Security Tool Virus

rogmi

New Member
I have acquired a virus called "Security Tool". I am unable to run Malwarebytes. I have even tried to run it in Safe Mode with no luck. What should I do next?
 
Are you able to run AVG scanner?
Can you take that infected hard drive and put it in another system as a slave drive so that you can run Malwarebytes and get it off the infected drive?
 
Hello:

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


How to run a scan with Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware from Here, Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Download and post a log with HiJackThis.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


In your next reply I will need:
  • The ComboFix log
  • The Malwarebytes' log
  • A HiJackThis log
  • An update on how your computer is running
 
Can't run ComboFix. The malware appears to be preventing it. I can't even effect a Ctrl-Alt-Del. That is being blocked as well.

Every time I try to do something like this, I get a bubble message "Security Tool Warning".
 
Try renaming combofix.exe to something.exe
 
Nope. That doesn't work either. It tried to start and then stopped and the bubble message popped up and actually included the message that "something.exe is infected with. . ."
 
Are you computer savvy enough to put your hard drive in another system and scan it using a fully updated antivirus such as AVG or any other comparable program? Once the scan finds and deletes the offending files that stops programs from running then you can put the drive back in your own system and scan using Malwarebytes and hijackthis, and then we can go from there.
 
Hopefully, that won't be necessary now. I was able to run Malwarebytes by going into Safe Mode and renaming the .exe file as iexplore.

Here is my log from Malwarebytes:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2 (Safe Mode)

10/10/2009 9:13:36 PM
mbam-log-2009-10-10 (21-13-36).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 293073
Time elapsed: 1 hour(s), 26 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\XP_AntiSpyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noretokeh (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\66997340 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\31429625 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\01753420 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22167523 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tazajolipe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users.WINDOWS\Application Data\66997340 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\31429625 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\01753420 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\22167523 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users.WINDOWS\Application Data\66997340\66997340.bat (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\66997340\66997340.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\31429625\31429625.bat (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\31429625\31429625.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\01753420\01753420.bat (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\01753420\01753420.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\22167523\22167523.bat (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\22167523\22167523.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\XP_AntiSpyware\htmlayout.dll.vir (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{048ACBAB-CD61-4BE2-9BFF-6639B7D1AB57}\RP1043\A0058526.dll (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{048ACBAB-CD61-4BE2-9BFF-6639B7D1AB57}\RP1043\A0058554.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.DESKTOP\Application Data\qejysege.dll (Trojan.Agent) -> Quarantined and deleted successfully.



and here is my Hijack This log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:07 PM, on 10/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
G:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {23b67599-3ea7-4705-9fb5-a7f8ed0dc483} - juzohudu.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Spyware Fix Downloads\avgssie.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\MAM\iexplore.exe" /runcleanupscript
O4 - HKCU\..\RunOnce: [] OSK.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\Spyware Fix Downloads\avgpp.dll (file missing)
O21 - SSODL: zawirisen - {4d286a7c-fc14-4ccb-98fb-f9c89297750c} - c:\windows\system32\guziwaha.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {4d286a7c-fc14-4ccb-98fb-f9c89297750c} - c:\windows\system32\guziwaha.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\SPYWAR~2\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\SPYWAR~2\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

--
End of file - 4709 bytes
 
Okay, a few things to do here.

1. Rerun HijackThis and place a check next to these boxes.

O2 - BHO: (no name) - {23b67599-3ea7-4705-9fb5-a7f8ed0dc483} - juzohudu.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Spyware Fix Downloads\avgssie.dll (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\Spyware Fix Downloads\avgpp.dll (file missing)
O21 - SSODL: zawirisen - {4d286a7c-fc14-4ccb-98fb-f9c89297750c} - c:\windows\system32\guziwaha.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {4d286a7c-fc14-4ccb-98fb-f9c89297750c} - c:\windows\system32\guziwaha.dll (file missing)

Then click on fix checked at the bottom.

2. You are running a very old version of Java. Please go into add/remove programs and uninstall all older versions listed. They can be labeled as Java or J2SE runtime. After uninstalling all older versions go here and download the latest version.

http://www.java.com/en/download/index.jsp

Are you running the latest version of AVG as your virus program? Also, have you retried running ComboFix after you were able to run Malwarebytes?
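A small log-triage helper written for this thread (example code, not part of HijackThis, Malwarebytes or ComboFix) that flags the three patterns the reply above acts on: load points marked "(file missing)", Run values with an all-digit name pointing into Application Data (the Rogue.Multiple.H layout in the MBAM log), and one CLSID registered as both an O21 SSODL and an O22 SharedTaskScheduler entry. The sample lines are constructed from the HijackThis v2 formats quoted in this thread, with shortened paths, and the line syntax it assumes is only what those quoted logs show.

```python
"""Triage of HijackThis v2 log lines (added example for this thread)."""
import re
from collections import defaultdict

# Constructed sample in the HijackThis v2.0.2 format quoted in this thread
# (paths shortened; not a real log from the poster's machine).
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {23b67599-3ea7-4705-9fb5-a7f8ed0dc483} - juzohudu.dll (file missing)",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [66997340] "C:\Documents and Settings\All Users\Application Data\66997340\66997340.exe"',
    r"O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe",
    r"O21 - SSODL: zawirisen - {4d286a7c-fc14-4ccb-98fb-f9c89297750c} - c:\windows\system32\guziwaha.dll (file missing)",
    r"O22 - SharedTaskScheduler: tokatiluy - {4d286a7c-fc14-4ccb-98fb-f9c89297750c} - c:\windows\system32\guziwaha.dll (file missing)",
    r"O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\SPYWAR~2\avgwdsvc.exe (file missing)",
]

# "O4 - HKLM\..\Run: [name] command" is the only O4 shape seen in the thread.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")


def parse_entry(line):
    """Split one HJT line into (code, body); None for header/process lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def run_target(body):
    """For an O4 body return (value name, executable path), else None."""
    m = RUN_RE.match(body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    # Quoted path: take what is inside the quotes; otherwise the first token.
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return m.group("name"), path


def triage(lines):
    """Return (code, reason, detail) findings in log order; CLSID pairs last."""
    findings = []
    by_clsid = defaultdict(set)
    for line in lines:
        parsed = parse_entry(line)
        if not parsed:
            continue
        code, body = parsed
        if body.endswith("(file missing)"):
            reason = "orphan load point: target file no longer exists"
            if code == "O23":
                # Missing service binaries are often leftovers of an uninstall,
                # as with the AVG8 entries in this thread; review before removing.
                reason += " (service; may be a leftover of an uninstalled product)"
            findings.append((code, reason, line))
        if code == "O4":
            target = run_target(body)
            if target:
                name, path = target
                if name.isdigit() and "application data" in path.lower():
                    findings.append((code, "all-digit Run value pointing into Application Data", line))
        if code in ("O21", "O22"):
            m = CLSID_RE.search(body)
            if m:
                by_clsid[m.group(0).lower()].add(code)
    for clsid, codes in by_clsid.items():
        if codes >= {"O21", "O22"}:
            findings.append(("O21/O22", "same CLSID registered as both SSODL and SharedTaskScheduler", clsid))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {detail}")
```

Entries the helper flags this way are candidates to tick in HijackThis, not automatic removals; the O23 leftovers in the thread were left alone.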
 
I did the following in this order: (i) ComboFix (see log below), (ii) MBAM (see log below), (iii) deleted and re-installed Java, (iv) downloaded AVG 9.0 Anti-virus (do you recommend?) and (v) ran HiJack This (see log below).

The malware is not popping up, but I am concerned because there is an icon on my desktop that says "Security Tool". It looks like a generic exe file icon, and I am afraid if I touch it that the nasty stuff will re-start. What else should I do? THANKS!!

(1) ComboFix Log

ComboFix 09-10-10.02 - Administrator 10/10/2009 22:34.3.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.384 [GMT -5:00]
Running from: G:\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\berubagu.dll
c:\windows\system32\hijagolu.dll
c:\windows\system32\wuyejaso.dll
.
---- Previous Run -------
.
c:\windows\system32\zarebeba.dll

-- Previous Run --

Infected copy of c:\windows\SYSTEM32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\winlogon.exe

--------

.
((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-11 03:30 . 2009-10-11 03:30 -------- d-----w- c:\documents and settings\Owner.DESKTOP\Application Data\Malwarebytes
2009-10-11 02:34 . 2009-10-11 02:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\01338116
2009-10-10 23:52 . 2009-10-10 23:52 -------- d-----w- c:\documents and settings\Administrator.DESKTOP\Application Data\Malwarebytes
2009-10-10 20:23 . 2009-10-10 20:23 -------- d-----w- c:\program files\123
2009-10-10 20:21 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-10 20:21 . 2009-10-10 20:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-10-10 20:21 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-10 20:19 . 2009-10-10 20:19 -------- d-sh--w- c:\documents and settings\Administrator.DESKTOP\PrivacIE
2009-10-10 20:16 . 2009-10-10 20:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-10 20:14 . 2009-10-10 20:14 -------- d-----w- c:\documents and settings\Administrator.DESKTOP\Local Settings\Application Data\Adobe
2009-10-10 20:14 . 2009-10-10 20:14 -------- d-sh--w- c:\documents and settings\Administrator.DESKTOP\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 23:37 . 2008-10-15 02:29 -------- d-----w- c:\program files\coyqhyf
2009-09-20 13:52 . 2007-06-30 00:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ZoomBrowser
2009-09-20 13:48 . 2007-06-30 00:53 -------- d-----w- c:\documents and settings\Owner.DESKTOP\Application Data\ZoomBrowser EX
2008-10-16 02:19 . 2008-10-16 02:19 18096 ----a-w- c:\program files\Common Files\yfihudez.db
2008-10-16 02:19 . 2008-10-16 02:19 11781 ----a-w- c:\program files\Common Files\ledihusas.dl
2008-10-15 02:51 . 2008-10-15 02:51 13552 ----a-w- c:\program files\Common Files\ytykefohig.com
2006-06-01 02:59 . 2006-06-01 02:59 4871843 ----a-w- c:\program files\PartyPokerNetSetup.exe
2006-04-23 02:17 . 2006-04-23 02:17 5113904 ----a-w- c:\program files\Firefox Setup 1.5.0.2.exe
2006-04-16 02:23 . 2006-04-16 02:23 11817800 ----a-w- c:\program files\GoogleEarth.exe
2006-01-28 03:05 . 2006-01-28 03:02 36488456 ----a-w- c:\program files\iTunesSetup.exe
2006-01-21 17:45 . 2006-01-21 17:44 786432 ----a-w- c:\program files\di524_firmware_105.bin
2005-12-25 06:45 . 2005-12-25 06:44 5037072 ----a-w- c:\program files\spybotsd14.exe
2005-08-13 03:37 . 2005-08-13 03:36 7258112 ----a-w- c:\program files\ParadisePokerSetup.exe
2005-08-06 19:03 . 2005-08-06 19:03 1533096 ----a-w- c:\program files\wp6rtf.exe
2005-07-01 22:17 . 2005-07-01 22:17 102607588 ----a-w- c:\program files\dmf4_dc_na_tbyb.exe
2005-06-04 16:59 . 2005-06-04 16:59 2807406 ----a-w- c:\program files\RRDialAccess-3.01-win.exe
2006-05-22 00:45 . 2004-09-20 23:20 60518 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-05-22 00:45 . 2004-09-20 23:20 49248 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-05-22 00:45 . 2004-09-20 23:20 165992 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-07-11 02:34 . 2009-07-11 02:34 1050147 --sha-w- c:\windows\SYSTEM32\baborefe.exe
2009-07-09 02:33 . 2009-07-09 02:33 60928 --sha-w- c:\windows\SYSTEM32\bokuyapo.dll
2009-07-09 02:33 . 2009-07-09 02:33 1050147 --sha-w- c:\windows\SYSTEM32\bomupisu.exe
2009-07-09 02:33 . 2009-07-09 02:33 167424 --sha-w- c:\windows\SYSTEM32\dasayefo.dll
2009-07-10 02:34 . 2009-07-10 02:34 1050659 --sha-w- c:\windows\SYSTEM32\dokakefi.exe
2009-07-09 14:34 . 2009-07-09 14:34 51200 --sha-w- c:\windows\SYSTEM32\juzohudu.dll
2009-07-10 14:34 . 2009-07-10 14:34 1050147 --sha-w- c:\windows\SYSTEM32\juzusite.exe
2009-07-09 14:33 . 2009-07-09 14:33 88576 --sha-w- c:\windows\SYSTEM32\nisusupu.dll
2009-07-09 02:33 . 2009-07-09 02:33 83968 --sha-w- c:\windows\SYSTEM32\sovulide.dll
2009-07-09 14:33 . 2009-07-09 14:33 1050659 --sha-w- c:\windows\SYSTEM32\tijetuno.exe
2009-07-09 14:34 . 2009-07-09 14:34 51200 --sha-w- c:\windows\SYSTEM32\zojolefi.dll
.

------- Sigcheck -------

[-] 2008-10-15 . 40FFC19A8D4875E9E19CECDC76EF9201 . 295424 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\termsrv.dll
[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
[7] 2004-08-12 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DLLCACHE\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23b67599-3ea7-4705-9fb5-a7f8ed0dc483}]
2009-07-09 14:34 51200 --sha-w- c:\windows\SYSTEM32\juzohudu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="OSK.exe" - c:\windows\SYSTEM32\osk.exe [2004-08-12 215552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-30 185896]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Malwarebytes Anti-Malware (reboot)"="g:\mam\iexplore.exe" [2009-09-10 1312080]
"01338116"="c:\documents and settings\All Users.WINDOWS\Application Data\01338116\01338116.exe" [2009-10-11 1050147]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [10/17/2008 11:00 PM 12936]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [10/17/2008 11:00 PM 97928]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\SPYWAR~2\avgemc.exe --> c:\progra~1\SPYWAR~2\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\SPYWAR~2\avgwdsvc.exe --> c:\progra~1\SPYWAR~2\avgwdsvc.exe [?]
S2 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [10/17/2008 10:59 PM 76040]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ATT-SST_McciTrayApp - c:\program files\ATT-SST\McciTrayApp.exe
SharedTaskScheduler-{9c69692d-1602-4262-aa22-eb506f0aff46} - c:\windows\system32\zarebeba.dll
SSODL-wipolidal-{9c69692d-1602-4262-aa22-eb506f0aff46} - c:\windows\system32\zarebeba.dll
AddRemove-AVG8Uninstall - c:\program files\Spyware Fix Downloads\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 22:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1220945662-1844823847-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f4,76,66,c2,c9,b0,40,4e,b5,81,04,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f4,76,66,c2,c9,b0,40,4e,b5,81,04,\
.
Completion time: 2009-10-11 22:45
ComboFix-quarantined-files.txt 2009-10-11 03:45

Pre-Run: 85,072,347,136 bytes free
Post-Run: 85,038,743,552 bytes free

147 --- E O F --- 2008-10-24 12:16


(2) MBAM Log

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2 (Safe Mode)

10/11/2009 6:39:28 AM
mbam-log-2009-10-11 (06-39-28).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 292693
Time elapsed: 1 hour(s), 26 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\01338116 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users.WINDOWS\Application Data\01338116 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users.WINDOWS\Application Data\01338116\01338116.bat (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\01338116\01338116.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.


(3) Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:00, on 10/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
G:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\MAM\iexplore.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\SPYWAR~2\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\SPYWAR~2\avgwdsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

--
End of file - 6451 bytes
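As an added example for this thread (not HijackThis code and not the helper's method), the script below does the first pass a log reviewer does by hand over HijackThis output. The sample lines are copied from the log above plus the Run entry from the later log in this thread that starts from G:; which drive and folders count as "system roots" is an assumption based on the poster's Windows install on C:. It flags Run entries whose binary lives outside those roots, the O10 LSP that HijackThis could not identify, O20 entries (DLLs that get loaded into other processes), and O23 services whose binary is missing or has no recognised publisher, such as the leftover AVG8 entries. A flag is a line to look at, not a verdict: the reviewer still decides, from the label and context, whether the entry is expected.

```python
"""Triage a HijackThis 2.x log: flag the entries a reviewer checks first.

Added example for this thread; not HijackThis code and not the helper's
method. SAMPLE_LOG is an excerpt copied from the logs posted in the thread.
The "system roots" are an assumption: the poster's Windows lives on C:.
"""
import re
from dataclasses import dataclass
from typing import List

# Excerpt copied from the HijackThis logs in this thread (constructed sample).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\MAM\iexplore.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\SPYWAR~2\avgemc.exe (file missing)
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# Assumption: Windows and installed software live on C:, as the poster's log shows.
SYSTEM_ROOTS = ("c:\\windows", "c:\\program files", "c:\\progra~1")

# O4 - <hive>\..\Run: [<name>] <command>
O4_RE = re.compile(r"^O4 - (.+?)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O4" or "O23"
    reason: str   # why a reviewer should look at this line
    line: str     # the original log line


def exe_path(command: str) -> str:
    """Pull the executable out of a Run value: the quoted path, or up to '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def is_system_path(path: str) -> bool:
    """True when the binary sits under a root where installed software normally lives."""
    return path.lower().replace("/", "\\").startswith(SYSTEM_ROOTS)


def triage_hjt(log_text: str) -> List[Finding]:
    """Return one Finding per log line that deserves a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or " - " not in line:
            continue
        tag = line.split(" - ", 1)[0]
        reasons = []
        if tag == "O4":
            m = O4_RE.match(line)
            if m and not is_system_path(exe_path(m.group(4))):
                reasons.append(f"autorun binary outside system roots: {exe_path(m.group(4))}")
        elif tag == "O10" and "Unknown" in line:
            # HijackThis itself could not identify this Winsock LSP.
            reasons.append("unknown Winsock LSP; confirm the DLL's publisher before removing")
        elif tag == "O20":
            # AppInit_DLLs / Winlogon Notify DLLs are loaded into other processes.
            reasons.append("O20 DLL loaded into other processes; verify it belongs to installed software")
        elif tag == "O23":
            if "(file missing)" in line:
                reasons.append("service points at a binary that no longer exists (orphaned entry)")
            if "Unknown owner" in line:
                reasons.append("service binary has no recognised publisher")
        if reasons:
            findings.append(Finding(tag, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run as-is it prints four flagged lines out of the seven sample lines; the two Program Files autoruns and the current AVG 9 service pass. The O23 orphan check is the one that catches uninstall leftovers like the AVG8 entries, which are clutter rather than an infection but are exactly what a reviewer wants to clear before calling a log clean.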
 
Please rerun Malwarebytes, as you are using really old definitions. Open Malwarebytes, click on the Update tab, then click Check for Updates. Let it finish updating, then rerun a full scan and post the log back here.

The newest database is 2941 and you are using 2775.

Your HijackThis log looks clean, but go ahead and update Malwarebytes and do a full scan. Also, have you done a virus scan using the new AVG? AVG 9 is the paid version, correct? As far as I know, the free version is still only at 8.5. You shouldn't be paying for an antivirus when the free one works just as well.
 
Okay, I updated MBAM per your suggestion and ran a full scan. It took forever. The log is shown below.

I ran the AVG scan before that and it found and isolated some problems. Thanks also for the info on the free AVG 8.5. I had downloaded the free trial version of 9.0, and it was easy to move it back to 8.5.

Finally, I ran one last HijackThis (see log below).

THANKS FOR ALL YOUR HELP. . .

It looks like everything is clean, but the machine seems to be running really slow. New programs open quite slowly. Do you think anything we did during the last day could have resulted in this?

MBAM LOG
Malwarebytes' Anti-Malware 1.41
Database version: 2943
Windows 5.1.2600 Service Pack 2

10/11/2009 19:40:47
mbam-log-2009-10-11 (19-40-47).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 297844
Time elapsed: 5 hour(s), 42 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{048ACBAB-CD61-4BE2-9BFF-6639B7D1AB57}\RP1043\A0058846.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\baborefe.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.DESKTOP\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.DESKTOP\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.


HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:52:38, on 10/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\MAM\iexplore.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\SPYWAR~2\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\SPYWAR~2\avgwdsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

--
End of file - 6456 bytes
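The MBAM log above is a fixed-format text report, and a reviewer reads it in three passes: do the summary counts match the items actually listed, what detection names are involved, and where do the hits live. The parser below is an added example for this thread (not MBAM's own code) that does those passes over the poster's log, embedded here trimmed to the lines the parser needs. Besides reconciling counts and tallying hits per detection name, it pulls the Bad/Good values out of the Security Center data item and separates the hit inside the System Restore snapshot (the _restore{...}\RPnnn path) from those on the live system: a copy in a restore point is not running, but it is what comes back if that restore point is ever applied. The 2941 used in the usage line is the newest database number the helper quoted earlier in the thread.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and reconcile what it reports.

Added example for this thread, not MBAM's own code. MBAM_LOG is the poster's
log from above, trimmed to the lines the parser needs; the newest-database
number (2941) is the one the helper quoted earlier in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Copied from the MBAM log posted above (empty sections and blank lines trimmed).
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2943
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 297844
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\System Volume Information\_restore{048ACBAB-CD61-4BE2-9BFF-6639B7D1AB57}\RP1043\A0058846.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\baborefe.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.DESKTOP\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.DESKTOP\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str              # log section the item was listed under
    location: str             # file path or registry path
    family: str               # MBAM detection name, e.g. Rogue.SecurityTool
    action: str               # what MBAM did with it
    bad: Optional[int] = None   # Registry Data Items only: value found ...
    good: Optional[int] = None  # ... and value MBAM restored

    @property
    def in_restore_point(self) -> bool:
        """True for copies living in a System Restore snapshot (_restore{...})."""
        return re.search(r"\\_restore\{", self.location, re.IGNORECASE) is not None


@dataclass
class ScanReport:
    version: str = ""
    database: int = 0
    objects_scanned: int = 0
    declared: dict = field(default_factory=dict)  # summary count per section
    items: list = field(default_factory=list)


ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.*)$")
BADGOOD_RE = re.compile(r"^Bad: \((\d+)\) Good: \((\d+)\) -> (.*)$")


def parse_mbam_log(text: str) -> ScanReport:
    """Read header, summary counts and per-section detections into a ScanReport."""
    report, section = ScanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"^Malwarebytes' Anti-Malware (\S+)$", line):
            report.version = m.group(1)
        elif m := re.match(r"^Database version: (\d+)$", line):
            report.database = int(m.group(1))
        elif m := re.match(r"^Objects scanned: (\d+)$", line):
            report.objects_scanned = int(m.group(1))
        elif m := re.match(r"^(.+ Infected): (\d+)$", line):
            report.declared[m.group(1)] = int(m.group(2))
        elif m := re.match(r"^(.+ Infected):$", line):
            section = m.group(1)
        elif section and not line.startswith("(No malicious items") and (m := ITEM_RE.match(line)):
            location, family, rest = m.groups()
            bad = good = None
            if bg := BADGOOD_RE.match(rest):
                bad, good, rest = int(bg.group(1)), int(bg.group(2)), bg.group(3)
            report.items.append(Detection(section, location, family, rest, bad, good))
    return report


def reconcile(report: ScanReport) -> dict:
    """Sections whose summary count disagrees with the items actually listed."""
    listed = Counter(i.section for i in report.items)
    return {s: (n, listed[s]) for s, n in report.declared.items() if listed[s] != n}


def families(report: ScanReport) -> Counter:
    """Number of hits per MBAM detection name."""
    return Counter(i.family for i in report.items)


def restore_point_hits(report: ScanReport) -> list:
    """Detections sitting in System Restore snapshots rather than the live system."""
    return [i for i in report.items if i.in_restore_point]


def definitions_behind(report: ScanReport, newest: int) -> int:
    """How many database releases the scan lagged behind `newest` (negative = newer)."""
    return newest - report.database


if __name__ == "__main__":
    r = parse_mbam_log(MBAM_LOG)
    print(f"MBAM {r.version}, database {r.database}, {definitions_behind(r, 2941)} behind 2941")
    print("count mismatches:", reconcile(r) or "none")
    print("by family:", dict(families(r)))
    for hit in restore_point_hits(r):
        print("restore-point copy:", hit.location)
```

For this log the counts reconcile, the four Rogue.SecurityTool hits split into one restore-point copy, one binary in SYSTEM32 and two shortcuts, and the database (2943) is two releases newer than the 2941 the helper mentioned, so the staleness complaint from the earlier log no longer applies. The reconcile step matters more on logs pasted from forum posts than on your own: a log that has been trimmed or edited shows up as a count mismatch.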
 
It looks like everything is clean, but the machine seems to be running really slow. New programs open quite slowly. Do you think anything we did during the last day could have resulted in this?

Sometimes, when a machine gets infected and is finally clean, there is still a possibility that the damage done (slowness) is irreversible without doing a clean install of the OS. I suspect this is the case for you as well.
 