#1
Posted 27 July 2009 - 11:26 PM
I hope it's ok to ask you this. I didn't see anywhere else I could post. I finally got to a point where I could run Malwarebytes after several days.
Upon running the software several times I noticed it kept coming up with two repeat offenders. Trojan.agent and some type of registry issue.
I kept trying to remove them over a period of several days after getting rid of System Security 2009. My computer ran fine for a few days but then rebooted itself two days ago and although I have run several pieces of recommended software I still seem to be infected.
Now the browser won't open, or when it does I still get the virus software pop-ups and redirects. There also seemed to be another search bar at the top of the browser with a little Microsoft symbol, but it was never there before.
I don't know what else to do. I still cannot boot to safe mode, I can't even reinstall Windows. Can you help me?
Thanks so much!
WHAT? :-)
#2
Posted 27 July 2009 - 11:31 PM
Hi ya,
I have snipped the PM advice as it would be confusing.
STEP 01
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
#3
Posted 28 July 2009 - 04:16 AM
Sorry for the confusion. I loaded ComboFix on my Desktop, clicked on it, hit run....nothing happened for over 15 minutes.....I tried it again. Nothing. Any more suggestions? Everything is running but I know that Trojan.agent and Rootkit.trace are still there. My browser is running fine at this moment because before I turned everything off to run ComboFix it had blocked something trying to get on my computer and I elected to have it permanently blocked in the future. I have not rebooted though since then. That's the latest I can tell you. Any more suggestions? Thanks so much.
WHAT? :-)
#4
Posted 28 July 2009 - 11:37 AM
Hi ya,
Please boot into safe mode and attempt to run ComboFix from there.
#5
Posted 28 July 2009 - 11:45 AM
#6
Posted 28 July 2009 - 09:36 PM
Jesusfreak, on Jul 28 2009, 12:45 PM, said:
I'm actually not sure I can boot into safe mode. I haven't been able to but I will give it a try this evening.
Again, my thanks.
I tried to boot to safe mode but as I thought my computer won't do that. I have updated Malwarebytes and still the only two things to show up are Trojan.agent and Rootkit.trace.
Sometimes my computer boots, sometimes it locks up on the desktop and I need to reboot. Sometimes the browser will close by itself.
I'm open to suggestions. Thanks so much for the help.
PS. I read some of the articles your forums point to. I know how I got this virus. Through a codec. What an idiot I was. :-(
WHAT? :-)
#7
Posted 28 July 2009 - 09:38 PM
Forgot to add this...
Malwarebytes' Anti-Malware 1.39
Database version: 2523
Windows 5.1.2600 Service Pack 3
7/28/2009 4:26:56 PM
mbam-log-2009-07-28 (16-26-56).txt
Scan type: Quick Scan
Objects scanned: 97312
Time elapsed: 1 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
I:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
WHAT? :-)
#8
Posted 28 July 2009 - 10:07 PM
OK, RootRepeal has just been updated, so I would like to try that angle of attack again to see if we can attack the rootkit with that.
Download RootRepeal 1.3.3 >>>
http://rootrepeal.googlepages.com/
Extract the file and run rootrepeal.exe.
Click on the Report tab at the bottom right of the software, then press Scan.
Put a check (tick) in all boxes except the 2 SSDT options, then press OK.
Place a check (tick) in the drive to be scanned (usually you will only have to select C).
Please save the logfile generated and copy and paste the contents of that log into your next reply.
#9
Posted 28 July 2009 - 10:41 PM
It worked
Here is what I came up with.
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/28 17:37
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================
Hidden/Locked Files
-------------------
Path: I:\WINDOWS\system32\UACbqbrfwofmxdulhbxv.dll
Status: Invisible to the Windows API!
Path: I:\WINDOWS\system32\UACetjmukeshaxivrtnk.db
Status: Invisible to the Windows API!
Path: I:\WINDOWS\system32\UAChqipyiuwykltuqrdh.dll
Status: Invisible to the Windows API!
Path: I:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!
Path: I:\WINDOWS\system32\UACllrvxvkbwjpnbgpwy.dll
Status: Invisible to the Windows API!
Path: I:\WINDOWS\system32\UACndjitmairulteppjw.dll
Status: Invisible to the Windows API!
Path: I:\WINDOWS\system32\UACpyqbitltmoiopjqga.dat
Status: Invisible to the Windows API!
Path: I:\WINDOWS\system32\UACuniorjihvmwidjary.dll
Status: Invisible to the Windows API!
Path: I:\WINDOWS\Temp\UACaf5a.tmp
Status: Invisible to the Windows API!
Path: I:\Program Files\ArcSoft\TotalMedia Extreme\uActivate.dll
Status: Invisible to the Windows API!
Path: I:\Program Files\ArcSoft\TotalMedia Extreme\uActivate.SET
Status: Invisible to the Windows API!
Path: I:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys
Status: Invisible to the Windows API!
Path: i:\documents and settings\admin\local settings\temp\~df41d9.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)
Path: I:\Program Files\ArcSoft\TotalMedia Extreme\Digital Theatre\uActivate.dll
Status: Invisible to the Windows API!
Path: I:\Program Files\ArcSoft\TotalMedia Extreme\Digital Theatre\uActivate.SET
Status: Invisible to the Windows API!
Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log
Status: Locked to the Windows API!
Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log
Status: Locked to the Windows API!
Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log
Status: Locked to the Windows API!
Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log
Status: Locked to the Windows API!
Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgldr.log
Status: Locked to the Windows API!
Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log
Status: Locked to the Windows API!
Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log
Status: Locked to the Windows API!
Path: i:\documents and settings\admin\local settings\application data\ahead\nero home\is2.db-journal
Status: Allocation size mismatch (API: 512, Raw: 0)
Path: I:\Documents and Settings\Billy\Local Settings\Apps\2.0\389B0ZLN.GK6\PNKEV4VA.MLG\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!
Path: I:\Documents and Settings\Billy\Local Settings\Apps\2.0\389B0ZLN.GK6\PNKEV4VA.MLG\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!
WHAT? :-)
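An added example, not part of the thread and not RootRepeal's own code: a small Python triage script for the "Hidden/Locked Files" section of a RootRepeal report like the one above. The report lists every file that disagrees between the Windows API view and the raw view, so it mixes the rootkit's droppings with open log files ("Locked") and transient journals ("Allocation size mismatch"). The script keeps only entries that are invisible to the API, sit under the Windows system32, system32\drivers or Temp directories, and share a three-letter name prefix, and it flags the group when it has several members and at least one long random-looking name; it then picks out the hidden .sys as the kernel-mode component to wipe first, which is the file the helper chose in the next post. Note that the ArcSoft uActivate.* files in the log are also reported invisible and share the "uac" prefix case-insensitively, so the prefix alone is not a safe indicator; location and the random tail are used as well. The thresholds, regexes and the sample text (copied from the report above) are the editor's assumptions.

```python
"""Triage a RootRepeal 'Hidden/Locked Files' report.

Groups files that RootRepeal reports as invisible to the Windows API, sitting
under the Windows system or temp directories, by the first three letters of
their file name, and keeps groups that look like a rootkit drop: several
members, at least one with a long random-looking name. The heuristics are the
editor's (hypothetical), not RootRepeal's own logic.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the RootRepeal report posted in the thread.
SAMPLE_REPORT = r"""
Hidden/Locked Files
-------------------
Path: I:\WINDOWS\system32\UACbqbrfwofmxdulhbxv.dll
Status: Invisible to the Windows API!
Path: I:\WINDOWS\system32\UACetjmukeshaxivrtnk.db
Status: Invisible to the Windows API!
Path: I:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!
Path: I:\WINDOWS\system32\UACllrvxvkbwjpnbgpwy.dll
Status: Invisible to the Windows API!
Path: I:\WINDOWS\Temp\UACaf5a.tmp
Status: Invisible to the Windows API!
Path: I:\Program Files\ArcSoft\TotalMedia Extreme\uActivate.dll
Status: Invisible to the Windows API!
Path: I:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys
Status: Invisible to the Windows API!
Path: i:\documents and settings\admin\local settings\temp\~df41d9.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)
Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log
Status: Locked to the Windows API!
"""

PATH_RE = re.compile(r"^Path:\s*(?P<path>.+?)\s*$")
STATUS_RE = re.compile(r"^Status:\s*(?P<status>.+?)\s*$")
# system32, system32\drivers and Temp: where the droppings in the thread live.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32(?:\\drivers)?|temp)\\[^\\]+$", re.I)
# Three-letter prefix + tail + a loader/data extension.
NAME_RE = re.compile(r"^(?P<prefix>[a-z]{3})(?P<tail>[a-z0-9]+)\.(?P<ext>dll|sys|dat|db|tmp)$", re.I)


def parse_entries(report):
    """Return (path, status) pairs from the Hidden/Locked Files section."""
    entries, path = [], None
    for line in report.splitlines():
        m = PATH_RE.match(line)
        if m:
            path = m.group("path")
            continue
        m = STATUS_RE.match(line)
        if m and path is not None:
            entries.append((path, m.group("status")))
            path = None
    return entries


def find_clusters(report, min_members=3, random_len=10):
    """Map lower-cased prefix -> {'members': [...], 'drivers': [...]} for suspicious groups."""
    groups = defaultdict(list)
    for path, status in parse_entries(report):
        if not status.startswith("Invisible"):
            continue  # 'Locked' and size-mismatch entries are usually open logs/journals
        if not SYSTEM_DIR_RE.match(path):
            continue  # e.g. the ArcSoft uActivate.* files under Program Files
        m = NAME_RE.match(path.rsplit("\\", 1)[-1])
        if not m:
            continue
        groups[m.group("prefix").lower()].append(
            (path, m.group("tail"), m.group("ext").lower()))
    clusters = {}
    for prefix, members in groups.items():
        randomish = [t for _, t, _ in members if t.isalpha() and len(t) >= random_len]
        if len(members) >= min_members and randomish:
            clusters[prefix] = {
                "members": [p for p, _, _ in members],
                # A hidden .sys is the kernel-mode component; wipe it first, then reboot.
                "drivers": [p for p, _, e in members if e == "sys"],
            }
    return clusters


if __name__ == "__main__":
    for prefix, info in find_clusters(SAMPLE_REPORT).items():
        print(f"cluster '{prefix}': {len(info['members'])} hidden files")
        for drv in info["drivers"]:
            print("  kernel driver:", drv)
```

On the report above this yields one cluster, "uac", with six hidden files and a single driver, the UAC*.sys under system32\drivers. The legitimate uActivate.* and AVG log entries are left out by the location and status filters, not by name.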
#10
Posted 29 July 2009 - 12:06 AM
Great, here comes the bomb.
Run RootRepeal file scan only.
Highlight the following line and right click on it. Select *wipe file*:
Path: I:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys
Status: Invisible to the Windows API!
Then reboot immediately!!
After rebooting please run an MBAM quick scan. Allow it to delete what it finds and reboot again.
Please post back the log from that MBAM quick scan.
#11
Posted 29 July 2009 - 01:18 AM
Success!!!!! You are the bomb! I ran Rootrepeal and the culprit was exposed.
Here is the log. (I must add that when I rebooted Avira started killing files as Malwarebytes was finding them. I forgot to turn it off first. So this log might be incomplete.) I ran a second log after I rebooted. I thought you might want to see it as well. It had the Trojan.TDSS. I guess to be expected? I am running a deep scan right now with Malwarebytes.
Malwarebytes' Anti-Malware 1.39
Database version: 2524
Windows 5.1.2600 Service Pack 3
7/28/2009 8:05:10 PM
mbam-log-2009-07-28 (20-04-23).txt
Scan type: Full Scan (I:\|)
Objects scanned: 128550
Time elapsed: 20 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\rp2\A0001009.dll (Trojan.TDSS) -> No action taken.
i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\RP2\A0001010.dll (Trojan.TDSS) -> No action taken.
i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\RP2\A0001012.dll (Trojan.TDSS) -> No action taken.
Malwarebytes' Anti-Malware 1.39
Database version: 2523
Windows 5.1.2600 Service Pack 3
7/28/2009 7:33:17 PM
mbam-log-2009-07-28 (19-32-59).txt
Scan type: Quick Scan
Objects scanned: 97520
Time elapsed: 3 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
i:\WINDOWS\system32\UACllrvxvkbwjpnbgpwy.dll (Trojan.TDSS) -> No action taken.
i:\WINDOWS\system32\UACndjitmairulteppjw.dll (Trojan.TDSS) -> No action taken.
i:\WINDOWS\system32\UACuniorjihvmwidjary.dll (Trojan.TDSS) -> No action taken.
i:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys (Trojan.Agent) -> No action taken.
If I have any major problems I will let you know. No more codecs for me. Hard lesson learned.
My wife and I would like to contribute to your hard work. Where can we do that?
WHAT? :-)
#12
Posted 29 July 2009 - 01:28 AM
Hi ya,
Works like a charm when the tech works; the trouble with these very advanced malwares is they know they can't hide from our tech, so they have to resort to dirty tricks to take us out of the equation.
Victim of our own success unfortunately. OK, I would like to see a couple more logs before I sound the all clear.
Can you please run ComboFix from regular mode as directed earlier. Now the rootkit is nuked it should be working again.
Also, can you post a HijackThis log.
Thanks in advance
#13
Posted 29 July 2009 - 02:03 AM
Will do.
WHAT? :-)
#14
Posted 29 July 2009 - 02:07 AM
#15
Posted 29 July 2009 - 12:47 PM
Hi yeah,
Yes, that CF is good to use; run that routine first.
HiJackThis
- Please download this program Trend Micro HijackThis to your desktop.
- Double-click on it to run and install it.
- Then launch the program and click on Do a system scan and save a logfile. This log file will open in Notepad.
- Do not do anything with HJT at this point except copy and paste the contents of the log generated into a reply.
I will give you heaps of support info after we have finished cleaning your PC, but first of all let's make sure it's clean; then I can point you in the direction of how to secure it and avoid malware, etc.
#16
Posted 29 July 2009 - 02:03 PM
Awesome. Look forward to the advice and tips. Will run tonight. Heading out of town on business so if not tonight next week when I return. Very impressed with the professional help here.
WHAT? :-)
#17
Posted 29 July 2009 - 08:29 PM
I didn't have time for the Combofix but Hijackthis went fast. Here's the file. I'll try and check in during my trip.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:32 PM, on 7/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Avira\AntiVir Desktop\sched.exe
I:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
I:\Program Files\Avira\AntiVir Desktop\avguard.exe
I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
I:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\Program Files\Common Files\LightScribe\LSSrvc.exe
I:\PROGRA~1\AVG\AVG8\avgrsx.exe
I:\PROGRA~1\AVG\AVG8\avgnsx.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\Java\jre6\bin\jusched.exe
I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
I:\WINDOWS\RTHDCPL.EXE
I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
I:\Program Files\MSI\Live Update 3\LMonitor.exe
I:\Program Files\Nero\Nero 7\InCD\InCD.exe
I:\PROGRA~1\AVG\AVG8\avgtray.exe
I:\Program Files\Avira\AntiVir Desktop\avgnt.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Documents and Settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
I:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
I:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
I:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
I:\Program Files\Logitech\SetPoint\KEM.exe
I:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] I:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LiveMonitor] I:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [InCD] I:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "I:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SansaDispatch] I:\Documents and Settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] I:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "I:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ccleaner] "I:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [Advanced SystemCare 3] "I:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = I:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://I:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238224748875
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - I:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - I:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - I:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - I:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - I:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - I:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - I:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - I:\Program Files\Common Files\LightScribe\LSSrvc.exe
--
End of file - 6495 bytes
WHAT? :-)
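An added example, not part of the thread and not HijackThis's own code: a Python pass over a HijackThis log like the one above that pulls out the entries a helper would look at twice. It flags O2/O3 registrations whose target is "(no file)" (orphaned BHO and toolbar CLSIDs, such as the two in this log), O4 Run values that name a bare executable with no path (these are resolved through the search path at logon, so it is worth confirming which binary actually runs), O4 values launched from a user profile directory, and O23 services with no vendor name. None of these is proof of infection; the helper in the next post judged this log clean. The heuristics, regexes and the sample lines (copied from the log above) are the editor's assumptions.

```python
"""Triage a HijackThis log for entries that deserve a second look.

Flags: O2/O3 registrations whose target is '(no file)' (orphans), O4 Run
entries that name a bare executable with no path, O4 entries launched from a
user profile directory, and O23 services with no vendor name. The heuristics
are the editor's (hypothetical), not HijackThis's own logic.
"""
import re

# Constructed sample: lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [SansaDispatch] I:\Documents and Settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [ccleaner] "I:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - Global Startup: Logitech SetPoint.lnk = I:\Program Files\Logitech\SetPoint\KEM.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - I:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[OR]\d+)\s+-\s+(?P<body>.+)$")
# HKLM\..\Run: [name] command line
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Unquoted command line: take everything up to the first executable extension.
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|scr|com|bat|cmd))(?:\s|$)", re.I)
PROFILE_RE = re.compile(r"\\documents and settings\\", re.I)


def executable_of(cmd):
    """Extract the program from a Run value: quoted path, or unquoted path up to its extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else (cmd.split()[0] if cmd else "")


def triage(log):
    """Return (section, finding, line_body) triples for entries worth checking."""
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((sec, "orphan", body))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if not r:
                continue  # Global Startup .lnk lines are not Run values
            exe = executable_of(r.group("cmd"))
            if "\\" not in exe:
                findings.append((sec, "bare-name", body))  # resolved via search path
            elif PROFILE_RE.search(exe):
                findings.append((sec, "user-profile", body))  # runs from a user-writable tree
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "unknown-owner", body))
    return findings


if __name__ == "__main__":
    for sec, kind, body in triage(SAMPLE_LOG):
        print(f"{sec:<4}{kind:<14}{body}")
```

On the sample this reports six lines: the two orphans, RTHDCPL.EXE and ALCMTR.EXE as bare names, the SanDisk updater running from the Billy profile, and the "Unknown owner" ATI service. The quoted Java, CCleaner and Avira entries are not flagged.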
#18
Posted 29 July 2009 - 08:44 PM
OK, well, nothing bad in the HJT log.
ComboFix will dig a bit deeper, and it will remove the orphaned service load value for the recently evicted rootkit. So before we give you the green light I would rather wait for that report first.
No problem if you can't do it today; just post it up when you get around to it.
#19
Posted 30 July 2009 - 07:10 PM
Well that's great news! I will run the other program when I get back in town.
You rock!!!
WHAT? :-)
#20
Posted 04 August 2009 - 11:18 PM
Hi!
I'm back and ready to run ComboFix but when I run it, it says it may be a tainted version. Can you give me the safest location for the file. It says I should download another copy before I run it.
Thanks
WHAT? :-)