calitech
asked on
Hijack log. 2 viruses AVG can't clean
Every time I start my computer, AVG is telling me there are infections. I click to remove them and it says it needs to restart to clean them. I restart and they come back.
I have done a scan with Malwarebytes and now I think I will try SuperAntiSpyware.
Any help or recommendation would be great. This is an XP machine and I do have the system restore turned off.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:09 PM, on 12/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
C:\Documents and Settings\Evette\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {0143C0F5-4661-4EEB-8E72-1608D413DBE2} - C:\WINDOWS\system32\ciebxvys.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: (no name) - {AE9266A5-53EE-4595-A1D1-A3B27EE6C4C6} - c:\windows\system32\bfvgetb.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O2 - BHO: MCIEPlugIn Class - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139941874828
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dundopoh - C:\WINDOWS\SYSTEM32\bfvgetb.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
--
End of file - 9099 bytes
What are the files that AVG's trying to delete? Can you reply with the AVG log?
First of all, these files look suspicious:
C:\WINDOWS\system32\ciebxvys.dll
c:\windows\system32\bfvgetb.dll
Go to http://virusscan.jotti.org/en and upload the above files to see what virus you're dealing with.
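As an added example (not from this thread, and not part of HijackThis), the small Python triage script below parses the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log and cross-references them, which is how the two DLLs above stand out: an unnamed BHO in system32, and a Winlogon Notify hook loading the very same DLL. The line patterns and the "unnamed BHO" heuristic are my assumptions, and the sample lines are constructed from the posted log.

```python
"""Triage helper for HijackThis logs: flag unnamed BHOs that still have a DLL
on disk, and Winlogon Notify hooks that load one of those same DLLs."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the posted log.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {0143C0F5-4661-4EEB-8E72-1608D413DBE2} - C:\\WINDOWS\\system32\\ciebxvys.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\\Program Files\\Google\\Google Toolbar\\GoogleToolbar_32.dll
O2 - BHO: (no name) - {AE9266A5-53EE-4595-A1D1-A3B27EE6C4C6} - c:\\windows\\system32\\bfvgetb.dll
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll
O20 - Winlogon Notify: dundopoh - C:\\WINDOWS\\SYSTEM32\\bfvgetb.dll
"""

# Assumed line shapes for the two HijackThis sections we care about.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


def parse(log):
    """Return (bhos, notifies): one dict per matching O2 / O20 line."""
    bhos, notifies = [], []
    for line in log.splitlines():
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append(m.groupdict())
    return bhos, notifies


def norm(path):
    """Case-insensitive path key (Windows paths compare case-insensitively)."""
    return path.strip().lower()


def triage(log):
    """Return {normalised dll path: [reasons]} for entries worth a second look.
    Heuristics (assumptions, not HijackThis rules):
      - an O2 BHO reported as '(no name)' that still has a file on disk;
      - an O20 Winlogon Notify entry whose DLL is also loaded by such a BHO,
        i.e. the dundopoh / bfvgetb.dll pairing in the posted log.
    '(no file)' orphans are ignored: nothing loads from them."""
    bhos, notifies = parse(log)
    findings = defaultdict(list)
    unnamed = {norm(b["path"]) for b in bhos
               if b["name"] == "(no name)" and b["path"] != "(no file)"}
    for p in sorted(unnamed):
        findings[p].append("unnamed BHO with a DLL on disk")
    for n in notifies:
        p = norm(n["path"])
        if p in unnamed:
            findings[p].append(f"Winlogon Notify key '{n['key']}' loads the same DLL")
    return dict(findings)
```

Running triage() over a full log is a quick way to shortlist what to upload to a multi-engine scanner; it does not decide anything by itself.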
ASKER
Yep, those are the files that AVG is detecting but can't remove.
Also try the NOD online scan: http://www.eset.com/onlinescan/
And run Autoruns (don't make any changes within Autoruns).
Autoruns: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Within Autoruns, select the File tab and select Save (Ctrl+S), and save as AutoRuns Data (*.arn), which is a few megs in size.
Once saved, right click autoruns.arn and rename it to autoruns.txt to upload.
If the other suggestions don't work, try this:
Run regedit, then browse to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Right click on it, then select Permissions.
Select SYSTEM, then check Deny.
Click Advanced and check the "Replace permissions..." option.
Click OK, then Yes, then OK.
Expand the Notify key and delete the dundopoh key below it.
Press F5 to make sure it stays gone.
Close regedit and restart the computer in Safe Mode.
Do another virus scan, then restart.
Restore the permissions for SYSTEM in regedit.
If the problem persists, then we can use another scanner like OTL or OTS to remove it using a script.
ASKER
Figures I can't download ComboFix. They are having issues.
ASKER
From Twitter:
Combofix is currently offline until an issue is resolved by the developer.
5:51 AM Dec 13th from web