1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

PC Trashed

Discussion in 'Virus & Other Malware Removal' started by Neverdone, Jul 11, 2011.

Thread Status:
Not open for further replies.
  1. Neverdone

    Neverdone Thread Starter

    Jul 11, 2011
    A while back my room mate was using my PC and said it started acting funny. Of course I went and was checking it out and of course it had gotten a virus.

    I am running stopzilla and was using malwarbytes but neither of them seem to be helping my situation. Stopzilla removed several hundred instances of viruses, but there must be still something in the background running because every time I plug the network connection back in it slows down to the speed of stupid. I tried loading system restore but it just comes up and says system restore cannot protect your computer. Now I don't know what to do but format and I really don't want to do that unless completely necessary. I do have an external hardrive and can back up stuff to that but I am afraid that the virus might latch on to that as well so would rather not.

    After reading a few posts I downloaded hijack this and ran a scan for people to see. Maybe someone can help.
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:27:57 AM, on 7/11/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Ask.com\Updater\Updater.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Update\\GoogleCrashHandler.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\STOPzilla!\STOPzilla.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z039&form=ZGAPHP
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    R3 - URLSearchHook: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files\DVDVideoSoftTB\prxtbDVD0.dll
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
    O2 - BHO: DVDVideoSoftTB - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files\DVDVideoSoftTB\prxtbDVD0.dll
    O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\\gears.dll
    O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files\DVDVideoSoftTB\prxtbDVD0.dll
    O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
    O4 - HKLM\..\Run: [Lcirifu] rundll32.exe "C:\WINDOWS\agijoyigere.dll",Startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [nLite] %systemroot%\inf\nlite.cmd (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nLite] %systemroot%\inf\nlite.cmd (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\\gears.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

    End of file - 7504 bytes

    Please Help!!
  2. kevinf80

    kevinf80 Malware Specialist

    Mar 21, 2006
    First Name:
    Run the following :-

    Step 1

    Please download OTM by OldTimer.
    Alternative Mirror 1
    Alternative Mirror 2
    Save it to your desktop.
    Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator
    • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


      ipconfig /flushdns /c

    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red [​IMG] button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:


    Where mmddyyyy_hhmmss is the date of the tool run.

    Step 2

    [​IMG] Please download Malwarebytes Anti-Malware and save it to your desktop.
    Alernative D/L mirror
    Alternative D/L mirror

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Post the logs from OTM and Malwarebytes in your reply, also give update on issues...

  3. Neverdone

    Neverdone Thread Starter

    Jul 11, 2011
    OK so I ran the OTM software and a Malwarbytes Scan here are the results:

    OTM Scan
    All processes killed
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Lcirifu deleted successfully.
    Error: Unable to interpret <:Service> in the current context!
    Error: Unable to interpret <Lcirifu> in the current context!
    ========== FILES ==========
    File/Folder C:\WINDOWS\agijoyigere.dll not found.
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Administrator\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\Administrator\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========


    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 10269 bytes
    ->FireFox cache emptied: 54601419 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 45558 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 41620 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 450364397 bytes
    ->Flash cache emptied: 15619 bytes

    User: NetworkService
    ->Temp folder emptied: 655360 bytes
    ->Temporary Internet Files folder emptied: 136626107 bytes
    ->Java cache emptied: 826 bytes
    ->Flash cache emptied: 20259 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 3272035 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1365412 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 617.00 mb

    OTM by OldTimer - Version log created on 07112011_150544

    Files moved on Reboot...
    File C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_5e0.dat not found!

    Registry entries deleted on Reboot...


    Malwarebytes' Anti-Malware

    Database version: 7075

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    7/11/2011 5:19:36 PM
    mbam-log-2011-07-11 (17-19-36).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 230619
    Time elapsed: 1 hour(s), 52 minute(s), 47 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    I have not yet tried connecting my network connection. Thought I would wait and see what you guys say first. In the mean time I just keep moving stuff to it from my laptop with a small thumb drive.
  4. kevinf80

    kevinf80 Malware Specialist

    Mar 21, 2006
    First Name:
    We need to see some additional information about what is happening in your machine.*
    Please perform the following scan:
    • Download DDS by sUBs from one of the following links.* Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool.* *
    • When done, DDS will open two (2) logs
      * * * * *1. DDS.txt
      * * * * *2. Attach.txt
    • Save both reports to your desktop.
    • The instructions here ask you to attach the Attach.txt.
    • Instead of attaching, please copy/past both logs into your next reply.
    • Close the program window, and delete the program from your desktop.
    Please note:* You may have to disable any script protection running if the scan fails to run.
    After downloading the tool, disconnect from the internet and disable all antivirus protection.
    Run the scan, enable your A/V and reconnect to the internet.*
    Information on A/V control HERE

  5. Neverdone

    Neverdone Thread Starter

    Jul 11, 2011
    I tried to run this program but it will not. It starts to then just shuts off. How do you disable "script protection"? Maybe that is what is stopping it.
  6. kevinf80

    kevinf80 Malware Specialist

    Mar 21, 2006
    First Name:
    Make sure all of your security is turned off before you run DDS
  7. Neverdone

    Neverdone Thread Starter

    Jul 11, 2011
    I went through and made sure my virus protection and everything is off, tried to run it again. This is what happens.

