {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
SSODL: jumikuwif - {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
STS: kupuhivus: {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
STS: kupuhivus: {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
LSA: Notification Packages = scecli cPRASO.dll kodatewe.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\drivers\jeppd.sys --> c:\windows\system32\drivers\JeppD.sys [?]

=============== Created Last 30 ================

2009-11-20 03:27:03 2713 --sh--w- c:\windows\system32\yajigozo.exe
2009-11-19 09:26:41 2713 --sh--w- c:\windows\system32\mubaruve.exe
2009-11-18 15:25:41 2713 --sh--w- c:\windows\system32\lokimoli.exe
2009-11-17 21:29:42 0 d-----w- c:\docume~1\alluse~1\applic~1\11220814
2009-11-17 21:29:33 1209915 --sh--w- c:\windows\system32\savohofu.exe
2009-11-17 21:29:27 92672 --sh--w- c:\windows\system32\diyahema.dll
2009-11-17 21:29:21 53248 --sh--w- c:\windows\system32\gobewowi.dll
2009-11-17 21:18:48 39424 ----a-w- c:\windows\system32\fonemike.dll
2009-11-17 21:13:06 53248 ----a-w- c:\windows\system32\zayezeru.dll
2009-11-11 21:00:25 0 d-----w- c:\program files\Trend Micro
2009-11-11 18:21:00 12032 ----a-w- c:\windows\system32\iehelper.dll
2009-11-10 19:27:54 6456 ---ha-w- c:\windows\system32\virasuza
2009-11-10 06:45:05 95 ----a-w- c:\windows\wininit.ini
2009-11-10 02:58:33 52736 ----a-w- C:\luobk.exe
2009-11-10 02:58:31 52736 ----a-w- C:\ydlcgx.exe
2009-11-10 02:58:20 0 --sha-w- C:\15226409
2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs
2009-11-05 16:01:25 0 d-----w- c:\program files\NZ Software

==================== Find3M ====================

2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2003-03-19 05:59:12 207759 ----a-w- c:\program files\INSTALL.LOG
2009-08-10 03:04:27 115200 --sha-w- c:\windows\system32\hasijale.exe
2009-08-10 03:04:27 39424 --sha-w- c:\windows\system32\keneruwo.dll
2009-08-17 21:32:01 53248 --sha-w- c:\windows\system32\kodatewe.dll
2009-08-17 21:32:01 53248 --sha-w- c:\windows\system32\lofiketo.dll
2009-08-10 03:04:27 45056 --sha-w- c:\windows\system32\sutatuzu.dll
2009-08-17 21:32:01 53248 --sha-w- c:\windows\system32\tevaziva.dll
2008-12-25 09:07:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat

============= FINISH: 11:53:25.52 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/24/2003 10:10:41 AM
System Uptime: 11/17/2009 2:21:20 PM (69 hours ago)

Motherboard: Dell Computer Corporation | | 07W080
Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | Socket 478 | 1993/400mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 56 GiB total, 18.55 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP2017: 9/9/2009 3:00:29 AM - Software Distribution Service 3.0
RP2018: 9/10/2009 3:07:07 AM - System Checkpoint
RP2019: 9/11/2009 4:09:27 AM - System Checkpoint
RP2020: 9/12/2009 5:07:09 AM - System Checkpoint
RP2021: 9/13/2009 6:07:31 AM - System Checkpoint
RP2022: 9/14/2009 7:07:01 AM - System Checkpoint
RP2023: 9/15/2009 8:07:01 AM - System Checkpoint
RP2024: 9/16/2009 9:07:01 AM - System Checkpoint
RP2025: 9/17/2009 10:07:01 AM - System Checkpoint
RP2026: 9/18/2009 11:08:06 AM - System Checkpoint
RP2027: 9/19/2009 12:07:01 PM - System Checkpoint
RP2028: 9/20/2009 1:07:01 PM - System Checkpoint
RP2029: 9/21/2009 2:07:01 PM - System Checkpoint
RP2030: 9/22/2009 3:08:06 PM - System Checkpoint
RP2031: 9/23/2009 4:07:01 PM - System Checkpoint
RP2032: 9/24/2009 5:07:01 PM - System Checkpoint
RP2033: 9/25/2009 6:08:06 PM - System Checkpoint
RP2034: 9/26/2009 7:07:02 PM - System Checkpoint
RP2035: 9/27/2009 8:07:02 PM - System Checkpoint
RP2036: 9/28/2009 8:08:17 PM - System Checkpoint
RP2037: 9/29/2009 8:13:32 PM - System Checkpoint
RP2038: 9/30/2009 9:06:41 PM - System Checkpoint
RP2039: 10/1/2009 10:06:42 PM - System Checkpoint
RP2040: 10/2/2009 11:06:42 PM - System Checkpoint
RP2041: 10/3/2009 11:37:55 PM - System Checkpoint
RP2042: 10/4/2009 11:42:09 PM - System Checkpoint
RP2043: 10/6/2009 12:06:44 AM - System Checkpoint
RP2044: 10/7/2009 1:06:49 AM - System Checkpoint
RP2045: 10/8/2009 2:06:36 AM - System Checkpoint
RP2046: 10/9/2009 3:06:40 AM - System Checkpoint
RP2047: 10/10/2009 4:06:37 AM - System Checkpoint
RP2048: 10/11/2009 5:03:59 AM - System Checkpoint
RP2049: 10/12/2009 5:48:37 AM - System Checkpoint
RP2050: 10/13/2009 3:00:22 AM - Software Distribution Service 3.0
RP2051: 10/14/2009 3:14:41 AM - System Checkpoint
RP2052: 10/15/2009 4:11:53 AM - System Checkpoint
RP2053: 10/16/2009 3:01:05 AM - Software Distribution Service 3.0
RP2054: 10/17/2009 3:48:50 AM - System Checkpoint
RP2055: 10/18/2009 4:02:19 AM - System Checkpoint
RP2056: 10/19/2009 5:02:24 AM - System Checkpoint
RP2057: 10/20/2009 6:02:18 AM - System Checkpoint
RP2058: 10/21/2009 7:02:15 AM - System Checkpoint
RP2059: 10/22/2009 8:02:15 AM - System Checkpoint
RP2060: 10/23/2009 9:02:08 AM - System Checkpoint
RP2061: 10/24/2009 10:27:31 AM - System Checkpoint
RP2062: 10/25/2009 11:03:14 AM - System Checkpoint
RP2063: 10/26/2009 12:02:10 PM - System Checkpoint
RP2064: 10/26/2009 11:02:41 PM - Spybot-S&D Spyware removal
RP2065: 10/26/2009 11:34:30 PM - Software Distribution Service 3.0
RP2066: 10/28/2009 12:13:08 AM - System Checkpoint
RP2067: 10/29/2009 12:17:39 AM - System Checkpoint
RP2068: 10/30/2009 1:18:33 AM - System Checkpoint
RP2069: 10/31/2009 2:17:34 AM - System Checkpoint
RP2070: 11/1/2009 3:17:35 AM - System Checkpoint
RP2071: 11/2/2009 4:17:48 AM - System Checkpoint
RP2072: 11/3/2009 5:17:47 AM - System Checkpoint
RP2073: 11/4/2009 4:00:22 AM - Software Distribution Service 3.0
RP2074: 11/5/2009 4:24:12 AM - System Checkpoint
RP2075: 11/6/2009 5:25:24 AM - System Checkpoint
RP2076: 11/7/2009 6:24:13 AM - System Checkpoint
RP2077: 11/8/2009 6:24:10 AM - System Checkpoint
RP2078: 11/9/2009 7:24:07 AM - System Checkpoint
RP2079: 11/10/2009 12:05:27 AM - Spybot-S&D Spyware removal
RP2080: 11/10/2009 12:10:07 AM - Spybot-S&D Spyware removal
RP2081: 11/10/2009 12:16:22 AM - Spybot-S&D Spyware removal
RP2082: 11/10/2009 12:45:00 AM - Spybot-S&D Spyware removal
RP2083: 11/10/2009 1:01:19 AM - Spybot-S&D Spyware removal
RP2084: 11/10/2009 9:17:55 AM - Spybot-S&D Spyware removal
RP2085: 11/10/2009 9:37:35 AM - Spybot-S&D Spyware removal
RP2086: 11/10/2009 10:10:16 AM - Spybot-S&D Spyware removal
RP2087: 11/10/2009 1:00:40 PM - Spybot-S&D Spyware removal
RP2088: 11/10/2009 1:27:04 PM - Spybot-S&D Spyware removal
RP2089: 11/10/2009 1:28:05 PM - Spybot-S&D Spyware removal

==== Installed Programs ======================


Ad-Aware
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe® Photoshop® Album Starter Edition 3.0
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
ArcSoft PhotoStudio 5.5
AVG Free 8.5
BACS
BCM V.92 56K Modem
Bonfire Studio
Britannica Ready Reference
Broadcom Advanced Control Suite
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 1.6
Canon Utilities EOS Capture 1.3
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
Core FTP LE 2.1
Deer Hunter 2004 - Legendary Hunting
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support 5.0.0 (766)
Digital Line Detect
Easy CD Creator 5 Basic
EOS Capture 1.3
ERUNT 1.1j
Garmin Communicator Plugin
Garmin USB Drivers
Garmin WebUpdater
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Help and Support Customization
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
hp deskjet 5550 series (Remove only)
hp deskjet 5600
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
Intel(R) Extreme Graphics Driver
Jeppesen Services
LTspice IV
LUMIX Simple Viewer
MapSource
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access Developer Extensions (English) 2007
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Runtime (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Modem Helper
MUSICMATCH Jukebox
Paint Shop Pro 7
PhotoStitch
Quicken 2002 New User Edition
QuickTime
RAW Image Task 2.0
RemoteCapture Task 1.1
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
TeLL me More
TurboTax 2008
TurboTax 2008 wiliper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Home & Business 2006
TurboTax Home & Business 2007
TurboTax ItsDeductible 2006
upapp
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (KB974810)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
WexTech AnswerWorks
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3
WordPerfect Office 2002

==== Event Viewer Messages From Past Week ========

11/17/2009 2:40:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/17/2009 2:25:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/17/2009 2:25:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Intuit Update Service service to connect.
11/17/2009 2:25:35 PM, error: Service Control Manager [7000] - The Smart Modular JeppDrive USB Driver service failed to start due to the following error: The system cannot find the file specified.
11/17/2009 2:25:35 PM, error: Service Control Manager [7000] - The Intuit Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/17/2009 2:22:27 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
11/17/2009 2:22:27 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================
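
The "Event Viewer Messages" section of the DDS log above is the part a responder reads first when a machine later refuses to boot, because a service whose file is "not found" after a cleanup is exactly how a deleted or quarantined driver announces itself. The following is an added example, not part of this thread and not code from the DDS tool; it assumes only the one-line event format shown in the log above and the sample lines are copied from that log. It parses each line, sorts events into triage categories (missing service binary, other service start failure, crash-dump unavailable, time sync noise) and orders them by severity.

```python
"""Triage of the 'Event Viewer Messages' section of a DDS log.

Added example (not from the thread and not from the DDS tool). It parses the
one-line event format DDS emits and sorts each event into a category a
responder cares about when a machine stops booting after a cleanup.
"""
import re
from collections import Counter
from datetime import datetime

# DDS event line: "<m/d/yyyy h:mm:ss AM|PM>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Event lines copied from the DDS log posted above in the thread.
SAMPLE_EVENTS = [
    "11/17/2009 2:40:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)",
    "11/17/2009 2:25:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Intuit Update Service service to connect.",
    "11/17/2009 2:25:35 PM, error: Service Control Manager [7000] - The Smart Modular JeppDrive USB Driver service failed to start due to the following error: The system cannot find the file specified.",
    "11/17/2009 2:22:27 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.",
    "11/17/2009 2:22:27 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.",
]


def parse_event_line(line):
    """Return a dict for one DDS event line, or None if the line is not an event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    rec["timestamp"] = datetime.strptime(rec.pop("ts"), "%m/%d/%Y %I:%M:%S %p")
    return rec


def classify(rec):
    """Map one parsed event to (category, severity) for boot-failure triage."""
    src, eid, msg = rec["source"], rec["event_id"], rec["message"]
    if src == "Service Control Manager" and eid == 7000 and "cannot find the file" in msg:
        # The service's binary is gone. After a cleanup this is how a
        # quarantined or deleted driver shows up, so it gets top priority.
        return "missing_service_binary", "high"
    if src == "Service Control Manager" and eid in (7000, 7009):
        return "service_start_failure", "medium"
    if src == "Ftdisk" and eid in (45, 49):
        # No crash dump can be written, so a later STOP error leaves no memory dump.
        return "crash_dump_unavailable", "low"
    if src == "W32Time":
        return "time_sync", "info"
    return "unclassified", "info"


def triage(lines):
    """Parse and classify every event line, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    out = []
    for line in lines:
        rec = parse_event_line(line)
        if rec is None:
            continue
        rec["category"], rec["severity"] = classify(rec)
        out.append(rec)
    out.sort(key=lambda r: (order[r["severity"]], r["timestamp"]))
    return out


def service_names_missing_binary(lines):
    """Names of services whose executable could not be found on disk."""
    names = []
    for rec in triage(lines):
        if rec["category"] == "missing_service_binary":
            m = re.search(r"^The (.+?) service failed to start", rec["message"])
            names.append(m.group(1) if m else rec["message"])
    return names


def summarize(lines):
    """Count of events per triage category."""
    return dict(Counter(r["category"] for r in triage(lines)))


if __name__ == "__main__":
    for rec in triage(SAMPLE_EVENTS):
        print(f"{rec['severity']:6} {rec['category']:24} {rec['source']} [{rec['event_id']}]")
```

Run against the log above, the one "high" finding is the Smart Modular JeppDrive USB Driver service whose file is missing; the W32Time entries are just the machine being offline, which matches the poster's note that it was not connected to the internet.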

Blade81
2009-11-20, 20:34
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

TomZT
2009-11-20, 21:26
Hi Blade81,

Thanks again for your assistance and your quick replies!

I have downloaded ComboFix and will copy it over to the infected machine as I did before with DDS.

I have also printed out the ComboFix Instructions and will carefully read them before running the ComboFix program. I don't know how long it will take me to absorb and understand the ComboFix Instructions and Cautions but I will post the results ASAP.

Being in Finland, and thus 6 or 7 hours ahead of me, you are probably nearing the end of your "Work Day!" :-) so I understand if you do not reply again as quickly as you have so far.

If this is the case, please enjoy your "off time" and I will look forward to your next reply!

TomZT
2009-11-21, 02:14
Well Blade, I have some good news and then some bad news.

I downloaded and copied ComboFix to the desktop of the infected machine. I then read and re-read the ComboFix Instructions to be sure of what I could expect. As per the instructions, before running ComboFix, I disabled my Anti/Virus/Malware and Firewall programs (SpyBot and AVG Resident Shields... and the Windows Firewall). The machine was not connected to the internet.

After reading how ComboFix would check and install the Windows Restore Console if not already installed, I also checked my Win XP Help and Support Screen to verify that the Restore Console was present there. I also remembered seeing in the DDS report log a number of system restore points going back to at least October. So I was pretty sure that ComboFix would not need to install the Restore Console.

I then ran ComboFix. The program ran as expected and outlined in the instructions, backed up the registry, created a restore point, and then surprisingly announced "This machine does not have the Windows Recovery Console installed...Without it ComboFix will not attempt to fix some serious infections... Click Yes to have ComboFix download/install it... an internet connection is required.)" This was unexpected but I then reconnected the machine to the internet and clicked Yes. The install reported that it was successful. (BUT I did notice this successful install message mentioned Windows XP SP2 and this machine does have SP3 installed.) Oh well, I thought, and clicked YES again to continue with Scanning.

Scanning completed all the numbered scan stages and then reported...
"C:\Windows\system32\ws2_32.dll INFECTED" and then...
"Successfully Restored" Then deleting files... and deleting folders... (quite a few of each)

I then saw the message saying "Preparing Log Report" but before ComboFix closed and successfully displayed the log report the machine rebooted. After a long Welcome screen, a BLUE SCREEN opened saying... "A problem has been detected and Windows has been shut down to prevent damage... Check newly installed H/W and S/W... If this is the first time you've seen this screen RESTART the machine...." and...
TECHNICAL INFO
STOP: 0x0000000A (0x00000000, 0x00000002, 0x00000000, 0x804DC25D)

I could not shut down normally so I powered off the machine and turned it back on. SAME BLUE SCREEN, slightly different message about checking for Viruses and Hard Drive & HD Controllers.. and..
TECHNICAL INFO
STOP: 0x0000007B (0xF79FA528, 0xC0000034, 0x00000000, 0x00000000)

Subsequent attempts to restart in NORMAL or SAFE MODE resulted in the same second blue screen described above. I did not try starting at a SYSTEM RESTORE POINT. Before trying a SYSTEM RESTORE point I thought I'd ask you what RESTORE POINT I should select if I can get to that point and if you think any restore point might be successful.

TRY SYSTEM RESTORE...
TO A DATE BEFORE THE INFECTION?
TO A DATE BEFORE OR AFTER my initial HJT scan or DDS scan?
TO A DATE AND TIME BEFORE the ComboFix Scan
OR WHAT?

Having not yet been able to restart in safe or normal mode, I am not sure if ComboFix successfully created & saved a report as C:\ComboFix.txt.

I sure hope you know what's happening and you can still help!

TomZT

PS: Also in case it might help you... while checking that all my anti/virus/spyware was disabled and before running ComboFix, I opened TASK MANAGER and noticed 20-30% of CPU was being used (Off and On) by the process "taskill.exe or taskkill.exe". I didn't like the looks of that but proceeded with the ComboFix as described above.

Blade81
2009-11-21, 02:23
Hi,

Have you tried to reboot using last known good configuration -option?

TomZT
2009-11-21, 02:26
Hi Blade,
Do you mean... try a system restore to a point before the infection happened?

Blade81
2009-11-21, 02:27
I mean this (http://www.computerhope.com/issues/ch000626.htm).

Also, system restore and recovery console are not the same thing.

TomZT
2009-11-21, 02:33
Thanks Blade,

I will look at the link you provided and also try rebooting to last known good config. I can't do this right now as today is my wife's birthday and we're heading out to eat. I will get back on this again in a couple of hours and post what happens. I do appreciate your assistance.

TomZT
2009-11-21, 08:19
Hi Blade81,

I do not have any good news.

I cannot restart in NORMAL or SAFE MODE or to LAST KNOWN GOOD CONFIGURATION. RESULT = Same Blue screen

If I restart with the F8 key, the select START NORMALLY, SAFE MODE or LAST GOOD CONFIG, and then select Microsoft Windows Recovery Mode, I come to a selection screen labeled Microsoft Windows XP Recovery Console which asks me "Which Windows installation would you like to log on to?"

There is only one choice...
1: C:\Windows

Pressing #1 and then Enter I come to a black screen with a Dos Prompt...
C:\WINDOWS>_

Once there, I ran...
1. chkdsk c: with no switch - RESULT= Volume appears good and was not checked
2. chkdsk c: /p - RESULT = Chkdsk ran to 25% then slowly to about 50% then a bit faster to 75% and then quit and reported results. (The Drive is about 75% full)
3. Then ran chkdsk c: /r - RESULT = Chkdsk ran OK to about 50% then slowly to 75% and returned to 50% and again slowly to 75% and back to 50%. I then powered off.

Still can not boot to any Windows XP mode except the Black Screen DOS Prompt when pressing F8 while restarting then selecting NORMAL, SAFE, or LAST KNOWN GOOD CONFIG, and then choosing Windows Recovery Console.

Do you think I will ever be able to restart Windows XP again?
Perhaps with...
...the ERUNT Registry Backup?
...the ComboFix Registry Backup?
...any other means?

Or am I doomed to reformatting this hard drive and reinstalling everything?

I look forward to your guidance and suggestions.
TomZT

Blade81
2009-11-21, 11:37
Hi,

We'll try to restore things back. First I'd like to know if you have a flash memory to transfer c:\ComboFix.txt file (if it's present) from infected system?

This can be done by entering the recovery console (like you did earlier) and entering the following commands (press enter after each one); f: drive is the USB drive letter here (it may be different in your system):
set allowallpaths = true
set allowallremovablemedia = true
copy c:\combofix.txt f:\combofix.txt

TomZT
2009-11-21, 16:47
Hi Blade,

I will try your suggestion... But first I have a couple of questions...

What method should I use to get to the Recovery Console...
F8 when Booting, then SAFE MODE, Then Recovery Console?
F8 when Booting, then NORMAL MODE, Then Recovery Console?
or, F8 when Booting, then LAST GOOD CONFIG MODE, Then Recover Console?

I have several mapped network drives on this computer but I'm not sure what drive letters have been assigned to them. Is there any way I can, from the Recovery Console, determine the correct letter for the Flash Drive?

I await your reply.
Tom

Blade81
2009-11-21, 16:58
When the system reboots you should have two options to choose from (those will appear for a couple of seconds):
Microsoft Windows XP Recovery Console
Windows XP Professional

Choose recovery console. You could copy some dummy test file to your flash drive (create an empty test.txt file with notepad for example) and then in recovery console, after entering those two set commands instructed in my previous post, use the command dir <drive letter>, e.g. dir f:, and see which one lists the test.txt file.

TomZT
2009-11-21, 18:41
I created a test.txt file on another machine and saved it to a flash drive. Then plugged the flash drive into the infected machine.

Then entered the Recovery Console...
C:\WINDOWS>_

The first command: set allowallpaths = true (this worked fine)

The second command: set allowallremoveablemedia = true (this did not - bad parameter). After using the DOS command (HELP - /?) feature, I modified your parameter slightly, and tried: set allowremovablemedia = true (this seemed to work fine).

The ONLY GOOD NEWS SO FAR is, after the above commands, I discovered that Combofix did create a ComboFix.txt file; however the file was actually located in C:\ComboFix\combofix.txt (361 bytes) rather than in the C:\ (root directory).

So then I entered your third command (modified slightly):
copy c:\combofix\combofix.txt f:\combofix.txt (this did not work - NO floppy or CD in drive).

Trying to find the correct drive letter for the Flash Drive, I tried...
dir f: - (this did not work - No floppy or CD in drive) Then...
dir g: - dir h: - dir h: - etc. - on through: dir z: (this did not work - All reported invalid path or file)

So the ComboFix.txt file is in there, I just need to find out how to get it out! Any more suggestions?

TomZT
2009-11-21, 19:15
I remembered from my old DOS days the commands Print or LPrint.... Couldn't find any help on those commands but searching further in the DOS command help feature, I re-discovered that I could use the type command to display a text file on-screen. So I entered...

type c:\combofix\combofix.txt

Here (re-typed by hand) is the contents of the ComboFix.txt file...
-------------------------------------------------------------------------
ComboFix 09-11-20.01 - Tom McNeal 11-20-2009 16:06:51.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.360 [GMT -6:00]

Running from: C:\Documnets and Settings\Tom McNeal\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
-------------------------------------------------------------------------
I sure hope this helps Blade!

Blade81
2009-11-22, 00:09
Hi Tom,

Seems that ComboFix didn't get far there. Let's see if we can get your system bootable now.


1. Restart your computer
2. Enter to recovery console like earlier.
3. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

4. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

5. The erunt backups will begin copying.
6. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading. See if you're able to create a fresh DDS log now :)

TomZT
2009-11-22, 02:39
Hi Blade,

I ran the ERUNT Registry Restore as described above...
from c:\WINDOWS>_

cd erdnt\subs
batch erdnt.con
(appeared to complete successfully - 9 files copied - returned to prompt)
Then... exit

Windows began loading and then displayed the same blue screen described in my previous posts.

Tom

Blade81
2009-11-22, 12:30
Hi,

Do you get any better results if you run these commands in recovery console:
cd erdnt\hiv-backup
batch erdnt.con
exit

TomZT
2009-11-22, 16:54
Hi Blade,
Thank you for your continuing assistance! Not only does my computer appear to be highly infected, but you must feel like you're leading a blind man!

From recovery console, I ran

cd erdnt\hiv-backup
batch erdnt.con
exit
SAME BLUE SCREEN


I don't know if this will help you but...
After the "exit", I'm automatically returned to the recovery console for the restart...

If I wait for the 30 sec countdown timer, or choose Start Windows Normally, I immediately get the same blue screen which consistently displays the following... TECHNICAL INFO
STOP: 0x0000007B (0xF79FA528, 0xC0000034, 0x00000000, 0x00000000)

If I choose Start in Safe Mode, it first starts loading a bunch of drivers before the Blue Screen... I've watched this carefully many times now and the Blue Screen appears just after loading ".... C\Windows\system32\Mup.sys

Is this info any help to you?

Blade81
2009-11-22, 18:10
Hi,

Error code indicates problem with hard drive controller loading. Please enter recovery console mode again and run following commands:
cd\
cd c:\qoobox\quarantine\c\windows\system32\drivers
dir

You should see a list of items there. Check if pciide.sys.vir file (or any with ide in its name) is listed there and let me know about the results.

TomZT
2009-11-22, 18:29
Now, in trying to enter the Recovery Console... as I did before...

After entering the #1 to select the only recovery console option...
1: C:\WINDOWS

Instead of going to the C:\WINDOWS>_ prompt

I get "Type the administrator Password:__"
Simply pressing enter displays...
"The Password is Not Valid. Please retype the Password."

I've never setup an administrator password on this computer and this is the first time I've been asked for a password to get to the recovery console command prompt.

I still hope you can help!

Blade81
2009-11-22, 19:28
I've never seen a similar case with recovery console first not asking and then on another attempt asking for the admin password. See if administrator or admin (with first letter capitalized or not) works.

Do you have Windows XP Professional installation media around?

TomZT
2009-11-22, 23:51
Hi Blade,
Sorry for the delay in getting back to you. I had Sunday morning activities to attend. I did include you and my infected computer in my prayers.

I tried the passwords.. "Administrator, administrator, Admin, & admin"
All invalid!

Do you think the second set of ERDNT commands...
cd erdnt\hiv-backup
batch erdnt.con
exit
...might have set an administrator password? The password request appeared just after running these commands???

Or perhaps, the infection (after a set period of time or actions) took admin control? I'm just guessing here.

I do remember that way back in this process... before running any of the initial ERUNT OR HJT scans... when I could still boot to Windows XP SAFE mode... I was once asked... while starting up to SAFE MODE... "What user account to log on to": The choices were: ADMINISTRATOR or Tom McNeal (my name). This surprised me back then because I had never setup any Administrator Account or Passwords on this machine. At that time I did try choosing Administrator and when prompted for a password... I simply pressed enter. This was invalid and so I next selected my name as the User account and booted to safe mode.

I'm sure I have the Windows XP CD (that came with this computer from DELL) but I will have to do some digging to find it. Does your question mean we will need to re-format the hard drive and re-install XP??? OR, do you have other ideas to try with the XP CD?

I look forward to your reply.
Tom

Blade81
2009-11-23, 00:04
Hi Tom,


Do you think the second set of ERDNT commands...
cd erdnt\hiv-backup
batch erdnt.con
exit
...might have set an administrator password? The password request appeared just after running these commands???
That's something I was wondering too. But both this and the backup we restored earlier should be similar ones.


I'm sure I have the Windows XP CD (that came with this computer from DELL) but I will have to do some digging to find it. Does your question mean we will need to re-format the hard drive and re-install XP??? OR, do you have other ideas to try with the XP CD?
I was thinking about running recovery console from XP Professional media. It might be possible to run that way without password prompt.

TomZT
2009-11-23, 00:06
I am chatting now with DELL support about getting a WIN XP PRO replacement CD in case I cannot find the one that came with the computer.

TomZT
2009-11-23, 00:18
That's something I was wondering too. But both this and the backup we restored earlier should be similar ones.

The first ERUNT BACK UP Copied 9 Files before returning to the prompt for EXIT.

The second time 10 Files were copied before the prompt for EXIT.

Maybe there was an administrator entry in the 10th file copied.

I was thinking about running recovery console from XP Professional media. It might be possible to run that way without password prompt.

Would this need to be the same XP CD that came with this particular machine? Or will any Win XP Pro CD work for this.

TomZT
2009-11-23, 07:24
Hi Blade,

I have found my original Dell licensed Windows XP Pro Reinstall CD but I am not sure if this will help us if we can't get into the Recovery Console anyway without entering a correct Administrator Password.

Another problem might be that the original Dell XP install CD is XP Pro SP1. SP2 and then SP3 were later installed on the problem machine via Microsoft Updates. I remember reading in the ComboFix Instructions that it would install different versions of the Restore Console depending on whether it found SP1 or SP2 / SP3 on the machine.

I do have another newer Dell machine and also found the XP Pro SP3 install CD for that machine too. But even so, don't you think we'll still have the same problem getting to the Recovery Console Command Prompt without the correct Administrator password. I should also note that this newer Dell machine uses the NTFS file system whereas I think the problem machine uses the FAT32 file system. I don't know if this would cause a problem?

I do have another theory but cannot check it out until I can get into the Recovery Console or get to a command prompt some other way. Perhaps a Bootable CD? I'm thinking I may have specified a folder other than C:\Windows\erdnt for my ERUNT Registry backup. I think I may have specified c:\Windows\erdnt_A instead; thinking I may wish to create another backup later in C:\Windows\erdnt_B. But I can't remember for sure if I did this or not and cannot check without getting back into the Recovery Console. If I did save my backup in C:\Windows\erdnt_A, and ran the restore mistakenly from C:\Windows\erdnt, could this have created the Password problem I'm having now?

I've re-read the ERUNT instructions and emailed Lars Hederer to ask if he might know what's going on. I will let you know what he thinks if and when he replies.

Any ideas or suggestions you may have will be much appreciated.
Tom

Blade81
2009-11-23, 07:46
Hi,


I do have another newer Dell machine and also found the XP Pro SP3 install CD for that machine too.
That CD can be used assuming it's a real install CD and not just for recovering.

1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.

See if that lets you access command prompt of recovery console. If yes, try these commands here (http://forums.spybot.info/showpost.php?p=348179&postcount=23) to check requested things.

TomZT
2009-11-23, 08:11
Blade said...
That CD can be used assuming it's a real install CD and not just for recovering.
1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

This CD is labeled "Reinstallation CD, MS Windows XP Professional, SP3"
"This software is already installed on your computer. Use this media only to reinstall the operating system on a Dell computer."

Blade said...
Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

I think I may have to do this first.... I.E. Hit F2 when first starting to enter the Dell System Setup. Then set up boot priority making the CD # 1 instead of floppy. Then restart machine with the CD in the machine. Do you agree?

Tom

Blade81
2009-11-23, 08:17
I think I may have to do this first.... I.E. Hit F2 when first starting to enter the Dell System Setup. Then set up boot priority making the CD # 1 instead of floppy. Then restart machine with the CD in the machine. Do you agree?
Floppy can be with higher priority than CD. Just ensure that CD priority is higher than hard drive's.

TomZT
2009-11-23, 08:26
I changed setup to boot from the CD, then restarted. The cd loaded a bunch of drivers and then asked to press R for Recovery console. That let me choose Recovery Console as before but PASSWORD STILL REQUIRED.

There was another option when booting from the CD... Press F2 for ASR (Dells?) Automatic system recovery. Do you think I should try that?

TomZT
2009-11-23, 08:29
And...

Hi Blade,

I do have another theory but cannot check it out until I can get into the Recovery Console or get to a command prompt some other way. Perhaps a Bootable CD? I'm thinking I may have specified a folder other than C:\Windows\erdnt for my ERUNT Registry backup. I think I may have specified c:\Windows\erdnt_A instead; thinking I may wish to create another backup later in C:\Windows\erdnt_B. But I can't remember for sure if I did this or not and cannot check without getting back into the Recovery Console. If I did save my backup in C:\Windows\erdnt_A, and ran the restore mistakenly from C:\Windows\erdnt, could this have created the Password problem I'm having now?

Any thoughts on this???

Blade81
2009-11-23, 08:31
Hi,

Don't try automatic system recovery. We can still try to create a boot cd and start system with it. I'm currently at work but will get back with new instructions later. Is that ok?

TomZT
2009-11-23, 08:34
Hi,

Don't try automatic system recovery. We can still try to create a boot cd and start system with it. I'm currently at work but will get back with new instructions later. Is that ok?

That's fine Blade! I've had a long day... 12:30 AM here. I'll get a little sleep and check back in. When you have time, can you give me instructions or a link as to how to create a Bootable CD?

Hopefully one that will get us to a command prompt????
Thanks again for sticking with me! I appreciate your help.
Tom

Blade81
2009-11-23, 08:49
Hi,

Instructions for creating UBCD can be found here (http://www.ubcd4win.com/howto.htm). We'll use that later then.

TomZT
2009-11-23, 20:06
Hi Blade,

I hope you had a good day! Thanks again for your help!

I have downloaded the UBCD4Win tool and read the instructions. Before creating the UBCD, I have a couple of questions... to make sure I'm doing this right and cause no further problems!

1. The problem computer (Computer 1) is WIN XP PRO SP3 (came with SP1 then updated later with SP2 and SP3) The UBCD instructions require using a WINDOWS XP CD "with at least SP1 (SP2 highly recommended)". The UBCD instructions do not mention SP3 at all. Should I still use the Dell Windows XP PRO SP3 installation CD to build the UBCD?

2. As you know, I am using two other machines (Computer 2 & 3 - which still appear to be healthy) to access the internet, post on the forum, and download these tools on. Since I've been on the MalwareForum trying to remove the infection, I have not had the problem machine connected to my home network at the same time as any of my other machines are connected to my network. I did however, immediately after the original infection, reach across the network from one of the other machines (Computer 3) to copy a folder with some important files on the infected computer. Repeated scans on Computers 2 & 3 with AVG 8.5 and SpyBot 1.6.2 reveal "No Threats Detected" except a few "Warnings" (identified as tracking cookies) which were all reported to be successfully removed or healed.

Early this morning when using Computer 3 to copy my Dell Win XP PRO SP3 Installation CD to my hard drive as recommended in the UBCD instructions... When I removed the Win XP CD from the drive, I got the following warning...

TITLE BAR: DVD-RAM DRIVE (D:)
MESSAGE: M:\ refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location.
OK BUTTON

I saw a similar warning yesterday morning which apparently had popped up over the night before. Drive M: is the C: drive on the infected machine as mapped on Computer 3. I am now suspicious that "something bad" might be happening on Computer 3 because I never asked to access Drive M:. Also when I received the first of these warnings yesterday, I went into Windows Explorer and "Disconnected Network Drive M:. After refreshing the explorer screen, the mapped Drive M: disappeared from the folder tree. After this morning's warning, I looked again and Drive M: has re-appeared in the Explorer folder tree, but DOES NOT appear in the Tools> Disconnect Network Drive Window. Do you think there might be something bad on Computer 3 that is trying to access Drive M: and copy malware files from the infected computer?

Or, am I just getting too paranoid now and there's some other harmless explanation for these warnings?

I look forward to your reply.
Tom

Blade81
2009-11-23, 20:13
Hi :)

1. Yes, you can use Win XP Pro SP3 media.
2. I wouldn't be worried. Especially, if there're not any clear symptoms there.

TomZT
2009-11-23, 20:30
Thanks Blade,

I will prepare the boot CD and let you know when I am ready!

Tom

TomZT
2009-11-24, 07:22
Hi Blade,

I am having some problems creating the UBCD (errors and warnings during the build). Apparently there are a few known snags and fixes needed when using a Dell XP CD as the build source. I'm getting some help over on the UBCD4WIN forum and will post back here when I get these problems straightened out. I hope you're enjoying the time off! <BG>

Tom

Blade81
2009-11-24, 07:40
Ok. Do you have some friend with non-Dell Win XP Pro SP2 (or 3) media to borrow if creating with the Dell version fails (better wait for what they say on the UBCD forum though)?

TomZT
2009-11-24, 07:56
Good morning Blade,

Yep! I can probably get my hands on a MS XP CD if I don't get the Dell CD to work. I thought it was worth fiddling around with a bit since the machine I'm trying to fix is a Dell too. I'll be back!

Have a great day! I'm going to bed!
Tom

TomZT
2009-11-25, 08:16
Hello Blade!

I finally have some good news to report. In fact I have GREAT news to report. I successfully created a UBCD Boot CD. After spending a lot of time and a lot of tries, I eventually gave up on using the DELL XP CD as the build source for the boot CD... too many problems in getting that to work. As you suggested, I borrowed a friend's MS XP CD to use as the source and the CD image file was created successfully on my first attempt. I don't know how familiar you are with the UBCD4WIN program but all I can say is "UBCD4WIN ROCKS!"

I can now start the problem machine from the CD and can access MyComputer, get to all the folders and files on the hard drive, with no passwords, and no more Blue Screens. The boot disk also includes a number of Plugins which make available a number of built in tools and utilities like ERUNT, HJT, etc. For the first time in two weeks now, I really feel like we may get this computer cleaned up and running again without formatting the drive and starting from scratch.

I also verified what I think probably caused the problem we had when we tried the ERUNT restore. As I mentioned in a previous post, I did in fact save my original ERUNT registry backup in a subfolder named 11_17_09_A, thinking I may want to try another backup later that day and save it in a folder like 11-17_09_B. So when we restored from C:Windows\erdnt\subs and then on the second try C:\Windows\erdnt\hiv-subs, we probably restored something other than my backup. I'm guessing we may have restored an ERUNT sample registry (with an Administrator Password) which normally would have been overwritten by my own backup had I put it in the right folder. Does this make sense?

I am ready to proceed again with your guidance and do look forward to your next reply!

Also, if you wouldn't mind... Can you explain why, when we first started out, we didn't begin by doing a regular Windows System Restore to a point prior to the date of infection? I've been wondering about that all along.

Tom

Blade81
2009-11-25, 08:33
Good to hear that you got the media created :)


I also verified what I think probably caused the problem we had when we tried the ERUNT restore. As I mentioned in a previous post, I did in fact save my original ERUNT registry backup in a subfolder named 11_17_09_A, thinking I may want to try another backup later that day and save it in a folder like 11-17_09_B. So when we restored from C:Windows\erdnt\subs and then on the second try C:\Windows\erdnt\hiv-subs, we probably restored something other than my backup. I'm guessing we may have restored an ERUNT sample registry (with an Administrator Password) which normally would have been overwritten by my own backup had I put it in the right folder. Does this make sense?
It's probably the correct one. Anyway, we may give one of those another try if needed.


Can you explain why, when we first started out, we didn't begin by doing a regular Windows System Restore to a point prior to the date of infection?
We didn't restore to an older point because those seldom work. Usually the infection has rendered them useless and the symptoms won't disappear.


Now that you have access to hard drive contents could you check c:\qoobox\quarantine\c\windows\system32\drivers folder to see if there's pciide.sys.vir file there?

TomZT
2009-11-25, 09:15
Hi Blade,

Yep! I checked that folder for the file (pciide.sys.vir) and it is there.

There is also another file there too (fad.sys.vir).

TomZT
2009-11-25, 09:21
Blade...

In checking other c:\qoobox\quarantine\...subfolders, I see quite a few files with the ".vir" extension.

Tom

Blade81
2009-11-25, 09:21
Hi

Click start->run->type cmd.exe and enter to access the command prompt. Then type the following command there:

copy /y c:\qoobox\quarantine\c\windows\system32\drivers\pciide.sys.vir c:\windows\system32\drivers\pciide.sys

Verify that the output says "1 file(s) copied" and if it does, reboot the system and see if it can start normally now.

Blade81
2009-11-25, 09:22
In checking other c:\qoobox\quarantine\...subfolders, I see quite a few files with the ".vir" extension.
That's normal. There are real bad items deleted too :)

TomZT
2009-11-25, 09:35
The command line
copy /y c:\qoobox\quarantine\c\windows\system32\drivers\pciide.sys.vir c:\windows\system32\drivers\pciide.sys
did not run.

Message says...
"Windows cannot find 'copy'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button and then click Search."

Should there be a ":" after the "c" between quarantine\ & \windows?

Blade81
2009-11-25, 09:42
No, those paths are correct. Input these commands first to make sure you're in c:\windows\system32:
c:
cd\windows\system32

TomZT
2009-11-25, 10:00
Sorry! My mistake... I did not first enter and run the "cmd.exe" to get to the dos type prompt.

When I tried again, I now come to the black DOS screen prompt...

X:\I386\system32>__ (Is the "X:\" because we're booted from the CD?)

Should I still type...
c:
cd windows\system32
And Then the command line: copy /y...

Blade81
2009-11-25, 10:06
The command should be runnable from that location too.

TomZT
2009-11-25, 10:08
I just ran the command from c:\windows\system32
1 file copied!

Shutting down now to try normal restart...

TomZT
2009-11-25, 10:24
Removed CD and shut down then back on...

Black screen with start mode options... I chose Normal

Windows started ... long welcome screen... then desktop and icons displayed...

Then two popup warnings...
TITLE BAR: RUNDLL
Error loading c:\windows\system32\diahema.dll
The specified module cannot be found.
OK
and...
TITLE BAR: RUNDLL
Error loading kodatewe.dll
The specified module cannot be found.
OK

Normal tray icons appeared but...
AVG Tray Icon has an Exclamation Point (maybe because updates not current?)

plus a Red Shield with balloon that says...
"Your computer might be at risk"
No firewall is turned on
AVG Anti-Virus Free is turned off
Click this balloon to fix this problem

Please Note: The machine is not connected to the network or internet

I have not clicked on either of the PopUps or the Balloon
Tom

Blade81
2009-11-25, 10:27
Hi,

That sounds normal since we're not finished cleaning yet. The main thing is that system booted now :)

Please run dds and post its log.

TomZT
2009-11-25, 10:30
Before running DDS,
Should I first click the OK on the two RUNDLL popups?
And should I click the Red Shield Balloon re the firewall warning?
PLMK
Tom

Blade81
2009-11-25, 10:32
You can close those two popups but ignore firewall related thing for now.

TomZT
2009-11-25, 11:05
Hi Blade,
Here is the new DDS log... DDS.txt
PLMK if you want me to post (or attach) the DDS_Attach.txt ???
Tom


DDS (Ver_09-10-26.01) - NTFSx86
Run by Tom McNeal at 2:41:07.46 on Wed 11/25/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.305 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Tom McNeal\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {107563d4-6b90-4055-8501-45cbeb7af0a6} - tevaziva.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
mRun: [11220814] c:\documents and settings\all users\application data\11220814\11220814.exe
mRun: [jepedonug] Rundll32.exe "c:\windows\system32\diyahema.dll",a
mRun: [jokimuruha] Rundll32.exe "kodatewe.dll",s
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1107516386875
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E} = 77.74.48.113
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: vuzuwuhif - {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
SSODL: jumikuwif - {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
STS: kupuhivus: {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
STS: kupuhivus: {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
LSA: Notification Packages = scecli cPRASO.dll kodatewe.dll lofiketo.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\drivers\jeppd.sys --> c:\windows\system32\drivers\JeppD.sys [?]

=============== Created Last 30 ================

2009-11-25 02:06:09 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2009-11-20 22:30:16 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-20 22:02:13 0 d-sha-r- C:\cmdcons
2009-11-20 21:54:56 98816 ----a-w- c:\windows\sed.exe
2009-11-20 21:54:56 77312 ----a-w- c:\windows\MBR.exe
2009-11-20 21:54:56 260608 ----a-w- c:\windows\PEV.exe
2009-11-20 21:54:56 161792 ----a-w- c:\windows\SWREG.exe
2009-11-20 21:54:19 0 d-s---w- C:\ComboFix
2009-11-17 21:29:33 1209915 --sh--w- c:\windows\system32\savohofu.exe
2009-11-11 21:00:25 0 d-----w- c:\program files\Trend Micro
2009-11-10 19:27:54 6456 ---ha-w- c:\windows\system32\virasuza
2009-11-10 06:45:05 95 ----a-w- c:\windows\wininit.ini
2009-11-10 02:58:33 52736 ----a-w- C:\luobk.exe
2009-11-10 02:58:20 0 --sha-w- C:\15226409
2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs
2009-11-05 16:01:25 0 d-----w- c:\program files\NZ Software

==================== Find3M ====================

2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2008-12-25 09:07:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat

============= FINISH: 2:43:23.35 ===============
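One way to pre-screen the load-point section of a DDS log for the kinds of entries that showed up in the report above, as an added example rather than a tool from this thread or from DDS/ComboFix itself. The heuristics (a DLL named without a directory, a "No File" orphan, a Run key that only calls Rundll32, an executable under Application Data, and LSA notification packages beyond the default scecli) are my own assumptions about what deserves a closer look; the sample lines are copied from the log posted above.

```python
"""Added example: triage heuristics for the 'Pseudo HJT Report' part of a DDS
log.  A hit only means "look closer"; the rootkit scan and the helper decide."""
import re

# uRun / mRun / dRunOnce lines: "mRun: [name] target [args]"
RUN_LINE = re.compile(r"^[umd]Run(?:Once)?:\s+\[([^\]]*)\]\s+(.+)$")
# Other load points use "prefix: description - target" with the target last.
OTHER_LOAD_POINTS = ("BHO:", "TB:", "EB:", "SSODL:", "STS:", "Notify:",
                     "uURLSearchHooks:", "mURLSearchHooks:")
# The only LSA notification package a stock Windows XP install registers
# (assumption for this example; adjust for your own baseline).
DEFAULT_LSA_PACKAGES = {"scecli"}


def _module_of(target):
    """Unwrap the file a target refers to, e.g. Rundll32.exe "x.dll",entry -> x.dll."""
    quoted = re.search(r'"([^"]+)"', target)
    return quoted.group(1) if quoted else target


def _is_bare_dll(target):
    """A .dll named with no directory is found via the DLL search path rather
    than a fixed location; kodatewe.dll and tevaziva.dll above look like this."""
    module = _module_of(target).lower()
    return module.endswith(".dll") and "\\" not in module


def classify_target(target):
    """Return the heuristic a load-point target trips, or None if it looks plain."""
    if target == "No File":
        return "no-file"            # registry points at something that is gone
    if _is_bare_dll(target):
        return "bare-dll"
    if target.lower().startswith("rundll32"):
        return "rundll32-run"       # a Run key whose only job is loading a DLL export
    if "\\application data\\" in target.lower():
        return "profile-appdata"    # executable living in a user-writable data dir
    return None


def triage(report):
    """Return (reason, entry) pairs for each suspicious line in a DDS report."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("LSA: Notification Packages"):
            for pkg in line.split("=", 1)[1].split():
                name = pkg.lower()
                name = name[:-4] if name.endswith(".dll") else name
                if name not in DEFAULT_LSA_PACKAGES:
                    findings.append(("lsa-package", pkg))
            continue
        m = RUN_LINE.match(line)
        if m:
            name, target = m.groups()
        elif line.startswith(OTHER_LOAD_POINTS) and " - " in line:
            name, target = line.rsplit(" - ", 1)
        else:
            continue
        reason = classify_target(target)
        if reason:
            findings.append((reason, name))
    return findings


# Sample lines copied from the DDS log posted in this thread (constructed subset).
SAMPLE = r"""
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [jepedonug] Rundll32.exe "c:\windows\system32\diyahema.dll",a
mRun: [jokimuruha] Rundll32.exe "kodatewe.dll",s
BHO: {107563d4-6b90-4055-8501-45cbeb7af0a6} - tevaziva.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
SSODL: jumikuwif - {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
LSA: Notification Packages = scecli cPRASO.dll kodatewe.dll lofiketo.dll
"""

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE):
        print(f"{reason:16} {entry}")
```

Note that the SSODL entry with a full system32 path is not flagged by these rules even though ComboFix later removed it; path-based heuristics are a starting point, not a verdict.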

Blade81
2009-11-25, 11:17
Hi,

I believe it's pretty late where you live so the following steps may be best left till later :)


Before we continue, delete old ComboFix.exe file on your desktop.


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu and select Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer


Download a fresh copy of ComboFix from one of these links to your desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


Disable antivirus protection and run ComboFix. Post back the resultant log & fresh dds log.

TomZT
2009-11-25, 18:35
Good Morning and Good Evening Blades!
You were right! I really did need some sleep!

Before I continue on...

As you know, I post most of the time from a good machine,
then when I have to post a log from the infected machine...
I disconnect my good machines from the router...
then reconnect the bad machine to the router with SpyBot/TeaTimer and AVG Resident Shield enabled to post the log...
Then disconnect the bad machine and reconnect the good machines.
(I've been leaving SpyBot/TT and AVG/RS running on the bad machine unless & until you instruct me to disable them before doing fixes.)

After "my nap", the bad machine is now displaying an AVG Window...
TITLE BAR: AVG Resident Shield Alert
Multiple Threat Detection:
FILE: c:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2090\A0051449.dll
INFECTION: Trojan horse BHO.JEW
RESULT: Infected (There are 6 instances - exactly the same)
BUTTONS: REMOVE SELECTED INFECTIONS/REMOVE ALL UNHEALED INFECTIONS/OR CLOSE

What (if anything?) should I do with this AVG Alert before I proceed with downloading and running a fresh ComboFix and a new DDS scan?

Blade81
2009-11-25, 18:51
Hi,

Ignore those AVG alerts for now. System restore will be cleaned a bit later.

TomZT
2009-11-25, 18:58
OK Blade!

I will just X out of the AVG alert window and proceed with your last instructions. I'll post again when done.

BTW When do you sleep?

Blade81
2009-11-25, 19:18
It's just 7.15pm here so I'll stay awake for the next 5 hrs or so :)

TomZT
2009-11-25, 22:50
Hi Blade,
I apologize for all the trouble I'm having and what may seem to be an excessive amount of caution.

Before downloading and running the Fresh ComboFix and the new DDS scan, I could no longer access the internet from the problem machine. I tried a restart and ControlPanel> Network Connection> Repair but neither one helped. Hopefully we can get this corrected later.

So I downloaded a Fresh ComboFix on a good machine and brought it over to the bad machine via CD. Then I ran both scans which appeared to complete normally.

Unfortunately, I can think of no other choice but to copy the logs to a CD on the bad machine and bring them over to a good machine to post. I understand there is some risk here!

I first viewed the CD making sure I was NOT Hiding Hidden files and folders or Hiding OS files and then scanned the CD with the TWO text files with Spybot and AVG; No threats were detected. I did notice though, that AVG reported scanning THREE OBJECTS instead of just the TWO text files. I'm wondering what the THIRD OBJECT might be.

Please let me know if you think it is safe to copy the text files from the CD to one of the good computers to get the logs posted???

Blade81
2009-11-25, 22:52
It's safe to copy those.

TomZT
2009-11-25, 23:01
Thanks again Blade for your help and your patience with me!

Here's the ComboFix Log:

ComboFix 09-11-25.01 - Tom McNeal 11/25/2009 12:13.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.427 [GMT -6:00]
Running from: c:\documents and settings\Tom McNeal\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Shared
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\11220814\11220814.bat
c:\documents and settings\All Users\Application Data\11220814\11220814.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Documents\ZbThumbnail.info
c:\documents and settings\Tom McNeal\Local Settings\Application Data\ogolyy\lwyesysguard.exe
c:\program files\INSTALL.LOG
c:\program files\Shared\_lib.sig
c:\program files\Shared\lib.sig
c:\windows\cPRASO.dll
c:\windows\system32\dezojoyi.exe
c:\windows\system32\diyahema.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\pciide.sys
c:\windows\system32\fonemike.dll
c:\windows\system32\gobewowi.dll
c:\windows\system32\hasijale.exe
c:\windows\system32\iehelper.dll
c:\windows\system32\jehezaho.dll.tmp
c:\windows\system32\keneruwo.dll
c:\windows\system32\kodatewe.dll
c:\windows\system32\lofiketo.dll
c:\windows\system32\lokimoli.exe
c:\windows\system32\mubaruve.exe
c:\windows\system32\sutatuzu.dll
c:\windows\system32\tevaziva.dll
c:\windows\system32\vahafeku.dll.tmp
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\yajigozo.exe
c:\windows\system32\yosezezu.dll.tmp
c:\windows\system32\zayezeru.dll
C:\ydlcgx.exe

-- Previous Run --

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

--------

.
((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.

2009-11-25 02:06 . 2001-08-17 19:51 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2009-11-20 22:30 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-17 21:29 . 2009-11-17 21:29 1209915 --sh--w- c:\windows\system32\savohofu.exe
2009-11-11 21:00 . 2009-11-11 21:00 -------- d-----w- c:\program files\Trend Micro
2009-11-11 17:36 . 2009-11-11 17:36 -------- d-----w- c:\program files\ERUNT
2009-11-10 02:58 . 2009-11-10 02:58 52736 ----a-w- C:\luobk.exe
2009-11-06 19:00 . 2009-11-06 19:00 -------- d-----w- C:\spoolerlogs
2009-11-05 16:01 . 2009-11-05 16:01 -------- d-----w- c:\program files\NZ Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 04:04 . 2003-03-19 06:02 97424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 16:01 . 2003-03-19 05:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-27 05:06 . 2005-02-04 06:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-27 04:47 . 2008-12-24 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-27 04:40 . 2008-12-24 18:53 -------- d-----w- c:\program files\Microsoft Works
2009-10-27 03:19 . 2008-06-25 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-11 14:18 . 2002-08-29 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-24 01:32 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-02-25 684032]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-18 282624]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-10 1948440]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-3-18 45056]
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2006-6-26 61440]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-10 06:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [7/9/2009 11:53 PM 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2009 11:52 PM 298776]
S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\Google\Update\GoogleUpdate.exe [6/4/2009 8:42 AM 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 4:45 AM 13088]
S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\Drivers\JeppD.sys --> c:\windows\system32\Drivers\JeppD.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2003-07-25 c:\windows\Tasks\FRU Task 2002-06-04 23:12ewlett-Packardeskjet4E8BF07F6DE51996434C1696D032A924550.job
- c:\program files\Hewlett-Packard\upapp\hpqfruv.exe [2002-06-04 22:12]

2009-11-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 14:40]

2009-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]

2009-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]

2009-11-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-15 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.taxidermy.net/forum/index.php?PHPSESSID=7f0b92f066d537238560b422c507423a&board=14.0
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
TCP: {9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E} = 77.74.48.113
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{107563d4-6b90-4055-8501-45cbeb7af0a6} - tevaziva.dll
HKCU-Run-kfqcaekj - c:\documents and settings\Tom McNeal\Local Settings\Application Data\ogolyy\lwyesysguard.exe
HKLM-Run-kfqcaekj - c:\documents and settings\Tom McNeal\Local Settings\Application Data\ogolyy\lwyesysguard.exe
HKLM-Run-11220814 - c:\documents and settings\All Users\Application Data\11220814\11220814.exe
HKLM-Run-jepedonug - c:\windows\system32\diyahema.dll
HKLM-Run-jokimuruha - kodatewe.dll
SharedTaskScheduler-{68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
SharedTaskScheduler-{c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
SSODL-vuzuwuhif-{68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
SSODL-jumikuwif-{c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
AddRemove-BCM V.92 56K Modem - c:\windows\BCMSMU.exe quiet



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 12:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83B5A170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf764cf28
\Driver\ACPI -> ACPI.sys @ 0xf75bfcb8
\Driver\atapi -> atapi.sys @ 0xf7551852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf745dbb0
PacketIndicateHandler -> NDIS.sys @ 0xf744ca0d
SendHandler -> NDIS.sys @ 0xf7460b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(744)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(236)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-25 12:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-25 18:47

Pre-Run: 19,906,727,936 bytes free
Post-Run: 19,863,654,400 bytes free

- - End Of File - - 75085D53AD29566D718D8ACE5D6146C5

===========================================
AND THE NEW DDS LOG
===========================================


DDS (Ver_09-10-26.01) - NTFSx86
Run by Tom McNeal at 12:55:29.79 on Wed 11/25/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.361 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Tom McNeal\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.taxidermy.net/forum/index.php?PHPSESSID=7f0b92f066d537238560b422c507423a&board=14.0
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1107516386875
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E} = 77.74.48.113
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\drivers\jeppd.sys --> c:\windows\system32\drivers\JeppD.sys [?]

=============== Created Last 30 ================

2009-11-25 18:47:57 54156 ---ha-w- c:\windows\QTFont.qfn
2009-11-25 18:47:57 1409 ----a-w- c:\windows\QTFont.for
2009-11-25 02:06:09 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2009-11-20 22:30:16 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-20 22:02:13 0 d-sha-r- C:\cmdcons
2009-11-20 21:54:56 98816 ----a-w- c:\windows\sed.exe
2009-11-20 21:54:56 77312 ----a-w- c:\windows\MBR.exe
2009-11-20 21:54:56 260608 ----a-w- c:\windows\PEV.exe
2009-11-20 21:54:56 161792 ----a-w- c:\windows\SWREG.exe
2009-11-17 21:29:33 1209915 --sh--w- c:\windows\system32\savohofu.exe
2009-11-11 21:00:25 0 d-----w- c:\program files\Trend Micro
2009-11-10 19:27:54 6456 ---ha-w- c:\windows\system32\virasuza
2009-11-10 06:45:05 95 ----a-w- c:\windows\wininit.ini
2009-11-10 02:58:33 52736 ----a-w- C:\luobk.exe
2009-11-10 02:58:20 0 --sha-w- C:\15226409
2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs
2009-11-05 16:01:25 0 d-----w- c:\program files\NZ Software

==================== Find3M ====================

2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2008-12-25 09:07:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat

============= FINISH: 12:57:06.20 ===============

Blade81
2009-11-25, 23:26
Hi again,


Open Notepad and copy/paste the text in the quote box below into it:



File::
c:\windows\system32\savohofu.exe
C:\luobk.exe
c:\windows\system32\virasuza
C:\15226409
DDS::
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.2) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).


Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Tick the box next to YES, I accept the Terms of Use.
Click Start
Make sure that the option Remove found threats is UNchecked.
Click Scan
Wait for the scan to finish
Post back the report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.

TomZT
2009-11-25, 23:34
Thanks Blade,

I will work my way through the above steps. Some of this will be difficult (especially the last one - Online Scanner from ESET) without being able to connect with the internet from the problem machine.

Do you have any suggestions how I can restore the internet connection?

Blade81
2009-11-25, 23:42
Hi,

Does device manager (right click "my computer" and select properties, then device manager in opened window) show any exclamation marks on network related devices?

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the quote box into a new file:



@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
ping -n 2 google.com
route print
)
start Log1.txt
del %0



Go to the File menu at the top of the Notepad and select Save as.
Select save in: desktop
Fill in File name: test.bat
Save as type: All file types (*.*)
Click save.
Close the Notepad.
Locate and double-click test.bat on the desktop.
A Notepad window opens; copy and paste its content (log1.txt) into your reply.

TomZT
2009-11-26, 00:53
Does device manager (right click "my computer" and select properties, then device manager in opened window) show any exclamation marks on network related devices?

The only "Network Related Devices" I see are Network Adapters. There is only one such device listed...

Broadcom 440x 10/100 Integrated Controller (Right Click>Properties Reports - "This device is working properly")

I see NO EXCLAMATION MARKS!

RE: TEST.BAT....
A Notepad window opens; copy and paste its content (log1.txt) into your reply.

Windows IP Configuration

Host Name . . . . . . . . . . . . : D8TNGL21
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.il.comcast.net.

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : hsd1.il.comcast.net.
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-0B-DB-0E-50-AE
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.32
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 77.74.48.113
Lease Obtained. . . . . . . . . . : Wednesday, November 25, 2009 4:31:39 PM
Lease Expires . . . . . . . . . . : Monday, January 18, 2038 9:14:07 PM

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 77.74.48.113

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Ping request could not find host google.com. Please check the name and try again.

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x20002 ...00 0b db 0e 50 ae ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.32      20
          127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        192.168.2.0    255.255.255.0     192.168.2.32    192.168.2.32      20
       192.168.2.32  255.255.255.255        127.0.0.1       127.0.0.1      20
      192.168.2.255  255.255.255.255     192.168.2.32    192.168.2.32      20
          224.0.0.0        240.0.0.0     192.168.2.32    192.168.2.32      20
    255.255.255.255  255.255.255.255     192.168.2.32    192.168.2.32       1
Default Gateway:       192.168.2.1
===========================================================================
Persistent Routes:
None
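As an added example, not part of the thread, here is a Python reading of the Log1.txt output posted above. It parses the ipconfig /all fields, checks whether each DNS server sits on the local subnet or is the default gateway, and records the nslookup timeout, the ping name-resolution failure and the length of the DHCP lease. The sample log is a constructed excerpt of the output above; the checks and the 365-day lease threshold are this example's own, and a DNS server that is off the LAN is something to verify against the ISP's published resolvers rather than a verdict by itself.

```python
"""Read the Log1.txt produced by the test.bat above and point out what stands out.

Added example, not part of the forum thread. Parses the ipconfig /all fields,
checks whether each DNS server is on the local subnet or is the gateway, and
records the nslookup timeout, the ping name-resolution failure and the length
of the DHCP lease. The checks and the 365-day threshold are this example's own.
"""
import ipaddress
import re
from datetime import datetime
from typing import Dict, List

# Constructed excerpt of the Log1.txt output posted above (some fields trimmed).
SAMPLE_LOG = """\
Windows IP Configuration
Host Name . . . . . . . . . . . . : D8TNGL21
Node Type . . . . . . . . . . . . : Hybrid
Ethernet adapter Local Area Connection:
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.32
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 77.74.48.113
Lease Obtained. . . . . . . . . . : Wednesday, November 25, 2009 4:31:39 PM
Lease Expires . . . . . . . . . . : Monday, January 18, 2038 9:14:07 PM
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 77.74.48.113
Ping request could not find host google.com. Please check the name and try again.
"""

# "Key . . . . : value" lines; the key stops at the first dot or colon
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z\- ]*?)\s*[. ]*:\s*(?P<value>.*)$")
IP_ONLY_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LEASE_FMT = "%A, %B %d, %Y %I:%M:%S %p"  # English ipconfig date layout


def parse_fields(log: str) -> Dict[str, List[str]]:
    """Map each 'Key . . . : value' line to its values; a bare IP on the line
    after 'DNS Servers' is a continuation (ipconfig lists extra servers that way)."""
    fields: Dict[str, List[str]] = {}
    last_key = None
    for raw in log.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group("key").strip(), m.group("value").strip()
            fields.setdefault(key, [])
            if value:
                fields[key].append(value)
            last_key = key
        elif last_key == "DNS Servers" and IP_ONLY_RE.match(line):
            fields[last_key].append(line)
        else:
            last_key = None
    return fields


def analyse(log: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    f = parse_fields(log)
    findings: List[str] = []
    # ip_interface accepts the dotted netmask form that ipconfig prints
    iface = ipaddress.ip_interface(f"{f['IP Address'][0]}/{f['Subnet Mask'][0]}")
    gateway = ipaddress.ip_address(f["Default Gateway"][0])
    for server in f.get("DNS Servers", []):
        dns = ipaddress.ip_address(server)
        if dns not in iface.network and dns != gateway:
            findings.append(
                f"DNS server {dns} is neither on {iface.network} nor the gateway "
                f"{gateway}; verify it against the ISP's published resolvers"
            )
    if "DNS request timed out" in log:
        findings.append("nslookup: the configured DNS server did not answer within the timeout")
    if "could not find host" in log:
        findings.append("ping: failed at name resolution, not at IP connectivity, "
                        "so the link itself may be fine")
    try:
        obtained = datetime.strptime(f["Lease Obtained"][0], LEASE_FMT)
        expires = datetime.strptime(f["Lease Expires"][0], LEASE_FMT)
        days = (expires - obtained).days
        if days > 365:
            findings.append(f"DHCP lease lasts {days} days, far longer than a home "
                            "router normally hands out")
    except (KeyError, IndexError, ValueError):
        pass  # lease lines absent or printed in another locale's date format
    return findings


if __name__ == "__main__":
    for item in analyse(SAMPLE_LOG):
        print("-", item)
```

On the posted output this yields four findings: the DNS server is off the 192.168.2.0/24 network and is not the router, nslookup got no answer from it, ping failed before it could send a packet, and the lease runs until 2038. Read together they say the machine has a working link and address but cannot resolve names, which matches the symptom of "no internet" while the adapter reports it is working properly.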

TomZT
2009-11-26, 06:02
Hi Blade,

I still cannot connect to the internet with the problem machine. I hope the info I posted above will help you assist me with getting back on-line.

Meanwhile, I've been working through your last set of instructions and done what I can without the internet connection by using my other good machine and bringing the tools and log reports back and forth via CD.

The CFScript, dragged onto the ComboFix icon, resulted in the log copied below.

I removed the old Adobe Reader programs and a number of other programs that were rarely used. When I can access the internet again, I will download the latest version of Adobe Reader.

I downloaded and ran the Adobe Uninstall Flash Player program. The uninstaller completed successfully but did not remove Adobe Flash Player 10 ActiveX. Maybe this is the latest version? I will check when I can get back on the internet.

I downloaded and ran the ATF Cleaner.

I did NOT run the ESET On-line Scanner but will do so when I can get back on the internet.

I ran a fresh DDS scan and that log is also copied below.
==========================================================
Here is the CFScript ComboFix log (ComboFixCFS_log.txt)

ComboFix 09-11-25.01 - Tom McNeal 11/25/2009 17:47.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.418 [GMT -6:00]
Running from: c:\documents and settings\Tom McNeal\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom McNeal\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"C:\15226409"
"C:\luobk.exe"
"c:\windows\system32\savohofu.exe"
"c:\windows\system32\virasuza"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\15226409
C:\luobk.exe
c:\windows\system32\savohofu.exe
c:\windows\system32\virasuza

.
((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.

2009-11-25 02:06 . 2001-08-17 19:51 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2009-11-20 22:30 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-11 21:00 . 2009-11-11 21:00 -------- d-----w- c:\program files\Trend Micro
2009-11-11 17:36 . 2009-11-11 17:36 -------- d-----w- c:\program files\ERUNT
2009-11-06 19:00 . 2009-11-06 19:00 -------- d-----w- C:\spoolerlogs
2009-11-05 16:01 . 2009-11-05 16:01 -------- d-----w- c:\program files\NZ Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 04:04 . 2003-03-19 06:02 97424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 16:01 . 2003-03-19 05:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-27 05:06 . 2005-02-04 06:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-27 04:47 . 2008-12-24 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-27 04:40 . 2008-12-24 18:53 -------- d-----w- c:\program files\Microsoft Works
2009-10-27 03:19 . 2008-06-25 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-11 14:18 . 2002-08-29 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-24 01:32 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-25_18.32.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-09-03 19:45 . 2009-11-25 19:26 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2002-09-03 19:45 . 2009-11-25 18:30 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2002-09-03 19:45 . 2009-11-25 19:26 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-09-03 19:45 . 2009-11-25 18:30 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-09-03 19:45 . 2009-11-25 19:26 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2002-09-03 19:45 . 2009-11-25 18:30 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-02-25 684032]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-18 282624]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-10 1948440]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-3-18 45056]
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2006-6-26 61440]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-10 06:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [7/9/2009 11:53 PM 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2009 11:52 PM 298776]
S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\Google\Update\GoogleUpdate.exe [6/4/2009 8:42 AM 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 4:45 AM 13088]
S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\Drivers\JeppD.sys --> c:\windows\system32\Drivers\JeppD.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - RSVP
.
Contents of the 'Scheduled Tasks' folder

2003-07-25 c:\windows\Tasks\FRU Task 2002-06-04 23:12ewlett-Packardeskjet4E8BF07F6DE51996434C1696D032A924550.job
- c:\program files\Hewlett-Packard\upapp\hpqfruv.exe [2002-06-04 22:12]

2009-11-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 14:40]

2009-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]

2009-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]

2009-11-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-15 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.taxidermy.net/forum/index.php?PHPSESSID=7f0b92f066d537238560b422c507423a&board=14.0
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
TCP: {9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E} = 77.74.48.113
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 18:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83B5A170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7627f28
\Driver\ACPI -> ACPI.sys @ 0xf759acb8
\Driver\atapi -> atapi.sys @ 0xf752c852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7438bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7427a0d
SendHandler -> NDIS.sys @ 0xf743bb40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\WININET.dll
.
Completion time: 2009-11-25 18:10
ComboFix-quarantined-files.txt 2009-11-26 00:10
ComboFix2.txt 2009-11-25 18:47

Pre-Run: 19,888,361,472 bytes free
Post-Run: 19,845,648,384 bytes free

- - End Of File - - 73C00CF1B4C6C1D25A34E8B06379C74D
====================================================
Here is the latest DDS log (DDS_4.txt)


DDS (Ver_09-10-26.01) - NTFSx86
Run by Tom McNeal at 21:02:18.01 on Wed 11/25/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.410 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Tom McNeal\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.taxidermy.net/forum/index.php?PHPSESSID=7f0b92f066d537238560b422c507423a&board=14.0
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1107516386875
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E} = 77.74.48.113
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\drivers\jeppd.sys --> c:\windows\system32\drivers\JeppD.sys [?]

=============== Created Last 30 ================

2009-11-26 00:21:08 0 d-----w- c:\windows\system32\appmgmt
2009-11-25 02:06:09 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2009-11-20 22:30:16 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-20 22:02:13 0 d-sha-r- C:\cmdcons
2009-11-20 21:54:56 98816 ----a-w- c:\windows\sed.exe
2009-11-20 21:54:56 77312 ----a-w- c:\windows\MBR.exe
2009-11-20 21:54:56 260608 ----a-w- c:\windows\PEV.exe
2009-11-20 21:54:56 161792 ----a-w- c:\windows\SWREG.exe
2009-11-11 21:00:25 0 d-----w- c:\program files\Trend Micro
2009-11-10 06:45:05 95 ----a-w- c:\windows\wininit.ini
2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs
2009-11-05 16:01:25 0 d-----w- c:\program files\NZ Software

==================== Find3M ====================

2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2008-12-25 09:07:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat

============= FINISH: 21:03:54.71 ===============

Blade81
2009-11-26, 08:19
Hi,

Two questions. Was the connection working after we had gotten the system working after that bsod problem? Trying to narrow down the moment the connection was lost. Have you tried to reboot to see if that could make the connection work?

TomZT
2009-11-26, 18:04
Hi,

Two questions. Was the connection working after we had gotten the system working after that bsod problem? Trying to narrow down the moment the connection was lost. Have you tried to reboot to see if that could make the connection work?

Hi Blade,

First allow me to send you my best Thanksgiving Day Wishes! (Today is the day we celebrate and pause to give thanks for our blessings.)

I am not sure what you mean by "...that bsod problem" However, this may help...

The last time I could access the internet from the bad machine was when I posted a DDS scan log... (Post # 60 - from the bad machine)

This was just before you suggested I get some sleep! (Post # 61). I then disconnected the bad machine from the internet (our router) but left it running and went to bed. When I awoke later that morning I posted about the 2 AVG Resident Shield Warnings displayed on the bad machine (Post # 62 - from a good machine).

You said "Ignore those warnings for now..." (Post # 63) and I acknowledged saying I would proceed with your last instructions (Post #64 - from a good machine).

I then re-connected the bad machine to download the Fresh ComboFix file but found I could not access the internet from the bad machine. I have not been able to connect to the internet from the bad machine ever since.

I then posted about the internet problem (Post #66 - from a good machine) and all subsequent downloads, posts, and logs have been from a good machine using CD's to get the files back and forth.

I have rebooted the bad machine a number of times... (No change) I've also checked...
MyComputer>Properties>Hardware>Device Manager>Network Connections (No exclamation marks)... The network adapter Broadcom 440x 10/100 Integrated Controller (reported to be working correctly)... and run the Network Connection Repair from Control Panel but still can't connect to the internet.

Did you see anything wrong in the "Testbat" report log I posted? (post # 72)

I do get the feeling that we're getting close to cleaning up the bad machine (???) except for the internet connection. Hope this helps!

TomZT
2009-11-26, 18:11
I also clicked on Troubleshoot the Network Device.

I did not try "Roll Back" Driver as I've never installed an updated driver...

I also checked the driver name and version and verified it's location...
C:\Windows\System32\Drivers

Do you think something may have corrupted the driver?

Blade81
2009-11-26, 18:19
Hi,


I am not sure what you mean by "...that bsod problem"
Sorry, I'm so used to the term bsod for blue screen of death (that error screen with a blue background). Should have used a more understandable name.

Could you run that test.bat (http://forums.spybot.info/showpost.php?p=348759&postcount=71) in that system with connection working and then post back the log it creates, please?

TomZT
2009-11-26, 18:29
Hi,

Sorry, I'm so used to the term bsod for blue screen of death (that error screen with a blue background). Should have used a more understandable name.

Could you run that test.bat (http://forums.spybot.info/showpost.php?p=348759&postcount=71) in that system with connection working and then post back the log it creates, please?

BSOD eh? That's funny!

Here is the testbat report from the good machine...

Windows IP Configuration

Host Name . . . . . . . . . . . . : jzp9011
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.il.comcast.net.

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : hsd1.il.comcast.net.
Description . . . . . . . . . . . : Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4)
Physical Address. . . . . . . . . : 00-04-5A-50-F1-B6
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.14
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
Lease Obtained. . . . . . . . . . : Wednesday, November 25, 2009 8:00:07 PM
Lease Expires . . . . . . . . . . : Monday, January 18, 2038 9:14:07 PM

Server: UnKnown
Address: 192.168.2.1

Name: google.com
Addresses: 74.125.67.100, 74.125.53.100, 74.125.45.100

Pinging google.com [74.125.45.100] with 32 bytes of data:

Reply from 74.125.45.100: bytes=32 time=49ms TTL=49
Reply from 74.125.45.100: bytes=32 time=51ms TTL=49

Ping statistics for 74.125.45.100:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 49ms, Maximum = 51ms, Average = 50ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 04 5a 50 f1 b6 ...... Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4) - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.14 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.2.0 255.255.255.0 192.168.2.14 192.168.2.14 20
192.168.2.14 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.2.255 255.255.255.255 192.168.2.14 192.168.2.14 20
224.0.0.0 240.0.0.0 192.168.2.14 192.168.2.14 20
255.255.255.255 255.255.255.255 192.168.2.14 192.168.2.14 1
Default Gateway: 192.168.2.1
===========================================================================
Persistent Routes:
None

Blade81
2009-11-26, 18:55
Ok. Problem is with DNS server settings. Non working one has this bad DNS:

DNS Servers . . . . . . . . . . . : 77.74.48.113

while working one has:


DNS Servers . . . . . . . . . . . : 192.168.2.1


Let's try to get correct one for non-working one too:

In the windows control panel. If you are using Windows XP's Category
View, select the Network and Internet Connections category otherwise
double click on Network Connections. Then right click on your default
connection, usually local area connection for cable and dsl, and left
click on properties. Click the Networking tab. Double-click on the
Internet Protocol (TCP/IP) item and select the radio dial that says
Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems
Next Go start run type cmd and hit OK
type ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)
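
The diagnosis above rests on one comparison: the infected machine's resolver (77.74.48.113, also visible in the DDS log's "TCP:" line) is a public Internet address, while the working machine's resolver is its own router (192.168.2.1). The script below is an added example, not part of the thread and not code from DDS, ipconfig or Malwarebytes. It parses a DDS "TCP:" line and an "ipconfig /all" adapter section in the formats posted here and flags any resolver that is neither inside the adapter's own subnet nor on an allowlist you supply. The sample inputs are constructed from values quoted in the thread; the infected machine's own adapter address, mask and gateway were never posted and are assumed. The script runs nothing and changes nothing; the fix itself is the "Obtain DNS servers automatically" setting and ipconfig /flushdns described above.

```python
r"""Flag a hijacked DNS resolver setting (DNSChanger pattern).

Added example; not code from DDS, ipconfig or any tool named in the thread.
DDS's 'TCP:' line prints the per-interface NameServer registry value, the same
value Malwarebytes later quarantined; ipconfig shows what the live stack uses.
"""
import ipaddress
import re

# Constructed sample inputs, built from values quoted in the thread.
DDS_LOG = r"""
TCP: {9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E} = 77.74.48.113
Notify: avgrsstarter - avgrsstx.dll
"""

IPCONFIG_GOOD = """
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.2.14
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 192.168.2.1
"""

# The infected machine's section was not posted; only its resolver value was.
# Address, mask and gateway here are assumptions.
IPCONFIG_BAD = """
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.2.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 77.74.48.113
"""

DDS_TCP_RE = re.compile(r"^TCP:\s*(\{[0-9A-Fa-f-]+\})\s*=\s*(.+?)\s*$", re.M)
IPCONFIG_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$")


def dns_from_dds(text):
    """Map each interface GUID in a DDS 'TCP:' line to its NameServer list.
    The registry value may hold several addresses, comma or space separated."""
    found = {}
    for guid, value in DDS_TCP_RE.findall(text):
        found[guid.lower()] = [v for v in re.split(r"[,\s]+", value) if v]
    return found


def adapter_from_ipconfig(text):
    """Pull address, mask, gateway and DNS servers out of one adapter section.
    Extra resolvers appear on unlabeled continuation lines after 'DNS Servers'."""
    info = {"dns": []}
    current = None
    for line in text.splitlines():
        match = IPCONFIG_FIELD_RE.match(line)
        if match:
            current = match.group(1).strip().lower()
            value = match.group(2).strip()
            if current == "ip address":
                info["ip"] = value
            elif current == "subnet mask":
                info["mask"] = value
            elif current == "default gateway":
                info["gateway"] = value
            elif current == "dns servers":
                info["dns"].append(value)
        elif current == "dns servers" and line.strip():
            info["dns"].append(line.strip())
    return info


def classify(dns_servers, gateway=None, mask=None, trusted=()):
    """Return [(server, verdict)]: 'ok' when inside the adapter's subnet or on
    the allowlist, 'suspect' when routable on the Internet and not allowlisted,
    'check' when private but off-subnet (a VPN or corporate resolver)."""
    local = None
    if gateway and mask:
        local = ipaddress.ip_network(f"{gateway}/{mask}", strict=False)
    allow = {ipaddress.ip_address(t) for t in trusted}
    verdicts = []
    for server in dns_servers:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            verdicts.append((server, "unparseable"))
            continue
        if ip in allow or (local is not None and ip in local):
            verdicts.append((server, "ok"))
        elif ip.is_global:
            verdicts.append((server, "suspect"))
        else:
            verdicts.append((server, "check"))
    return verdicts


def audit(dds_text, ipconfig_text, trusted=()):
    """Merge the registry view (DDS) and the live view (ipconfig), de-duplicate
    preserving order, and classify against the adapter's own subnet."""
    adapter = adapter_from_ipconfig(ipconfig_text)
    servers = list(adapter["dns"])
    for guid_servers in dns_from_dds(dds_text).values():
        servers.extend(guid_servers)
    unique = list(dict.fromkeys(servers))
    return classify(unique, adapter.get("gateway"), adapter.get("mask"), trusted)


if __name__ == "__main__":
    print("working machine:", audit("", IPCONFIG_GOOD))
    print("infected machine:", audit(DDS_LOG, IPCONFIG_BAD))
```

A public resolver is not proof of compromise on its own (an ISP's or a chosen public resolver is legitimate), which is why the allowlist is a parameter; the signal in this thread is a public resolver that nobody configured on a DHCP client whose gateway also serves DNS.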

TomZT
2009-11-26, 18:59
Must the bad machine be re-connected to the network in order to accomplish your last suggestion?

Blade81
2009-11-26, 19:01
Yes to be able to see if fix has any effect.

TomZT
2009-11-26, 19:05
OK I will sign off this machine... disconnect the good machines... and connect the bad machine and post the results.

I am still afraid to connect the bad machine to our network with any of the other good machines connected.

TomZT
2009-11-26, 19:26
That worked great!

The DNS servers radio button was not set to Automatic; it was set to use the bad 77.74.48.113.

As soon as I flushed the DNS, the Windows Automatic Update button appeared so I knew I was connected. IE connected fine and I am posting now from the bad machine.

Thanks again! "You da' man Blades!"

What's next? Should I just continue now with the online ESET scan and the Adobe Reader and Flash updates? Or go back for a fresh ComboFix, ATF, and DDS scan first?

Blade81
2009-11-26, 19:52
Good to hear that helped :)


Should I just continue now with the online ESET scan and the Adobe Reader and Flash updates?
Yes, let's carry out these things at this point. Also, let's run GMER after that.

Download GMER (http://www.gmer.net) here by clicking the "download exe" button and then saving it to your desktop:
Double-click .exe that you downloaded
Click rootkit-tab and then scan.
Don't check the Show All box while scanning is in progress!
When scanning is ready, click Copy.
This copies log to clipboard.
Please save log into a file and attach the file to your reply.

TomZT
2009-11-26, 21:33
Hi Blade,

I installed the latest versions of Adobe Reader and Flash Player.

But I was UNABLE to run the ESET Online Scan. I followed the ESET prompts to set up the scanner but when it downloaded the Virus Signature Database (Step 2 of 4), I got an UNEXPECTED ERROR 2002 message. The configuration seemed to hang up there. When I pressed the BACK button to try to download the Virus DB a second time, a report popped up "Scan Complete" but all 0's. Files scanned = 0, etc.

I used the ESET Uninstall on Exit option and tried again from scratch, but still the same error message at the end of the Virus DB download. I looked over the ESET FAQs and Help page but found no info on the 2002 Error Message.

Have you ever seen this before or have any ideas on what might be causing this?

My Internet Explorer is setup with both an AVG and a Google Toolbar. Could these toolbars prevent the installation, DB download, and successful ESET scan? Or perhaps certain Internet Security Options?

Do you have any suggestions on getting the ESET Scan to work or should I just proceed on to the GMER TOOL?

Blade81
2009-11-26, 22:08
Hi,

It seems either ESET is having issues or something else. Another user I'm helping elsewhere just reported about the same error.

Let's use Malwarebytes' Anti-Malware instead (other instructions remain same).

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

TomZT
2009-11-26, 22:50
Hi Blade,
Here is the MBAM report...
This explains why I couldn't get on the internet!!!
=====================================
Malwarebytes' Anti-Malware 1.41
Database version: 3238
Windows 5.1.2600 Service Pack 3

11/26/2009 2:35:02 PM
mbam-log-2009-11-26 (14-35-02).txt

Scan type: Quick Scan
Objects scanned: 116999
Time elapsed: 5 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{df058c45-cd18-453e-8745-5a77f60722ab} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5a33c35-7298-4d15-8753-a2e851e2eab3} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d2b812-752d-4af1-a2fb-968c4d8446db} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e856b973-45fd-4559-8f82-eab539144667} (Adware.Gdown) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{9ca51fd6-a243-4faf-bc05-eee2defc690e}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\GTDownDE_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.

Blade81
2009-11-26, 23:43
Hi,

To make sure you understood this one correctly:

Let's use Malwarebytes' Anti-Malware instead (other instructions remain same).

I still want GMER scan to be done :)

TomZT
2009-11-26, 23:58
Sorry, I was confused...

GMER Scan is running on the bad computer...

Do you still want another DDS scan Log?

Blade81
2009-11-27, 00:02
Do you still want another DDS scan Log?
Not at this point :)

Gonna see that GMER log and make a decision of the next steps after that.

TomZT
2009-11-27, 00:03
OK Blade!
I'll post the GMER scan as soon as it's finished

TomZT
2009-11-27, 02:59
Hi Blade,

Here is the GMER scan results... For such a loooong scan, I was expecting a bigger report. I hope that's because it was looking very closely and there wasn't much left to find!

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-26 18:44:53
Windows 5.1.2600 Service Pack 3
Running: kfps4pjg.exe; Driver: C:\DOCUME~1\TOMMCN~1\LOCALS~1\Temp\fwdoapog.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat B486FD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\00000210 -> \Driver\atapi \Device\Harddisk0\DR0 83B5A170

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Blade81
2009-11-27, 07:33
Hi,

That went fine :). Reboot your system using bootcd created earlier.

When booted with the CD, access the command prompt. Then type the following two commands (each line is one command; press Enter after each one):
copy /y C:\windows\system32\drivers\atapi.sys C:\atapi.sys.vir
exit

Reboot back to normal mode.

After that upload following file to http://www.virustotal.com and post back the results:
C:\atapi.sys.vir

TomZT
2009-11-27, 08:32
Hi,

That went fine :). Reboot your system using bootcd created earlier.

When booted with the CD, access the command prompt. Then type the following two commands (each line is one command; press Enter after each one):
copy /y C:\windows\system32\drivers\atapi.sys C:\atapi.sys.vir
exit

Reboot back to normal mode.

After that upload following file to http://www.virustotal.com and post back the results:
C:\atapi.sys.vir

Good morning Blades,
Accomplished the above... Here are the results...

File atapi.sys.vir received on 2009.11.27 06:20:22 (UTC)
Result: 12/41 (29.27%)


Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.11.27 Rootkit.Win32.TDSS!IK
AhnLab-V3 5.0.0.2 2009.11.27 -
AntiVir 7.9.1.79 2009.11.26 -
Antiy-AVL 2.0.3.7 2009.11.27 -
Authentium 5.2.0.5 2009.11.26 -
Avast 4.8.1351.0 2009.11.26 -
AVG 8.5.0.426 2009.11.26 -
BitDefender 7.2 2009.11.27 -
CAT-QuickHeal 10.00 2009.11.27 Rootkit.TDSS.y
ClamAV 0.94.1 2009.11.27 -
Comodo 3051 2009.11.27 -
DrWeb 5.0.0.12182 2009.11.27 BackDoor.Tdss.1133
eSafe 7.0.17.0 2009.11.26 -
eTrust-Vet 35.1.7145 2009.11.27 -
F-Prot 4.5.1.85 2009.11.26 -
F-Secure 9.0.15370.0 2009.11.24 -
Fortinet 4.0.14.0 2009.11.27 -
GData 19 2009.11.27 -
Ikarus T3.1.1.74.0 2009.11.27 Rootkit.Win32.TDSS
Jiangmin 11.0.800 2009.11.27 Rootkit.TDSS.cwf
K7AntiVirus 7.10.905 2009.11.25 -
Kaspersky 7.0.0.125 2009.11.27 Rootkit.Win32.TDSS.y
McAfee 5814 2009.11.26 -
McAfee+Artemis 5814 2009.11.26 -
McAfee-GW-Edition 6.8.5 2009.11.27 -
Microsoft 1.5302 2009.11.26 Virus:Win32/Alureon.C
NOD32 4640 2009.11.26 Win32/Olmarik.PV
Norman 6.03.02 2009.11.25 W32/TDSS.drv.gen2
nProtect 2009.1.8.0 2009.11.26 Trojan/W32.Rootkit.96512.D
Panda 10.0.2.2 2009.11.26 -
PCTools 7.0.3.5 2009.11.27 -
Prevx 3.0 2009.11.27 Medium Risk Malware
Rising 22.23.04.03 2009.11.27 -
Sophos 4.48.0 2009.11.27 -
Sunbelt 3.2.1858.2 2009.11.26 -
Symantec 1.4.4.12 2009.11.27 -
TheHacker 6.5.0.2.079 2009.11.26 -
TrendMicro 9.100.0.1001 2009.11.27 -
VBA32 3.12.12.0 2009.11.27 Rootkit.Win32.TDSL
ViRobot 2009.11.27.2057 2009.11.27 -
VirusBuster 5.0.21.0 2009.11.26 -
Additional information
File size: 96512 bytes
MD5...: 23a5d11a9d87374466748f4eb1b6be82
SHA1..: 17ab6e11b8307e888a11808de45a8e893aab0673
SHA256: bb4b081f5f0b328ce14dd6c308e68c16db0eb9c74d59eb74d8af1319bb6aad82
ssdeep: 1536:twXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0u9:tQ+N74vkEZIxMohjsimBoDTRMBwFktZ+

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x167a4
timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708
.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3e0 0x400 6.10 252605c67663982c400fac25a6e36150
.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress
> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
http://info.prevx.com/aboutprogramtext.asp?PX5=7EFDCA54002458B979D801FAFEE1BA00EFE7066A
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Blade81
2009-11-27, 08:36
Good :) Time to introduce next tool.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
atapi.sys


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

TomZT
2009-11-27, 08:48
Here is the SystemLook Report...

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 00:41 on 27/11/2009 by Tom McNeal (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\I386\atapi.sys --a--- 87040 bytes [15:16 24/03/2003] [23:31 16/10/2002] 3DF589B9A15FF9EF4AA499F98C1C16D5
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [04:49 25/12/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [18:42 25/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys ------ 96512 bytes [07:27 29/08/2002] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

Blade81
2009-11-27, 08:51
Hi,

Time to reboot from bootcd again and use command prompt for these commands:
copy /y C:\WINDOWS\ServicePackFiles\i386\atapi.sys C:\windows\system32\drivers\atapi.sys
exit

Then reboot back into normal mode and run GMER. Post back the results.
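
The SystemLook result above is the interesting part of this exchange: read from inside Windows, C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys reports the same MD5 (9F3A2F5A...) as the pristine ServicePackFiles copy, yet the copy of that same file taken from the boot CD (C:\atapi.sys.vir) hashed to 23a5d11a... and was detected as TDSS/Alureon. A live read and an offline read that disagree is consistent with a kernel-mode rootkit serving a clean image of its own host file, which is why GMER reported a "suspicious modification" and why the restore is done from the boot CD. The script below is an added example, not part of the thread and not code from SystemLook or GMER; it parses SystemLook "filefind" lines in the format posted, takes the offline copy's MD5 as an argument, and applies that comparison. The sample log, paths and hashes are copied from the post above; which copies count as a trusted reference is an explicit choice, explained in the code.

```python
r"""Tell a hidden driver modification from a visible one.

Added example; not code from SystemLook or GMER.  Reference copies are chosen
deliberately: the ServicePackFiles copy matches the installed service pack,
the I386 and $NtServicePackUninstall$ copies are older builds (different sizes
in the log), and the ERDNT cache is a backup taken on the infected machine.
"""
import hashlib
import re

# Constructed sample: the SystemLook output posted above.
SYSTEMLOOK_LOG = r"""
Searching for "atapi.sys"
C:\I386\atapi.sys --a--- 87040 bytes [15:16 24/03/2003] [23:31 16/10/2002] 3DF589B9A15FF9EF4AA499F98C1C16D5
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [04:49 25/12/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [18:42 25/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys ------ 96512 bytes [07:27 29/08/2002] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-
"""

LIVE_PATH = r"C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys"
REFERENCE_PATHS = [r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys"]
# MD5 VirusTotal reported for C:\atapi.sys.vir, the copy made from the boot CD.
OFFLINE_MD5 = "23a5d11a9d87374466748f4eb1b6be82"

SYSTEMLOOK_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_systemlook(text):
    """Return {lower-cased path: {'size', 'md5', 'modified'}} per filefind hit."""
    entries = {}
    for line in text.splitlines():
        match = SYSTEMLOOK_RE.match(line.strip())
        if match:
            entries[match["path"].lower()] = {
                "size": int(match["size"]),
                "md5": match["md5"].lower(),
                "modified": match["modified"],
            }
    return entries


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 of a file read in chunks; use it on the copy taken from the boot CD."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def assess_driver(systemlook_text, live_path, offline_md5, reference_paths):
    """Compare the running system's view of a driver with an offline read.

    clean                 live and offline hashes both equal a reference copy
    hidden_modification   live view equals the reference but the offline copy
                          differs: the running kernel is serving a clean image
                          of the file (the GMER 'suspicious modification' case)
    visible_modification  live hash differs from every reference copy
    """
    entries = parse_systemlook(systemlook_text)
    live = entries.get(live_path.lower())
    if live is None:
        return {"verdict": "not_found"}
    refs = [p for p in reference_paths if p.lower() in entries]
    if not refs:
        return {"verdict": "no_reference"}
    ref_md5s = {entries[p.lower()]["md5"] for p in refs}
    live_ok = live["md5"] in ref_md5s
    offline_ok = offline_md5.lower() in ref_md5s
    if live_ok and offline_ok:
        verdict = "clean"
    elif live_ok:
        verdict = "hidden_modification"
    else:
        verdict = "visible_modification"
    result = {"verdict": verdict, "live_md5": live["md5"], "offline_md5": offline_md5.lower()}
    if verdict != "clean":
        # The thread runs this from the boot CD so the live kernel is not in
        # the I/O path; that is the only place the copy can be trusted.
        result["restore_command"] = f"copy /y {refs[0]} {live_path}"
    return result


if __name__ == "__main__":
    print(assess_driver(SYSTEMLOOK_LOG, LIVE_PATH, OFFLINE_MD5, REFERENCE_PATHS))
```

On the posted data this returns hidden_modification with the same copy command the helper gave. After the restore, a second offline hash of the driver should equal the reference, which is the check the fresh GMER scan then confirms from the live side.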

TomZT
2009-11-27, 11:54
Hi,

Time to reboot from bootcd again and use command prompt for these commands:
copy /y C:\WINDOWS\ServicePackFiles\i386\atapi.sys C:\windows\system32\drivers\atapi.sys
exit

Then reboot back into normal mode and run GMER. Post back the results.

Hi Blades,

Accomplished the above.... Here are the results of the fresh GMER scan...

======================================================

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-27 03:49:49
Windows 5.1.2600 Service Pack 3
Running: kfps4pjg.exe; Driver: C:\DOCUME~1\TOMMCN~1\LOCALS~1\Temp\fwdoapog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Blade81
2009-11-27, 13:48
Good. Now there're two things to do: run ComboFix again and post back its log along with a fresh dds log. Let me know how's the system running.

TomZT
2009-11-27, 18:42
Good. Now there're two things to do: run ComboFix again and post back its log along with a fresh dds log. Let me know how's the system running.

Good morning / Good evening Blades!

Accomplished the above instructions... Logs are copied below...

QUESTION: When I started ComboFix, a message box popped up saying "A newer update is available. Update now? YES/NO"... I clicked YES and then thought, "I wonder if this is a real update or a fraudulent modification of ComboFix???" (CF appeared to run normally.) Do you believe this was a valid CF update?

QUESTION: Do you want me to paste (or attach) the DDS_Attach Log?

The system appears to be running pretty good except for Windows Security Alert in Tray... "AVG A/V is out of date!" (I have not run or updated AVG or SpyBot for awhile.) Windows Automatic Updates are also turned off.

Tom
==================================
ComboFix Log
==================================
ComboFix 09-11-26.02 - Tom McNeal 11/27/2009 9:51.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.333 [GMT -6:00]
Running from: c:\documents and settings\Tom McNeal\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-27 00:06 . 2008-04-13 18:40 96512 ----a-w- C:\atapi.sys.vir
2009-11-26 20:25 . 2009-11-26 20:25 -------- d-----w- c:\documents and settings\Tom McNeal\Application Data\Malwarebytes
2009-11-26 20:25 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 20:25 . 2009-11-26 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 20:25 . 2009-11-26 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 20:25 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 18:07 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Tom McNeal\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-26 18:05 . 2009-11-26 18:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-26 18:03 . 2009-11-26 18:03 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-26 18:03 . 2009-11-26 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-25 02:06 . 2001-08-17 19:51 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2009-11-20 22:30 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-11 21:00 . 2009-11-11 21:00 -------- d-----w- c:\program files\Trend Micro
2009-11-11 17:36 . 2009-11-11 17:36 -------- d-----w- c:\program files\ERUNT
2009-11-06 19:00 . 2009-11-06 19:00 -------- d-----w- C:\spoolerlogs
2009-11-05 16:01 . 2009-11-05 16:01 -------- d-----w- c:\program files\NZ Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 18:06 . 2005-03-22 02:19 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-26 01:07 . 2005-09-12 16:32 -------- d-----w- c:\program files\Google
2009-11-26 00:59 . 2003-03-19 05:59 -------- d-----w- c:\program files\Corel
2009-11-26 00:51 . 2006-06-26 20:20 -------- d-----w- c:\program files\Panasonic
2009-11-26 00:51 . 2006-06-26 20:29 -------- d-----w- c:\documents and settings\Tom McNeal\Application Data\Panasonic
2009-11-26 00:49 . 2003-03-24 15:59 -------- d-----w- c:\program files\Hewlett-Packard
2009-11-26 00:45 . 2003-03-19 05:57 -------- d-----w- c:\program files\Britannica
2009-11-26 00:45 . 2003-03-19 05:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-26 00:21 . 2009-01-13 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-10 04:04 . 2003-03-19 06:02 97424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-27 05:06 . 2005-02-04 06:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-27 04:47 . 2008-12-24 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-27 04:40 . 2008-12-24 18:53 -------- d-----w- c:\program files\Microsoft Works
2009-10-27 03:19 . 2008-06-25 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-11 14:18 . 2002-08-29 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-25_18.32.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-28 18:02 . 2009-08-30 18:27 88589 c:\windows\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
+ 2009-11-26 18:12 . 2009-11-26 18:12 88589 c:\windows\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
+ 2002-09-03 19:45 . 2009-11-27 06:10 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2002-09-03 19:45 . 2009-11-25 18:30 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2002-09-03 19:45 . 2009-11-25 18:30 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-09-03 19:45 . 2009-11-27 06:10 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-09-03 19:45 . 2009-11-27 06:10 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2002-09-03 19:45 . 2009-11-25 18:30 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2009-11-26 18:07 . 2009-11-26 18:07 21504 c:\windows\Installer\7f5af5.msi
+ 2009-11-26 18:05 . 2009-11-26 18:05 27648 c:\windows\Installer\7f5aeb.msi
+ 2009-11-26 18:07 . 2009-11-26 18:07 3940352 c:\windows\Installer\7f5af0.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-02-25 684032]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-18 282624]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-10 1948440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-3-18 45056]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-10 06:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [7/9/2009 11:53 PM 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2009 11:52 PM 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 4:45 AM 13088]
S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\Google\Update\GoogleUpdate.exe [6/4/2009 8:42 AM 133104]
S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\Drivers\JeppD.sys --> c:\windows\system32\Drivers\JeppD.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - fwdoapog
.
Contents of the 'Scheduled Tasks' folder

2003-07-25 c:\windows\Tasks\FRU Task 2002-06-04 23:12ewlett-Packardeskjet4E8BF07F6DE51996434C1696D032A924550.job
- c:\program files\Hewlett-Packard\upapp\hpqfruv.exe [2002-06-04 22:12]

2009-11-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 14:40]

2009-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]

2009-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]

2009-11-27 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-15 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://forums.spybot.info/forumdisplay.php?f=22
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 10:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-27 10:05
ComboFix-quarantined-files.txt 2009-11-27 16:05
ComboFix2.txt 2009-11-26 00:10
ComboFix3.txt 2009-11-25 18:47

Pre-Run: 20,230,172,672 bytes free
Post-Run: 20,207,677,440 bytes free

- - End Of File - - 78F338B5766500ED5A375984C93014CD

=================================
DDS Log
=================================

DDS (Ver_09-10-26.01) - NTFSx86
Run by Tom McNeal at 10:13:22.95 on Fri 11/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.311 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Tom McNeal\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://forums.spybot.info/forumdisplay.php?f=22
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1107516386875
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\drivers\jeppd.sys --> c:\windows\system32\drivers\JeppD.sys [?]

=============== Created Last 30 ================

2009-11-27 00:06:27 96512 ----a-w- C:\atapi.sys.vir
2009-11-26 20:25:20 0 d-----w- c:\docume~1\tommcn~1\applic~1\Malwarebytes
2009-11-26 20:25:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 20:25:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 20:25:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 20:25:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-26 00:21:08 0 d-----w- c:\windows\system32\appmgmt
2009-11-25 02:06:09 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2009-11-20 22:30:16 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-20 22:02:13 0 d-sha-r- C:\cmdcons
2009-11-20 21:54:56 98816 ----a-w- c:\windows\sed.exe
2009-11-20 21:54:56 77312 ----a-w- c:\windows\MBR.exe
2009-11-20 21:54:56 260608 ----a-w- c:\windows\PEV.exe
2009-11-20 21:54:56 161792 ----a-w- c:\windows\SWREG.exe
2009-11-11 21:00:25 0 d-----w- c:\program files\Trend Micro
2009-11-10 06:45:05 95 ----a-w- c:\windows\wininit.ini
2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs
2009-11-05 16:01:25 0 d-----w- c:\program files\NZ Software

==================== Find3M ====================

2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2008-12-25 09:07:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat

============= FINISH: 10:13:47.87 ===============

Blade81
2009-11-27, 18:52
Do you believe this was a valid CF Update?
Yes, CF checks for an available update before it runs.


QUESTION: Do you want me to paste (or attach) the DDS_Attach Log?
Won't need attach.txt anymore :)

C:\atapi.sys.vir can be deleted. How is your system running now?

TomZT
2009-11-27, 19:14
As per my previous post...

"The system appears to be running pretty good except for Windows Security Alert in Tray... "AVG A/V is out of date!" (I have not run or updated AVG or SpyBot for awhile.) Windows Automatic Updates are also turned off."

Did you mean you want me to Delete: C:\atapi.sys.vir ... and then tell you again "how the system is running?" after that???

Also... when we searched for all instances of "atapi.sys" it was found in 5 or 6 locations. Then we replaced the bad one with a good one we copied from the C:\....ServicePackFolder. Is there a possibility that any of the other instances/locations could be copies of the bad "atapi.sys"?

Blade81
2009-11-27, 20:13
As per my previous post...

"The system appears to be running pretty good except for Windows Security Alert in Tray... "AVG A/V is out of date!" (I have not run or updated AVG or SpyBot for awhile.) Windows Automatic Updates are also turned off."
Sorry, seems that I paid too much attention to those two bolded questions of yours and missed this.

See if you're able to get AVG and Spybot updated now. Better let Windows Automatic Updates be until we've finished the cleaning process.


Is there a possibility that any of the other instances/locations could be copies of the bad "atapi.sys"?
One should never say it's impossible, but what is important is that the healthy copy is in the location we put the file in. There's nothing to worry about :)
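For anyone who would rather verify the remaining copies than guess, here is an added example (not from this thread or from any of the tools used in it): it hashes every atapi.sys under a Windows directory and compares each one with the copy in ServicePackFiles, which is the reference the thread used. The directory layout and file contents below are constructed demo data in a temporary folder, not a real XP install; on the real machine you would call audit_copies with the root and reference paths of that system. A patched driver can keep its original size, so the comparison is on SHA-256 digests, not sizes.

```python
import hashlib
import os
import tempfile

DRIVER_NAME = "atapi.sys"
# The demo files are all the same size, to show that size alone cannot
# tell a patched copy from a clean one (constructed value, demo only).
SAMPLE_SIZE = 96512


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_copies(root, name=DRIVER_NAME):
    """Every file under root named `name`, matched case-insensitively as NTFS does."""
    wanted = name.lower()
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for filename in files:
            if filename.lower() == wanted:
                hits.append(os.path.join(dirpath, filename))
    return sorted(hits)


def audit_copies(root, reference, name=DRIVER_NAME):
    """Compare each copy of `name` under root with the known-good reference file.

    Returns {path: {"size": int, "sha256": str, "matches": bool}}.
    """
    reference_hash = sha256_of(reference)
    report = {}
    for path in find_copies(root, name):
        digest = sha256_of(path)
        report[path] = {
            "size": os.path.getsize(path),
            "sha256": digest,
            "matches": digest == reference_hash,
        }
    return report


def suspicious(report):
    """Paths whose content differs from the reference, sorted for stable output."""
    return sorted(path for path, info in report.items() if not info["matches"])


def build_demo_tree(base=None):
    """Constructed sample layout (demo data only) mimicking where XP keeps driver copies.

    Returns (root, reference_path). Four copies equal the reference; one is a
    same-size copy with a few bytes altered, standing in for a patched driver.
    """
    if base is None:
        base = tempfile.mkdtemp(prefix="atapi_audit_")
    root = os.path.join(base, "WINDOWS")
    clean = (b"MZ" + bytes(range(256)) * (SAMPLE_SIZE // 256))[:SAMPLE_SIZE]
    patched = clean[:0x1000] + b"PATCHED!" + clean[0x1000 + 8:]
    assert len(patched) == len(clean)
    layout = {
        ("ServicePackFiles", "i386", "atapi.sys"): clean,          # reference
        ("system32", "drivers", "atapi.sys"): clean,               # live driver
        ("system32", "dllcache", "atapi.sys"): clean,              # WFP cache
        ("$NtServicePackUninstall$", "ATAPI.SYS"): clean,          # upper case on purpose
        ("system32", "ReinstallBackups", "atapi.sys"): patched,    # the odd one out
    }
    for parts, content in layout.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(content)
    reference = os.path.join(root, "ServicePackFiles", "i386", "atapi.sys")
    return root, reference


if __name__ == "__main__":
    demo_root, demo_reference = build_demo_tree()
    for path, info in audit_copies(demo_root, demo_reference).items():
        flag = "ok      " if info["matches"] else "MISMATCH"
        print(f"{flag} {info['size']:>7} {info['sha256'][:16]}... {path}")
    print("suspicious:", suspicious(audit_copies(demo_root, demo_reference)))
```

Any copy reported as a mismatch deserves a closer look; a mismatch in dllcache or the service pack folder matters more than one in a stale backup, since those are the copies Windows File Protection restores from.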

TomZT
2009-11-27, 20:29
I will try to update AVG and SpyBot and reply with results.

Please advise when I should start and enable the SpyBot and AVG Resident Shields?

One thing I noticed in IE7... When logging on to the Malware Removal Forum, after the page loads... the bottom left corner of the IE screen shows... "Done, But with errors on page." I do not see this on other Websites I've tried. Is this a problem with the forum's page? Or a problem with my Computer or IE settings?

Blade81
2009-11-27, 21:10
Hi,

You can enable Spybot and AVG resident shield after we've finished.


One thing I noticed in IE7... When logging on to the Malware Removal Forum, after the page loads... the bottom left corner of the IE screen shows... "Done, But with errors on page." I do not see this on other Websites I've tried. Is this a problem with the forum's page? Or a problem with my Computer or IE settings?
You don't have to worry about that error message. It also happens on one of my machines with IE7.

TomZT
2009-11-27, 21:14
I will try to update AVG and SpyBot and reply with results.

Please advise when I should start and enable the SpyBot and AVG Resident Shields?

One thing I noticed in IE7... When logging on to the Malware Removal Forum, after the page loads... the bottom left corner of the IE screen shows... "Done, But with errors on page." I do not see this on other Websites I've tried. Is this a problem with the forum's page? Or a problem with my Computer or IE settings?

Hi again Blades,

I have updated Spybot successfully but I have not yet run a Spybot Scan or enabled Spybot's SDhelper or Teatimer.

I was not able to update AVG. I can open the AVG User Interface but when I click UPDATE NOW, the display shows Searching for updates... but nothing happens. Seems to be hanging here. I tried restart, after setting update on restart, but that did not help. Do you think the infection could have disabled or misdirected AVG's Update feature? Any suggestions for this?

I look forward to your reply!

Blade81
2009-11-27, 21:22
The infection may have harmed the AVG installation. Better try to reinstall it.

TomZT
2009-11-27, 23:24
The infection may have harmed the AVG installation. Better try to reinstall it.

Just when I think we're getting close... More problems!

I cannot re-install fresh AVG Free 9.0. First I used Windows' Add/Remove Programs to uninstall the current AVG Free 8.5. When completed, the message said "You must Restart to Complete the Removal" and to press DETAIL to view unsuccessful items. Details showed... Action Failed: file avgmfx86.sys. Windows' Search did not find any file named "avgmfx86.sys".

After restart, AVG Desktop and Start Menu Icons were removed. Add/Remove programs no longer shows AVG 8.5 to remove.

But the START>ALL PROGRAMS>AVG Free Edition program group was still there. Selecting AVG Control Center, Virus Vault, or Test Center, displayed "Bad Shortcut" but Selecting Uninstall AVG from the Program Group, displayed, "Searching for setup.exe" with a Browse Button. If you just wait nothing happens and the window disappears. I didn't press Browse because there are probably many "setup.exe" files on the system and I wouldn't know which to choose.

Windows Explorer still shows (in... C:\Program Files...) the AVG Free Folder & Subfolders (not much in there) and in the Grisoft Folder an older version AVG 7.0 with just an AVG install exe file.

I downloaded AVG 9.0 from the free.avg.com site and was redirected for the download to Cnet. I downloaded and ran the AVG installation but after copying files got a message saying "Some potentially incompatible software is currently installed on this computer (OLE (Part 1 of 5)). Click the Uninstall Software button to launch Windows Add/Remove Programs to uninstall the incompatible software." The Add/Remove Programs screen did not show the OLE program.

Restarted and downloaded a fresh AVG install exe program and got the same results.

I'm stuck again and apologize for all the trouble I'm having!

Blade81
2009-11-27, 23:47
This (http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe) removal tool from AVG is worth trying.

TomZT
2009-11-27, 23:52
This (http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe) removal tool from AVG is worth trying.

Thank you much Blade!

I will close out of what I'm doing here on this machine and reconnect the infected computer to download the AVG removal tool. I will post my results.

I do appreciate your assistance!
Tom

TomZT
2009-11-28, 01:05
Thank you much Blade!

I will close out of what I'm doing here on this machine and reconnect the infected computer to download the AVG removal tool. I will post my results.

I do appreciate your assistance!
Tom

Hi Blade,

I tried the AVG removal tool. It launched a black dos cmd window with two lines showing...

2009-11-27 22:01:14 WARN AvgDir param empty
2009-11-27 22:01:14 WARN AvgDataDir param empty

...and a message box that said, "This application will remove AVG from your computer. This can require one or more restarts during the cleaning process. Please save all work and close all other applications. Do you want to continue?" I clicked Yes. The program ran, created an "avgremoval.log", and then closed.

I then restarted the computer and tried to install the new version again and had the same results...

Installation stopped to warn of "Potentially Incompatible Software (OLE (Part 1 of 5)). Do you want to uninstall this software?... Options...
SKIP (Not recommended!) or UNINSTALL the software.

(Uninstall goes nowhere... Can't find the OLE software.)

I then went into Windows Explorer and manually deleted all AVG folders, restarted, and ran the AVG removal tool again. It ran like before, created a log and closed. I've copied that log (avgremoval.log) below.

Then restarted the computer and tried to install AVG again. Same results. I fear something is preventing the installation of AVG. Do you think I should try the SKIP (Not recommended) option?

The AVG removal log is below... Hope this helps!
====================================
2009-11-27 22:35:21,890 DEBUG Avg9Uninstall\Directories key failed to open (error: e0010013)
2009-11-27 22:35:21,921 DEBUG Avg8Uninstall\Directories key failed to open (error: e0010013)
2009-11-27 22:35:21,921 DEBUG Reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir (x86) value failed (error: e001003d)
2009-11-27 22:35:21,921 WARN AvgDir param empty.
2009-11-27 22:35:21,921 WARN AvgDataDir param empty.
2009-11-27 22:35:34,703 INFO AvgRemover runs in attempt number 1
2009-11-27 22:35:34,703 INFO ***** Services *****
2009-11-27 22:35:34,703 INFO Processing service avg8emc
2009-11-27 22:35:34,718 INFO Service avg8emc is not installed
2009-11-27 22:35:34,718 DEBUG Service avg8emc RegCleanup
2009-11-27 22:35:34,734 DEBUG Registry keys for service avg8emc are not present
2009-11-27 22:35:34,734 INFO Processing service avgfws8
2009-11-27 22:35:34,734 INFO Service avgfws8 is not installed
2009-11-27 22:35:34,734 DEBUG Service avgfws8 RegCleanup
2009-11-27 22:35:34,734 DEBUG Registry keys for service avgfws8 are not present
2009-11-27 22:35:34,734 INFO Processing service avg8wd
2009-11-27 22:35:34,734 INFO Service avg8wd is not installed
2009-11-27 22:35:34,734 DEBUG Service avg8wd RegCleanup
2009-11-27 22:35:34,734 DEBUG Registry keys for service avg8wd are not present
2009-11-27 22:35:34,734 INFO Processing service AvgWFPx
2009-11-27 22:35:34,734 INFO Service AvgWFPx is not installed
2009-11-27 22:35:34,734 DEBUG Service AvgWFPx RegCleanup
2009-11-27 22:35:34,734 DEBUG Registry keys for service AvgWFPx are not present
2009-11-27 22:35:34,734 INFO Processing service AvgWFPa
2009-11-27 22:35:34,734 INFO Service AvgWFPa is not installed
2009-11-27 22:35:34,734 DEBUG Service AvgWFPa RegCleanup
2009-11-27 22:35:34,734 DEBUG Registry keys for service AvgWFPa are not present
2009-11-27 22:35:34,734 INFO Processing service AvgMfx86
2009-11-27 22:35:34,734 INFO Service AvgMfx86 is not installed
2009-11-27 22:35:34,734 DEBUG Service AvgMfx86 RegCleanup
2009-11-27 22:35:34,734 DEBUG Registry keys for service AvgMfx86 are not present
2009-11-27 22:35:34,734 INFO Processing service AvgMfx64
2009-11-27 22:35:34,734 INFO Service AvgMfx64 is not installed
2009-11-27 22:35:34,734 DEBUG Service AvgMfx64 RegCleanup
2009-11-27 22:35:34,734 DEBUG Registry keys for service AvgMfx64 are not present
2009-11-27 22:35:34,734 INFO Processing service AvgLdx86
2009-11-27 22:35:34,734 INFO Service AvgLdx86 is not installed
2009-11-27 22:35:34,734 DEBUG Service AvgLdx86 RegCleanup
2009-11-27 22:35:34,734 DEBUG Registry keys for service AvgLdx86 are not present
2009-11-27 22:35:34,734 INFO Processing service AvgLdx64
2009-11-27 22:35:34,734 INFO Service AvgLdx64 is not installed
2009-11-27 22:35:34,734 DEBUG Service AvgLdx64 RegCleanup
2009-11-27 22:35:34,734 DEBUG Registry keys for service AvgLdx64 are not present
2009-11-27 22:35:34,734 INFO Processing service AvgTdiX
2009-11-27 22:35:34,734 INFO Service AvgTdiX is not installed
2009-11-27 22:35:34,734 DEBUG Service AvgTdiX RegCleanup
2009-11-27 22:35:34,734 DEBUG Registry keys for service AvgTdiX are not present
2009-11-27 22:35:34,734 INFO Processing service AvgTdiA
2009-11-27 22:35:34,750 INFO Service AvgTdiA is not installed
2009-11-27 22:35:34,750 DEBUG Service AvgTdiA RegCleanup
2009-11-27 22:35:34,750 DEBUG Registry keys for service AvgTdiA are not present
2009-11-27 22:35:34,750 INFO Processing service AvgRkx86
2009-11-27 22:35:34,750 INFO Service AvgRkx86 is not installed
2009-11-27 22:35:34,750 DEBUG Service AvgRkx86 RegCleanup
2009-11-27 22:35:34,750 DEBUG Registry keys for service AvgRkx86 are not present
2009-11-27 22:35:34,750 INFO Processing service AvgRkx64
2009-11-27 22:35:34,750 INFO Service AvgRkx64 is not installed
2009-11-27 22:35:34,750 DEBUG Service AvgRkx64 RegCleanup
2009-11-27 22:35:34,750 DEBUG Registry keys for service AvgRkx64 are not present
2009-11-27 22:35:34,750 INFO Processing service avg9emc
2009-11-27 22:35:34,750 INFO Service avg9emc is not installed
2009-11-27 22:35:34,750 DEBUG Service avg9emc RegCleanup
2009-11-27 22:35:34,750 DEBUG Registry keys for service avg9emc are not present
2009-11-27 22:35:34,750 INFO Processing service avgfws9
2009-11-27 22:35:34,750 INFO Service avgfws9 is not installed
2009-11-27 22:35:34,750 DEBUG Service avgfws9 RegCleanup
2009-11-27 22:35:34,750 DEBUG Registry keys for service avgfws9 are not present
2009-11-27 22:35:34,750 INFO Processing service avg9wd
2009-11-27 22:35:34,750 INFO Service avg9wd is not installed
2009-11-27 22:35:34,750 DEBUG Service avg9wd RegCleanup
2009-11-27 22:35:34,750 DEBUG Registry keys for service avg9wd are not present
2009-11-27 22:35:34,750 INFO Processing service AVGIDSAgent
2009-11-27 22:35:34,750 INFO Service AVGIDSAgent is not installed
2009-11-27 22:35:34,750 DEBUG Service AVGIDSAgent RegCleanup
2009-11-27 22:35:34,750 DEBUG Registry keys for service AVGIDSAgent are not present
2009-11-27 22:35:34,750 INFO Processing service AVGIDSShimxpx
2009-11-27 22:35:34,750 INFO Service AVGIDSShimxpx is not installed
2009-11-27 22:35:34,750 DEBUG Service AVGIDSShimxpx RegCleanup
2009-11-27 22:35:34,750 DEBUG Registry keys for service AVGIDSShimxpx are not present
2009-11-27 22:35:34,750 INFO Processing service AVGIDSFilterxpx
2009-11-27 22:35:34,750 INFO Service AVGIDSFilterxpx is not installed
2009-11-27 22:35:34,750 DEBUG Service AVGIDSFilterxpx RegCleanup
2009-11-27 22:35:34,750 DEBUG Registry keys for service AVGIDSFilterxpx are not present
2009-11-27 22:35:34,750 INFO Processing service AVGIDSDriverxpx
2009-11-27 22:35:34,750 INFO Service AVGIDSDriverxpx is not installed
2009-11-27 22:35:34,750 DEBUG Service AVGIDSDriverxpx RegCleanup
2009-11-27 22:35:34,750 DEBUG Registry keys for service AVGIDSDriverxpx are not present
2009-11-27 22:35:34,750 INFO Processing service AVGIDSShimvtx
2009-11-27 22:35:34,750 INFO Service AVGIDSShimvtx is not installed
2009-11-27 22:35:34,750 DEBUG Service AVGIDSShimvtx RegCleanup
2009-11-27 22:35:34,750 DEBUG Registry keys for service AVGIDSShimvtx are not present
2009-11-27 22:35:34,750 INFO Processing service AVGIDSFiltervtx
2009-11-27 22:35:34,750 INFO Service AVGIDSFiltervtx is not installed
2009-11-27 22:35:34,750 DEBUG Service AVGIDSFiltervtx RegCleanup
2009-11-27 22:35:34,750 DEBUG Registry keys for service AVGIDSFiltervtx are not present
2009-11-27 22:35:34,750 INFO Processing service AVGIDSDrivervtx
2009-11-27 22:35:34,765 INFO Service AVGIDSDrivervtx is not installed
2009-11-27 22:35:34,765 DEBUG Service AVGIDSDrivervtx RegCleanup
2009-11-27 22:35:34,765 DEBUG Registry keys for service AVGIDSDrivervtx are not present
2009-11-27 22:35:34,765 INFO Processing service AVGIDSFiltervta
2009-11-27 22:35:34,765 INFO Service AVGIDSFiltervta is not installed
2009-11-27 22:35:34,765 DEBUG Service AVGIDSFiltervta RegCleanup
2009-11-27 22:35:34,765 DEBUG Registry keys for service AVGIDSFiltervta are not present
2009-11-27 22:35:34,765 INFO Processing service AVGIDSDrivervta
2009-11-27 22:35:34,765 INFO Service AVGIDSDrivervta is not installed
2009-11-27 22:35:34,765 DEBUG Service AVGIDSDrivervta RegCleanup
2009-11-27 22:35:34,765 DEBUG Registry keys for service AVGIDSDrivervta are not present
2009-11-27 22:35:34,765 INFO Processing service AVGIDSShimw7x
2009-11-27 22:35:34,765 INFO Service AVGIDSShimw7x is not installed
2009-11-27 22:35:34,765 DEBUG Service AVGIDSShimw7x RegCleanup
2009-11-27 22:35:34,765 DEBUG Registry keys for service AVGIDSShimw7x are not present
2009-11-27 22:35:34,765 INFO Processing service AVGIDSFilterw7x
2009-11-27 22:35:34,765 INFO Service AVGIDSFilterw7x is not installed
2009-11-27 22:35:34,765 DEBUG Service AVGIDSFilterw7x RegCleanup
2009-11-27 22:35:34,765 DEBUG Registry keys for service AVGIDSFilterw7x are not present
2009-11-27 22:35:34,765 INFO Processing service AVGIDSDriverw7x
2009-11-27 22:35:34,765 INFO Service AVGIDSDriverw7x is not installed
2009-11-27 22:35:34,765 DEBUG Service AVGIDSDriverw7x RegCleanup
2009-11-27 22:35:34,765 DEBUG Registry keys for service AVGIDSDriverw7x are not present
2009-11-27 22:35:34,765 INFO Processing service AVGIDSFilterw7a
2009-11-27 22:35:34,765 INFO Service AVGIDSFilterw7a is not installed
2009-11-27 22:35:34,765 DEBUG Service AVGIDSFilterw7a RegCleanup
2009-11-27 22:35:34,765 DEBUG Registry keys for service AVGIDSFilterw7a are not present
2009-11-27 22:35:34,765 INFO Processing service AVGIDSDriverw7a
2009-11-27 22:35:34,765 INFO Service AVGIDSDriverw7a is not installed
2009-11-27 22:35:34,765 DEBUG Service AVGIDSDriverw7a RegCleanup
2009-11-27 22:35:34,765 DEBUG Registry keys for service AVGIDSDriverw7a are not present
2009-11-27 22:35:34,765 INFO Processing service AVGIDSErHrxpx
2009-11-27 22:35:34,765 INFO Service AVGIDSErHrxpx is not installed
2009-11-27 22:35:34,765 DEBUG Service AVGIDSErHrxpx RegCleanup
2009-11-27 22:35:34,765 DEBUG Registry keys for service AVGIDSErHrxpx are not present
2009-11-27 22:35:34,765 INFO Processing service AVGIDSErHrvtx
2009-11-27 22:35:34,765 INFO Service AVGIDSErHrvtx is not installed
2009-11-27 22:35:34,765 DEBUG Service AVGIDSErHrvtx RegCleanup
2009-11-27 22:35:34,765 DEBUG Registry keys for service AVGIDSErHrvtx are not present
2009-11-27 22:35:34,765 INFO Processing service AVGIDSErHrvta
2009-11-27 22:35:34,765 INFO Service AVGIDSErHrvta is not installed
2009-11-27 22:35:34,765 DEBUG Service AVGIDSErHrvta RegCleanup
2009-11-27 22:35:34,765 DEBUG Registry keys for service AVGIDSErHrvta are not present
2009-11-27 22:35:34,765 INFO Processing service AVGIDSErHrw7x
2009-11-27 22:35:34,765 INFO Service AVGIDSErHrw7x is not installed
2009-11-27 22:35:34,765 DEBUG Service AVGIDSErHrw7x RegCleanup
2009-11-27 22:35:34,765 DEBUG Registry keys for service AVGIDSErHrw7x are not present
2009-11-27 22:35:34,765 INFO Processing service AVGIDSErHrw7a
2009-11-27 22:35:34,781 INFO Service AVGIDSErHrw7a is not installed
2009-11-27 22:35:34,781 DEBUG Service AVGIDSErHrw7a RegCleanup
2009-11-27 22:35:34,781 DEBUG Registry keys for service AVGIDSErHrw7a are not present
2009-11-27 22:35:34,781 INFO ***** Registry keys and values *****
2009-11-27 22:35:34,781 INFO Processing registry SOFTWARE\Mozilla\Firefox\Extensions
2009-11-27 22:35:34,781 DEBUG Value SOFTWARE\Mozilla\Firefox\Extensions:{3f963a5b-e555-4543-90e2-c3908898db71} Remove
2009-11-27 22:35:34,781 INFO Value SOFTWARE\Mozilla\Firefox\Extensions:{3f963a5b-e555-4543-90e2-c3908898db71} is not present
2009-11-27 22:35:34,781 INFO Processing registry SOFTWARE\Mozilla\Firefox\Extensions
2009-11-27 22:35:34,781 DEBUG Value SOFTWARE\Mozilla\Firefox\Extensions:{1d5287d1-8a92-0001-1f31-1cec198018d8} Remove
2009-11-27 22:35:34,781 INFO Value SOFTWARE\Mozilla\Firefox\Extensions:{1d5287d1-8a92-0001-1f31-1cec198018d8} is not present
2009-11-27 22:35:34,781 INFO Processing registry SYSTEM\CurrentControlSet\Services\Eventlog\Application\Avg8Alrt
2009-11-27 22:35:34,781 DEBUG Key SYSTEM\CurrentControlSet\Services\Eventlog\Application\Avg8Alrt ForceRemove
2009-11-27 22:35:34,781 DEBUG Key SYSTEM\CurrentControlSet\Services\Eventlog\Application\Avg8Alrt not found
2009-11-27 22:35:34,781 INFO Processing registry SYSTEM\CurrentControlSet\Services\Eventlog\Application\Avg9Alrt
2009-11-27 22:35:34,781 DEBUG Key SYSTEM\CurrentControlSet\Services\Eventlog\Application\Avg9Alrt ForceRemove
2009-11-27 22:35:34,781 DEBUG Key SYSTEM\CurrentControlSet\Services\Eventlog\Application\Avg9Alrt not found
2009-11-27 22:35:34,781 INFO Processing registry SYSTEM\CurrentControlSet\Services\Eventlog\Application\AvgEms
2009-11-27 22:35:34,781 DEBUG Key SYSTEM\CurrentControlSet\Services\Eventlog\Application\AvgEms ForceRemove
2009-11-27 22:35:34,781 DEBUG Key SYSTEM\CurrentControlSet\Services\Eventlog\Application\AvgEms not found
2009-11-27 22:35:34,781 INFO Processing registry SYSTEM\CurrentControlSet\Services\Avg
2009-11-27 22:35:34,781 DEBUG Key SYSTEM\CurrentControlSet\Services\Avg ForceRemove
2009-11-27 22:35:34,781 DEBUG Key SYSTEM\CurrentControlSet\Services\Avg not found
2009-11-27 22:35:34,781 INFO Processing registry SYSTEM\CurrentControlSet\Services\Avg
2009-11-27 22:35:34,781 DEBUG Key SYSTEM\CurrentControlSet\Services\Avg ForceRemove
2009-11-27 22:35:34,781 DEBUG Key SYSTEM\CurrentControlSet\Services\Avg not found
2009-11-27 22:35:34,781 INFO Processing registry SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2AF1721-312E-4B07-8B17-CEB780DCD054}
2009-11-27 22:35:34,781 DEBUG Key SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2AF1721-312E-4B07-8B17-CEB780DCD054} ForceRemove
2009-11-27 22:35:34,781 DEBUG Key SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2AF1721-312E-4B07-8B17-CEB780DCD054} not found
2009-11-27 22:35:34,781 INFO Processing registry SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
2009-11-27 22:35:34,781 DEBUG Key SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} ForceRemove
2009-11-27 22:35:34,781 DEBUG Key SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found
2009-11-27 22:35:34,781 INFO Processing registry SOFTWARE\Microsoft\Internet Explorer\Toolbar
2009-11-27 22:35:34,781 DEBUG Value SOFTWARE\Microsoft\Internet Explorer\Toolbar:{CCC7A320-B3CA-4199-B1A6-9F516DD69829} Remove
2009-11-27 22:35:34,781 INFO Value SOFTWARE\Microsoft\Internet Explorer\Toolbar:{CCC7A320-B3CA-4199-B1A6-9F516DD69829} is not present
2009-11-27 22:35:34,781 INFO Processing registry SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
2009-11-27 22:35:34,781 DEBUG Key SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} ForceRemove
2009-11-27 22:35:34,781 DEBUG Key SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found
2009-11-27 22:35:34,781 INFO Processing registry SOFTWARE\Microsoft\Exchange\Client\Extensions
2009-11-27 22:35:34,781 DEBUG Value SOFTWARE\Microsoft\Exchange\Client\Extensions:Outlook Setup Extension Remove
2009-11-27 22:35:34,781 INFO Value SOFTWARE\Microsoft\Exchange\Client\Extensions:Outlook Setup Extension is not present
2009-11-27 22:35:34,781 INFO Processing registry SOFTWARE\Microsoft\Exchange\Client\Extensions
2009-11-27 22:35:34,781 DEBUG Value SOFTWARE\Microsoft\Exchange\Client\Extensions:AVG Exchange Extension Remove
2009-11-27 22:35:34,781 INFO Value SOFTWARE\Microsoft\Exchange\Client\Extensions:AVG Exchange Extension is not present
2009-11-27 22:35:34,781 INFO Processing registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
2009-11-27 22:35:34,781 DEBUG Value SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:AppInit_DLLs Modify
2009-11-27 22:35:34,781 DEBUG Value SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:AppInit_DLLs doesn't need to be modified
2009-11-27 22:35:34,781 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
2009-11-27 22:35:34,796 DEBUG Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} Remove
2009-11-27 22:35:34,796 INFO Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} is not present
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
2009-11-27 22:35:34,796 DEBUG Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} Remove
2009-11-27 22:35:34,796 INFO Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} is not present
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
2009-11-27 22:35:34,796 DEBUG Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} Remove
2009-11-27 22:35:34,796 INFO Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} is not present
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
2009-11-27 22:35:34,796 DEBUG Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} Remove
2009-11-27 22:35:34,796 INFO Value SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} is not present
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2009-11-27 22:35:34,796 DEBUG Value SOFTWARE\Microsoft\Windows\CurrentVersion\Run:AVG8_TRAY Remove
2009-11-27 22:35:34,796 INFO Value SOFTWARE\Microsoft\Windows\CurrentVersion\Run:AVG8_TRAY is not present
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2009-11-27 22:35:34,796 DEBUG Value SOFTWARE\Microsoft\Windows\CurrentVersion\Run:AVG9_TRAY Remove
2009-11-27 22:35:34,796 INFO Value SOFTWARE\Microsoft\Windows\CurrentVersion\Run:AVG9_TRAY is not present
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG8Uninstall
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG8Uninstall ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG8Uninstall not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG9Uninstall
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG9Uninstall ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG9Uninstall not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C} ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3 ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3 not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3 ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3 not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Classes\AvgDiagFile
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\AvgDiagFile ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\AvgDiagFile not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Classes\AvgDiagFile
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\AvgDiagFile ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\AvgDiagFile not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Classes\.avgdi
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\.avgdi ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\.avgdi not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\AVG8 Shell Extension
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\AVG8 Shell Extension ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\AVG8 Shell Extension not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG8 Shell Extension
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG8 Shell Extension ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG8 Shell Extension not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AVG8 Shell Extension
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AVG8 Shell Extension ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AVG8 Shell Extension not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\AVG\Clients
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\AVG\Clients ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\AVG\Clients not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\AVG\AVG8
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\AVG\AVG8 ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\AVG\AVG8 not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\AVG\AVG9
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\AVG\AVG9 ForceRemove
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\AVG\AVG IDS
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\AVG\AVG IDS ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\AVG\AVG IDS not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\AVG
2009-11-27 22:35:34,796 DEBUG Value SOFTWARE\AVG:DumpType Remove
2009-11-27 22:35:34,796 INFO Value SOFTWARE\AVG:DumpType is not present
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\AVG
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\AVG Remove
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\AVG Security Toolbar
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\AVG Security Toolbar ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\AVG Security Toolbar not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\AVG\AVG8
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\AVG\AVG8 ForceRemove
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\AVG\AVG8 not found
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\AVG\AVG9
2009-11-27 22:35:34,796 DEBUG Key SOFTWARE\AVG\AVG9 ForceRemove
2009-11-27 22:35:34,796 INFO Processing registry SOFTWARE\AVG
2009-11-27 22:35:34,812 DEBUG Key SOFTWARE\AVG Remove
2009-11-27 22:35:34,812 INFO Processing registry SOFTWARE\AVG Security Toolbar
2009-11-27 22:35:34,812 DEBUG Key SOFTWARE\AVG Security Toolbar ForceRemove
2009-11-27 22:35:34,812 DEBUG Key SOFTWARE\AVG Security Toolbar not found
2009-11-27 22:35:34,812 INFO Processing registry SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks
2009-11-27 22:35:34,812 DEBUG Value SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks:{A3BC75A2-1F87-4686-AA43-5347D756017C} Remove
2009-11-27 22:35:34,812 INFO Value SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks:{A3BC75A2-1F87-4686-AA43-5347D756017C} is not present
2009-11-27 22:35:34,812 INFO Processing registry SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
2009-11-27 22:35:34,812 DEBUG Key SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} ForceRemove
2009-11-27 22:35:34,812 DEBUG Key SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found
2009-11-27 22:35:34,812 INFO Processing registry SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser
2009-11-27 22:35:34,812 DEBUG Value SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser:{CCC7A320-B3CA-4199-B1A6-9F516DD69829} Remove
2009-11-27 22:35:34,812 INFO Value SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser:{CCC7A320-B3CA-4199-B1A6-9F516DD69829} is not present
2009-11-27 22:35:34,812 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
2009-11-27 22:35:34,812 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} ForceRemove
2009-11-27 22:35:34,812 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found
2009-11-27 22:35:34,812 INFO Processing registry SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3BC75A2-1F87-4686-AA43-5347D756017C}
2009-11-27 22:35:34,812 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3BC75A2-1F87-4686-AA43-5347D756017C} ForceRemove
2009-11-27 22:35:34,812 DEBUG Key SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found
2009-11-27 22:35:34,812 INFO Processing registry aAvgAPI.AvgBro
2009-11-27 22:35:34,812 DEBUG Key aAvgAPI.AvgBro ForceRemove
2009-11-27 22:35:34,812 DEBUG Key aAvgAPI.AvgBro not found
2009-11-27 22:35:34,812 INFO Processing registry AVG.Office
2009-11-27 22:35:34,812 DEBUG Key AVG.Office ForceRemove
2009-11-27 22:35:34,812 DEBUG Key AVG.Office not found
2009-11-27 22:35:34,812 INFO Processing registry AVG.Office.8
2009-11-27 22:35:34,812 DEBUG Key AVG.Office.8 ForceRemove
2009-11-27 22:35:34,812 DEBUG Key AVG.Office.8 not found
2009-11-27 22:35:34,812 INFO Processing registry avgtoolbar.AVGTOOLBAR
2009-11-27 22:35:34,921 DEBUG Key avgtoolbar.AVGTOOLBAR ForceRemove
2009-11-27 22:35:34,921 DEBUG Key avgtoolbar.AVGTOOLBAR not found
2009-11-27 22:35:34,921 INFO Processing registry avgtoolbar.AVGTOOLBARMenu Button
2009-11-27 22:35:34,921 DEBUG Key avgtoolbar.AVGTOOLBARMenu Button ForceRemove
2009-11-27 22:35:34,921 DEBUG Key avgtoolbar.AVGTOOLBARMenu Button not found
2009-11-27 22:35:34,921 INFO Processing registry avgtoolbar.AVGTOOLBARToggle Button
2009-11-27 22:35:34,921 DEBUG Key avgtoolbar.AVGTOOLBARToggle Button ForceRemove
2009-11-27 22:35:34,921 DEBUG Key avgtoolbar.AVGTOOLBARToggle Button not found
2009-11-27 22:35:34,921 INFO Processing registry LinkScannerIE.NavFilter
2009-11-27 22:35:34,921 DEBUG Key LinkScannerIE.NavFilter ForceRemove
2009-11-27 22:35:34,921 DEBUG Key LinkScannerIE.NavFilter not found
2009-11-27 22:35:34,921 INFO Processing registry LinkScannerIE.NavFilter.1
2009-11-27 22:35:34,921 DEBUG Key LinkScannerIE.NavFilter.1 ForceRemove
2009-11-27 22:35:34,921 DEBUG Key LinkScannerIE.NavFilter.1 not found
2009-11-27 22:35:34,921 INFO Processing registry CLSID\{04373D9C-5ED8-44f2-BA00-7895D6A5A2DA}
2009-11-27 22:35:34,921 DEBUG Key CLSID\{04373D9C-5ED8-44f2-BA00-7895D6A5A2DA} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key CLSID\{04373D9C-5ED8-44f2-BA00-7895D6A5A2DA} not found
2009-11-27 22:35:34,921 INFO Processing registry CLSID\{18B30EBF-6B58-425E-AC54-831C05D91B5A}
2009-11-27 22:35:34,921 DEBUG Key CLSID\{18B30EBF-6B58-425E-AC54-831C05D91B5A} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key CLSID\{18B30EBF-6B58-425E-AC54-831C05D91B5A} not found
2009-11-27 22:35:34,921 INFO Processing registry CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
2009-11-27 22:35:34,921 DEBUG Key CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} not found
2009-11-27 22:35:34,921 INFO Processing registry CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
2009-11-27 22:35:34,921 DEBUG Key CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} not found
2009-11-27 22:35:34,921 INFO Processing registry CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
2009-11-27 22:35:34,921 DEBUG Key CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} not found
2009-11-27 22:35:34,921 INFO Processing registry CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}
2009-11-27 22:35:34,921 DEBUG Key CLSID\{A057A204-BACC-4D26-9990-79A187E2698E} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key CLSID\{A057A204-BACC-4D26-9990-79A187E2698E} not found
2009-11-27 22:35:34,921 INFO Processing registry CLSID\{A057A204-BACC-4D26-9990-79A187E2698F}
2009-11-27 22:35:34,921 DEBUG Key CLSID\{A057A204-BACC-4D26-9990-79A187E2698F} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key CLSID\{A057A204-BACC-4D26-9990-79A187E2698F} not found
2009-11-27 22:35:34,921 INFO Processing registry CLSID\{A057A204-BACC-4D26-9990-79A187E26990}
2009-11-27 22:35:34,921 DEBUG Key CLSID\{A057A204-BACC-4D26-9990-79A187E26990} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key CLSID\{A057A204-BACC-4D26-9990-79A187E26990} not found
2009-11-27 22:35:34,921 INFO Processing registry CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}
2009-11-27 22:35:34,921 DEBUG Key CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} not found
2009-11-27 22:35:34,921 INFO Processing registry CLSID\{9781B2D1-AF27-474F-A3A5-C0763FBDF3B7}
2009-11-27 22:35:34,921 DEBUG Key CLSID\{9781B2D1-AF27-474F-A3A5-C0763FBDF3B7} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key CLSID\{9781B2D1-AF27-474F-A3A5-C0763FBDF3B7} not found
2009-11-27 22:35:34,921 INFO Processing registry CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}
2009-11-27 22:35:34,921 DEBUG Key CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found
2009-11-27 22:35:34,921 INFO Processing registry CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
2009-11-27 22:35:34,921 DEBUG Key CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found
2009-11-27 22:35:34,921 INFO Processing registry Interface\{52261B0E-CA1A-4FA9-9805-4D01202DF09D}
2009-11-27 22:35:34,921 DEBUG Key Interface\{52261B0E-CA1A-4FA9-9805-4D01202DF09D} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key Interface\{52261B0E-CA1A-4FA9-9805-4D01202DF09D} not found
2009-11-27 22:35:34,921 INFO Processing registry Interface\{8EA1F9F2-997A-4832-8E09-815E3D0C0A0C}
2009-11-27 22:35:34,921 DEBUG Key Interface\{8EA1F9F2-997A-4832-8E09-815E3D0C0A0C} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key Interface\{8EA1F9F2-997A-4832-8E09-815E3D0C0A0C} not found
2009-11-27 22:35:34,921 INFO Processing registry Interface\{7F24AABF-C822-4C18-9432-21433208F4DC}
2009-11-27 22:35:34,921 DEBUG Key Interface\{7F24AABF-C822-4C18-9432-21433208F4DC} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key Interface\{7F24AABF-C822-4C18-9432-21433208F4DC} not found
2009-11-27 22:35:34,921 INFO Processing registry TypeLib\{3E536428-8E1A-4A2C-8463-4A8F74763C30}
2009-11-27 22:35:34,921 DEBUG Key TypeLib\{3E536428-8E1A-4A2C-8463-4A8F74763C30} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key TypeLib\{3E536428-8E1A-4A2C-8463-4A8F74763C30} not found
2009-11-27 22:35:34,921 INFO Processing registry TypeLib\{5DAB1D4C-D020-41CD-936F-D63FF662E9F7}
2009-11-27 22:35:34,921 DEBUG Key TypeLib\{5DAB1D4C-D020-41CD-936F-D63FF662E9F7} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key TypeLib\{5DAB1D4C-D020-41CD-936F-D63FF662E9F7} not found
2009-11-27 22:35:34,921 INFO Processing registry TypeLib\{A0C8F0F1-DE25-4ADB-8F0B-508F6CA43DE9}
2009-11-27 22:35:34,921 DEBUG Key TypeLib\{A0C8F0F1-DE25-4ADB-8F0B-508F6CA43DE9} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key TypeLib\{A0C8F0F1-DE25-4ADB-8F0B-508F6CA43DE9} not found
2009-11-27 22:35:34,921 INFO Processing registry TypeLib\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
2009-11-27 22:35:34,921 DEBUG Key TypeLib\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} ForceRemove
2009-11-27 22:35:34,921 DEBUG Key TypeLib\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found
2009-11-27 22:35:34,921 INFO ***** Files and folders *****
2009-11-27 22:35:34,921 DEBUG Missing ParentDir path for fileItem number 0
2009-11-27 22:35:34,921 DEBUG Missing ParentDir path for fileItem number 1
2009-11-27 22:35:34,921 DEBUG Missing ParentDir path for fileItem number 2
2009-11-27 22:35:34,921 DEBUG Missing ParentDir path for fileItem number 3
2009-11-27 22:35:34,921 DEBUG Missing ParentDir path for fileItem number 4
2009-11-27 22:35:34,921 DEBUG Missing ParentDir path for fileItem number 5
2009-11-27 22:35:34,921 DEBUG Missing ParentDir path for fileItem number 6
2009-11-27 22:35:34,921 DEBUG Missing ParentDir path for fileItem number 7
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 8
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 9
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 10
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 11
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 12
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 13
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 14
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 15
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 16
2009-11-27 22:35:34,937 DEBUG Processing item C:\Documents and Settings\Tom McNeal\Application Data\AVGTOOLBAR
2009-11-27 22:35:34,937 INFO Directory C:\Documents and Settings\Tom McNeal\Application Data\AVGTOOLBAR not found
2009-11-27 22:35:34,937 DEBUG Processing item C:\WINDOWS\System32\Drivers
2009-11-27 22:35:34,937 DEBUG Processing item C:\Documents and Settings\All Users\Start Menu\Programs\avg 8.0
2009-11-27 22:35:34,937 INFO Directory C:\Documents and Settings\All Users\Start Menu\Programs\avg 8.0 not found
2009-11-27 22:35:34,937 DEBUG Processing item C:\Documents and Settings\All Users\Start Menu\Programs\avg free 8.0
2009-11-27 22:35:34,937 INFO Directory C:\Documents and Settings\All Users\Start Menu\Programs\avg free 8.0 not found
2009-11-27 22:35:34,937 DEBUG Processing item C:\Documents and Settings\All Users\Start Menu\Programs\avg 8.5
2009-11-27 22:35:34,937 INFO Directory C:\Documents and Settings\All Users\Start Menu\Programs\avg 8.5 not found
2009-11-27 22:35:34,937 DEBUG Processing item C:\Documents and Settings\All Users\Start Menu\Programs\avg free 8.5
2009-11-27 22:35:34,937 INFO Directory C:\Documents and Settings\All Users\Start Menu\Programs\avg free 8.5 not found
2009-11-27 22:35:34,937 DEBUG Processing item C:\Documents and Settings\All Users\Desktop\avg 8.0.lnk
2009-11-27 22:35:34,937 INFO File C:\Documents and Settings\All Users\Desktop\avg 8.0.lnk not found
2009-11-27 22:35:34,937 DEBUG Processing item C:\Documents and Settings\All Users\Desktop\avg free 8.0.lnk
2009-11-27 22:35:34,937 INFO File C:\Documents and Settings\All Users\Desktop\avg free 8.0.lnk not found
2009-11-27 22:35:34,937 DEBUG Processing item C:\Documents and Settings\All Users\Desktop\avg 8.5.lnk
2009-11-27 22:35:34,937 INFO File C:\Documents and Settings\All Users\Desktop\avg 8.5.lnk not found
2009-11-27 22:35:34,937 DEBUG Processing item C:\Documents and Settings\All Users\Desktop\avg free 8.5.lnk
2009-11-27 22:35:34,937 INFO File C:\Documents and Settings\All Users\Desktop\avg free 8.5.lnk not found
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 27
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 28
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 29
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 30
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 31
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 32
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 33
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 34
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 35
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 36
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 37
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 38
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 39
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 40
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 41
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 42
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 43
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 44
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 45
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 46
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 47
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 48
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 49
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 50
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 51
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 52
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 53
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 54
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 55
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 56
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 57
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 58
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 59
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 60
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 61
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 62
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 63
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 64
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 65
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 66
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 67
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 68
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 69
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 70
2009-11-27 22:35:34,937 DEBUG Processing item C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar\Languages
2009-11-27 22:35:34,937 INFO Directory C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar\Languages not found
2009-11-27 22:35:34,937 DEBUG Processing item C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
2009-11-27 22:35:34,937 INFO Directory C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar not found
2009-11-27 22:35:34,937 DEBUG Processing item C:\WINDOWS\System32\Drivers
2009-11-27 22:35:34,937 DEBUG Processing item C:\Documents and Settings\All Users\Desktop\avg 9.0.lnk
2009-11-27 22:35:34,937 INFO File C:\Documents and Settings\All Users\Desktop\avg 9.0.lnk not found
2009-11-27 22:35:34,937 DEBUG Processing item C:\Documents and Settings\All Users\Desktop\avg free 9.0.lnk
2009-11-27 22:35:34,937 INFO File C:\Documents and Settings\All Users\Desktop\avg free 9.0.lnk not found
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 76
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 77
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 78
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 79
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 80
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 81
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 82
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 83
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 84
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 85
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 86
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 87
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 88
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 89
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 90
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 91
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 92
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 93
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 94
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 95
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 96
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 97
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 98
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 99
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 100
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 101
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 102
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 103
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 104
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 105
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 106
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 107
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 108
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 109
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 110
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 111
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 112
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 113
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 114
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 115
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 116
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 117
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 118
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 119
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 120
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 121
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 122
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 123
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 124
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 125
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 126
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 127
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 128
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 129
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 130
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 131
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 132
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 133
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 134
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 135
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 136
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 137
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 138
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 139
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 140
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 141
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 142
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 143
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 144
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 145
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 146
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 147
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 148
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 149
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 150
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 151
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 152
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 153
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 154
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 155
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 156
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 157
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 158
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 159
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 160
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 161
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 162
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 163
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 164
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 165
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 166
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 167
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 168
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 169
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 170
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 171
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 172
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 173
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 174
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 175
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 176
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 177
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 178
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 179
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 180
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 181
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 182
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 183
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 184
2009-11-27 22:35:34,937 DEBUG Missing ParentDir path for fileItem number 185
2009-11-27 22:35:34,937 DEBUG Processing item C:\WINDOWS\System32\Drivers
2009-11-27 22:35:34,937 DEBUG Processing item C:\WINDOWS\System32\Drivers
2009-11-27 22:35:34,937 DEBUG Processing item C:\WINDOWS\System32\Drivers
2009-11-27 22:35:34,953 DEBUG Processing item C:\WINDOWS\System32\Drivers
2009-11-27 22:35:34,953 DEBUG Processing item C:\WINDOWS\System32\Drivers
2009-11-27 22:35:34,953 DEBUG Processing item C:\WINDOWS\System32\Drivers\avg
2009-11-27 22:35:34,953 INFO Directory C:\WINDOWS\System32\Drivers\avg not found
2009-11-27 22:35:34,953 DEBUG Processing item C:\WINDOWS\System32
2009-11-27 22:35:34,953 DEBUG Processing item C:\Program Files\AVG
2009-11-27 22:35:34,953 INFO Directory C:\Program Files\AVG not found
2009-11-27 22:35:34,953 DEBUG Missing ParentDir path for fileItem number 194
2009-11-27 22:35:34,953 INFO ***** Avg Fw NDIS driver *****
2009-11-27 22:35:35,562 INFO FW NDIS driver not present

TomZT
2009-11-28, 02:07
Hi Blade,
I dug into the AVG Support Forum and have solved the AVG 9.0 Installation Issue. AVG is now installed and updated. I have not yet performed an AVG scan and have disabled the AVG Resident Shield. I will wait until you give me the OK before doing so.

FYI: In case it may help others, the warning of potentially incompatible software (OLE (Part 1 of 5)) issue is a known problem and this compatibility check will be omitted in the next release.

The AVG forum recommends doing a regedit to find the entry that may be causing the problem OR SIMPLY CHOOSE THE SKIP OPTION!

I chose SKIP and the remainder of the installation went fine.

Again, I apologize for all the trouble I'm having!

Blade81
2009-11-28, 12:27
Good. Seems that it's time for the final steps now :)


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis


Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK



Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
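
One way to verify that the Internet Explorer zone changes above were actually applied, as an added example that is not part of the thread or of any tool it mentions. The value names and levels (zone 3 = Internet; 0 = Enable, 1 = Prompt, 3 = Disable) follow Microsoft's documented registry layout for Internet Settings zones; the two sample settings dicts are constructed for the example, and the live registry read only works on Windows.

```python
"""Audit Internet Explorer's Internet zone against the hardening in the thread.

Added example, not from the forum post. The audit itself is pure Python and
runs on a settings dict; read_internet_zone() fetches the real values with
winreg when run on Windows.
"""
import sys

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Registry value name -> (setting as shown in the IE dialog, minimum level
# recommended in the thread). Enable < Prompt < Disable in restrictiveness.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Zone 3 is the Internet zone under the current user's Internet Settings.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"


def audit_internet_zone(settings):
    """Return findings for every setting looser than the recommended level.

    `settings` maps registry value name -> DWORD. A value that is not set
    explicitly is reported as well, because the effective level then comes
    from the zone template rather than from the user's own choice.
    """
    findings = []
    for name, (desc, minimum) in RECOMMENDED.items():
        current = settings.get(name)
        if current is None:
            findings.append(f"{name} ({desc}): not set, expected {LEVEL_NAME[minimum]}")
        elif current not in LEVEL_NAME:
            findings.append(f"{name} ({desc}): unexpected value {current}")
        elif current < minimum:
            findings.append(
                f"{name} ({desc}): {LEVEL_NAME[current]}, expected at least {LEVEL_NAME[minimum]}"
            )
    return findings


def read_internet_zone():
    """Read the current user's Internet zone values (Windows only)."""
    if not sys.platform.startswith("win"):
        raise OSError("registry read is only possible on Windows")
    import winreg  # imported here so the module loads on other platforms
    settings = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                value, _ = winreg.QueryValueEx(key, name)
                settings[name] = value
            except FileNotFoundError:
                pass  # not set explicitly; audit reports it
    return settings


# Constructed sample states: a loose default-like zone and the hardened one.
WEAK_ZONE = {"1001": 0, "1004": 0, "1201": 0, "1800": 0, "1804": 1, "1607": 1}
HARDENED_ZONE = {"1001": 1, "1004": 3, "1201": 3, "1800": 1, "1804": 1, "1607": 1}

if __name__ == "__main__":
    zone = read_internet_zone() if sys.platform.startswith("win") else WEAK_ZONE
    for finding in audit_internet_zone(zone) or ["Internet zone matches the recommendation"]:
        print(finding)
```

Run it on the cleaned machine after the dialog changes; an empty result means every one of the six settings is at least as strict as the thread asks for.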

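The hosts file described above cuts both ways: a block list maps unwanted sites to a dead address, while malware uses the same file to point update and security-vendor sites somewhere else. The following added example (not from the thread, the MVPS project, or any tool mentioned) parses hosts-file syntax and separates MVPS-style block entries from mappings that redirect a protected domain to a real address. The protected-domain list and the sample file are constructed for the example.

```python
"""Audit a Windows hosts file: count block entries, flag suspicious redirects.

Added example, not from the forum post. Handles '#' comments, multiple
hostnames per line, IPv4 and IPv6 targets, and ignores malformed lines.
"""
import ipaddress

# Targets that make a name unreachable: the MVPS list uses 0.0.0.0 / 127.0.0.1.
BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}

# Domains an infection typically redirects so updates and scanners fail.
# Constructed for the example; extend with the vendors you actually use.
PROTECTED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "avg.com",
    "malwarebytes.org",
    "spybot.info",
    "safer-networking.org",
)


def parse_hosts(text):
    """Return a list of (address, hostname, line_no) for every mapping."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # no hostname on this line
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # normalises IPv6 too
        except ValueError:
            continue  # first field is not an IP address; ignore the line
        for host in fields[1:]:
            entries.append((addr, host.lower(), line_no))
    return entries


def is_protected(host):
    """True if host is one of the protected domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Classify mappings: block entries are fine, redirected vendors are not."""
    blocks = 0
    hijacks = []
    for addr, host, line_no in parse_hosts(text):
        if host == "localhost":
            continue  # the normal loopback entry
        if addr in BLOCK_TARGETS:
            blocks += 1
        elif is_protected(host):
            hijacks.append({"line": line_no, "host": host, "address": addr})
    return {"block_entries": blocks, "hijacks": hijacks}


# Constructed sample, not a real hosts file.
SAMPLE_HOSTS = """\
# Constructed sample, not a real hosts file
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net   # MVPS-style block entry
0.0.0.0 www.example-ads.test
10.0.0.5 example.com          # LAN override, neither block nor hijack
192.0.2.44 windowsupdate.com  # update domain sent to an outside host
192.0.2.44 www.avg.com
"""

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{result['block_entries']} block entries")
    for h in result["hijacks"]:
        print(f"line {h['line']}: {h['host']} -> {h['address']} (possible hijack)")
```

To check a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into `audit_hosts()`; a large block count with no hijacks is what a correctly installed MVPS file looks like, while any hijack line is worth investigating before trusting that updates and scanner definitions are current.
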
TomZT
2009-11-28, 18:46
Hi Blade,

I was happy to hear that it's time for final cleanup. Unfortunately, I am posting this from one of my other computers.

I completed the Reset of System Restore and then uninstalled ComboFix.

I ran OTC and it appeared to do everything you said it would do...
UNTIL OTC rebooted the machine... The reboot did not complete successfully.

The computer is displaying a black screen with a blinking cursor in the upper left hand corner. I've waited about 15 minutes but nothing is happening.

Should I turn the machine OFF and then ON again to see if it will boot?

Help needed!

Blade81
2009-11-28, 18:53
Should I turn the machine OFF and then ON again to see if it will boot?
Yes, reboot it.

TomZT
2009-11-28, 18:55
After posting the above, while waiting for your reply, I opened the two CD trays to make sure there were no disks inserted there.

After closing the second CD drive tray, the Windows screen appeared and the machine booted up. Why this behavior? Should I still be worried?

Blade81
2009-11-28, 18:59
It may have tried to load from CD for some reason. Still, I don't think there's any need to be worried.

TomZT
2009-11-28, 19:07
Thanks Blade... That's a relief!

I will continue with the cleanup and updating of Windows and Office then post a reply with a few questions.

For now, what should I do with the remaining tools on my desktop...

HJT - ATF - GMER - MBAM Setup - SystemLook - MalwareBytes A/M

Any special instructions for removing those tools?

Should I consider keeping the MalwareBytes Anti-Malware, perhaps in instead of the AVG 9.0?

Blade81
2009-11-28, 19:26
HJT - ATF - GMER - MBAM Setup - SystemLook - MalwareBytes A/M

Any special instructions for removing those tools?
Uninstall HJT from add/remove programs and then delete its C:\Program Files\Trend Micro\HijackThis folder. I'd keep ATF Cleaner and run it occasionally to clean needless temporary items. The MBAM Setup file and SystemLook can be deleted without any special steps. MBAM itself I've commented on below :)


Should I consider keeping the MalwareBytes Anti-Malware, perhaps in instead of the AVG 9.0?
Malwarebytes Anti-Malware is for antispyware protection while AVG 9 is for antivirus protection. Both protect from different things and should be left installed.

TomZT
2009-11-28, 20:00
1. Do you think I should upgrade from IE7 to IE8 at this time? Or stay with IE7 for now?

2. Should I leave the Recovery Console installed by ERUNT on the machine

3. Is it safe now to reconnect our other computers to the home network?

4. TASHI suggested that I ask my volunteer about this... One of our computers is an old Dell Dimension P166x running the DOS based Windows for Workgroups Ver. 3.11. This system pre-dates Internet Explorer and I know of no Anti-Virus or Anti-Malware programs compatible with this OS. The machine is never used to access the internet directly but is connected to our network via the old NetBEUI network protocol that I've installed on a couple of our XP machines. Is this Windows 3.11 machine vulnerable to infections or does it pose any threat to our other machines if I leave it connected to our network?

5. Do you recommend installing and running ERUNT - ATF or MBAM on our other XP machines?

Blade81
2009-11-28, 20:15
1. It's up to you :) Not extremely necessary if you keep IE 7 up-to-date.

2. Recovery console appearing at boot was installed by ComboFix to be exact. I'd leave it installed there.

3. Yes.

4. Heh.. it's been a really long while since I last saw and used a Windows 3.x series version. Most modern malware is designed to attack newer OSes (Windows 9x and up). Also, if the system is not connected to the internet then it shouldn't pose a threat. That's how I see it.

5. Having ATF Cleaner run occasionally and MBAM installed wouldn't be a bad idea.

TomZT
2009-11-29, 17:02
Hi Blade,

I spent much of yesterday doing final cleanup and updating. Everything seemed to be working great UNTIL... I could not log on to the forum last night!

Of course at first, I feared the worst, but after trying other sites successfully and discovering the forum still wouldn't load from other computers, I was relieved to conclude that the forum was simply down for maintenance.

The infected computer does appear to be fully healed. Simple words of thanks cannot describe how truly grateful I am for your expert help and assistance. Thank you soooo much for hanging in there with me!

TomZT

Blade81
2009-11-29, 17:07
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.