
I have the PC antispyware 2010 virus and can't kill it

This is a discussion on I have the PC antispyware 2010 virus and can't kill it within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 08-16-2009, 04:01 PM   #1



I was just searching the web the other day minding my own business and then boom, my antivir virus program (which was updated) popped up and 2 or 3 little pop-ups came up of different trojans. I chose the delete option but it just didn't work...a few seconds later there was a little balloon on the bottom right of the screen that showed the pc antispyware 2010, which after researching, I know is a virus. Anyway, I ended up thinking that I should restart my computer and then maybe the antivirus software would stop it. The problem was as soon as windows started to boot up for a split second I'd see a blue screen and then it'd just keep restarting...it'd never boot up. I managed to boot it up in safe mode with networking.

I came across this site from a friend and read the posting instructions and everything. What I did next was pretty stupid. I honestly really didn't want to have to post this and waste your time on this so I went ahead and ran combofix. I ran combofix in safe mode and it restarted my computer in normal mode and actually started up. I thought everything was going to be fine but when that message came up from combofix saying something like 'don't run any programs until this is complete' everything that automatically starts when windows starts started anyway, including my antivir software. It immediately found a file from c:\windows\system32\dllcache\figaro.sys and said it was a trojan. I didn't click anything until combofix finished and produced a log and then I clicked "deny access" from my antivir option on that figaro.sys. Well 2 seconds later I got 3 more pop-ups from antivir showing other viruses and next thing you know I was back to square one. No matter if I pressed "deny access", "delete", or "move to quarantine" it would always follow by popping up more things and going back to square one.

I tried to manually go in and delete the figaro.sys but to make a long story short I couldn't find it. Anyway once again, when I restarted my computer it wouldn't start so I had to do it in safe mode again. I ran combofix again and the same things happened.

So basically I'm officially stumped. I know it wasn't smart to use combofix without you telling me to but I just really wanted it fixed and didn't want to have to post this and take away your time from helping other people. But now there's nothing I can do. I could try to use another antivirus program but I don't think it'll work.

So I'm gonna go ahead and post the DDS.txt, attach.txt and the GMER ones as requested. Since I already ran the combofix I'll go ahead and throw it in and include it on this message space. It may not be valid though because other stuff might have got back installed by the time the log picked up.

Also, when/if you have me run combofix is there any way we can make it to where when the computer restarts it WILL NOT let any of my startup programs start until it's finished? Because I'm currently in safe mode and I don't know if I can disable my antivirus from safe mode. No matter what I do it always boots back up. So like I said basically windows will not boot up period until after the combofix works and restarts it itself. I also ran ALL of these following logs using windows safe mode with networking. I don't know if that makes a difference but I was just letting you know.

Here are all the logs requested plus the most recent combofix I ran...


DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by HP_Administrator at 14:54:04.46 on Sun 08/16/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3006.2603 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
svchost.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [GCS] "c:\program files\grabclipsave\GrabClipSave.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [msword98] c:\documents and settings\hp_administrator\msword98.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [DVDTray] c:\program files\ahead\odd toolkit\DVDTray.exe
mRun: [nwiz] nwiz.exe /install
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [msword98] c:\windows\system32\msword98.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [braviax]
mRun: [PC Antispyware 2010] "c:\program files\pc_antispyware2010\PC_Antispyware2010.exe" /hide
dRun: [braviax]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1.lnk - c:\program files\panasonic\videocamsuite\VideoCamSuiteAutoStart.exe
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228670282218
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} - hxxp://media.rivals.com/msichat.cab
DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} - hxxp://static.mediazone.com/player/1.0.0.67/MZPlayer.CAB
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup163.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\lqd5wd9c.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-30 11608]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-30 108289]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-30 185089]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-30 55656]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2009-08-16 14:25 19,222 a------- c:\windows\fokoxeg.lib
2009-08-16 14:25 18,807 a------- c:\windows\opat.bin
2009-08-16 14:25 17,264 a------- c:\windows\idegy.exe
2009-08-16 14:25 17,204 a------- c:\windows\linib.com
2009-08-16 14:25 14,873 a------- c:\windows\idocu.reg
2009-08-16 14:25 14,749 a------- c:\windows\yfolyvewu.vbs
2009-08-16 14:25 13,171 a------- c:\windows\labufujux.dat
2009-08-16 14:25 12,868 a------- c:\windows\cahopopu.dll
2009-08-16 14:25 10,649 a------- c:\program files\common files\ojocu.com
2009-08-16 14:25 10,538 a------- c:\program files\common files\miven.scr
2009-08-16 14:25 10,081 a------- c:\program files\common files\ixuf.bat
2009-08-16 14:25 11,505 a------- c:\windows\system32\sukesovy.reg
2009-08-16 14:25 347,541 a------- c:\windows\system32\_scui.cpl
2009-08-16 14:25 <DIR> --d----- c:\program files\PC_Antispyware2010
2009-08-16 14:20 189,957 a------- c:\windows\system32\wisdstr.exe
2009-08-16 14:20 29,184 a------- c:\windows\system32\drivers\beep.sys
2009-08-16 14:20 29,184 a------- c:\windows\system32\dllcache\beep.sys
2009-08-16 14:20 11,264 a------- c:\windows\system32\braviax.exe
2009-08-15 14:31 29,184 a------- c:\windows\system32\dllcache\figaro.sys
2009-08-15 14:15 <DIR> --d----- c:\program files\Trend Micro
2009-08-15 13:03 <DIR> --d----- c:\program files\Loaris Trojan Remover
2009-08-15 11:17 19,594 a------- c:\program files\common files\umohaviw.dat
2009-08-15 11:17 18,763 a------- c:\windows\ivyxor.exe
2009-08-15 11:17 17,275 a------- c:\windows\buwive.ban
2009-08-15 11:17 13,119 a------- c:\windows\hucyqiguz.dll
2009-08-15 11:17 11,332 a------- c:\program files\common files\urenasyr.vbs
2009-08-15 11:17 11,298 a------- c:\windows\system32\ubozyj.pif
2009-08-15 11:17 11,008 a------- c:\program files\common files\kyze.dll
2009-08-15 11:17 10,132 a------- c:\windows\wagatijyli.scr
2009-08-15 00:22 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-08-14 23:25 146 a------- c:\documents and settings\hp_administrator\delself.bat
2009-08-14 23:12 216,064 a------- c:\windows\PEV.exe
2009-08-14 23:12 161,792 a------- c:\windows\SWREG.exe
2009-08-14 23:12 98,816 a------- c:\windows\sed.exe
2009-08-14 22:43 619,584 a------- c:\windows\system32\dllcache\ntfs.sys
2009-08-14 22:43 26,686 a------- c:\windows\system32\msword98.exe
2009-08-14 22:43 26,686 a------- c:\documents and settings\hp_administrator\msword98.exe
2009-08-12 16:00 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 15:59 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-06 10:07 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-06 03:06 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-06 03:05 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-06 03:05 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-06 03:05 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-06 03:05 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-06 03:05 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-06 03:05 <DIR> --d----- C:\8ef50a60667d490149557bbd8adb4b
2009-08-06 03:05 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-06 03:05 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-20 22:34 2 a------- c:\windows\msoffice.ini
2009-07-20 22:24 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\uTorrent
2009-07-20 21:05 81,768 a------- c:\windows\system32\xinput1_3.dll
2009-07-20 21:03 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-07-20 21:03 <DIR> --d----- c:\windows\Logs

==================== Find3M ====================

2009-08-16 14:25 19,186 a------- c:\program files\common files\aqul._dl
2009-08-16 14:25 18,137 a------- c:\program files\common files\wumykef.ban
2009-08-15 14:31 619,584 a------- c:\windows\system32\drivers\ntfs.sys
2009-08-15 11:17 10,794 a------- c:\program files\common files\egocyfolyz.lib
2009-08-06 03:34 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 08:18 5,937,152 a------- c:\windows\system32\dllcache\cache\mshtml.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 06:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 09:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 07:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 01:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\dllcache\quartz.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2008-04-27 13:39 47,360 a------- c:\docume~1\hp_adm~1\applic~1\pcouffin.sys
2007-06-15 21:59 0 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2008-09-14 11:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 14:54:15.29 ===============



COMBOFIX LOG:


ComboFix 09-08-10.06 - HP_Administrator 08/15/2009 14:24.10.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3006.2605 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\documents and settings\All Users\Application Data\ijykemut.pif"
"c:\documents and settings\All Users\Application Data\ivepyrisix.sys"
"c:\documents and settings\All Users\Application Data\jococez.sys"
"c:\documents and settings\All Users\Application Data\mohozav.com"
"c:\documents and settings\LocalService\Application Data\ofomow.bat"
"c:\documents and settings\LocalService\Application Data\vebaxivaba.pif"
"c:\documents and settings\LocalService\Local Settings\Application Data\soqa.bat"
"c:\documents and settings\Michael\Application Data\fynomumew.dll"
"c:\documents and settings\Michael\Application Data\yxupij.dll"
"c:\documents and settings\Michael\Local Settings\Application Data\timyxyf.com"
"c:\documents and settings\Michael\Local Settings\Application Data\ufafakuvu.vbs"
"c:\program files\Common Files\atasus.bat"
"c:\windows\bokytib.exe"
"c:\windows\ebosus.vbs"
"c:\windows\fynypiko.bin"
"c:\windows\muqilybyqy.bin"
"c:\windows\system32\dllcache\figaro.sys"
"c:\windows\system32\gadodeto.scr"
"c:\windows\system32\irelosyvy.bat"
"c:\windows\system32\vuzapyw.dat"
"c:\windows\system32\xavise.reg"
"c:\windows\system32\yjosyc.pif"
"c:\windows\system32\yjyn.scr"
"c:\windows\uniji.dat"
"c:\windows\uzati.scr"
"c:\windows\wixukudy.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\LocalService\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\bylopiqyp.dll
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\pebypuxi.reg
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\program files\PC_Antispyware2010
c:\program files\PC_Antispyware2010\AVEngn.dll
c:\program files\PC_Antispyware2010\data\daily.cvd
c:\program files\PC_Antispyware2010\htmlayout.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\PC_Antispyware2010\PC_Antispyware2010.cfg
c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe
c:\program files\PC_Antispyware2010\pthreadVC2.dll
c:\windows\system32\_scui.cpl
c:\windows\system32\braviax.exe

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ntfs.sys

.
((((((((((((((((((((((((( Files Created from 2009-07-15 to 2009-08-15 )))))))))))))))))))))))))))))))
.

2009-08-15 19:31 . 2009-08-15 19:31 29184 ----a-w- c:\windows\system32\dllcache\figaro.sys
2009-08-15 19:19 . 2009-08-15 19:19 -------- d-----w- C:\rsit
2009-08-15 19:15 . 2009-08-15 19:15 -------- d-----w- c:\program files\Trend Micro
2009-08-15 18:03 . 2009-08-15 19:21 -------- d-----w- c:\program files\Loaris Trojan Remover
2009-08-15 04:25 . 2009-08-15 19:31 146 ----a-w- c:\documents and settings\HP_Administrator\delself.bat
2009-08-15 03:43 . 2009-08-15 19:31 619584 ----a-w- c:\windows\system32\dllcache\ntfs.sys
2009-08-15 03:43 . 2009-08-15 03:43 26686 ----a-w- c:\windows\system32\msword98.exe
2009-08-15 03:43 . 2009-08-15 03:43 26686 ----a-w- c:\documents and settings\HP_Administrator\msword98.exe
2009-08-12 20:59 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-06 08:06 . 2009-08-06 08:06 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-06 08:06 . 2009-08-06 08:06 -------- d-----w- c:\program files\Reference Assemblies
2009-08-06 08:05 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-06 08:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-06 08:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-06 08:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-06 08:05 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-06 08:05 . 2009-08-06 08:05 -------- d-----w- C:\8ef50a60667d490149557bbd8adb4b
2009-08-06 08:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-06 08:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-21 03:26 . 2009-07-21 03:26 -------- d-----w- c:\program files\uTorrent
2009-07-21 03:24 . 2009-08-09 21:16 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-07-21 02:05 . 2007-04-04 23:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2009-07-21 02:03 . 2009-07-21 02:03 -------- d-----w- c:\windows\Logs
2009-07-21 01:57 . 2009-07-21 01:57 12862 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{0E2B767B-EA6A-489B-BF83-8083FE1DB661}\_1EEFFF72773535163E4216.exe
2009-07-17 19:01 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 19:31 . 2004-08-10 04:00 619584 ----a-w- c:\windows\system32\drivers\ntfs.sys
2009-08-15 16:31 . 2008-06-27 12:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-13 08:05 . 2008-12-20 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-13 04:09 . 2009-04-03 02:19 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\LimeWire
2009-08-10 02:05 . 2006-05-06 20:30 90528 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 20:37 . 2006-07-15 23:29 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Vso
2009-08-06 08:34 . 2009-05-01 03:31 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-06 08:17 . 2008-12-07 17:31 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-05 09:01 . 2004-08-09 21:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-21 22:56 . 2006-05-06 20:33 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-21 22:56 . 2006-05-06 20:18 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-07-21 22:54 . 2006-05-06 20:33 -------- d-----w- c:\program files\HP Games
2009-07-21 22:53 . 2006-05-06 20:46 -------- d-----w- c:\program files\Quicken
2009-07-21 22:52 . 2007-12-01 01:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-07-21 22:50 . 2008-04-23 01:34 -------- d-----w- c:\program files\AoA Audio Extractor
2009-07-21 22:50 . 2006-07-24 17:42 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-07-21 22:25 . 2006-07-24 17:40 -------- d-----w- c:\program files\Common Files\AOL
2009-07-21 03:34 . 2006-07-24 17:42 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AOL
2009-07-21 03:34 . 2006-07-24 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-07-17 19:01 . 2004-08-09 21:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-09 21:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 03:23 . 2009-07-08 03:23 -------- d-----w- c:\program files\WinSCP
2009-07-03 17:09 . 2004-08-09 21:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-20 01:45 . 2007-01-11 02:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-20 01:45 . 2008-12-07 18:03 -------- d-----w- c:\program files\SpywareBlaster
2009-06-17 02:34 . 2009-06-17 02:34 -------- d-----w- c:\program files\RealVNC
2009-06-16 14:36 . 2004-08-09 21:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-09 21:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-09 21:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-10 04:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 17:43 . 2009-06-11 17:43 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 21:47 . 2009-06-10 21:47 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 14:19 . 2004-08-09 21:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-09 21:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-09 21:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 16:42 . 2009-06-11 17:45 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 16:42 . 2009-06-11 17:45 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-03 19:09 . 2004-08-09 21:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 16:33 . 2008-12-10 02:07 410984 ----a-w- c:\windows\system32\deploytk.dll
2008-04-27 18:25 . 2008-04-27 18:21 72 --sha-w- c:\windows\S8DF04565.tmp
.

------- Sigcheck -------

[7] 2004-08-09 21:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\cache\beep.sys

[-] 2007-02-09 11:23 574976 05AB81909514BFD69CBB1F2C147CF6B9 c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[-] 2007-02-09 11:10 574464 19A811EF5F1ED5C926A028CE107FF1AF c:\windows\$NtServicePackUninstall$\ntfs.sys
[-] 2004-08-10 04:00 574592 B78BE402C3F63DD55521F73876951CDD c:\windows\$NtUninstallKB930916$\ntfs.sys
[-] 2004-08-09 21:00 574592 B78BE402C3F63DD55521F73876951CDD c:\windows\I386\NTFS.SYS
[7] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\ServicePackFiles\i386\ntfs.sys
[-] 2009-08-15 19:31 619584 4DFB45D14330ACE7FD32EE8DBCF50C97 c:\windows\system32\dllcache\ntfs.sys
[7] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\system32\dllcache\cache\ntfs.sys
[-] 2009-08-15 19:31 619584 4DFB45D14330ACE7FD32EE8DBCF50C97 c:\windows\system32\drivers\ntfs.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((( [email protected]_05.15.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-15 16:17 . 2009-08-15 16:17 10132 c:\windows\wagatijyli.scr
+ 2009-08-15 19:31 . 2009-08-15 19:31 16384 c:\windows\temp\Perflib_Perfdata_610.dat
+ 2009-08-15 16:17 . 2009-08-15 16:17 11298 c:\windows\system32\ubozyj.pif
+ 2009-08-15 16:17 . 2009-08-15 16:17 18763 c:\windows\ivyxor.exe
+ 2009-08-15 16:17 . 2009-08-15 16:17 13119 c:\windows\hucyqiguz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"GCS"="c:\program files\GrabClipSave\GrabClipSave.exe" [2003-04-14 976896]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"msword98"="c:\documents and settings\HP_Administrator\msword98.exe" [2009-08-15 26686]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-15 49152]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-01-24 86016]
"msword98"="c:\windows\system32\msword98.exe" [2009-08-15 26686]
"Regedit32"="c:\windows\system32\regedit.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-03-08 16010240]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-02 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-01-24 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Auto run of VideoCam Suite 1.0.lnk - c:\program files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe [2008-3-15 161160]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.0-enUS-downloader.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blilzzard Downloader
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:VNC

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/30/2009 10:31 PM 108289]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} - hxxp://static.mediazone.com/player/1.0.0.67/MZPlayer.CAB
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\lqd5wd9c.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-08-15 14:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(556)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Microsoft ActiveSync\rapimgr.exe
c:\docume~1\HP_ADM~1\LOCALS~1\temp\BN1.tmp
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Avira\AntiVir Desktop\guardgui.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\Avira\AntiVir Desktop\avscan.exe
c:\hp\KBD\kbd.exe
.
**************************************************************************
.
Completion time: 2009-08-15 14:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-15 19:42
ComboFix2.txt 2009-08-15 15:43
ComboFix3.txt 2009-08-15 05:23
ComboFix4.txt 2009-05-01 02:03

Pre-Run: 88,032,858,112 bytes free
Post-Run: 87,810,834,432 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=,1,2,3,4
326 --- E O F --- 2009-08-13 08:05
Attached Files
File Type: zip Attach.zip (5.5 KB, 23 views)
Rwhite64 is offline  
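A way to triage a log like the one posted above, as an added example (not ComboFix's own code and not something from this thread's helpers): ComboFix prints each Run-key autostart target with the file's date and size in brackets, and it also dumps the Security Center and firewall policy values. The script below parses those lines and flags the things a responder checks first: autostart targets written within a few days of the scan (here `msword98.exe`, dated the day of the scan), targets with no date/size recorded (the `Regedit32` entry marked `[BU]`), the firewall being off, update notifications being suppressed, and remote-control ports (RDP 3389, VNC 5900) opened in the firewall. The sample lines are copied from the log above and embedded so it runs offline; the scan date comes from the `Rootkit scan 2009-08-15` line. Flags are items to review, not verdicts.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample: a handful of lines copied from the ComboFix log posted
# in this thread, so the script runs without the full file.
SAMPLE_LOG = r'''
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-01-24 86016]
"msword98"="c:\windows\system32\msword98.exe" [2009-08-15 26686]
"Regedit32"="c:\windows\system32\regedit.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-03-08 16010240]
"UpdatesDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:VNC
'''

# Date of the scan, taken from the "Rootkit scan 2009-08-15 14:31" line above.
SCAN_DATE = date(2009, 8, 15)

# "Name"="value" [YYYY-MM-DD size]   or   "Name"="exe" - resolved path [YYYY-MM-DD size]
RUN_ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'   # "Name"="value"
    r'(?: - (?P<path>.+?))?'                    # optional resolved path
    r' \[(?P<meta>[^\]]*)\]$'                   # [date size] or a marker such as [BU]
)
META = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\d+)$')

# Policy values that weaken the host's defences when present with these values.
WEAK_SETTINGS = {
    "EnableFirewall": ('"EnableFirewall"= 0',
                       "Windows Firewall is off for the standard profile"),
    "UpdatesDisableNotify": ('"UpdatesDisableNotify"=dword:00000001',
                             "Security Center update notifications are suppressed"),
}
# Firewall exceptions that expose remote-control services to the network.
REMOTE_PORTS = {"3389:TCP": "RDP", "5900:TCP": "VNC"}
PORT_ENTRY = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=')


def parse_run_entry(line):
    """Parse one autostart line into a dict, or return None for any other line."""
    m = RUN_ENTRY.match(line.strip())
    if not m:
        return None
    entry = {
        "name": m.group("name"),
        "path": m.group("path") or m.group("value"),
        "file_date": None,
        "size": None,
    }
    meta = META.match(m.group("meta"))
    if meta:  # no match means ComboFix recorded a marker instead of date/size
        entry["file_date"] = datetime.strptime(meta.group(1), "%Y-%m-%d").date()
        entry["size"] = int(meta.group(2))
    return entry


def triage(log_text, scan_date, recent_days=7):
    """Return (item, reason) pairs for lines in the log that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_run_entry(line)
        if entry:
            if entry["file_date"] is None:
                findings.append((entry["name"], "no file date/size recorded for autostart target"))
            elif scan_date - entry["file_date"] <= timedelta(days=recent_days):
                # Also catches a file dated after the scan, which is just as odd.
                findings.append((entry["name"],
                                 f"autostart target written within {recent_days} days of the scan"))
            continue
        for name, (prefix, why) in WEAK_SETTINGS.items():
            if line.startswith(prefix):
                findings.append((name, why))
        pm = PORT_ENTRY.match(line)
        if pm and pm.group("port") in REMOTE_PORTS:
            service = REMOTE_PORTS[pm.group("port")]
            findings.append((pm.group("port"), f"{service} port opened in the firewall"))
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG, SCAN_DATE):
        print(f"{item:<22} {reason}")
```

Run it against a full ComboFix.txt by passing the file's text to `triage()` with the date from its own scan header; entries that are old and belong to known software (the Avira and NVIDIA lines above) drop out, leaving the short list a helper would actually look at.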
Old 08-20-2009, 06:47 AM   #2
Guest
 
Join Date: Aug 2009
Posts: 5
OS:



Pump, Please

Been about 4 days. I understand you guys are busy and appreciate the help in advance. I've still had the computer sitting in safe mode since the post and wasn't going to try anything else until I hear a response from you guys.

Thanks
Rwhite64 is offline  
Old 08-20-2009, 02:36 PM   #3
Guest
 
Join Date: Aug 2009
Posts: 5
OS:



BUMP, please

(I just realized earlier today I typed in 'Pump, please' and was afraid I might have messed myself up if you guys do some type of search typing 'bump, please'). Not meaning this to be like another bump, but I just didn't want to mess myself up by thinking you guys wouldn't see it since I typed Pump instead of bump....I would have edited the post but it won't let me do that.

As you can tell...it just has not been my week, lol.
Rwhite64 is offline  
Old 08-21-2009, 07:07 AM   #4
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hello Rwhite64,

See if you can disable Avira via its control panel Start>All Programs>Avira


Delete your existing Combofix.exe and download a fresh copy from one of these locations. Save it to your desktop

Link 1
Link 2

Double click to run it, then please post the C:\ComboFix.txt
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-21-2009, 09:14 AM   #5
Guest
 
Join Date: Aug 2009
Posts: 5
OS:



Thank you very much for the response. I actually had a friend come over last night who works in their Computer department for the university. He saw that whatever combofix I had needed to be updated and after the update it automatically cleared everything plus that figaro.sys file on its own. I went ahead and ran malwarebytes and it got rid of a few other little things and also ran a full computer scan from kaspersky online. The only thing it found was a c:\windows32\dllcache\ntfs.sys virus and I deleted that after scanning with avira.

After all that I ran a kaspersky scan again and it found nothing, and the quick scan from malwarebytes also shows up nothing. So he went ahead and uninstalled combofix from the 'run' prompt and as far as I know I think I'm good to go.

My Internet service provider actually provides something called security suite by McAfee which has a full anti-virus, spyware, firewall, anti-phishing program, so I think I'm just going to download that to avoid this in the future.

What's most annoying about it is I was just surfing the internet...I want to say I was looking up something from google when I got the virus. It wasn't like I was downloading something from an email or anything. So I guess I better get myself better protected. I thought the free version of Avira would have done the trick along with the spyware blaster and always installing updates, but I know viruses just get more and more complicated so I'll give that a try.

Thanks again for the response and I love what you guys do to help people. I know first hand from a friend and you guys completely helped him fix his computer. I think with his knowledge of computers and things we got mine fixed as well. If I have any additional problems I'll start a new thread on it and it's ok with me if you go ahead and close this thread and move on to someone else....unless there's anything you see with that ntfs.sys virus that might be bad.

Thanks again for all the help you provide.
Rwhite64 is offline  
Old 08-21-2009, 05:15 PM   #6
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hi Rwhite64,

It sounds as though you have all well in hand.


Quote:
I want to say I was looking up something from google when I got the virus.
I highly recommend you install Web of Trust. WOT (Web of Trust) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


- Scan here https://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

- Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


- Most importantly, Think Prevention

==========================

Take care and surf safely.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-21-2009, 09:21 PM   #7
Guest
 
Join Date: Aug 2009
Posts: 5
OS:



I will certainly heed your advice and check out WOT. I already had spyware blaster but I hadn't updated it in probably a month or so, so I'll remember to do that. This McAfee thing I installed also has a "McAfee SiteAdvisor" so that'll probably do a lot of what WOT does as well.

Hopefully I won't have any more problems and have to come back =). Thanks for the help and like I said I know everyone here really appreciates the great things you do.

You can go ahead and mark this thread as resolved if you like.

Thanks again.
Rwhite64 is offline  
Old 08-21-2009, 09:41 PM   #8
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Actually, I used to use Site Advisor, but I'm finding WOT to be more reliable. You may find this blog an interesting read.

Take care, and I hope you have an enjoyable weekend.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  