    That window goes away, then nothing.
  8. kevinf80

    kevinf80 Malware Specialist

    Mar 21, 2006
    First Name:
    See if your system will connect to the internet then proceed as follows :-

    Please download Rkill and save to your Desktop.
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use Link 1 from the following list and so on in sequencial order until one runs successfully.
    Link 1

    Link 2

    Link 3

    Link 4

    Link 5

    Link 6
    • A log pops up at the end of the run. This log file is also located at C:\rkill.log. Please post this log in your reply.
    • If you get an alert from your own Security Program, accept it and allow Rkill to run, it is very safe and will not harm your system.
      If the alert is from the Infection Malware program (you`ll know by the name) leave the alert open and run the same Rkill version again. You may have to run it several times, it may take upto 9 to work.
    • If the tool does not run from any of the links provided, please let me know.

    Do not re-boot if RKill is successful,


    Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-


    • Ensure that Combofix is saved directly to the Desktop <--- Very important
    • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the [​IMG] icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)
    • Instructions for running Combofix available Here if required.
    • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the logs in next reply please...

  9. Neverdone

    Neverdone Thread Starter

    Jul 11, 2011
    Tried to run these this morning. It took the second link to run rkill. This is what happened.....

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 08/04/2011 at 9:19:32.
    Operating System: Microsoft Windows XP

    Processes terminated by Rkill or while it was running:

    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Documents and Settings\Administrator\Desktop\rkill.com

    Rkill completed on 08/04/2011 at 9:21:30.

    Then when I tried to run combofix it would not run. It kept displaying either "Not Admin!!" and wouldnt run or saying incompatible OS (I am running windows XP). Or it would say can not find 'HIDEC' it would not run successfully.
  10. kevinf80

    kevinf80 Malware Specialist

    Mar 21, 2006
    First Name:
    Boot into Safe Mode, make sure all security is OFF, then try Combofix again...
  11. Neverdone

    Neverdone Thread Starter

    Jul 11, 2011
    Safe Mode Worked......

