07-10-2008, 11:21 PM   #1
zelda2727 (Registered User)
Join Date: May 2005
Posts: 76
OS: XP


Infected with System Defender and Antivirus XP 2008

Hi there, I'm on vacation visiting my relatives and their pc is totally full of garbage. I'm trying to clean it up for them but still need help because there is just too much for me to know what to do with. The most annoying items are System Defender and Antivirus XP 2008.

I have done most of the steps except I think for installing ie spypad. There is just so much junk on here I'm not sure if it would just be better to reformat the machine and start fresh or clean it manually.

I downloaded and ran Ad-Aware and it found around 450 objects to remove. And then I tried to run a free scan with Trend Micro but it kept stalling out, so I found AVG and downloaded it and ran a scan. It found around 80 objects, mostly trojans, to remove. I'm pretty sure there are/were key loggers present, so I was trying to use an antivirus program I didn't have to register with an email address because I didn't want to compromise my accounts.

They apparently were not using an antivirus program really at all. Spyware Doctor was sort of running but it wasn't doing much so I took it off. After doing the scan with AVG, System Defender has already stopped popping up every few minutes but I'm not sure if it's gone completely. But the tray icons for it and Antivirus XP are gone so that's a good sign at least. And the pc is already running remarkably better than it was earlier today when I first started trying to clean it up.

Any help/advice would be appreciated and if you think I should just reformat instead of cleaning this thing up I'll definitely consider it.

Thanks,
Zelda

P.S. Should I stick with using this AVG free edition or have them upgrade to something else like Norton or McAfee? I'm looking for something comprehensive but relatively inexpensive for them to use, so any advice on other software/services to check out would be wonderful so I can help keep them from getting infected like this. I don't know too much about purchasing my own antivirus software because my own internet provider bundles it with their service, so I've never had to really check around for it before. :P


HJT log follows:
-------------------------------------------

Deckard's System Scanner v20071014.68
Run by Louise on 2008-07-11 01:51:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
98: 2008-07-11 05:52:12 UTC - RP513 - Deckard's System Scanner Restore Point
97: 2008-07-11 03:35:24 UTC - RP512 - Configured AVG Free 8.0
96: 2008-07-11 03:28:35 UTC - RP511 - Installed AVG Free 8.0
95: 2008-07-10 18:50:48 UTC - RP510 - Installed Java(TM) 6 Update 7
94: 2008-07-10 17:48:18 UTC - RP509 - Installed Ad-Aware


-- First Restore Point --
1: 2008-07-03 08:55:43 UTC - RP416 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-11 01:54:29
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIACA.EXE
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Louise\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5D72C2A4-9AC6-4727-A705-CEA1F0220B78} - C:\WINDOWS\system32\urqQiIcY.dll (file missing)
O2 - BHO: (no name) - {E4F30191-AA10-4234-A1D1-45A17169E765} - C:\WINDOWS\system32\yayabAPJ.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O3 - Toolbar: (no name) - SITEguard - (no file)
O3 - Toolbar: nqgpedlr - {AB802BE5-5918-4875-954F-C878E08FC60E} - C:\WINDOWS\nqgpedlr.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 2)" /O5 "LPT1:" /M "Stylus CX3800"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Framework] C:\WINDOWS\system32\scvh0st.exe
O4 - HKLM\..\Run: [mmnext06] C:\Program Files\Common Files\trjdwnl.dll
O4 - HKLM\..\Run: [shellbn] C:\WINDOWS\shlext32.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [systray] c:\windows\mstre6.exe
O4 - HKLM\..\Run: [a8c68548] rundll32.exe "C:\WINDOWS\system32\dturykad.dll",b
O4 - HKLM\..\Run: [XP SecurityCenter] "C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe" /hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...irector/sw.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1215754971500
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: urqQiIcY - C:\WINDOWS\system32\urqQiIcY.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: SysMon - {6079f8da-6ed7-4f97-88f5-95510d6e89cb} - C:\WINDOWS\Resources\SysMon.dll (file missing)
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe


--
End of file - 8694 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 Ip6Fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys (file missing)
S3 XDva004 - c:\windows\system32\xdva004.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2005-09-07 22:31:35 364 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-06-11 and 2008-07-11 -----------------------------

2008-07-11 01:42:55 0 d-------- C:\WINDOWS\LastGood
2008-07-10 23:37:15 0 d--h----- C:\$AVG8.VAULT$
2008-07-10 23:35:44 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-10 23:30:49 0 d-------- C:\iSecurity
2008-07-10 23:28:35 0 d-------- C:\Program Files\AVG
2008-07-10 23:28:35 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-10 23:18:41 0 d-------- C:\Program Files\SystemDefender
2008-07-10 16:51:09 17389 --a------ C:\WINDOWS\obacyfun.sys
2008-07-10 16:51:09 17415 --a------ C:\WINDOWS\cufu.dll
2008-07-10 16:51:09 16031 --a------ C:\WINDOWS\ajomamos.reg
2008-07-10 16:51:09 15911 --a------ C:\Documents and Settings\Louise\Application Data\ylehytyso.sys
2008-07-10 16:51:09 16924 --a------ C:\Documents and Settings\Louise\Application Data\ulavisiruj.vbs
2008-07-10 16:51:09 13475 --a------ C:\Documents and Settings\Louise\Application Data\oqeju.com
2008-07-10 16:51:09 14696 --a------ C:\Documents and Settings\Louise\Application Data\apycaxi.com
2008-07-10 16:51:09 17166 --a------ C:\Documents and Settings\All Users\Application Data\sujodili.exe
2008-07-10 16:51:09 18409 --a------ C:\Documents and Settings\All Users\Application Data\isoluwixec.exe
2008-07-10 16:51:09 19904 --a------ C:\Documents and Settings\All Users\Application Data\ifugoqa.sys
2008-07-10 16:22:20 0 d-------- C:\Program Files\SpywareBlaster
2008-07-10 15:58:57 92672 --a------ C:\WINDOWS\system32\dturykad.dll
2008-07-10 15:56:37 116352 --a------ C:\WINDOWS\system32\uvdidv.dll
2008-07-10 15:56:37 116352 --a------ C:\WINDOWS\system32\ocmnojme.dll
2008-07-10 15:55:55 259550 --ahs---- C:\WINDOWS\system32\giSCJRqr.ini2
2008-07-10 15:55:51 322304 --a------ C:\WINDOWS\system32\rqRJCSig.dll
2008-07-10 15:52:10 1 --a------ C:\WINDOWS\tmark2.dat
2008-07-10 15:51:04 0 d-------- C:\Documents and Settings\Don\Application Data\rhc9v3j0eccl
2008-07-10 14:56:56 0 d-------- C:\Documents and Settings\Louise\.housecall6.6
2008-07-10 14:54:16 0 d-------- C:\WINDOWS\Sun
2008-07-10 14:54:16 0 d-------- C:\Documents and Settings\Louise\Application Data\Sun
2008-07-10 14:51:17 0 d-------- C:\Program Files\Java
2008-07-10 14:50:59 0 d-------- C:\Program Files\Common Files\Java
2008-07-10 13:48:22 0 d-------- C:\Program Files\Lavasoft
2008-07-10 13:48:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 13:41:55 0 d-------- C:\Program Files\RogueRemover FREE
2008-07-10 13:32:51 116352 --a------ C:\WINDOWS\system32\bqkhig.dll
2008-07-10 13:32:50 116352 --a------ C:\WINDOWS\system32\ulxdmlwx.dll
2008-07-09 15:18:35 0 d-------- C:\Documents and Settings\Louise\Application Data\rhc9v3j0eccl
2008-07-09 13:27:46 112256 --a------ C:\WINDOWS\system32\jyspvi.dll
2008-07-09 13:27:45 112256 --a------ C:\WINDOWS\system32\etbfuskh.dll
2008-07-09 13:25:40 0 d-------- C:\Documents and Settings\chris\Application Data\rhc9v3j0eccl
2008-07-05 23:08:27 88576 --a------ C:\WINDOWS\system32\soenfygl.dll
2008-07-05 17:27:31 0 d-------- C:\Documents and Settings\Nick\Application Data\rhc9v3j0eccl
2008-07-05 17:27:04 0 d-------- C:\Program Files\rhc9v3j0eccl
2008-07-05 11:00:02 206 --a------ C:\Documents and Settings\Louise\delself.bat
2008-07-04 19:18:59 206 --a------ C:\Documents and Settings\Nick\delself.bat
2008-07-04 10:32:32 0 d-------- C:\WINDOWS\system32\931928
2008-07-04 10:32:31 0 d-------- C:\Program Files\iSecurity
2008-07-04 10:26:43 206 --a------ C:\Documents and Settings\chris\delself.bat
2008-07-04 10:26:21 0 d-------- C:\Documents and Settings\chris\Application Data\TmpRecentIcons
2008-07-03 23:30:00 0 d-------- C:\Documents and Settings\Don\Application Data\TmpRecentIcons
2008-07-03 15:28:06 206 --a------ C:\Documents and Settings\Don\delself.bat
2008-07-03 15:14:06 0 d-------- C:\WINDOWS\system32\734914
2008-07-03 15:14:05 10240 --a------ C:\Program Files\antiviirus.exe
2008-07-03 04:55:33 304818 --ahs---- C:\WINDOWS\system32\JPAbayay.ini2
2008-07-03 04:49:39 0 d-------- C:\Program Files\VAV
2008-07-03 04:49:37 0 d-------- C:\Program Files\PCHealthCenter
2008-06-29 21:25:26 12168 --a------ C:\WINDOWS\qydipyz.reg
2008-06-29 21:25:26 17899 --a------ C:\Documents and Settings\Don\Application Data\wuzetisuk.bat
2008-06-29 21:25:25 11368 --a------ C:\WINDOWS\system32\xyfovewumo.dat
2008-06-29 21:25:25 19400 --a------ C:\WINDOWS\system32\pekowo.vbs
2008-06-29 21:25:25 12253 --a------ C:\WINDOWS\system32\lynexyjypo.dat
2008-06-29 21:25:25 16691 --a------ C:\WINDOWS\system32\gogovoq.exe
2008-06-29 21:25:25 18420 --a------ C:\WINDOWS\qege.exe
2008-06-29 21:25:25 16485 --a------ C:\WINDOWS\numifowali.dat
2008-06-29 21:25:25 11282 --a------ C:\Program Files\Common Files\alon.dll
2008-06-29 21:25:25 12183 --a------ C:\Documents and Settings\All Users\Application Data\rysisiqiqa.vbs
2008-06-22 08:05:06 18597 --a------ C:\WINDOWS\system32\weso.dat
2008-06-22 08:05:06 18919 --a------ C:\WINDOWS\system32\manuhyquc.exe
2008-06-22 08:05:06 13712 --a------ C:\WINDOWS\system32\imix.dat
2008-06-22 08:05:06 16958 --a------ C:\WINDOWS\system32\ewapecobyb.vbs
2008-06-22 08:05:06 13151 --a------ C:\WINDOWS\qyfuga.vbs
2008-06-22 08:05:06 17588 --a------ C:\WINDOWS\jukelec.dat
2008-06-22 08:05:06 19745 --a------ C:\WINDOWS\etumoje.com
2008-06-22 08:05:06 10295 --a------ C:\Program Files\Common Files\juqiroko.sys
2008-06-22 08:05:06 12878 --a------ C:\Program Files\Common Files\gosymejan.sys
2008-06-22 08:05:06 14975 --a------ C:\Documents and Settings\chris\Application Data\ujamufi.bin
2008-06-22 08:05:06 10818 --a------ C:\Documents and Settings\All Users\Application Data\ubybi.dat
2008-06-22 08:05:06 15778 --a------ C:\Documents and Settings\All Users\Application Data\saturinik.pif
2008-06-22 08:05:06 10738 --a------ C:\Documents and Settings\All Users\Application Data\qibuw.bin
2008-06-22 08:05:06 17427 --a------ C:\Documents and Settings\All Users\Application Data\ivomov.bin
2008-06-14 22:58:15 0 d-------- C:\Program Files\The Creative Assembly
2008-06-14 10:11:26 0 d-------- C:\Documents and Settings\Louise\Application Data\Talkback
2008-06-14 10:11:21 0 d-------- C:\Documents and Settings\Louise\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2008-07-10 16:51:09 0 d-------- C:\Program Files\Common Files
2008-07-10 16:51:09 19628 --a------ C:\Program Files\Common Files\ycykomipif.db
2008-07-10 16:51:09 18510 --a------ C:\Documents and Settings\Louise\Application Data\uxekeludow.db
2008-07-10 16:51:09 14739 --a------ C:\Documents and Settings\Louise\Application Data\lodyku.ban
2008-07-10 16:51:09 12021 --a------ C:\Documents and Settings\Louise\Application Data\erahax.lib
2008-07-10 14:42:21 0 d-------- C:\Program Files\BurstWriting
2008-07-10 14:42:07 0 d-------- C:\Program Files\Win Stream plugin
2008-07-10 13:47:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-29 21:25:25 11848 --a------ C:\Program Files\Common Files\aselem.dl
2008-06-22 08:05:06 13793 --a------ C:\Program Files\Common Files\yjavora._dl
2008-06-14 23:13:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-18 18:28:12 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2008-05-18 18:26:20 0 d-------- C:\Program Files\Windows NT
2008-05-18 18:26:16 0 d-------- C:\Program Files\Movie Maker
2008-05-18 18:26:15 0 d-------- C:\Program Files\Messenger
2008-05-18 14:10:04 0 d-------- C:\Program Files\Common Files\iS3
2008-05-14 23:05:37 18 --a------ C:\SYSREST
2008-05-14 17:18:07 0 d-------- C:\Documents and Settings\Louise\Application Data\U3


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D72C2A4-9AC6-4727-A705-CEA1F0220B78}]
C:\WINDOWS\system32\urqQiIcY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4F30191-AA10-4234-A1D1-45A17169E765}]
C:\WINDOWS\system32\yayabAPJ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [02/23/2005 07:05 AM]
"SoundMan"="SOUNDMAN.EXE" [06/02/2005 10:28 PM C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 09:50 PM]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [02/07/2005 11:00 PM]
"EPSON Stylus CX3800 Series (Copy 2)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [02/07/2005 11:00 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"Windows Framework"="C:\WINDOWS\system32\scvh0st.exe" []
"mmnext06"="C:\Program Files\Common Files\trjdwnl.dll" []
"shellbn"="C:\WINDOWS\shlext32.exe" []
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [10/01/2007 09:08 PM]
"iSecurity applet"="iSecurity.cpl" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"systray"="c:\windows\mstre6.exe" []
"a8c68548"="C:\WINDOWS\system32\dturykad.dll" [07/10/2008 03:58 PM]
"XP SecurityCenter"="C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe" []
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/10/2008 11:35 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 07:24 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5D72C2A4-9AC6-4727-A705-CEA1F0220B78}"= C:\WINDOWS\system32\urqQiIcY.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysMon"= {6079f8da-6ed7-4f97-88f5-95510d6e89cb} - C:\WINDOWS\Resources\SysMon.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqQiIcY]
urqQiIcY.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=iSecurity.cpl

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yayabAPJ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-07-11 01:55:20 ------------
Attached file: extra.txt (14.0 KB)
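As an added illustration of how an analyst reads a log like the one above (this is not part of the original thread and not code from HijackThis, DSS or any other tool it mentions), here is a small Python triage script that applies the usual first-pass heuristics to HijackThis-format lines: entries pointing at files that no longer exist, near-miss spellings of core Windows binaries, hex-looking Run value names, DLLs launched through rundll32, and anything sitting in the AppInit_DLLs / Winlogon Notify / SSODL load points. The sample lines are copied from this log; the core-binary list, the O20/O21 allowlist and the reason tags are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis-format lines copied from the DSS log posted above.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {5D72C2A4-9AC6-4727-A705-CEA1F0220B78} - C:\WINDOWS\system32\urqQiIcY.dll (file missing)",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll",
    r"O4 - HKLM\..\Run: [Windows Framework] C:\WINDOWS\system32\scvh0st.exe",
    r'O4 - HKLM\..\Run: [a8c68548] rundll32.exe "C:\WINDOWS\system32\dturykad.dll",b',
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O20 - AppInit_DLLs: iSecurity.cpl",
    r"O20 - Winlogon Notify: urqQiIcY - C:\WINDOWS\system32\urqQiIcY.dll (file missing)",
    r"O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll",
    r"O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe",
]

# Constructed list of core Windows binaries that rogue software likes to imitate by name.
CORE_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe",
              "csrss.exe", "services.exe", "smss.exe", "ctfmon.exe"}
# Constructed allowlist for the O20/O21 load points (AppInit_DLLs, Winlogon Notify, SSODL).
LOAD_POINT_ALLOW = {"wpdshserviceobj.dll"}
PRIVILEGED_SECTIONS = {"O20", "O21"}

SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
BASENAME_RE = re.compile(r"([\w.~$-]+\.(?:exe|dll|cpl|sys|com))\b", re.IGNORECASE)
HEX_VALUE_RE = re.compile(r"\[([0-9a-f]{8})\]")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]*\.dll"?,', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short file names, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str):
    """Return the core binary a name imitates (e.g. scvh0st.exe -> svchost.exe), else None."""
    norm = name.lower().replace("0", "o").replace("1", "l")  # digit-for-letter swaps
    if norm in CORE_NAMES:
        return None  # an exact core name is not a lookalike
    for core in CORE_NAMES:
        if levenshtein(norm, core) <= 2:
            return core
    return None


def triage_line(line: str) -> Finding:
    m = SECTION_RE.match(line.strip())
    section = m.group(1) if m else "?"
    f = Finding(section, line)
    names = BASENAME_RE.findall(line)
    # 1. Registry still points at a file that is gone: leftover of a partial removal.
    if "(file missing)" in line or "(no file)" in line:
        f.reasons.append("orphan")
    # 2. Near-miss spelling of a core Windows binary.
    for n in names:
        core = lookalike_of(n)
        if core:
            f.reasons.append(f"lookalike:{core}")
    # 3. Run value whose name is a random-looking hex token.
    if section == "O4" and HEX_VALUE_RE.search(line):
        f.reasons.append("hex-name")
    # 4. A DLL started through rundll32 with an export argument.
    if RUNDLL_RE.search(line):
        f.reasons.append("rundll32-dll")
    # 5. Anything in the process-wide / logon load points that is not on the allowlist.
    if section in PRIVILEGED_SECTIONS and not all(n.lower() in LOAD_POINT_ALLOW for n in names):
        f.reasons.append("privileged-load-point")
    return f


def triage(lines):
    """Classify every non-empty line; entries with an empty reasons list are unremarkable."""
    return [triage_line(l) for l in lines if l.strip()]


def suspicious(lines):
    """Only the entries an analyst would want to look at first."""
    return [f for f in triage(lines) if f.reasons]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LINES):
        print(f"{f.section:<4} {', '.join(f.reasons):<32} {f.line}")
```

The script flags five of the nine sample lines and leaves the Google toolbar, AVG and WPDShServiceObj entries alone; a flag is a prompt to verify the file (publisher, signature, hash), not a verdict on its own.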
07-14-2008, 06:59 AM   #2
TheBruce1 (Moderator, Analyst, Security Team)
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 2,790
OS: XP


Re: Infected with System Defender and Antivirus XP 2008

Hi,

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear; a lack of symptoms does not mean that it is no longer present.

Please Do Not Attach logs to your posts unless you are advised to do so.


========

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

=========

Quote:
AV: AVG Anti-Virus Free v8.0 (AVG Technologies)
AV: Norton Internet Security v2005 (Symantec Corporation)
You have two antivirus programs installed; please remove AVG8 via Add/Remove.

===========

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

AntivirXP08 <---- Rogue

============

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with all the required logs

=============

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

===========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

===========
Logs Required
Report.txt
C:\Combofix.txt
Hijackthis Log
__________________
Member of ASAP since 2007
Member of UNITE since 2008

**Notice to BT customers**
Trial of BT-Phorm spyware to start 30th September, 2008. For more information please visit the No DPI website.

Phorm, previously known as 121Media, were responsible for the Apropos rootkit; see Here for more information on said rootkit.

If we have helped you in any way, please consider Donating.
07-14-2008, 11:35 AM   #3
zelda2727 (Registered User)
Join Date: May 2005
Posts: 76
OS: XP


Re: Infected with System Defender and Antivirus XP 2008

Quote:
You have two antivirus programs installed, please remove AVG8 via add/remove.

===========

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

AntivirXP08<----Rogue
I cannot remove AVG; it is the only antivirus program that is up to date. Norton does not work and I cannot figure out how to uninstall it. It does not show up in the Add/Remove list in Control Panel.

AntiviriXP08 also does not appear in my add/remove list.

How should I proceed?

Zelda
07-14-2008, 12:49 PM   #4
TheBruce1 (Moderator, Analyst, Security Team)
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 2,790
OS: XP


Re: Infected with System Defender and Antivirus XP 2008

Carry on with the rest of the instructions.
07-14-2008, 02:32 PM   #5
zelda2727 (Registered User)
Join Date: May 2005
Posts: 76
OS: XP


Re: Infected with System Defender and Antivirus XP 2008

I keep getting an error when clicking on the link to SDFix

------

Well, I thought I figured out how to download it but it just won't cooperate. If I click on the link my browsers say they can't connect and when I try to download in firefox it seems like it is downloading but it isn't really. It hasn't saved anything to my desktop and if I try to click "open" from the download manager it says the file doesn't exist.

Any suggestions?

Zelda

Last edited by zelda2727 : 07-14-2008 at 02:48 PM. Reason: sdfix
07-14-2008, 03:00 PM   #6
zelda2727 (Registered User)
Join Date: May 2005
Posts: 76
OS: XP


Re: Infected with System Defender and Antivirus XP 2008

Just to be clear:
* all firewalls are turned off
* all AVs are turned off
* I tried the link in both IE and FF.

So I am hoping that the site is just down temporarily, otherwise I have no clue why I can't connect. The rest of my internet browsing has been fine.

Zelda
07-14-2008, 03:05 PM   #7
TheBruce1 (Moderator, Analyst, Security Team)
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 2,790
OS: XP


Re: Infected with System Defender and Antivirus XP 2008

OK, that link seems to be down; download SDFix from Here.

Follow instructions carefully.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
Trial of BT-Phorm spyware to start 30th September, 2008- for more information please visit No DPI website for more information.



Phorm, previously known as 121Media, was responsible for the Apropos rootkit; see Here for more information on said rootkit.


If we have helped you in any way, please consider Donating.
Old 07-15-2008, 04:14 PM   #8 (permalink)
Registered User
Join Date: May 2005
Posts: 76
OS: XP


Re: Infected with System Defender and Antivirus XP 2008

Alrighty, the following posts contain my logs.

Zelda


report.txt
---------------------------

SDFix: Version 1.205
Run by Louise on Tue 07/15/2008 at 02:00 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\chris\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\chris\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\chris\Desktop\Spyware&Malware Protection.url - Deleted
C:\Program Files\PCHealthCenter\0.exe - Deleted
C:\Program Files\PCHealthCenter\0.gif - Deleted
C:\Program Files\PCHealthCenter\1.gif - Deleted
C:\Program Files\PCHealthCenter\2.gif - Deleted
C:\Program Files\PCHealthCenter\3.gif - Deleted
C:\Program Files\PCHealthCenter\sc.html - Deleted
C:\Program Files\PCHealthCenter\sex1.ico - Deleted
C:\Program Files\PCHealthCenter\sex2.ico - Deleted
C:\Program Files\VAV\vav.ooo - Deleted
C:\Program Files\VAV\vav0.dat - Deleted
C:\Program Files\VAV\vav1.dat - Deleted
C:\WINDOWS\system32\sex1.ico - Deleted
C:\WINDOWS\system32\sex2.ico - Deleted
C:\Documents and Settings\Louise\Desktop\Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\Louise\Desktop\SystemDefender.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk - Deleted



Folder C:\Program Files\PCHealthCenter - Removed
Folder C:\Program Files\SystemDefender - Removed
Folder C:\Program Files\VAV - Removed
Folder C:\iSecurity - Removed
Folder C:\WINDOWS\system32\734914 - Removed
Folder C:\WINDOWS\system32\834668 - Removed
Folder C:\WINDOWS\system32\931928 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 14:34:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Disabled:µTorrent"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Disabled:AOL TopSpeed"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Disabled:Blizzard Downloader"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW.exe"="C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW.exe:*:Disabled:Rome: Total War"
"C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW-BI.exe"="C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW-BI.exe:*:Disabled:Rome: Total War - Barbarian Invasion"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 11 Jul 2008 2,980,056 ..SH. --- "C:\WINDOWS\system32\dakyrutd.tmp"
Sun 6 Jan 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 19 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 14 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c3e13424b5ca403dd00c8550d4b5fddd\BIT38.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT2FD.tmp"

Finished!

Last edited by zelda2727 : 07-15-2008 at 04:22 PM.
Old 07-15-2008, 04:15 PM   #9 (permalink)
Registered User
Join Date: May 2005
Posts: 76
OS: XP


Re: Infected with System Defender and Antivirus XP 2008

combofix.txt
ComboFix 08-07-14.2 - Louise 2008-07-15 14:56:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1032 [GMT -4:00]
Running from: C:\Documents and Settings\Louise\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Louise\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
C:\Documents and Settings\chris\Application Data\Microsoft\Internet Explorer\Quick Launch\XP Antivirus 2008.lnk
C:\Documents and Settings\chris\Application Data\rhc9v3j0eccl
C:\Documents and Settings\chris\Desktop\SystemDefender.lnk
C:\Documents and Settings\chris\Local Settings\Temporary Internet Files\juzugac.reg
C:\Documents and Settings\chris\Local Settings\Temporary Internet Files\uwahelavu.ban
C:\Documents and Settings\chris\Local Settings\Temporary Internet Files\wulopy.exe
C:\Documents and Settings\chris\My Documents\My Documents.url
C:\Documents and Settings\chris\My Documents\My Music\My Music.url
C:\Documents and Settings\chris\My Documents\My Pictures\My Pictures.url
C:\Documents and Settings\chris\My Documents\My Videos\My Video.url
C:\Documents and Settings\chris\Start Menu\XP Antivirus 2008
C:\Documents and Settings\chris\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk
C:\Documents and Settings\chris\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk
C:\Documents and Settings\Don\Application Data\macromedia\Flash Player\#SharedObjects\FZ5W2Z5N\www.broadcaster.com
C:\Documents and Settings\Don\Application Data\macromedia\Flash Player\#SharedObjects\FZ5W2Z5N\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Don\Application Data\macromedia\Flash Player\#SharedObjects\FZ5W2Z5N\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Don\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Don\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Don\Application Data\rhc9v3j0eccl
C:\Documents and Settings\Don\Local Settings\Temporary Internet Files\yjekuqyq.pif
C:\Documents and Settings\Don\Local Settings\Temporary Internet Files\zopuji.scr
C:\Documents and Settings\Louise\Application Data\rhc9v3j0eccl
C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\sicyjywyca.vbs
C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\vatuxivy.exe
C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\ycaxi.inf
C:\Documents and Settings\Nick\Application Data\rhc9v3j0eccl
C:\Documents and Settings\Nick\Desktop\SystemDefender.lnk
C:\Program Files\BurstWriting
C:\Program Files\BurstWriting\uninstall.dat
C:\Program Files\rhc9v3j0eccl
C:\Program Files\Win Stream plugin
C:\Program Files\Win Stream plugin\basis.xml
C:\Program Files\Win Stream plugin\download.html
C:\Program Files\Win Stream plugin\icons.bmp_16.bmp
C:\Program Files\Win Stream plugin\version.txt
C:\Program Files\Win Stream plugin\win_stream_plugin.crc
C:\SystemDefender.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\dakyrutd.ini
C:\WINDOWS\system32\dakyrutd.ini2
C:\WINDOWS\system32\dakyrutd.tmp
C:\WINDOWS\system32\giSCJRqr.ini
C:\WINDOWS\system32\giSCJRqr.ini2
C:\WINDOWS\system32\ivfvwjfl.ini
C:\WINDOWS\system32\JPAbayay.ini
C:\WINDOWS\system32\JPAbayay.ini2
C:\WINDOWS\system32\lgyfneos.ini
C:\WINDOWS\system32\lscexucj.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ugdenqlc.ini
C:\WINDOWS\system32\ulpdpkfi.ini
C:\WINDOWS\system32\vwhstwef.ini
C:\WINDOWS\system32\wfilgriv.ini
C:\WINDOWS\system32\yfhsbmxw.ini
C:\WINDOWS\tmark2.dat

.
((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-07-15 13:56 . 2008-07-15 13:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-15 13:44 . 2008-07-15 14:36 <DIR> d-------- C:\SDFix
2008-07-14 14:19 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-14 14:19 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-14 14:19 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-14 14:19 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-14 14:19 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-14 14:19 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-14 14:19 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-14 14:19 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-14 14:19 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-14 12:39 . 2008-07-14 12:39 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-14 12:22 . 2008-07-14 12:22 3,666 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-13 03:23 . 2008-07-13 03:24 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-11 20:25 . 2008-07-11 20:25 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-11 20:25 . 2008-07-11 20:25 <DIR> d-------- C:\8cf532742959ba9cd3f72a8271
2008-07-11 17:49 . 2008-07-11 17:55 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-11 03:08 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-11 02:25 . 2008-07-11 02:25 <DIR> d-------- C:\Program Files\Panda Security
2008-07-11 02:25 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-11 01:57 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-11 01:57 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-11 01:51 . 2008-07-11 01:51 <DIR> d-------- C:\Deckard
2008-07-10 23:37 . 2008-07-14 06:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-10 23:35 . 2008-07-15 10:03 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-10 23:35 . 2008-07-10 23:35 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-10 23:35 . 2008-07-10 23:35 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-10 23:28 . 2008-07-10 23:28 <DIR> d-------- C:\Program Files\AVG
2008-07-10 23:28 . 2008-07-10 23:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-10 16:51 . 2008-07-10 16:51 19,904 --a------ C:\Documents and Settings\All Users\Application Data\ifugoqa.sys
2008-07-10 16:51 . 2008-07-10 16:51 18,409 --a------ C:\Documents and Settings\All Users\Application Data\isoluwixec.exe
2008-07-10 16:51 . 2008-07-10 16:51 17,415 --a------ C:\WINDOWS\cufu.dll
2008-07-10 16:51 . 2008-07-10 16:51 17,389 --a------ C:\WINDOWS\obacyfun.sys
2008-07-10 16:51 . 2008-07-10 16:51 17,166 --a------ C:\Documents and Settings\All Users\Application Data\sujodili.exe
2008-07-10 16:51 . 2008-07-10 16:51 16,924 --a------ C:\Documents and Settings\Louise\Application Data\ulavisiruj.vbs
2008-07-10 16:51 . 2008-07-10 16:51 16,031 --a------ C:\WINDOWS\ajomamos.reg
2008-07-10 16:51 . 2008-07-10 16:51 15,911 --a------ C:\Documents and Settings\Louise\Application Data\ylehytyso.sys
2008-07-10 16:51 . 2008-07-10 16:51 14,696 --a------ C:\Documents and Settings\Louise\Application Data\apycaxi.com
2008-07-10 16:51 . 2008-07-10 16:51 13,475 --a------ C:\Documents and Settings\Louise\Application Data\oqeju.com
2008-07-10 16:51 . 2008-07-10 16:51 12,414 --a------ C:\WINDOWS\system32\qasykec._sy
2008-07-10 16:22 . 2008-07-12 00:11 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-10 15:14 . 2008-07-10 15:03 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-10 14:56 . 2008-07-10 17:08 <DIR> d-------- C:\Documents and Settings\Louise\.housecall6.6
2008-07-10 14:54 . 2008-07-10 14:54 <DIR> d-------- C:\WINDOWS\Sun
2008-07-10 14:52 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-10 14:51 . 2008-07-10 14:51 <DIR> d-------- C:\Program Files\Java
2008-07-10 14:50 . 2008-07-10 14:50 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-10 13:48 . 2008-07-10 13:48 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-10 13:48 . 2008-07-10 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 13:41 . 2008-07-10 23:16 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-07-10 13:14 . 2008-07-10 13:16 144 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-07-05 11:00 . 2008-07-10 23:32 206 --a------ C:\Documents and Settings\Louise\delself.bat
2008-07-04 19:30 . 2008-07-10 23:36 1,764 --a------ C:\Antivirus XP 2008.lnk
2008-07-04 19:18 . 2008-07-07 22:37 206 --a------ C:\Documents and Settings\Nick\delself.bat
2008-07-04 10:26 . 2008-07-04 10:26 <DIR> d-------- C:\Documents and Settings\chris\Application Data\TmpRecentIcons
2008-07-04 10:26 . 2008-07-09 13:25 206 --a------ C:\Documents and Settings\chris\delself.bat
2008-07-03 23:30 . 2008-07-03 23:30 <DIR> d-------- C:\Documents and Settings\Don\Application Data\TmpRecentIcons
2008-07-03 15:28 . 2008-07-10 15:51 206 --a------ C:\Documents and Settings\Don\delself.bat
2008-06-29 21:25 . 2008-06-29 21:25 19,400 --a------ C:\WINDOWS\system32\pekowo.vbs
2008-06-29 21:25 . 2008-06-29 21:25 18,420 --a------ C:\WINDOWS\qege.exe
2008-06-29 21:25 . 2008-06-29 21:25 17,899 --a------ C:\Documents and Settings\Don\Application Data\wuzetisuk.bat
2008-06-29 21:25 . 2008-06-29 21:25 16,691 --a------ C:\WINDOWS\system32\gogovoq.exe
2008-06-29 21:25 . 2008-06-29 21:25 16,485 --a------ C:\WINDOWS\numifowali.dat
2008-06-29 21:25 . 2008-06-29 21:25 15,773 --a------ C:\WINDOWS\iziqyro._sy
2008-06-29 21:25 . 2008-06-29 21:25 13,426 --a------ C:\WINDOWS\system32\utub._sy
2008-06-29 21:25 . 2008-06-29 21:25 12,253 --a------ C:\WINDOWS\system32\lynexyjypo.dat
2008-06-29 21:25 . 2008-06-29 21:25 12,183 --a------ C:\Documents and Settings\All Users\Application Data\rysisiqiqa.vbs
2008-06-29 21:25 . 2008-06-29 21:25 12,168 --a------ C:\WINDOWS\qydipyz.reg
2008-06-29 21:25 . 2008-06-29 21:25 11,368 --a------ C:\WINDOWS\system32\xyfovewumo.dat
2008-06-29 21:25 . 2008-06-29 21:25 11,282 --a------ C:\Program Files\Common Files\alon.dll
2008-06-29 21:25 . 2008-06-29 21:25 10,296 --a------ C:\WINDOWS\uwocygifo._dl
2008-06-22 08:05 . 2008-06-22 08:05 19,745 --a------ C:\WINDOWS\etumoje.com
2008-06-22 08:05 . 2008-06-22 08:05 18,919 --a------ C:\WINDOWS\system32\manuhyquc.exe
2008-06-22 08:05 . 2008-06-22 08:05 18,597 --a------ C:\WINDOWS\system32\weso.dat
2008-06-22 08:05 . 2008-06-22 08:05 17,588 --a------ C:\WINDOWS\jukelec.dat
2008-06-22 08:05 . 2008-06-22 08:05 17,427 --a------ C:\Documents and Settings\All Users\Application Data\ivomov.bin
2008-06-22 08:05 . 2008-06-22 08:05 17,323 --a------ C:\WINDOWS\ocecejydel.inf
2008-06-22 08:05 . 2008-06-22 08:05 16,958 --a------ C:\WINDOWS\system32\ewapecobyb.vbs
2008-06-22 08:05 . 2008-06-22 08:05 15,778 --a------ C:\Documents and Settings\All Users\Application Data\saturinik.pif
2008-06-22 08:05 . 2008-06-22 08:05 15,764 --a------ C:\WINDOWS\uguxojyqa._dl
2008-06-22 08:05 . 2008-06-22 08:05 14,975 --a------ C:\Documents and Settings\chris\Application Data\ujamufi.bin
2008-06-22 08:05 . 2008-06-22 08:05 13,712 --a------ C:\WINDOWS\system32\imix.dat
2008-06-22 08:05 . 2008-06-22 08:05 13,151 --a------ C:\WINDOWS\qyfuga.vbs
2008-06-22 08:05 . 2008-06-22 08:05 12,878 --a------ C:\Program Files\Common Files\gosymejan.sys
2008-06-22 08:05 . 2008-06-22 08:05 10,818 --a------ C:\Documents and Settings\All Users\Application Data\ubybi.dat
2008-06-22 08:05 . 2008-06-22 08:05 10,738 --a------ C:\Documents and Settings\All Users\Application Data\qibuw.bin
2008-06-22 08:05 . 2008-06-22 08:05 10,606 --a------ C:\WINDOWS\rowobyle.lib
2008-06-22 08:05 . 2008-06-22 08:05 10,295 --a------ C:\Program Files\Common Files\juqiroko.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 18:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-10 20:51 19,628 ----a-w C:\Program Files\Common Files\ycykomipif.db
2008-07-10 17:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-30 01:25 11,848 ----a-w C:\Program Files\Common Files\aselem.dl
2008-06-22 12:05 13,793 ----a-w C:\Program Files\Common Files\yjavora._dl
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 03:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-15 02:58 --------- d-----w C:\Program Files\The Creative Assembly
2008-06-14 14:11 --------- d-----w C:\Documents and Settings\Louise\Application Data\Talkback
2008-06-07 01:13 --------- d-----w C:\Documents and Settings\chris\Application Data\Talkback
2008-05-27 00:04 --------- d-----w C:\Documents and Settings\Don\Application Data\U3
2008-05-18 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-05-18 18:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\SITEguard
2008-05-18 18:10 --------- d-----w C:\Program Files\Common Files\iS3
.

------- Sigcheck -------

2005-03-02 21:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 11:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 08:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 21:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 11:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\SoftwareDistribution\Download\4d9d678c0d8af22c04a4a7fc7f1ff86c\sp2gdr\user32.dll
2007-03-08 11:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

2004-09-29 21:27 656896 2c07195588d69a067c2afdaa31759295 C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
2005-01-27 20:08 657920 a8eac5330876548e9966a7d13025d196 C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
2005-05-02 23:57 658944 e1e18136f9dd3df1ad9c82193a5898a6 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
2005-03-10 10:43 657920 c8663b488996e89a84c3d17c1d12b79e C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
2005-07-03 05:09 659456 6e533d155b259eb2363d3e04b5be309f C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
2007-08-20 06:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
2007-10-10 19:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 22:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 09:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2004-08-04 08:00 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtUninstallKB834707$\wininet.dll
2004-09-29 21:47 656896 cba65b573c66fe23f647ff96e3a10994 C:\WINDOWS\$NtUninstallKB867282$\wininet.dll
2005-03-10 11:02 656896 6f018d6319be4f96426ea829b79e05d5 C:\WINDOWS\$NtUninstallKB883939$\wininet.dll
2005-01-27 20:13 656896 b5e043e440b210014e021b24cf0a72e3 C:\WINDOWS\$NtUninstallKB890923$\wininet.dll
2005-05-02 23:52 657920 1a078af3f85d10ba56444c23b3a18e74 C:\WINDOWS\$NtUninstallKB896727$\wininet.dll
2005-07-03 05:11 658432 5b5ff992c0fa762ccf8655fc290e6e52 C:\WINDOWS\$NtUninstallKB925454$\wininet.dll
2006-10-23 11:34 664576 231ef4179acabe486376b5ca893f1076 C:\WINDOWS\$NtUninstallKB928090$\wininet.dll
2007-01-04 10:05 665088 3ffa1573fc274e5aa7467d03941c45ee C:\WINDOWS\$NtUninstallKB931768$\wininet.dll
2007-02-20 05:52 665600 b258c922d22deec880b60720531d7627 C:\WINDOWS\$NtUninstallKB933566$\wininet.dll
2007-04-18 08:46 665600 4261ba03afd659de04f0a17