
Solve : Help! Trojan and Malware issues, Need ComboFix logs read!?


I have had several issues with malware and viruses Trojan.General and Trojan.Virtumonde.  I was unable to open my system restore, had popups, unable to download or run malwarebytes, etc.  I ran combo fix, and my system restore has come back, however, I still have popups and unwanted processes running.  Here is my Combo Fix Log.  Any help would be appreciated!!  Thank you muchly in advance!

ComboFix 10-03-14.01 - Michelle 03/14/2010  14:49:25.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2038.1525 [GMT -4:00]
Running from: c:\documents and settings\Michelle\Desktop\ComboFix.exe
AV: a-squared Anti-Malware *On-access scanning enabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bezuyiza.dll
c:\windows\system32\fogiguzu.dll
c:\windows\Tasks\krynixfk.job

.
(((((((((((((((((((((((((   Files Created from 2010-02-14 to 2010-03-14  )))))))))))))))))))))))))))))))
.

2010-03-14 18:11 . 2010-03-14 18:11   --------   d-----w-   C:\VundoFix Backups
2010-03-14 17:51 . 2010-03-14 18:10   --------   d-----w-   c:\program files\a-squared Anti-Malware
2010-03-14 17:37 . 2010-03-14 17:37   --------   d-----w-   c:\documents and settings\Michelle\Local Settings\Application Data\Threat Expert
2010-03-14 17:36 . 2010-01-21 23:21   767952   ----a-w-   c:\windows\BDTSupport.dll
2010-03-14 17:36 . 2010-01-21 23:21   165840   ----a-w-   c:\windows\PCTBDRes.dll
2010-03-14 17:36 . 2010-01-21 23:21   149456   ----a-w-   c:\windows\SGDetectionTool.dll
2010-03-14 17:36 . 2010-01-21 23:21   1652688   ----a-w-   c:\windows\PCTBDCore.dll
2010-03-14 17:36 . 2009-10-28 05:36   1152444   ----a-w-   c:\windows\UDB.zip
2010-03-14 17:36 . 2008-11-26 16:08   131   ----a-w-   c:\windows\IDB.zip
2010-03-14 17:32 . 2010-02-05 13:17   233136   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
2010-03-14 17:32 . 2009-10-06 20:31   87784   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-14 17:32 . 2009-09-23 20:10   207280   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
2010-03-14 17:32 . 2010-02-05 13:25   70408   ----a-w-   c:\windows\system32\drivers\pctplsg.sys
2010-03-14 17:31 . 2010-03-14 18:30   --------   d-----w-   c:\program files\Spyware Doctor
2010-03-14 17:31 . 2010-03-14 17:31   --------   d-----w-   c:\documents and settings\Michelle\Application Data\PC Tools
2010-03-14 17:31 . 2010-03-14 17:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Tools
2010-03-14 01:03 . 2010-03-14 01:03   --------   d-----w-   c:\documents and settings\Michelle\Application Data\Registry Mechanic
2010-03-14 00:58 . 2010-03-14 18:55   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-03-14 00:58 . 2010-03-14 17:37   --------   d-----w-   c:\program files\Common Files\PC Tools
2010-03-13 16:55 . 2010-03-13 16:55   --------   d-----w-   c:\documents and settings\Michelle\Application Data\Malwarebytes
2010-03-13 16:55 . 2010-03-13 16:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-13 08:44 . 2010-03-13 08:44   --------   d-----w-   c:\documents and settings\Michelle\Local Settings\Application Data\WMTools Downloaded Files
2010-03-12 18:32 . 2010-03-12 18:32   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
2010-03-12 18:32 . 2010-03-12 18:32   --------   d-sh--w-   c:\windows\system32\config\systemprofile\PrivacIE
2010-03-12 18:27 . 2010-03-14 18:56   823296   ----a-w-   c:\windows\system32\drivers\mjvmswud.sys
2010-03-12 18:27 . 2010-03-14 18:55   --------   d-----w-   c:\documents and settings\Michelle\Local Settings\Application Data\Windows Server
2010-03-11 04:25 . 2010-03-11 04:25   --------   d-----w-   c:\program files\VideoLAN
2010-03-11 04:23 . 2010-03-11 04:23   --------   d-----w-   c:\program files\Graboid
2010-02-22 01:18 . 2010-02-22 01:19   --------   d-----w-   c:\program files\iTunes
2010-02-22 01:16 . 2010-02-22 01:16   --------   d-----w-   c:\program files\Bonjour
2010-02-22 01:15 . 2010-02-22 01:15   --------   d-----w-   c:\program files\QuickTime

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-13 08:38 . 2008-07-07 15:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg8
2010-03-12 00:39 . 2008-07-25 05:28   --------   d-----w-   c:\documents and settings\Michelle\Application Data\Move Networks
2010-03-11 21:10 . 2009-11-16 02:08   --------   d-----w-   c:\documents and settings\Michelle\Application Data\U3
2010-03-11 04:10 . 2009-08-06 03:54   143976   ----a-w-   c:\documents and settings\Michelle\Application Data\Move Networks\uninstall.exe
2010-03-11 04:10 . 2009-10-15 00:50   5642688   ----a-w-   c:\documents and settings\Michelle\Application Data\Move Networks\plugins\npqmp071701000002.dll
2010-03-11 04:10 . 2010-03-11 04:10   1794456   ----a-w-   c:\documents and settings\Michelle\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2010-02-22 01:18 . 2008-05-30 19:13   --------   d-----w-   c:\program files\iPod
2010-02-22 01:18 . 2008-05-30 19:20   --------   d-----w-   c:\program files\Common Files\Apple
2010-02-22 01:10 . 2010-02-22 01:10   72488   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-12 20:46 . 2008-05-30 15:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-09 18:24 . 2008-06-20 14:04   --------   d-----w-   c:\program files\Common Files\Adobe
2010-02-04 05:51 . 2008-05-23 09:19   --------   d-----w-   c:\program files\Google
2010-01-22 06:50 . 2008-09-24 16:00   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-01-05 06:11 . 2009-11-13 06:23   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2009-12-31 16:50 . 2004-08-10 17:51   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 17:51   916480   ------w-   c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-10 18:01   343040   ----a-w-   c:\windows\system32\mspaint.exe
1601-01-01 00:03 . 1601-01-01 00:03   47616   --sha-w-   c:\windows\system32\hesanebo.dll
1601-01-01 00:03 . 1601-01-01 00:03   41472   --sha-w-   c:\windows\system32\jagepeyu.dll
1601-01-01 00:03 . 1601-01-01 00:03   65536   --sha-w-   c:\windows\system32\kijudawi.dll
1601-01-01 00:03 . 1601-01-01 00:03   95232   --sha-w-   c:\windows\system32\parahuri.dll
1601-01-01 00:03 . 1601-01-01 00:03   41472   --sha-w-   c:\windows\system32\tewehipo.dll
1601-01-01 00:03 . 1601-01-01 00:03   71168   --sha-w-   c:\windows\system32\towoyila.dll
1601-01-01 00:03 . 1601-01-01 00:03   95744   --sha-w-   c:\windows\system32\tudotipi.dll
1601-01-01 00:03 . 1601-01-01 00:03   41472   --sha-w-   c:\windows\system32\wigafipe.dll
1601-01-01 00:03 . 1601-01-01 00:03   70656   --sha-w-   c:\windows\system32\wirubifa.dll
1601-01-01 00:03 . 1601-01-01 00:03   65536   --sha-w-   c:\windows\system32\yopufuju.dll
.

(((((((((((((((((((((((((((((   [email protected]_04.03.10   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 06:19 . 2007-11-07 06:19   54272              c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
- 2004-08-10 17:51 . 2009-12-09 14:28   72978              c:\windows\system32\perfc009.dat
+ 2004-08-10 17:51 . 2010-03-14 18:46   72978              c:\windows\system32\perfc009.dat
+ 2008-05-29 20:52 . 2010-03-14 17:46   49152              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-29 20:52 . 2010-03-14 17:46   32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-29 20:52 . 2010-03-13 19:33   32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-03-14 17:46 . 2010-03-14 17:46   16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-10 17:51 . 2009-12-09 14:28   445938              c:\windows\system32\perfh009.dat
+ 2004-08-10 17:51 . 2010-03-14 18:46   445938              c:\windows\system32\perfh009.dat
+ 2010-03-14 17:32 . 2010-03-14 17:32   228352              c:\windows\Installer\2c3fbd9.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5bed0556-7bd3-4b69-859d-18e889d39edb}]
1601-01-01 00:03   65536   --sha-w-   c:\windows\system32\yopufuju.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-10 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-10 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-10 137752]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2008-03-31 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 28160]
"nolitamug"="c:\windows\system32\fogiguzu.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:22   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-23 09:28   10536   ----a-w-   c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
2010-01-02 18:09   3280712   ----a-w-   c:\program files\a-squared Anti-Malware\a2guard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-03-02 03:40   524632   ----a-w-   c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57   948672   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58   40368   ----a-w-   c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2010-02-08 16:02   2343632   ----a-w-   c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-06-12 20:47   50528   ----a-w-   c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 19:51   177440   ----a-w-   c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-12 14:00   2043160   ----a-w-   c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 21:43   118784   ------w-   c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellAutomatedPCTuneUp]
2007-10-11 14:49   465136   ----a-w-   c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:13   206064   ----a-w-   c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 17:44   16384   ----a-w-   c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2008-02-28 18:18   17920   ----a-w-   c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44   31072   ----a-w-   c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07   141608   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2008-05-30 19:00   32768   ----a-w-   c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-04-20 20:50   53248   ----a-w-   c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2004-04-20 20:50   118784   ----a-w-   c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-12-21 15:58   184320   ------w-   c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08   417792   ----a-w-   c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-03-25 08:28   144784   ----a-w-   c:\program files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-07 05:26   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"stllssvr"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"GoToAssist"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate1c9fec391515878"=2 (0x2)
"DellAMBrokerService"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"a2AntiMalware"=2 (0x2)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll   REG_SZ            c:\documents and settings\Michelle\Local Settings\Application Data\Windows Server\xetpmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Piolet\\piolet.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/4/2009 10:41 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/14/2010 1:32 PM 207280]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/7/2008 11:54 AM 335240]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [3/14/2010 1:36 PM 112592]
S4 a2AntiMalware;a-squared Anti-Malware Service;c:\program files\a-squared Anti-Malware\a2service.exe [3/14/2010 1:51 PM 1858144]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/7/2008 11:53 AM 297752]
S4 gupdate1c9fec391515878;Google Update Service (gupdate1c9fec391515878);c:\program files\Google\Update\GoogleUpdate.exe [7/7/2009 1:27 AM 133104]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/14/2010 1:31 PM 365280]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/29/2008 5:47 PM 24652]

--- Other Services/Drivers In Memory ---

*Deregistered* - mjvmswud
.
Contents of the 'Scheduled Tasks' folder

2010-03-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:40]

2010-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-03-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-07 05:25]

2010-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-07 05:26]

2010-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-07 05:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080523
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://www.shockwave.com/content/weddingdash2/sis/WeddingDash2Web.1.0.0.13.cab
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{96b8d020-ddd7-4df6-aa19-932bdf030a2a} - c:\windows\system32\fogiguzu.dll
SSODL-pamadigop-{96b8d020-ddd7-4df6-aa19-932bdf030a2a} - c:\windows\system32\fogiguzu.dll
MSConfigStartUp-nolitamug - c:\windows\system32\fogiguzu.dll
MSConfigStartUp-RegistryMechanic - c:\program files\Registry Mechanic\RegMech.exe
MSConfigStartUp-zedazenayi - veriwada.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-14 14:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mjvmswud]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\documents and settings\Michelle\Local Settings\Application Data\Windows Server\xetpmk.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(792)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(2576)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\documents and settings\Michelle\Local Settings\Application Data\Windows Server\xetpmk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2010-03-14  15:01:40 - machine was rebooted
ComboFix-quarantined-files.txt  2010-03-14 19:01
ComboFix2.txt  2010-03-14 04:07

Pre-Run: 202,091,397,120 bytes free
Post-Run: 202,164,076,544 bytes free

- - End Of File - - D6E3B1801BCA361FBAF30DE7791787DE
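
As an added example, not part of the original post or of ComboFix itself: a short Python triage script that applies, to lines copied from the log above, the checks a helper makes by eye when reading it. It flags the 1601-01-01 (FILETIME epoch) timestamps on the system32 DLLs, the system+hidden attributes, the Vundo-style random eight-letter names, the AppCertDlls and Browser Helper Object load points, a driver that is still in memory while its service entry is deregistered, and the firewall switched off. The scoring weights, the threshold of 3 and the function names are my own assumptions for illustration, not anything ComboFix computes.

```python
"""Heuristic triage of ComboFix log lines (added example; weights are assumptions)."""
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the ComboFix log posted above, with three benign
# entries (BDTSupport.dll, mspaint.exe, igfxtray.exe) kept for contrast.
SAMPLE_LOG = r"""
2010-03-14 17:36 . 2010-01-21 23:21   767952   ----a-w-   c:\windows\BDTSupport.dll
2010-03-12 18:27 . 2010-03-14 18:56   823296   ----a-w-   c:\windows\system32\drivers\mjvmswud.sys
2009-12-16 18:43 . 2004-08-10 18:01   343040   ----a-w-   c:\windows\system32\mspaint.exe
1601-01-01 00:03 . 1601-01-01 00:03   47616   --sha-w-   c:\windows\system32\hesanebo.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5bed0556-7bd3-4b69-859d-18e889d39edb}]
1601-01-01 00:03   65536   --sha-w-   c:\windows\system32\yopufuju.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-10 137752]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll   REG_SZ            c:\documents and settings\Michelle\Local Settings\Application Data\Windows Server\xetpmk.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
*Deregistered* - mjvmswud
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
FILE_RE = re.compile(  # "created . modified  size  attrs  path"; the second date is optional
    r"^(?P<t1>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}(?: \. (?P<t2>\d{4}-\d{2}-\d{2}) \d{2}:\d{2})?"
    r"\s+(?:\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>[a-z]:\\.*\S)\s*$", re.I)
VALUE_PATH_RE = re.compile(r'(?P<path>[a-z]:\\[^"\[\]]+?\.(?:dll|exe|sys))', re.I)
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(?P<name>\S+)$")
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|sys|exe)$")  # Vundo-style: 8 lowercase letters


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)
    score: int = 0

    def add(self, weight, reason):
        if reason not in self.reasons:        # the same file can appear in several sections
            self.reasons.append(reason)
            self.score += weight


def score_path(f, key="", attrs="", dates=()):
    """Apply the eyeball heuristics to one file; key is the registry load point, if any."""
    name, low = f.path.rsplit("\\", 1)[-1], f.path.lower()
    if "1601-01-01" in dates:
        f.add(3, "FILETIME epoch (1601-01-01) timestamps: zeroed, not a real creation date")
    if attrs and attrs[0] != "d" and "s" in attrs and "h" in attrs:
        f.add(2, "system+hidden attributes on a loose DLL/driver")
    if RANDOM_NAME.match(name) and "\\system32\\" in low:
        f.add(1, "random 8-letter name in system32 (weak alone: igfxtray.exe matches too)")
    if key:
        k = key.lower()
        if "appcertdlls" in k:
            f.add(3, "AppCertDlls: loaded into every process that calls CreateProcess")
        if "browser helper objects" in k:
            f.add(1, "registered as an Internet Explorer Browser Helper Object")
        if "\\local settings\\application data\\" in low:
            f.add(2, "machine-wide load point resolves into a user profile directory")


def triage(log_text):
    """Return ({lowercased path: Finding}, [config notes]) for one ComboFix log."""
    findings, notes, deregistered, key = {}, [], set(), ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("((("):            # a section banner ends any registry context
            key = ""
            continue
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = DEREG_RE.match(line)
        if m:
            deregistered.add(m["name"].lower())
            continue
        if FIREWALL_OFF_RE.search(line):
            notes.append(f"Windows Firewall disabled under {key or '(unknown key)'}")
            continue
        m = FILE_RE.match(line)
        if m:
            f = findings.setdefault(m["path"].lower(), Finding(m["path"]))
            score_path(f, key, m["attrs"], (m["t1"], m["t2"]))
            continue
        m = VALUE_PATH_RE.search(line)
        if m and key:                         # a registry value that names a binary
            f = findings.setdefault(m["path"].lower(), Finding(m["path"]))
            score_path(f, key)
    for f in findings.values():               # cross-section correlation
        stem = f.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if stem in deregistered:
            f.add(3, "driver still in memory but its service is deregistered (rootkit-style hiding)")
    return findings, notes


def report(findings, notes, threshold=3):
    ranked = sorted(findings.values(), key=lambda f: -f.score)
    out = [f"{f.score:>2}  {f.path}  <- {'; '.join(f.reasons)}" for f in ranked if f.score >= threshold]
    return out + [f" !  {n}" for n in notes]
```

Run as `print("\n".join(report(*triage(SAMPLE_LOG))))`. On the sample it ranks yopufuju.dll, hesanebo.dll, xetpmk.dll and mjvmswud.sys above the threshold and leaves igfxtray.exe, which also has an eight-letter lowercase name, below it; that is why the name test alone carries so little weight. The 823 KB mjvmswud.sys driver is only caught by correlating its file entry with the *Deregistered* line, which is the kind of cross-section reading a script cannot replace entirely.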

ComboFix should not be run without the guidance of a helper. It is a powerful tool and is intended by its creator to be "used under the guidance and supervision of an expert", not for private or regular use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thank you for replying.  I had already tried to upload mbam.exe (Malwarebytes) and even tried renaming the file and/or the extension and it would not let me run it (the virus).  I got to the point last night when I ended up clearing off my whole computer.  It was bad - I even tried to delete registry keys and files and it would block access to it, etc.

Thank you again for trying to help though!  Consider this a case closed!

-Michelle K

Why is that? Your computer could be cleaned... our assistance does not end when we cannot run something.

In addition to not being able to run Malwarebytes, I tried several other programs without success.  When I found programs that I could scan with (Spyware Doctor & Exterminate It!), I attempted to go into the folders/files and Registry and manually delete keys.  I even attempted this through the Run: CMD command.  The virus was locked and would not allow me access to delete these files even in safe mode.  I ended up purchasing Exterminate It! to also try and delete these items, and even when it would say it had cleaned them, I would reboot, and they would show up again in my virus scanner and Exterminate It! as if it was never "exterminated".  I think this was a rootkit virus; both my virus scanners gave me: Virtumondo (Vundo) trojan, and TR/Crypt.XPACK.gen2.  I literally spent 23 hours working on this with no luck, and I have minimal information on my computer that I can back up, so I decided to have it wiped.

ComboFix worked the first time, but even that would not help at the end.  I know this is not supposed to be run unless under the supervision of a tech, but I was desperate and figured someone would ask me to run it anyway.

Again, thanks for the reply, at first I didn't know if I would hear from anyone.  I am looking for suggestions on a good free/inexpensive virus scanner, I was using AVG before and it did not pick this virus up.  I knew I had it because I had symptoms, and they were detected with Ad-Aware.  Thanks for any help you can give!

  • As this infection probably deletes a core executable of Malwarebytes', we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link: Malwarebytes' Random - EXE Download

    When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.
  • Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded in step 8. MBAM will now start and you will be at the main program screen.
Let me know if MBAM starts, please.

I don't have the computer, and when I did have it, I tried that too, and it still found it.  It was a nasty little bug!  I just took it to get wiped and reinstalled with Windows and my software/files today.  Any suggestions on virus scanners?

Oh... that sucks. Hope you don't have to pay too much for a service you could have had for free.

==========

Once this file would have been deleted, the infection would be mostly dead: c:\windows\system32\yopufuju.dll

========

Here is a small list of free antivirus software I recommend:

  • Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  • AVG Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  • Avast!: this is an advanced malware removal antivirus program. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software.
  • Avira Antivir: this is an advanced malware removal antivirus program. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software.
  • Rising Antivirus: this is a lightweight, and great virus destroyer. It removes tough viruses, and even rootkits and trojans get destroyed.
I agree - however I tried to delete this file several times through files, registry and through the CMD command.  If I still had the computer, how else would you have attempted to remove it?

Use special commands in ComboFix.

ComboFix is a program to run - how would you have manipulated it to run new commands?  It seemed impossible and after wasting a whole weekend on it, it was well worth the $ to just get it cleaned.

Cannot tell the secrets of the program. Only those trained will be able to use or know commands.

I ask because I've read other postings about ComboFix, and from the comments I've seen from other techs, ComboFix can be read to manually remove files/keys, but that's it.  You can't alter the program.  Okay, thank you for your help!