    This is the log for combofix


    ComboFix 11-08-03.03 - Administrator 08/05/2011 20:04:39.1.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.718 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.com
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    c:\documents and settings\Administrator\Application Data\Adobe\plugs
    c:\documents and settings\Administrator\Application Data\Adobe\shed
    c:\documents and settings\Administrator\Application Data\PriceGong
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\Administrator\Local Settings\Application Data\{EDFDB25B-D9BA-412F-B878-315F78B80FB1}
    c:\documents and settings\Administrator\Local Settings\Application Data\{EDFDB25B-D9BA-412F-B878-315F78B80FB1}\chrome.manifest
    c:\documents and settings\Administrator\Local Settings\Application Data\{EDFDB25B-D9BA-412F-B878-315F78B80FB1}\chrome\content\_cfg.js
    c:\documents and settings\Administrator\Local Settings\Application Data\{EDFDB25B-D9BA-412F-B878-315F78B80FB1}\chrome\content\overlay.xul
    c:\documents and settings\Administrator\Local Settings\Application Data\{EDFDB25B-D9BA-412F-B878-315F78B80FB1}\install.rdf
    c:\documents and settings\Administrator\WINDOWS
    c:\program files\Search Toolbar
    c:\program files\Search Toolbar\icon.ico
    c:\program files\Search Toolbar\SearchToolbar.dll
    c:\program files\Search Toolbar\SearchToolbarUninstall.exe
    c:\program files\Search Toolbar\SearchToolbarUpdater.exe
    ((((((((((((((((((((((((( Files Created from 2011-07-06 to 2011-08-06 )))))))))))))))))))))))))))))))
    2011-07-11 19:05 . 2011-07-11 19:05 -------- d-----w- C:\_OTM
    2011-07-11 15:26 . 2011-07-11 15:26 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-07-11 15:26 . 2011-07-11 15:26 -------- d-----w- c:\program files\Trend Micro
    2011-07-08 01:25 . 2011-07-08 01:40 -------- d-----w- c:\program files\PeerBlock
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2011-06-02 21:57 . 2011-06-02 21:57 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
    2011-06-02 21:57 . 2011-06-02 21:57 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
    2011-06-02 21:57 . 2011-06-02 21:57 546256 ----a-r- c:\windows\system32\SZComp5.dll
    2011-06-02 21:57 . 2011-06-02 21:57 456144 ----a-r- c:\windows\system32\SZBase5.dll
    2011-06-02 21:57 . 2011-06-02 21:57 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
    2011-06-02 21:57 . 2011-06-02 21:57 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
    2011-06-02 21:57 . 2011-06-02 21:57 22992 ----a-r- c:\windows\system32\SZIO5.dll
    2011-06-02 21:57 . 2011-06-02 21:57 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
    2011-06-02 21:57 . 2011-06-02 21:57 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
    2011-06-02 21:57 . 2011-06-02 21:57 738768 ----a-r- c:\windows\system32\IS3Base5.dll
    2011-06-02 21:57 . 2011-06-02 21:57 390608 ----a-r- c:\windows\system32\IS3UI5.dll
    2011-06-02 21:57 . 2011-06-02 21:57 230864 ----a-r- c:\windows\system32\IS3Win325.dll
    2011-05-29 13:11 . 2011-01-01 02:05 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 13:11 . 2011-06-11 01:35 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-11 00:11 . 2011-05-11 00:11 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    *Note* empty entries & legit default entries are not shown
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\prxtbDVD0.dll" [2011-01-17 175912]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
    2011-01-17 14:54 175912 ----a-w- c:\program files\DVDVideoSoftTB\prxtbDVD0.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2011-05-17 17:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\prxtbDVD0.dll" [2011-01-17 175912]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
    "{872B5B88-9DB5-4310-BDD0-AC189557E5F5}"= "c:\program files\DVDVideoSoftTB\prxtbDVD0.dll" [2011-01-17 175912]
    "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-30 335872]
    "ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
    [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
    backup=c:\windows\pss\Desktop Manager.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2008-03-13 14:34 81920 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-04-06 01:39 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire 4.0.8 Pro\\LimeWire.exe"=
    "c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
    R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [5/12/2010 6:01 PM 59280]
    R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [3/1/2010 9:48 PM 72064]
    S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/22/2010 10:26 PM 691696]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/7/2010 12:08 AM 136176]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/31/2010 10:05 PM 366640]
    S3 DCamUSBSTK02H;STK02H Camera;c:\windows\system32\DRIVERS\STK02HW2.sys --> c:\windows\system32\DRIVERS\STK02HW2.sys [?]
    S3 DCamUSBSTK02N;Standard Camera;c:\windows\system32\drivers\STK02NW2.sys [4/9/2010 7:59 PM 101520]
    S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/7/2010 12:08 AM 136176]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/10/2011 9:35 PM 22712]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    Contents of the 'Scheduled Tasks' folder
    2011-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-07 04:08]
    2011-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-07 04:08]
    2011-08-05 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2011-05-17 17:29]
    ------- Supplementary Scan -------
    uStart Page = hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tqpfns2g.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - google.com
    FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=GAM1&o=15491&locale=en_US&apn_uid=77A26D05-7689-4FD6-95D7-8848822DCD19&apn_ptnrs=HE&apn_sauid=82F2B0D4-B395-4A57-9824-6DDFA8EFA708&apn_dtid=YYYYYYYYUS&q=
    FF - user.js: yahoo.homepage.dontask - true
    - - - - ORPHANS REMOVED - - - -
    HKLM-Run-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
    Notify-TPSvc - TPSvc.dll
    MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
    AddRemove-RealFlightG4Pro - c:\program files\Common Files\KnifeEdge\LauncherHelperG4.exe
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-05 20:15
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Maxtor_6Y080L0 rev.YAR41KW0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8520953B
    user & kernel MBR OK
    --------------------- LOCKED REGISTRY KEYS ---------------------
    Completion time: 2011-08-05 20:19:35
    ComboFix-quarantined-files.txt 2011-08-06 00:19
    Pre-Run: 40,392,642,560 bytes free
    Post-Run: 40,357,175,296 bytes free
    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - C2C662B27F90EA402367AB89CDCF9369
  12. kevinf80

    kevinf80 Malware Specialist

    Mar 21, 2006
    First Name:
    We need to install the Recovery Console. This will help us restore your system in the event of a serious crash. It's very simple to complete and will only take a few moments. It may also be useful in the future.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

    Note: If you have SP2 or SP3, use the SP2 package.

    Transfer all files you just downloaded, to the desktop of the infected computer.

    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console


    • at the next prompt, click 'NO' to run the full ComboFix scan.
    • When the tool is finished, it will produce a report for you.

    Please post the C:\ComboFix.txt in your next reply.


    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    "Ucojoziqowuka"=hex:34,01,47,03,37,05,33,07,3e,09,3c,0b,3e,0d,4c,0f,56,11,2 a,
    13,20,15,25,17,2c,19,58,1b,5d,1d,5b,1f,19,21,13,23,13,25,17,27,1c,29,6e,2b, \
    Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe



    Refering to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Let me see the log from Combofix, also give update on current issues...

  13. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1006794

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice