Antivirus 360 removal - Help!

**scoucer** · 2009-03-17, 10:20

I'm reposting because I was told to following not attaching the HJT Log
I seem to have picked up a fake antivirus program Antivirus 360 which is preventing any scanning or even running, of my normal Spybot S&D, and Malwarebytes AntiMalware. I've managed to close down AV360 In the Services window of Task Manager, so I can work without interruption. I am at a loss as to how to actually get rid of it, I even Googled it and downloaded Xoft Spy software which said it would do it, but although that installed it would not actually run. Here's the HJT log. Thanks in anticipation.

Please remember I've stopped the AV360.exe in the task manager

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:07:01, on 17/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\PROGRA~1\COMPAN~3\ONETOU~3.EXE
C:\Program Files\Companion Suite IH\MFServices.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Companion Suite IH\MFPrintServer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\RETROS~1\RETROS~1.5\RetroExpress.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\John\temp\TeamViewer3\TeamViewer.exe
C:\PROGRA~1\RETROS~1\RETROS~1.5\retrospect.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D263FA6D-84CC-48A8-9AF6-C664362B7A5B} - C:\WINDOWS\system32\winconfig.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\COMPAN~3\ONETOU~3.EXE
O4 - HKLM\..\Run: [MFServices] "C:\Program Files\Companion Suite IH\MFServices.exe" -n
O4 - HKLM\..\Run: [MFPrintServer] "C:\Program Files\Companion Suite IH\MFPrintServer.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.5\RetroExpress.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [B5EB89CC49E1D46661E532D6463E1A26] C:\Program Files\A360\av360.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1216063977093
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.5\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
O23 - Service: sgbx_device - Sagem - C:\WINDOWS\system32\sgbxcoms.exe

--
End of file - 6975 bytes

**Blade81** · 2009-03-18, 10:27

Hi

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

After that please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

**scoucer** · 2009-03-20, 21:37

Hi Blade81,

I really appreciate your help with this, I apologize for being a while replying, I've not had access to the computer for a while. Anyway I had problems with your first instruction..
I already had MBAM on the system, and it would not run (presumably blocked), nor would it uninstall, so I needed to go into Safe mode to uninstall, download yours and install afresh. It took ages waiting on the "finishing installation" screen. I finally gave up waiting, but assumed it was installed when I found it in Add/Remove Programs. (Of course it did not update) but when I tried to run it to perform the update and scan. It just did nothing (its name is in the Task Manager processes). I'm going to leave it on in case it is running very slowly like the installation.

Any further ideas?

**Blade81** · 2009-03-20, 22:08

Hi

Let's skip MBAM step for now and try next one on the list

**scoucer** · 2009-03-21, 11:34

Hi again,

I've downloaded Combofix as instructed (though I needed to do it in Safe Mode) without add-ons. But when I go back into normal mode, and stop AV360 in the Processes then run ComboFix I get the run dialog but after I click run - nothing happens - Combo Fix is listed in the running processes, but all the entries are using 00 CPU except System Idle Process which has 99. After a couple of minutes ComboFix disappears from the list.

I think this computer has got it bad, am I looking at a backup and restore to factory settings?

**Blade81** · 2009-03-21, 12:39

Hi

Let's try this way

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Download Combofix*from any of the links below. You must*rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe*& follow the prompts.

When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a HijackThis log*so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

**scoucer** · 2009-03-21, 14:29

Thanks Blade81,

That got it working. Ive done as you asked and here are the two logs: HJT firs, then Combofix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:22:47, on 21/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: &Research - {D263FA6D-84CC-48A8-9AF6-C664362B7A5B} - C:\WINDOWS\system32\winconfig.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\COMPAN~3\ONETOU~3.EXE
O4 - HKLM\..\Run: [MFServices] "C:\Program Files\Companion Suite IH\MFServices.exe" -n
O4 - HKLM\..\Run: [MFPrintServer] "C:\Program Files\Companion Suite IH\MFPrintServer.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.5\RetroExpress.exe /h
O4 - HKLM\..\Run: [Xjuzuzojazij] rundll32.exe "C:\WINDOWS\ejuvurijan.dll",e
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1216063977093
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.5\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
O23 - Service: sgbx_device - Sagem - C:\WINDOWS\system32\sgbxcoms.exe

