
Persistent Virus/Malware/Trojan

Discussion in 'Virus & Other Malware Removal' started by bmwcelo, Jun 15, 2009.

  1. bmwcelo

    bmwcelo Thread Starter

    Joined:
    Jun 15, 2009
    Messages:
    4
    Hi everyone :)

    Thanks for all the work you all do here. It's a great service to users everywhere.

    I'm having a hard time removing various malware that were downloaded by a trojan or virus. This is extremely frustrating -- I think it's all gone and bam, restart and it's all back again. My gut tells me it's Virut, but let's see what you guys think.

    A couple of notes: I've already done ComboFix to get rid of the Google Redirect virus. Installed Spybot to protect the hosts file. I've run MBAM, AVG, Spybot, and HJT a ton of times. I just can't get it out! Most recently, two programs have shown up: System Security and Malware something. MBAM tries to remove them but they're still here. My wallpaper keeps getting changed to some black background with a huge warning on it.

    Thanks for the help!!!

    *edit: I'm thinking about just reformatting/hp-restoring the computer. Any thoughts on saving this computer before I do so?

    Here's HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:49:30 AM, on 6/15/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\avast!AVSControlService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Documents and Settings\All Users\Application Data\18296714\18296714.exe
    C:\Documents and Settings\All Users\Application Data\98306706\98306706.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Documents and Settings\Administrator\Desktop\Downloads\HiJackThis.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\avast!Antivirus.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=smb&pf=workstation
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=smb&pf=workstation
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=smb&pf=workstation
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmcd.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [18296714] C:\Documents and Settings\All Users\Application Data\18296714\18296714.exe
    O4 - HKLM\..\Run: [98306706] C:\Documents and Settings\All Users\Application Data\98306706\98306706.exe
    O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
    O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: customize menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: fill forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: roboform toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: save forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Fill Forms - {320af880-6646-11d3-abee-c5dbf3571f46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320af880-6646-11d3-abee-c5dbf3571f46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320af880-6646-11d3-abee-c5dbf3571f49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320af880-6646-11d3-abee-c5dbf3571f49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O11 - Options group: [java_sun] Java (Sun)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242760967843
    O16 - DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} (Shockwave Flash Object) - http://studio-5.financialcontent.com/beyondthedow/
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
    O23 - Service: avast!avscontrolservice - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
    O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
    O23 - Service: PC Tools Firewall Plus (pctoolsfirewallplus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
    O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

    *** HERE IS MBAM ***

    Malwarebytes' Anti-Malware 1.37
    Database version: 2225
    Windows 5.1.2600 Service Pack 2

    6/15/2009 10:33:40 AM
    mbam-log-2009-06-15 (10-33-40).txt

    Scan type: Quick Scan
    Objects scanned: 78944
    Time elapsed: 1 minute(s), 59 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 2
    Registry Keys Infected: 5
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    C:\WINDOWS\system32\avast!Antivirus.exe (Trojan.Agent) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\jbnmck.dll (Trojan.Agent) -> Delete on reboot.
    C:\Program Files\Mozilla Firefox\setupapi.dll (Trojan.Agent) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware Doctor (Rogue.MalwareDoc) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\jbnmck.dll (Trojan.Agent) -> Delete on reboot.
    C:\Program Files\Mozilla Firefox\setupapi.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\1361538659.exe (Rogue.MalwareDoc) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\avast!Antivirus.exe (Trojan.Agent) -> Quarantined and deleted successfully.
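The O4 autostart lines in the HJT log above are where the rogue programs the poster describes register themselves, next to legitimate entries such as AVG, RoboForm and Google Update. The following is an added example, not code from the original post and not part of HijackThis: a Python triage that parses those O4 Run lines and flags the pattern visible in the log. The heuristics (all-digit image or folder names, an image living in a service account's profile) and every function name are the editor's assumptions; the sample lines are copied from the log above.

```python
"""Flag suspicious HijackThis O4 (autostart) entries.

Added example for this thread; not part of the original post or of HijackThis.
The heuristics are the editor's own assumptions: an autostart whose image (or
its parent folder) is nothing but digits, or that runs out of a service
account's profile (LocalService / NetworkService), matches the rogue-AV entries
in the posted log and none of the legitimate ones (Google Update also lives
under Application Data but has a descriptive name, so it is not flagged).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the O4 Run lines copied from the HJT log posted above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [18296714] C:\Documents and Settings\All Users\Application Data\18296714\18296714.exe
O4 - HKLM\..\Run: [98306706] C:\Documents and Settings\All Users\Application Data\98306706\98306706.exe
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"; Global Startup lines do not match.
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    hive: str
    name: str
    image: str
    reasons: List[str]


def image_path(cmd: str) -> str:
    """Return the executable path from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted path, possibly followed by arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", cmd)  # unquoted path with spaces, ends at .exe
    return m.group(1) if m else cmd


def parse_o4_run(log: str) -> List[Tuple[str, str, str]]:
    """(hive, value name, image path) for every O4 Run line in an HJT log."""
    entries = []
    for line in log.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if m:
            entries.append((m["hive"], m["name"], image_path(m["cmd"])))
    return entries


def assess(hive: str, name: str, image: str) -> Optional[Finding]:
    """Apply the heuristics to one entry; None means nothing to report."""
    parts = image.split("\\")
    stem = re.sub(r"(?i)\.exe$", "", parts[-1])
    parent = parts[-2] if len(parts) >= 2 else ""
    reasons = []
    if stem.isdigit() and len(stem) >= 6:
        reasons.append("image name is an all-digit string")
    if parent.isdigit() and len(parent) >= 6:
        reasons.append("parent folder is an all-digit string")
    if re.search(r"(?i)\\(LocalService|NetworkService)\\", image):
        reasons.append("runs from a service-account profile")
    if reasons and re.search(r"(?i)\\Application Data\\", image):
        reasons.append("lives under a profile's Application Data rather than Program Files")
    return Finding(hive, name, image, reasons) if reasons else None


def triage(log: str) -> List[Finding]:
    return [f for f in (assess(*e) for e in parse_o4_run(log)) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.hive:<14} [{f.name}] {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample it reports the two numeric entries under All Users\Application Data and both Malware Doctor entries (HKLM and HKCU point at the same LocalService file), and nothing else. The same entry registered under more than one hive is what makes a single-key fix come back on reboot, which is why both hives are kept in the output.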
     
  2. bmwcelo

    Just did a MBAM scan in Safe Mode (this is the most recent scan). Here's the log below.

    Malwarebytes' Anti-Malware 1.37
    Database version: 2225
    Windows 5.1.2600 Service Pack 2

    6/15/2009 11:47:00 AM
    mbam-log-2009-06-15 (11-47-00).txt

    Scan type: Quick Scan
    Objects scanned: 77147
    Time elapsed: 6 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 4
    Registry Data Items Infected: 2
    Folders Infected: 2
    Files Infected: 14

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18296714 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\98306706 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware Doctor (Rogue.MalwareDoc) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware Doctor (Rogue.MalwareDoc) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\18296714 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\98306706 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\all users\application data\18296714\18296714.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\18296714\18296714.glu (Rogue.Multiple.H) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\18296714\pc18296714cnf (Rogue.Multiple.H) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\18296714\pc18296714ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\98306706\98306706.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jbnmcd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\setupapi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\1361538659.exe (Rogue.MalwareDoc) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\avast!Antivirus.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\kungsfkdffddcx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\kungsfliowpsxm.dll (Trojan.Agent) -> Quarantined and deleted successfully.
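The two MBAM logs above were taken a little over an hour apart, the first in normal mode and this one in Safe Mode, and several entries MBAM reported "Quarantined and deleted successfully" in the first scan appear again in the second. As an added example, not code from the original post and not part of Malwarebytes' Anti-Malware, here is a Python parser for the MBAM log layout as posted, with a comparison of two scans that lists re-detected items, new items and same-folder, same-family filename changes (jbnmck.dll in the first scan, jbnmcd.dll in the second). The log format is inferred from the posted logs; the sample excerpts are trimmed copies of them; all function names are the editor's.

```python
"""Compare two Malwarebytes' Anti-Malware logs to see what came back.

Added example for this thread; not part of the original post or of MBAM.
The section and item layout is inferred from the two logs posted above; the
excerpts below are trimmed copies of those logs (constructed sample input).
"""
import re
from typing import Dict, List, Tuple

SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
# "<item> (<family>) -> <action>"; the action itself may contain "->" (Bad/Good data items).
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

Scan = Dict[str, Dict[str, Tuple[str, str]]]  # section -> lowercased item -> (family, action)

SCAN_1 = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware Doctor (Rogue.MalwareDoc) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jbnmck.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\1361538659.exe (Rogue.MalwareDoc) -> Quarantined and deleted successfully.
"""

SCAN_2 = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18296714 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware Doctor (Rogue.MalwareDoc) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\18296714\18296714.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jbnmcd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\1361538659.exe (Rogue.MalwareDoc) -> Quarantined and deleted successfully.
"""


def parse_mbam(log: str) -> Scan:
    """Split an MBAM log into its detection sections; items are lowercased so the
    mixed-case paths MBAM prints in different scans compare equal."""
    scan: Scan = {}
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        # Section headers end in ":"; the summary lines ("Files Infected: 7") do not.
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            scan.setdefault(section, {})
            continue
        m = ITEM_RE.match(line)          # "(No malicious items detected)" does not match
        if section and m:
            scan[section][m["item"].lower()] = (m["family"], m["action"])
    return scan


def recurring(first: Scan, second: Scan) -> List[Tuple[str, str, str]]:
    """Items MBAM reported as deleted in the first scan that are detected again."""
    out = []
    for section, items in second.items():
        for item, (family, _) in items.items():
            prev = first.get(section, {}).get(item)
            if prev and "deleted" in prev[1].lower():
                out.append((section, item, family))
    return out


def new_items(first: Scan, second: Scan) -> List[Tuple[str, str, str]]:
    return [(s, i, fam) for s, items in second.items()
            for i, (fam, _) in items.items() if i not in first.get(s, {})]


def possible_renames(first: Scan, second: Scan) -> List[Tuple[str, str]]:
    """New files in the same folder and detection family as a file that has
    disappeared since the first scan (jbnmck.dll -> jbnmcd.dll in the logs)."""
    old, new = first.get("Files Infected", {}), second.get("Files Infected", {})
    gone = [(i, fam) for i, (fam, _) in old.items() if i not in new]
    pairs = []
    for item, (family, _) in new.items():
        if item in old:
            continue
        folder = item.rsplit("\\", 1)[0]
        pairs += [(o, item) for o, f in gone if f == family and o.rsplit("\\", 1)[0] == folder]
    return pairs


if __name__ == "__main__":
    s1, s2 = parse_mbam(SCAN_1), parse_mbam(SCAN_2)
    for label, rows in (("re-detected", recurring(s1, s2)), ("new", new_items(s1, s2))):
        print(f"{label}:")
        for section, item, family in rows:
            print(f"  [{section}] {item} ({family})")
    print("possible renames:", possible_renames(s1, s2))
```

On the excerpts, six items that the first scan said it had deleted are back, the numeric Run value and its executable are new, and the Trojan.Agent DLL in system32 has a new name. Items that survive a "deleted successfully" and a reboot are the signal that something not yet in the log is recreating them, which is the usual reason a helper asks for a fresh log after every pass rather than trusting the first clean result.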
     
  3. bmwcelo

    Malware Doctor is still present after running ComboFix. Here is the log:

    ComboFix 09-06-04.01 - Administrator 06/15/2009 13:32.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2569 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
    .
    - REDUCED FUNCTIONALITY MODE -
    .

    ((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
    .

    2009-06-15 18:49 . 2009-06-15 20:33 99422 ----a-w- c:\windows\system32\drivers\64fda163.sys
    2009-06-15 17:43 . 2009-06-15 20:33 99422 ----a-w- c:\windows\system32\drivers\17dc09bd.sys
    2009-06-14 10:18 . 2009-06-14 10:18 124416 ----a-w- c:\windows\system32\avast!AVSControlService.exe
    2009-06-14 10:18 . 2009-06-15 20:33 99422 ----a-w- c:\windows\system32\drivers\bf5f7b58.sys
    2009-06-14 10:18 . 2009-06-15 18:49 124416 ----a-w- c:\documents and settings\LocalService\Application Data\1458931097.exe
    2009-06-14 10:18 . 2009-06-15 18:49 66048 ----a-w- c:\documents and settings\LocalService\Application Data\615289520.exe
    2009-06-04 19:29 . 2009-06-04 19:28 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2009-06-04 19:28 . 2009-06-04 19:29 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
    2009-06-04 19:23 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2009-06-04 19:23 . 2009-06-04 19:23 -------- d-----w- c:\program files\Panda Security
    2009-06-04 18:09 . 2009-06-04 18:09 -------- d-----w- c:\program files\eBay
    2009-06-04 18:09 . 2009-06-04 18:09 -------- d-----w- c:\documents and settings\All Users\eBay
    2009-06-04 17:47 . 2009-06-04 19:24 -------- d-----w- c:\program files\Common Files\Adobe
    2009-06-04 00:51 . 2009-06-04 00:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
    2009-06-03 22:03 . 2009-06-15 19:12 -------- d--h--w- C:\$AVG8.VAULT$
    2009-06-03 21:44 . 2009-06-03 21:44 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-06-03 21:03 . 2009-06-03 21:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\PCToolsFirewallPlus
    2009-06-03 20:48 . 2009-03-06 23:45 130424 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2009-06-03 20:48 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2009-06-03 20:48 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2009-06-03 20:47 . 2009-06-03 20:48 -------- d-----w- c:\program files\Common Files\PC Tools
    2009-06-03 20:47 . 2009-01-21 17:38 95640 ----a-w- c:\windows\system32\drivers\pctplfw.sys
    2009-06-03 20:47 . 2008-09-22 19:29 97408 ----a-w- c:\windows\system32\drivers\pctfw.sys
    2009-06-03 20:47 . 2009-06-03 21:03 -------- d-----w- c:\program files\PC Tools Firewall Plus
    2009-06-03 20:44 . 2009-06-15 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-06-03 20:44 . 2009-06-03 21:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-06-03 20:44 . 2009-06-03 20:44 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-06-03 20:43 . 2009-06-03 20:43 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-06-03 20:32 . 2009-06-03 20:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-06-03 20:32 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-03 20:32 . 2009-06-03 20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-06-03 20:32 . 2009-06-03 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-03 20:32 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-03 18:41 . 2009-06-03 18:41 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2009-06-01 19:19 . 2009-06-01 19:19 -------- d-s---w- c:\documents and settings\LocalService\UserData
    2009-05-30 00:04 . 2009-05-30 00:04 -------- d-----w- c:\program files\CCleaner
    2009-05-29 23:13 . 2000-01-24 13:01 453632 ----a-w- c:\windows\system32\stdvcl40.dll
    2009-05-29 23:13 . 2009-06-01 21:34 -------- d-----w- c:\program files\Web CEO
    2009-05-29 17:16 . 2009-05-29 17:16 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
    2009-05-28 18:55 . 2009-05-28 18:55 -------- d-----w- c:\program files\Siber Systems
    2009-05-28 01:11 . 2009-05-28 01:11 -------- d-----w- c:\windows\ERUNT
    2009-05-28 01:09 . 2009-05-28 01:40 -------- d-----w- C:\SDFix
    2009-05-28 01:02 . 2009-05-28 01:02 -------- d--h--w- c:\windows\system32\GroupPolicy
    2009-05-28 00:47 . 2009-06-15 20:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-05-28 00:47 . 2009-06-03 19:10 -------- d-----w- c:\program files\SpywareBlaster
    2009-05-28 00:32 . 2009-05-28 00:32 212480 ----a-w- c:\windows\system32\dllcache\ndis.sys
    2009-05-28 00:31 . 2009-05-28 01:47 -------- d-----w- c:\windows\dhcp
    2009-05-28 00:31 . 2009-05-28 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
    2009-05-28 00:31 . 2009-06-15 17:35 87103 ----a-w- c:\windows\system32\kungsfupwktpmt.dat
    2009-05-22 00:33 . 2009-05-30 00:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
    2009-05-22 00:32 . 2009-05-22 00:49 -------- d-----w- c:\program files\Adobe_Photoshop_CS3
    2009-05-21 20:26 . 2009-05-21 20:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\com.seesmic.desktop.client.D89F32799270693BEF34AAA36E9B2632B59240FA.1
    2009-05-21 20:26 . 2009-05-21 20:26 -------- d-----w- c:\program files\Seesmic Desktop
    2009-05-21 20:25 . 2009-05-21 20:25 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-05-21 20:25 . 2009-05-21 20:25 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-05-21 19:35 . 2009-05-22 00:49 -------- d-----w- c:\program files\Portable Adobe Dreamweaver CS4 10.0 Final
    2009-05-21 18:58 . 2009-05-21 18:58 -------- d-----w- c:\program files\QuickTime
    2009-05-21 18:58 . 2009-05-21 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-05-21 18:58 . 2009-05-21 18:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
    2009-05-21 18:58 . 2009-05-21 18:58 -------- d-----w- c:\program files\Apple Software Update
    2009-05-21 18:58 . 2009-05-21 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2009-05-21 18:58 . 2009-05-21 18:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
    2009-05-21 17:25 . 2009-05-21 17:25 -------- d-----w- c:\program files\Citrix
    2009-05-21 17:25 . 2009-05-21 17:25 70984 ----a-w- c:\documents and settings\Administrator\g2mdlhlpx.exe
    2009-05-21 17:25 . 2009-05-21 17:25 -------- d-----w- c:\windows\Sun
    2009-05-20 20:05 . 2009-05-20 20:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Notepad++
    2009-05-20 20:05 . 2009-05-20 20:05 -------- d-----w- c:\program files\Notepad++
    2009-05-20 19:58 . 2009-05-20 19:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nvu
    2009-05-20 17:43 . 2009-05-20 17:43 -------- d-----w- c:\program files\MSECache
    2009-05-20 01:07 . 2009-06-03 23:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
    2009-05-20 01:07 . 2009-05-20 01:07 -------- d-----w- c:\program files\FileZilla FTP Client
    2009-05-19 20:40 . 2009-05-19 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Digsby
    2009-05-19 20:32 . 2003-06-19 00:31 17920 ----a-w- c:\windows\system32\mdimon.dll
    2009-05-19 20:31 . 2009-05-19 20:31 -------- d-----w- c:\program files\Microsoft ActiveSync
    2009-05-19 20:31 . 2009-05-19 20:32 -------- d-----w- c:\windows\SHELLNEW
    2009-05-19 20:31 . 2009-05-19 20:31 -------- d-----w- c:\program files\Microsoft.NET
    2009-05-19 20:30 . 2009-05-19 20:30 -------- d--h--r- C:\MSOCache
    2009-05-19 20:29 . 2009-05-19 20:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-05-19 20:29 . 2009-05-19 20:29 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-05-19 20:29 . 2009-05-19 20:29 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-05-19 20:29 . 2009-05-19 20:29 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-05-19 20:29 . 2009-06-15 17:27 -------- d-----w- c:\windows\system32\drivers\Avg
    2009-05-19 20:28 . 2009-06-15 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-05-19 20:28 . 2009-05-19 20:28 -------- d-----w- c:\program files\AVG
    2009-05-19 20:14 . 2009-05-19 20:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\SampleView
    2009-05-19 20:10 . 2009-05-19 20:10 -------- d-----w- c:\windows\system32\XPSViewer
    2009-05-19 20:10 . 2009-05-19 20:10 -------- d-----w- c:\program files\MSBuild
    2009-05-19 20:10 . 2009-05-19 20:10 -------- d-----w- c:\program files\Reference Assemblies
    2009-05-19 20:10 . 2009-05-19 20:10 -------- d-----w- C:\88010bec754907f9eb
    2009-05-19 20:10 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-05-19 20:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2009-05-19 20:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-05-19 20:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2009-05-19 20:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
    2009-05-19 20:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2009-05-19 20:10 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-05-19 20:09 . 2009-05-19 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-05-19 20:09 . 2009-05-19 20:09 -------- d-----w- c:\program files\NOS
    2009-05-19 20:09 . 2009-03-03 21:53 17464 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kg4v43dr.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg.exe
    2009-05-19 20:09 . 2009-03-03 21:53 12792 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kg4v43dr.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg_bootstrap.exe
    2009-05-19 20:09 . 2009-03-03 21:53 109420 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kg4v43dr.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\np_gp.dll
    2009-05-19 20:08 . 2009-05-19 20:08 -------- d-----w- c:\program files\MSXML 6.0

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-04 18:11 . 2009-05-19 18:41 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-06-04 18:08 . 2009-05-19 18:41 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-06-03 20:44 . 2009-05-19 18:39 -------- d-----w- c:\program files\Java
    2009-05-29 17:09 . 2009-05-19 19:16 -------- d-----w- c:\program files\Digsby
    2009-05-28 00:32 . 2004-08-04 06:14 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
    2009-05-21 17:44 . 2009-05-19 19:00 27736 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-19 20:41 . 2009-05-19 19:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby
    2009-05-19 19:29 . 2009-05-19 19:29 -------- d-----w- c:\program files\microsoft frontpage
    2009-05-19 19:17 . 2009-05-19 19:17 0 ----a-w- c:\windows\nsreg.dat
    2009-05-19 19:12 . 2009-05-19 18:44 -------- d-----w- c:\program files\HPQ
    2009-05-19 19:12 . 2006-04-26 00:31 89527 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-05-19 18:59 . 2009-05-19 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
    2009-05-19 18:59 . 2009-05-19 18:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
    2009-05-19 18:56 . 2009-05-19 18:56 -------- d-----w- c:\program files\Program Shortcuts
    2009-05-19 18:51 . 2009-05-19 18:51 0 ----a-w- c:\windows\ativpsrm.bin
    2009-05-19 18:49 . 2009-05-19 18:49 1678 --sha-r- c:\windows\system32\drivers\103C_HP_WS_HP xw4550 Workstation_YW_0xw_QUSH849_EU_48WS_I0AC8h_SHP_V_B786F7 v01.05_T080425_WXP2_L409_M3071_J250_7AMD_8Dual-Core Opteron 1220_92.79_#090519_N14E4167B_()_X_CD6_Z_2_G1002958C_OATAPI DVD A DH16A1L_D.MRK
    2009-05-19 18:48 . 2009-05-19 18:39 -------- d-----w- c:\program files\Hewlett-Packard
    2009-05-19 18:47 . 2009-05-19 18:47 -------- d-----w- c:\program files\Hewlett-Packard Company
    2009-05-19 18:47 . 2009-05-19 18:43 -------- d-----w- c:\program files\Broadcom
    2009-05-19 18:46 . 2009-05-19 18:46 -------- d-----w- c:\program files\AMD
    2009-05-19 18:46 . 2009-05-19 18:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
    2009-05-19 18:43 . 2009-05-19 18:43 315392 ----a-w- c:\windows\HideWin.exe
    2009-05-19 18:43 . 2009-05-19 18:43 -------- d-----w- c:\program files\Realtek
    2009-05-19 18:43 . 2009-05-19 18:43 -------- d-----w- c:\program files\PDF Complete
    2009-05-19 18:43 . 2009-05-19 18:41 -------- d-----w- c:\program files\ATI Technologies
    2009-05-19 18:39 . 2009-05-19 18:39 -------- d-----w- c:\program files\Common Files\Java
    2009-05-07 05:13 . 2009-05-07 05:13 49152 ----a-r- c:\windows\system32\inetwh32.dll
    2009-05-07 05:13 . 2009-05-07 05:13 1044480 ----a-r- c:\windows\system32\roboex32.dll
    .

    ------- Sigcheck -------

    [7] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\ndis.sys
    [-] 2009-05-28 00:32 212480 1DDCD4F10C093B87A59A0FBA97E8462D c:\windows\system32\dllcache\ndis.sys
    [-] 2009-05-28 00:32 212480 1DDCD4F10C093B87A59A0FBA97E8462D c:\windows\system32\drivers\ndis.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-05-28 160592]
    "Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-04 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FRYMXINS"="c:\program files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" [X]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-25 318488]
    "Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-19 1947928]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-20 16384512]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-05-28 160592]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-8-6 51776]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-05-19 20:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\SMINST\\Scheduler.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [6/4/2009 12:23 PM 28544]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/19/2009 1:29 PM 325896]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/19/2009 1:29 PM 108552]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [6/3/2009 1:48 PM 159600]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/19/2009 1:29 PM 908568]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/19/2009 1:29 PM 298776]
    R2 pctappevent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [6/3/2009 1:48 PM 73840]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [5/19/2009 11:43 AM 576536]
    S1 2380dda4;2380dda4;c:\windows\system32\drivers\2380dda4.sys --> c:\windows\system32\drivers\2380dda4.sys [?]
    S2 avast!antivirus;avast!antivirus;c:\windows\System32\avast!Antivirus.exe -k netsvcs --> c:\windows\System32\avast!Antivirus.exe -k netsvcs [?]
    S2 avast!avscontrolservice;avast!avscontrolservice;c:\windows\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows\System32\avast!AVSControlService.exe -k netsvcs [?]
    S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [6/3/2009 1:47 PM 95640]
    S4 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [5/19/2009 12:25 PM 123392]
    S4 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [5/19/2009 1:09 PM 33176]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{647fdbaa-59de-11de-afdf-00215a0f04c6}]
    \shell\autorun\command - F:\PortableRoboForm.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-66089096-997920734-1432684647-500.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-04 00:51]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=smb&pf=workstation
    IE: customize menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: fill forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: roboform toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: save forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kg4v43dr.default\
    FF - prefs.js: browser.startup.homepage - hxxp://google.com
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-15 13:33
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\system32\drivers\SKYNETphheyuiq.sys 19968 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETqximyxta]
    "imagepath"="\systemroot\system32\drivers\SKYNETphheyuiq.sys"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\17dc09bd]
    "ImagePath"="\SystemRoot\System32\drivers\17dc09bd.sys"
    --

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\64fda163]
    "ImagePath"="\SystemRoot\System32\drivers\64fda163.sys"
    --

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bf5f7b58]
    "ImagePath"="\SystemRoot\System32\drivers\bf5f7b58.sys"
    --

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kungsfyrqqjlqg]
    "imagepath"="\systemroot\system32\drivers\kungsfixdlmprq.sys"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kungsfyrqqjlqg]
    @DACL=(02 0000)
    "start"=dword:00000001
    "type"=dword:00000001
    "group"="file system"
    "imagepath"=expand:"\\systemroot\\system32\\drivers\\kungsfixdlmprq.sys"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETqximyxta]
    @DACL=(02 0000)
    "start"=dword:00000001
    "type"=dword:00000001
    "group"="file system"
    "imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNETphheyuiq.sys"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1024)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2009-06-15 13:33
    ComboFix-quarantined-files.txt 2009-06-15 20:33
    ComboFix2.txt 2009-06-15 19:39

    Pre-Run: 223,184,551,936 bytes free
    Post-Run: 223,171,829,760 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

  4. bmwcelo

    bmwcelo Thread Starter

    Joined:
    Jun 15, 2009
    Messages:
    4
    Well, don't know why I didn't get any help but it's OK. I reformatted.

    Solved? Sure.
Short URL to this thread: https://techguy.org/835497