I have a nasty one and I need some help cleaning it off my system. There is an awful antivirus ad that pops up saying that my computer is infected and that "Antivirus Pro 2010" can fix the problem. Sounds to me like this is the problem.

Here is the list of steps I have taken that have led me to this post.

Step 1- The option to view hidden files is not available for me to change (My Computer / Tools / Folder Options). The only thing I see is:
Map network drive...
Disconnect network drive
Synchronize

Also, I am logged in as the administrator, and under My Computer / Properties there is no tab labeled System Restore.

Step 2- ATF-Cleaner downloaded

Step 4- Antivirus pro 2010

also these icons keep installing on my desktop...
"C:\Program Files\Internet Explorer\iexplore.exe" nudetube.com

"C:\Program Files\Internet Explorer\iexplore.exe" youporn.com

"C:\Program Files\Internet Explorer\iexplore.exe" pornotube.com

Step 5- Show all files option unavailable
The option to view hidden files is not available for me to change (My Computer / Tools / Folder Options). The only thing I see is:
Map network drive...
Disconnect network drive
Synchronize

Step 6- Will not run Microsoft® Windows® Malicious Software Removal Tool. It says it is extracting files, the dialog box disappears, and then nothing...

Step 7- ATF Cleaner Successful

Step 8- Malwarebytes' Anti-Malware will not run setup

Step 9- ESET results are as follows....

C:\Documents and Settings\Guest\Local Settings\Temp\debug.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Guest\Local Settings\Temp\install.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Guest\Local Settings\Temp\svchost.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Guest\Local Settings\Temp\system.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Guest\Local Settings\Temp\taskmgr.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent application cleaned by deleting - quarantined
C:\WINDOWS\braviax.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\cru629.dat Win32/Small.EJX trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\braviax.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\cru629.dat Win32/Small.EJX trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\tapi.nfo Win32/Oficla.F trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\wingenocx.dll Win32/Adware.CoreguardAntivirus application cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\wisdstr.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\_scui.cpl a variant of Win32/Kryptik.AKT trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys a variant of Win32/UltimateDefender.A trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS a variant of Win32/UltimateDefender.A trojan unable to clean
C:\WINDOWS\SYSTEM32\DRIVERS\ce369842.sys a variant of Win32/Rustock.NKU trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\1846686026.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\2245236574.exe a variant of Win32/Kryptik.AKT trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\735105362.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\973492060.exe a variant of Win32/Kryptik.AKT trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\csrss.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\install.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\login.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\lsass.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\mdm.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\msupd_2.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\notepad.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\services.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\smss.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\spoolsv.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\svchost.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\system.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\TMP000000010A13B33D6A0CEDB1 a variant of Win32/Cryptoz trojan cleaned by deleting - quarantined
Operating memory Win32/Olmarik.KI trojan contained infected files


I cannot get HijackThis to run and am stuck at this point... I need a little help!!
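The ESET list above is full of executables named after core Windows processes (svchost.exe, csrss.exe, lsass.exe, smss.exe, services.exe, spoolsv.exe, taskmgr.exe) sitting in Temp directories instead of System32. As an added example, not part of the original post and not ESET's code, this Python script parses lines in ESET's result format and flags a file whose name belongs to a core process but whose directory is not where that process is installed. The sample lines are copied from the ESET output above; the table of legitimate locations is an assumption based on a default Windows XP layout.

```python
"""Flag executables that borrow the name of a core Windows process but sit
outside the directory where that process is installed.

Added example; not from the original post or from ESET. The sample lines
are copied from the ESET result list in the thread. The table of legitimate
locations is an assumption based on a default Windows XP layout."""
import re
from pathlib import PureWindowsPath

# Core process names -> directories (lowercased) where a genuine copy lives.
# Assumption: default Windows XP install.
LEGITIMATE_HOMES = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "taskmgr.exe": {r"c:\windows\system32"},
    "notepad.exe": {r"c:\windows", r"c:\windows\system32"},
}

# An ESET result line is "<path> <verdict>"; the path may contain spaces
# ("Documents and Settings"), so the path ends where the verdict text begins.
_ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<verdict>(?:probably )?a variant of .+|Win32/.+)$"
)

# Copied from the ESET output in the thread.
SAMPLE_ESET_LINES = [
    r"C:\Documents and Settings\Guest\Local Settings\Temp\svchost.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined",
    r"C:\Documents and Settings\Guest\Local Settings\Temp\taskmgr.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined",
    r"C:\WINDOWS\braviax.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined",
    r"C:\WINDOWS\cru629.dat Win32/Small.EJX trojan cleaned by deleting - quarantined",
    r"C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS a variant of Win32/UltimateDefender.A trojan unable to clean",
    r"C:\WINDOWS\Temp\csrss.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined",
    r"C:\WINDOWS\Temp\lsass.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined",
    r"C:\WINDOWS\Temp\notepad.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined",
    r"C:\WINDOWS\Temp\smss.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined",
    r"Operating memory Win32/Olmarik.KI trojan contained infected files",
]


def parse_eset_line(line):
    """Split one ESET result line into (path, verdict); None for lines
    with no file path, such as the 'Operating memory' entry."""
    m = _ESET_LINE.match(line.strip())
    return (m.group("path"), m.group("verdict")) if m else None


def masquerade_reason(path):
    """Return why `path` looks like a masquerading core process, or None."""
    p = PureWindowsPath(path)
    homes = LEGITIMATE_HOMES.get(p.name.lower())
    if homes is None:
        return None  # not a name we track
    parent = str(p.parent).lower()
    if parent in homes:
        return None  # genuine location
    return f"{p.name} outside its legitimate location(s): {', '.join(sorted(homes))}"


def find_masquerades(log_lines):
    """Run the check over ESET log lines; return [(path, reason), ...]."""
    hits = []
    for line in log_lines:
        parsed = parse_eset_line(line)
        if parsed is None:
            continue
        path, _verdict = parsed
        reason = masquerade_reason(path)
        if reason:
            hits.append((path, reason))
    return hits


if __name__ == "__main__":
    for path, reason in find_masquerades(SAMPLE_ESET_LINES):
        print(f"{path}\n    {reason}")
```

A masquerade check only catches a copy dropped somewhere it does not belong. It says nothing about a file in the right place that has been replaced, such as the detection on C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS above; that needs a comparison against a known-good copy, which is what the FindIt and Win32kDiag steps later in the thread are doing.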


Please download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me.

PP :)

this is the log that popped up...

Looking for cngaudit.dll

No matches found.


Looking for eventlog.dll

C:\I386\
eventlog.dll Wed Aug 4 2004 6:00:00a A.... 55,808 54.50 K

C:\WINDOWS\$NTSER~3\
eventlog.dll Wed Aug 4 2004 6:00:00a ..... 55,808 54.50 K

C:\WINDOWS\SYSTEM32\
eventlog.dll Sun Apr 13 2008 7:11:54p A.... 62,464 61.00 K

C:\WINDOWS\SERVIC~1\I386\
eventlog.dll Sun Apr 13 2008 7:11:54p ..... 56,320 55.00 K

4 items found: 4 files, 0 directories.
Total of file sizes: 230,400 bytes 225.00 K


Looking for logevent.dll

C:\WINDOWS\SYSTEM32\
logevent.dll Sun Apr 13 2008 7:11:54p A.... 56,320 55.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 56,320 bytes 55.00 K


Looking for netlogon.dll

C:\I386\
netlogon.dll Wed Aug 4 2004 6:00:00a A.... 407,040 397.50 K

C:\WINDOWS\$NTSER~3\
netlogon.dll Wed Aug 4 2004 6:00:00a ..... 407,040 397.50 K

C:\WINDOWS\SYSTEM32\
netlogon.dll Sun Apr 13 2008 7:12:02p A.... 407,040 397.50 K

C:\WINDOWS\SERVIC~1\I386\
netlogon.dll Sun Apr 13 2008 7:12:02p ..... 407,040 397.50 K

4 items found: 4 files, 0 directories.
Total of file sizes: 1,628,160 bytes 1.55 M


Looking for scecli.dll

C:\I386\
scecli.dll Wed Aug 4 2004 6:00:00a A.... 180,224 176.00 K

C:\WINDOWS\$NTSER~3\
scecli.dll Wed Aug 4 2004 6:00:00a ..... 180,224 176.00 K

C:\WINDOWS\SYSTEM32\
scecli.dll Sun Apr 13 2008 7:12:06p A.... 181,248 177.00 K

C:\WINDOWS\SERVIC~1\I386\
scecli.dll Sun Apr 13 2008 7:12:06p ..... 181,248 177.00 K

4 items found: 4 files, 0 directories.
Total of file sizes: 722,944 bytes 706.00 K


OK - Let's do this next:

Please Download Win32kDiag from a linky below and save it to your Desktop. Leave it there for now.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


THEN:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.


PP :)
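The FindIt log above shows the live SYSTEM32\eventlog.dll at 62,464 bytes while the Service Pack copy is 56,320 bytes, with a logevent.dll of exactly 56,320 bytes sitting beside it, and the Avenger script then moves logevent.dll over eventlog.dll. As an added example, not the thread's tools and not FindIt's or Avenger's code, this Python script automates that comparison: it hashes each protected DLL in system32 against the pristine copies Windows keeps in ServicePackFiles\i386, $NtServicePackUninstall$ and dllcache, and looks for a stray file in system32 that is byte-identical to a pristine copy under another name. It runs against a constructed directory tree whose layout and file sizes are taken from the FindIt log; the file contents are synthetic, and the store locations are an assumption based on a default XP SP3 layout.

```python
"""Audit the protected Windows DLLs that FindIt enumerates by hashing the
live copy in system32 against the pristine copies Windows keeps, and spot a
displaced original sitting in system32 under another name.

Added example, not the thread's tools. Directory layout and file sizes come
from the FindIt log in the thread; file contents are synthetic."""
import hashlib
import os
import tempfile
from pathlib import Path

# DLLs FindIt searched for in the thread.
PROTECTED = ("cngaudit.dll", "eventlog.dll", "netlogon.dll", "scecli.dll")

# Where Windows XP keeps untouched copies, relative to the Windows directory.
# Assumption: default XP SP3 layout, matching the paths in the FindIt log.
PRISTINE_STORES = (
    os.path.join("ServicePackFiles", "i386"),
    "$NtServicePackUninstall$",
    os.path.join("system32", "dllcache"),
)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_protected_dlls(windir, protected=PROTECTED):
    """Return (report, displaced).

    report: name -> "ok" | "MISMATCH ..." | "absent (not installed)" |
            "missing from system32 (pristine copy exists)"
    displaced: stray file in system32 -> (protected name, store) whose
            pristine copy it is byte-identical to."""
    windir = Path(windir)
    live_dir = windir / "system32"
    report = {}
    pristine_hashes = {}  # sha256 -> (protected name, store it came from)

    for name in protected:
        candidates = []  # (store, size, sha256) for each pristine copy present
        for store in PRISTINE_STORES:
            cand = windir / store / name
            if cand.is_file():
                digest = sha256_of(cand)
                pristine_hashes.setdefault(digest, (name, store))
                candidates.append((store, cand.stat().st_size, digest))

        live = live_dir / name
        if not live.is_file():
            report[name] = ("missing from system32 (pristine copy exists)"
                            if candidates else "absent (not installed)")
            continue
        live_digest = sha256_of(live)
        if not candidates:
            report[name] = "no pristine copy to compare against"
        elif any(d == live_digest for _, _, d in candidates):
            report[name] = "ok"
        else:
            sizes = ", ".join(f"{store}={size}" for store, size, _ in candidates)
            report[name] = f"MISMATCH live={live.stat().st_size} bytes; pristine: {sizes}"

    # A file in system32 that is not itself a protected DLL but hashes equal
    # to a pristine copy of one is the original pushed aside under a new name.
    displaced = {}
    for entry in live_dir.iterdir():
        if entry.is_file() and entry.name.lower() not in protected:
            hit = pristine_hashes.get(sha256_of(entry))
            if hit:
                displaced[entry.name] = hit
    return report, displaced


def build_sample_tree(windir):
    """Constructed tree modelled on the FindIt log: sizes from the log,
    contents synthetic. cngaudit.dll is absent everywhere, as in the log."""
    windir = Path(windir)
    sp_eventlog = b"E" * 56_320           # ServicePackFiles\i386 copy
    rtm_eventlog = b"e" * 55_808          # $NtServicePackUninstall$ copy (older build)
    tampered_eventlog = sp_eventlog + b"\x90" * (62_464 - 56_320)  # live copy, grown
    files = {
        ("system32", "eventlog.dll"): tampered_eventlog,
        ("system32", "logevent.dll"): sp_eventlog,   # the displaced original
        (PRISTINE_STORES[0], "eventlog.dll"): sp_eventlog,
        (PRISTINE_STORES[1], "eventlog.dll"): rtm_eventlog,
        ("system32", "netlogon.dll"): b"N" * 407_040,
        (PRISTINE_STORES[0], "netlogon.dll"): b"N" * 407_040,
        (PRISTINE_STORES[1], "netlogon.dll"): b"N" * 407_040,
        ("system32", "scecli.dll"): b"S" * 181_248,
        (PRISTINE_STORES[0], "scecli.dll"): b"S" * 181_248,
        (PRISTINE_STORES[1], "scecli.dll"): b"s" * 180_224,
    }
    for (subdir, name), data in files.items():
        target = windir / subdir / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo():
    """Build the sample tree in a temp dir, audit it, return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_protected_dlls(tmp)


if __name__ == "__main__":
    report, displaced = run_demo()
    for name, status in report.items():
        print(f"{name:14} {status}")
    for stray, (original, store) in displaced.items():
        print(f"{stray} in system32 is byte-identical to {store}\\{original}")
```

Two caveats from the logs in this thread. Win32kDiag reported "Could not get backup privileges" and "Cannot access: C:\WINDOWS\SYSTEM32\dumprep.exe" while the other copies of dumprep.exe were readable, so on a live system with a rootkit resident (ESET found Win32/Olmarik.KI in memory) a hash comparison can be fed a filtered view; run this kind of check from clean boot media when the results matter. And Win32kDiag's listing shows the SYSTEM32 dumprep.exe with an empty company field "()" where the two other copies read "(Microsoft Corporation)", a second signal the script above does not implement but a practitioner would check alongside the hashes.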

here are the logs I was given

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

==

Running from: C:\Documents and Settings\Ashley Austin\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Ashley Austin\Desktop\Win32kDiag.txt

Removing all found mount points.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\SYSTEM32\dumprep.exe

[1] 2004-08-04 06:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\SYSTEM32\dumprep.exe ()


AllRightyThen! Let's now do this:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to svchost.com and then download it to your desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.


PP :)

Combo Fix Log


Ok - You are making good progress.

Now:
-- Download the attached file CFScript.txt to your Desktop
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

Then:
Please download JavaRa.zip to your Desktop and Extract it to its own folder.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish - I really don't need it, though.
-- Then, please go to http://www.java.com/en/ to download and install the latest version of Java.


NEXT:
Check and see if MBA-M can be updated and will run now (in Normal Windows Boot) and, if it does, do a Full Scan and have it remove what it finds and post that log too....


Also - I do not know what these are:
c:\program files\Common Files\qyroj.dat
c:\windows\puguk.dat
c:\windows\anolod.dat
c:\windows\ewopoho.dat
c:\windows\carupy.com
c:\windows\ydaqi.dat
c:\windows\system32\ezivufely.dat
c:\program files\Common Files\potup.lib
c:\program files\Common Files\sakefifo._sy
c:\program files\Common Files\xipywixe.lib
c:\program files\Common Files\ewaloc._sy
c:\program files\Common Files\yjur.db

Go here ---> and use the Browse Button at the top of the page to navigate to each of those items and Upload them for analysis.
If they come back as malware, you'll need to DELETE them.

Let me know how you fare with these steps and we'll go from there.

PP:)

thank you so much! and Thanks a million for the Help!!

regarding ...
"Also - I do not know what these are:
c:\program files\Common Files\qyroj.dat
c:\windows\puguk.dat
c:\windows\anolod.dat
c:\windows\ewopoho.dat
c:\windows\carupy.com
c:\windows\ydaqi.dat
c:\windows\system32\ezivufely.dat
c:\program files\Common Files\potup.lib
c:\program files\Common Files\sakefifo._sy
c:\program files\Common Files\xipywixe.lib
c:\program files\Common Files\ewaloc._sy
c:\program files\Common Files\yjur.db"

none of these came back as Malware!

You are welcome - Happy to help :)

Everything looks OK to me. I think you are good to go - How are things working now?

--- I am still a bit worried about those files you scanned, but if they came back clean it would be best to err on the side of caution and leave them alone.

Let's remove Combofix and the files/folders it created:

-- First, change the name of Combofix back to Combofix.exe

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Let me know how things are working and if Combofix was successfully removed.

Cheers :)
PP

ComboFix was successfully removed.

Everything is back to working conditions! Best of all.. no more annoying pop up ad!

Once again thank you so much for your help. It is greatly appreciated!

**Monica**


You're welcome, Monica :)

If all is working properly, please mark this one as solved.

Cheers :)
PP