--
End of file - 6283 bytes

ComboFix 09-03-19.02 - John 2009-03-21 13:18:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.642 [GMT 0:00]
Running from: c:\documents and settings\John\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090320-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\John\Start Menu\A360
c:\documents and settings\John\Start Menu\A360\A360.lnk
c:\documents and settings\John\Start Menu\A360\Help.lnk
c:\documents and settings\John\Start Menu\A360\Registration.lnk
c:\program files\A360
c:\program files\A360\av360.exe
c:\program files\A360\file.exe.tmp
c:\program files\A360\poli.exe
c:\program files\Common Files\System\Uninstall
c:\program files\Common Files\System\Uninstall\Uninstall A360.lnk
c:\windows\system32\drivers\UACevmasnqu.sys
c:\windows\system32\mdm.exe
c:\windows\system32\UACbqhwyxxb.log
c:\windows\system32\UACeyxvrbnm.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACphqpfqmf.dat
c:\windows\system32\UACrbhnympw.log
c:\windows\system32\UACswkbaexe.dll
c:\windows\system32\UACtprqpaxi.dll
c:\windows\system32\UACvstiloex.dll
c:\windows\system32\UACvwuwmteg.log
c:\windows\system32\UACwwkfxjko.dll
c:\windows\Ujuloco.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2009-03-21 10:34 . 2009-03-21 10:34 132,608 --a------ c:\windows\ejuvurijan.dll
2009-03-20 22:33 . 2009-03-20 22:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 22:33 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-20 22:33 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-17 09:06 . 2009-03-17 09:06 <DIR> d-------- c:\program files\Trend Micro
2009-03-16 15:56 . 2009-03-16 15:56 <DIR> d-------- c:\program files\XoftSpySE
2009-03-16 15:27 . 2009-03-16 15:27 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-16 15:27 . 2009-03-16 15:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-12 21:24 . 2009-03-12 21:24 299,520 --a------ c:\windows\system32\winconfig.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 13:14 --------- d-----w c:\documents and settings\All Users\Application Data\RetroExp
2009-03-16 16:13 --------- d-----w c:\program files\MozyHome
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-16 21:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}]
2009-03-12 21:24 299520 --a------ c:\windows\system32\winconfig.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-26 8445952]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-26 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TomTomHOME.exe"="c:\program files\TomTom HOME\TomTomHOME.exe" [2008-02-14 3977128]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-01-26 40960]
"OneTouch Monitor"="c:\progra~1\COMPAN~3\ONETOU~3.EXE" [2005-07-08 122880]
"MFServices"="c:\program files\Companion Suite IH\MFServices.exe" [2005-07-08 159744]
"MFPrintServer"="c:\program files\Companion Suite IH\MFPrintServer.exe" [2005-07-08 65536]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RetroExpress"="c:\progra~1\RETROS~1\RETROS~1.5\RetroExpress.exe" [2008-07-10 9499928]
"Xjuzuzojazij"="c:\windows\ejuvurijan.dll" [2009-03-21 132608]
"nwiz"="nwiz.exe" [2007-04-26 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 10872]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-09-10 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sgbxcoms.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2008-07-18 9344]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-14 114768]
R1 mfxnt;mfxnt;c:\windows\system32\drivers\mfxnt.sys [2008-07-14 61288]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-07-14 20560]
S3 HttpUsb;XML interface;c:\windows\system32\drivers\HttpUsb.sys [2008-07-14 31784]
S3 sgbx_device;sgbx_device;c:\windows\system32\sgbxcoms.exe -service --> c:\windows\system32\sgbxcoms.exe -service [?]
S3 UsbItf;MF F@X activities;c:\windows\system32\drivers\UsbItf.sys [2008-07-14 10240]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5dede94-123e-11de-b805-001999234b1a}]
\Shell\AutoRun\command - g:\.\MigWiz\migsetup.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-B5EB89CC49E1D46661E532D6463E1A26 - c:\program files\A360\av360.exe

.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.wanadoo.co.uk/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 13:20:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-21 13:21:33
ComboFix-quarantined-files.txt 2009-03-21 13:21:31

Pre-Run: 130,498,887,680 bytes free
Post-Run: 130,545,700,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

146 --- E O F --- 2009-03-21 10:15:54

I hope you can make something of these

**Blade81** · 2009-03-21, 14:52

Hi again

Generate an Uninstall List

* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it on your next reply.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
c:\windows\ejuvurijan.dll
c:\windows\system32\winconfig.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xjuzuzojazij"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-
"AntiVirusOverride"=-
"FirewallOverride"=-

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Try running MBAM now.

Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

**scoucer** · 2009-03-21, 17:18

Thanks again Blade81,

It's now working much better, I've again done as requested. Here below are the logs - MBAM first, then the latest HJT and lastly the combofix report

Malwarebytes' Anti-Malware 1.34
Database version: 1881
Windows 5.1.2600 Service Pack 3

21/03/2009 16:09:12
mbam-log-2009-03-21 (16-09-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 122480
Time elapsed: 19 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Program Files\A360\av360.exe.vir (Rogue.AV360) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\A360\poli.exe.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\Ujuloco.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACeyxvrbnm.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACswkbaexe.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACtprqpaxi.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwwkfxjko.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP268\A0203395.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP268\A0203396.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP268\A0203397.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP268\A0203398.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP268\A0203415.exe (Rogue.AV360) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP268\A0203416.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP268\A0203424.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\A360.lnk (Rogue.Antivirus360) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:10:12, on 21/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Companion Suite IH\MFServices.exe
C:\Program Files\Companion Suite IH\MFPrintServer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\RETROS~1\RETROS~1.5\RetroExpress.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\PROGRA~1\RETROS~1\RETROS~1.5\retrospect.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\COMPAN~3\ONETOU~3.EXE
O4 - HKLM\..\Run: [MFServices] "C:\Program Files\Companion Suite IH\MFServices.exe" -n
O4 - HKLM\..\Run: [MFPrintServer] "C:\Program Files\Companion Suite IH\MFPrintServer.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.5\RetroExpress.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1216063977093
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.5\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
O23 - Service: sgbx_device - Sagem - C:\WINDOWS\system32\sgbxcoms.exe

--
End of file - 6392 bytes

Adobe Flash Player ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player 11
ArcSoft PhotoImpression 5
AutoCAD 2005 - English
Autodesk DWF Viewer
avast! Antivirus
Companion Suite IH
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Lexmark Supplies Monitor
Lexmark Z55
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Professional
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero Suite
NVIDIA Drivers
OneTouch
PaperPort
Realtek High Definition Audio Driver
Retrospect Express HD 2.5
Samsung Converter
Samsung Master
Samsung USB Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Spybot - Search & Destroy
TomTom HOME
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Internet Explorer 7
Windows XP Service Pack 3
WinZip 12.0
XoftSpySE
Xvid 1.1.2 final uninstall

Thanks for your brilliant help!!

**Blade81** · 2009-03-21, 18:50

Hi

Looks like ComboFix log was left out. Could you post it too, please?

Thread: Antivirus 360 removal - Help!

Thread Tools

Display

Antivirus 360 removal - Help!

Posting Permissions