Inactive "Bad Image" pop-ups; [application or program].dll issues; google redirects

xdeadlockxfan
Hi, I'm new here and I had to post because I'm still having issues with my computer after following this link: https://www.techspot.com/community/topics/updated-4-step-viruses-spyware-malware-removal-preliminary-instructions.58138/
I only downloaded the Malwarebytes' Anti-Malware program and have a log below of the first scan. I also downloaded the GMER program and had issues with it. (This is the main reason I'm posting here: the issue should be resolved after quarantining infected items, but it is not; and GMER just unexpectedly shut down on me and shut down my computer.)
The Malware scan also told me (during the scanning process) that I had only 24 infected items; here in the log it does not say. I removed them and restarted my computer, but "Bad Image" pop-ups still appear!
The first two times using GMER in regular normal Windows Vista settings, I had a blue screen error and my computer unexpectedly shut down. After that, I switched to safe mode and tried GMER again, which gave me the log below.
I didn't do the DDS program yet because I wanted to get some input on the whole "Bad Image" issue, which started only last night after trying to open a few corrupted .pdf files, before going any further with diagnostics and repair.
Along with the Bad Image issue, I have the google redirect issue, which I've seen quite a bit, and the .dll-program issue, which comes up in the same error message as the "Bad Image" thing.

I have a Dell Inspiron 1501 laptop running Windows Vista, about four years old.
Here are the logs. Note: I only did Anti-Malware and GMER.

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5298

Windows 6.0.6000
Internet Explorer 7.0.6000.17037

12/11/2010 10:34:18 PM
mbam-log-2010-12-11 (22-34-18).txt

Scan type: Quick scan
Objects scanned: 156907
Time elapsed: 10 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--------------------

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-11 22:13:35
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1637GSX rev.DL040D
Running: t8xihc4g.exe; Driver: C:\Users\Albert\AppData\Local\Temp\ugliqpow.sys


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7402FBC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73FFB9AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73FEA31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73FECBFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73FE8AB2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73FFCF28] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73FE7D98] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73FE7CFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73FE6A64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7407C1D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74007F56] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73FE90CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73FF2179] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73FF21A4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73FF7F1C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73FF7D3E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [740283D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Here's the blue screen error details:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6000.2.0.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 50
BCP1: 87C00000
BCP2: 00000000
BCP3: A47A4EED
BCP4: 00000000
OS Version: 6_0_6000
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini121110-01.dmp
C:\Users\Albert\AppData\Local\Temp\WER-92453-0.sysdata.xml
C:\Users\Albert\AppData\Local\Temp\WER4992.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
-------------------
Even after the Malware scan and GMER, I still have the "Bad Image" pop-ups coming up. And I wanted some input on the GMER blue screen/shut down thing too. I can imagine it's also tied into the google redirects too, where I click a google link to a wikipedia page and it takes me to a "local" search page (like 7search or something).

Somebody please help me save my computer!
 
Welcome to TechSpot! Ah well, you want the cart before the horse! You want me to tell you what's causing the BSOD before checking for a malware cause!
after trying to open a few corrupted .pdf files, before going any further with diagnostics and repair.

It depends on what files were corrupted and why. Regarding the Error Event that you left: that most likely would have come after the cause of the problem driver with the system trying to fix it. You should follow the instructions on the site and look for the Error before the minidump.

It works like this: If you want to check the Event Viewer for any error that corresponds to the time of the BSOD, here's how: Follow these steps and screen shots HERE
(Note: there is a space after this line: "To get started with event viewer, you need to open up the start menu and right click on Computer, then click manage". Please scroll down to where it continues.)

There is usually white writing on the blue screen also which would give info.

The file info you left is for a minidump. If you want that checked, please move to the Windows OS forum.
It is not uncommon for GMER to cause a problem when invoking the scan. We tell the user to try one of the following:
1. Uncheck Devices, or
2. Run the scan in Safe mode, which is what you did.

Now, both the Mbam and GMER logs are clean. It is not reasonable for you to assume just running those scans will fix your problem, so don't hold me hostage! The more information I have, the better I can help you. So please go back to https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/ and do the rest of the steps.

When I see the rest of the logs, I will better be able to guide you.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
I'm sorry, but what is BSOD? (I don't know very many technological terms). And what is the minidump thing all about? Could you give me a little run down about what that is and does to my computer?

Here's the DDS log:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Albert at 13:28:41.24 on Sun 12/12/2010
Internet Explorer: 7.0.6000.17037
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1917.956 [GMT -8:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\lxdqserv.exe
C:\Windows\system32\lxdqcoms.exe
C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Button Manager\BM.exe
C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Albert\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uWindow Title = Internet Explorer provided by Dell
uStart Page = hxxp://ww2.cox.com/myconnection/lasvegas/home.cox
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071005
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071005
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071005
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: WinAVI FLVSense: {e8df67a1-b618-4f3f-9e7c-cbe175adef5b} - c:\program files\winavi flv converter\FLVTune.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
dRunOnce: [<NO NAME>]
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpbutt~1.lnk - c:\program files\hp\button manager\BM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\magic-i.lnk - c:\program files\arcsoft\magic-i 3\Magic-i.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} - c:\program files\winavi flv converter\FLVTune.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?e=1226548221207&h=1049e3811d711ac3028f03ec502dd18f/&filename=jinstall-6u10-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL cscutil.dll atlqueue.dll

============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20101124.001\IDSvix86.sys [2010-11-25 287792]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-10-30 149352]
R2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe -service --> c:\windows\system32\lxdqcoms.exe -service [?]
R2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdqserv.exe [2009-4-28 94208]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-26 50704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-6-6 1245064]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2006-11-2 16896]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-10-4 30192]

=============== Created Last 30 ================

2010-12-12 04:10:37 -------- d-----w- c:\users\albert\appdata\roaming\Malwarebytes
2010-12-12 04:10:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 04:10:27 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-12 04:10:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-12 04:10:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-11 02:17:13 478720 --sha-w- c:\windows\system32\cscutil.dll
2010-12-10 22:29:47 749832 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
2010-12-10 22:26:07 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{4cdfae65-cb0d-40ad-84a8-bdd41283b5db}\mpengine.dll
2010-12-02 05:39:16 17064 ----a-w- c:\windows\system32\lxdqwupd.exe
2010-12-02 05:39:14 102400 ----a-w- c:\windows\system32\lxdqwupd.dll
2010-12-02 05:38:53 348160 ----a-w- c:\windows\system32\LXDQinst.dll
2010-12-02 05:37:28 147968 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\lxdqdrpp.dll
2010-12-02 05:37:24 -------- d-----w- c:\program files\Lexmark Z2400 Series
2010-12-02 01:30:11 -------- d-----w- c:\program files\Linksys EasyLink Advisor

==================== Find3M ====================

2010-10-28 03:45:13 0 ----a-w- c:\users\albert\mstsc.exe
2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 13:32:52.36 ===============

-----------------

That's the last log. I've also got some info from a friend about what else to use if the problem doesn't get resolved sometime soon. Any other info you need me to get (like the Event Viewer in correspondence with the BSOD thing) just let me know and I'll get it to you promptly. Thank you so much for your help!
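The entries in the DDS log above that a helper would look at first can be pulled out mechanically. The script below is an added example for this thread, not DDS code and not any poster's material. Its rules, severity levels and rule names are the editor's own assumptions about what deserves a closer look: an Internet Explorer ProxyServer pointing at a loopback listener, AppInit_DLLs entries (which Windows loads into every process that loads user32.dll, so an entry that exists but is not a valid image produces a "Bad Image" dialog over and over), a freshly created hidden+system DLL in system32, a zero-byte executable in a user profile, orphaned BHO/toolbar entries and EnableLUA = 0. A hit is a lead to investigate, not a confirmed infection; the sample input is a subset of the lines posted above.

```python
"""Triage a DDS 'Pseudo HJT Report' / 'Created Last 30' listing for the
entries worth a closer look when a machine shows 'Bad Image' dialogs and
search redirects.  Added example for this thread; not DDS code and not any
poster's material.  Rule names and severities are the editor's assumptions."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity rule detail")
RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample: a subset of the lines from the DDS log posted above.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?e=1226548221207
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL cscutil.dll atlqueue.dll
2010-12-11 02:17:13 478720 --sha-w- c:\windows\system32\cscutil.dll
2010-12-10 22:29:47 749832 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
2010-12-12 04:10:37 -------- d-----w- c:\users\albert\appdata\roaming\Malwarebytes
2010-10-28 03:45:13 0 ----a-w- c:\users\albert\mstsc.exe
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>.+)$", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<value>.*)$", re.I)
NOFILE_RE = re.compile(r"^(BHO|TB):.*-\s*No File$", re.I)
LUA_RE = re.compile(r"EnableLUA\s*=\s*0\b", re.I)
LOOPBACK_RE = re.compile(r"\b(127\.0\.0\.1|localhost)\b", re.I)
# 'Created Last 30' / 'Find3M' rows: date time size attrs path
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text):
    findings = []
    appinit = []       # entries from the AppInit_DLLs line
    hidden_new = {}    # basename -> path of new hidden+system files under system32
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m["size"], m["attrs"].lower(), m["path"]
            low = path.lower()
            # 's' (system) and 'h' (hidden) attributes on a freshly written file in system32
            if "s" in attrs and "h" in attrs and "\\system32\\" in low:
                hidden_new[basename(path)] = path
                findings.append(Finding("medium", "hidden-system-file",
                                        f"new hidden+system file in system32: {path}"))
            if size == "0" and low.endswith(".exe") and "\\users\\" in low:
                findings.append(Finding("low", "zero-byte-exe",
                                        f"zero-byte executable in a user profile: {path}"))
            continue
        m = PROXY_RE.search(line)
        if m and LOOPBACK_RE.search(m["value"]):
            findings.append(Finding("high", "loopback-proxy",
                                    f"browser traffic routed through a local listener: {m['value']}"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            appinit = [e for e in re.split(r"[\s,]+", m["value"]) if e]
            continue
        if NOFILE_RE.match(line):
            findings.append(Finding("low", "orphaned-entry",
                                    f"registered component with no file on disk: {line}"))
        elif LUA_RE.search(line):
            findings.append(Finding("low", "uac-disabled", "EnableLUA = 0: UAC is turned off"))

    # AppInit_DLLs are loaded into every process that loads user32.dll; an entry that
    # exists but is not a valid image raises the 'Bad Image' dialog in each of them.
    for entry in appinit:
        base = basename(entry)
        if base in hidden_new:
            findings.append(Finding("high", "appinit-hidden-dll",
                                    f"AppInit_DLLs entry {entry} matches new hidden+system file {hidden_new[base]}"))
        elif "\\" not in entry:
            findings.append(Finding("medium", "appinit-bare-name",
                                    f"AppInit_DLLs entry {entry} has no path; resolved via the DLL search order"))
        else:
            findings.append(Finding("low", "appinit-entry", f"AppInit_DLLs entry: {entry}"))
    return sorted(findings, key=lambda f: RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.rule:20} {f.detail}")
```

Run against the lines above it ranks the loopback proxy and the AppInit_DLLs entry that matches the new hidden+system cscutil.dll highest; those two are where a helper would start, and they are the same two places that plausibly explain a redirect and a recurring "Bad Image" dialog respectively. Nothing here removes or changes anything; it only orders the log.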
 
I had a blue screen error and my computer unexpectedly shut down.

'blue screen' = BSOD= Blue Screen Of Death

I cannot tell you what it does until I know what's causing it.

I've also got some info from a friend about what else to use if the problem doesn't get resolved sometime soon.
The only useful information that would be different is if you reformat/reinstall the operating system instead of trying to troubleshoot the problem. Friends can get you into a lot of trouble with their help, unless they are experienced and right there with you to guide you.

Any other info you need me to get (like the Event Viewer in correspondence with the BSOD thing)
Yes, please do that.

See Post #4 here for some background on Bad Image: http://www.vistax64.com/vista-performance-maintenance/80733-windows-bad-image-error-message.html
 
Okay, I got you. So what is it that I'm supposed to do with the event viewer thing? Am I supposed to get you a log or just see if I can create a task or something? I'm confused. I need to know exactly what you need me to do since I'm not a computer technician and I'm nowhere near it.
 
When you get the blue screen, look at the time on the computer clock.
There are screen shots here to help: http://www.windowsvistauserguide.com/event_viewer.htm
(Note: there is a blank white screen below this line: "To get started with event viewer, you need to open up the start menu and right click on Computer, then click manage". Scroll down a bit to pick up the images.)

Copy any appropriate errors and Paste here (Ctrl V).


NOTES
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.

Errors are time coded.

This does not 'fix' anything- it shows us if there was an error in the system or application that is causing the blue screen.
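The filtering the NOTES above ask the user to do by hand (keep Errors and Criticals, post one copy of a recurring Error with the same ID and Source, match against the clock time of the blue screen) can be done over the pasted rows. The script below is an added example for this thread, not part of Event Viewer and not any poster's material. It assumes the rows are the columns Event Viewer's list shows when copied (Level, Date, Time, Source, Event ID, Task Category); the Kernel-Power rows are taken from the thread, while the Warning row, the SampleDriver row and the crash time are constructed for the demo.

```python
"""Apply the Event Viewer instructions above in code: keep only Error and
Critical rows, collapse repeats that share Source, Event ID and task to one
line with a count, and list what landed near the noted crash time.
Added example for this thread; not Event Viewer code and not any poster's
material.  Sample-Service, SampleDriver and the crash time are constructed."""
import re
from collections import OrderedDict
from datetime import datetime, timedelta

ROW_RE = re.compile(
    r"^(?P<level>Critical|Error|Warning|Information|Verbose)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s[AP]M)\s+"
    r"(?P<source>\S+)\s+(?P<id>\d+)\s+(?P<task>.*)$")
CLOCK_FMT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample: Kernel-Power rows copied from the thread, the rest made up for the demo.
SAMPLE_EVENTS = """\
Critical 10/25/2010 9:09:51 PM Kernel-Power 41 None
Critical 10/15/2010 7:26:32 PM Kernel-Power 41 None
Critical 9/12/2010 5:03:49 PM Kernel-Power 41 None
Warning 12/11/2010 9:50:02 PM Sample-Service 100 None
Error 12/11/2010 9:57:40 PM SampleDriver 7 None
Critical 4/17/2010 8:14:44 AM Kernel-Power 41 None
"""


def parse_clock(text):
    """'12/11/2010 10:10:00 PM' -> datetime, the format Event Viewer shows."""
    return datetime.strptime(text, CLOCK_FMT)


def parse_events(text):
    """Turn pasted rows into dicts with a real datetime; lines that do not parse are skipped."""
    events = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        events.append({"level": m["level"], "when": parse_clock(f"{m['date']} {m['time']}"),
                       "source": m["source"], "id": int(m["id"]), "task": m["task"].strip()})
    return events


def keep_errors(events):
    """Warnings and Information rows are noise for this purpose (see the NOTES above)."""
    return [e for e in events if e["level"] in ("Critical", "Error")]


def dedupe(events):
    """One entry per (source, id, task): occurrence count plus first and last time seen."""
    groups = OrderedDict()
    for e in sorted(events, key=lambda e: e["when"]):
        key = (e["source"], e["id"], e["task"])
        g = groups.setdefault(key, {"level": e["level"], "count": 0,
                                    "first": e["when"], "last": e["when"]})
        g["count"] += 1
        g["last"] = e["when"]
    return groups


def near(events, crash_time, minutes=30):
    """Rows inside +/- `minutes` of the clock time noted when the blue screen hit."""
    window = timedelta(minutes=minutes)
    return sorted((e for e in events if abs(e["when"] - crash_time) <= window),
                  key=lambda e: e["when"])


def report(text, crash_time, minutes=30):
    """Lines a user could paste back: one per recurring error, then the crash-window hits."""
    errs = keep_errors(parse_events(text))
    lines = []
    for (source, eid, task), g in dedupe(errs).items():
        lines.append(f"{g['level']:8} {source} {eid} ({task}) x{g['count']}, "
                     f"first {g['first']:{CLOCK_FMT}}, last {g['last']:{CLOCK_FMT}}")
    hits = near(errs, crash_time, minutes)
    lines.append(f"within {minutes} min of crash at {crash_time:{CLOCK_FMT}}: "
                 + (", ".join(f"{e['source']} {e['id']}" for e in hits) or "nothing"))
    return lines


if __name__ == "__main__":
    # Constructed crash time: the GMER scan in the thread ran at 22:13 on 12/11/2010.
    for line in report(SAMPLE_EVENTS, parse_clock("12/11/2010 10:10:00 PM")):
        print(line)
```

The point of the window check is the one made above: an event only helps explain the blue screen if its timestamp sits next to the crash. In the sample, the thirteen Kernel-Power 41 rows from the thread all predate the crash by weeks and collapse to a single summary line, while the constructed SampleDriver error is the only row inside the window.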
 
Are these what you want? Would you like me to include screen shots? These were found under the Critical section.

Critical 10/25/2010 9:09:51 PM Kernel-Power 41 None
Critical 10/15/2010 7:26:32 PM Kernel-Power 41 None
Critical 9/12/2010 5:03:49 PM Kernel-Power 41 None
Critical 8/25/2010 1:30:59 PM Kernel-Power 41 None
Critical 8/3/2010 4:17:33 PM Kernel-Power 41 None
Critical 7/21/2010 12:31:48 PM Kernel-Power 41 None
Critical 7/18/2010 5:16:44 PM Kernel-Power 41 None
Critical 7/13/2010 7:02:28 PM Kernel-Power 41 None
Critical 7/12/2010 6:30:04 PM Kernel-Power 41 None
Critical 7/11/2010 5:00:47 PM Kernel-Power 41 None
Critical 6/6/2010 10:53:58 AM Kernel-Power 41 None
Critical 4/29/2010 8:14:28 PM Kernel-Power 41 None
Critical 4/17/2010 8:14:44 AM Kernel-Power 41 None

They all show the same error message: The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

If this would help, I don't have a battery in my computer. I have to use an AC power adapter since the battery life declined and my battery (which is stock, came with the computer) won't work anymore. It can't even charge. If I have my laptop on, and close the lid, and accidentally unplug it from the outlet or the adapter, it will shut down.
 
If I have my laptop on, and close the lid, and accidentally unplug it from the outlet or the adapter, it will shut down.

When you close the lid, the system goes to sleep or Standby. If it's unplugged in that mode, it will cause an improper shutdown, depending on the state you left it in when closing the top: if the browser was up, maybe email also, they did not go through the proper shutdown cycle. Sleep and Standby are low power cycles, so even though you don't have the battery, the machine would normally be able to support either mode if it is still connected to the power. If you remove the power source, then even the reduced power settings are left with no power.

My suggestion would be to make sure you close all active programs and then use the shut down sequence. It's possible that if you do this, then reboot to bring the system up again, it may stop. But you need to make sure of 2 things:
Make sure the system is shut down correctly before you close it.
Stop 'accidentally' disconnecting the power if it's sleeping or in standby.
=========================================
I did find the following in 2 Windows 7 forums: None mentioned the state of the system before closing the lid.>>>>>

Another user- same problem- finally checked this on advice of another user and it fixed the problem:
Re: Kernel-Power 41 (63) error
....... check my audio drivers. I had three, TWO ATI High def audio drivers and one VIA High def audio
My conclusion is that the two ATI's were fighting echother for the information causing the crash, I disabled one and it works PERFECTLY(thus far) game used to crash sometimes at loading, 10 seconds into game play no more then 20 seconds.. I've been playing for about 3 hours now on all high settings, changin the resolution a couple times a minute trying to cause the crash. I'm unable to cause the crash.

CHECK YOUR AUDIO DRIVERS IN DEVICE MANAGER! If you have more than one DISABLE ONE AT A TIME AND TRY TO CAUSE THE CRASH!
Post #4: http://www.techsupportforum.com/mic...t/434613-solved-kernel-power-41-63-error.html
No spelling corrections are made in quoted text.

And another:
How many people here have kernel power failures/event 41
http://social.technet.microsoft.com...f/thread/df192a83-cdd5-4845-80e2-c7cd168d1e91
 
I did find the following in 2 Windows 7 forums: None mentioned the state of the system before closing the lid.>>>>>

Another user- same problem- finally checked this on advice of another user and it fixed the problem:
Re: Kernel-Power 41 (63) error

Post #4: http://www.techsupportforum.com/mic...t/434613-solved-kernel-power-41-63-error.html
No spelling corrections are made in quoted text.

And another:
How many people here have kernel power failures/event 41
http://social.technet.microsoft.com...f/thread/df192a83-cdd5-4845-80e2-c7cd168d1e91

So then are you saying that I may not have any malware infections at all? Or it's just a problem with a driver? What about the bad image pop ups then? How would I stop those? What are you suggesting?
 
I just totally realized I forgot to attach the attach.dds log! Here it is.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 10/4/2007 8:28:25 PM
System Uptime: 12/13/2010 5:46:12 PM (3 hours ago)

Motherboard: Dell Inc. | | 0UW744
Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-58 | Socket M2/S1G1 | 1900/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 139 GiB total, 53.06 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 6.166 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player 11.5
Adobe® Photoshop® Album Starter Edition 3.2
AppCore
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Magic-i 3
ArcSoft VideoImpression 2
ArcSoft WebCam Companion 2
ATI Catalyst Control Center Ex
ATI PCI Express (3GIO) Filter Driver
Audacity 1.2.6
BlackBerry Desktop Software 4.3
Bonjour
Browser Address Error Redirector
ccCommon
Component Framework
Conexant HDA D110 MDC V.92 Modem
Dell Support Center (Support Software)
Dell System Customization Wizard
Dell Wireless WLAN Card
DellSupport
Digital Line Detect
Drivers Install For Linksys Easylink Advisor
EarthLink Setup Files
Games, Music, & Photos Launcher
GIMP 2.4.6
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Guitar Pro 5.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Button Manager
HP Webcam User's Guide
iTunes
Java(TM) 6 Update 10
Lexmark Z2400 Series
Linksys EasyLink Advisor 1.6 (0032)
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Diagnostic Tool
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Power Tab Editor 1.7
Product Documentation Launcher
QuickSet
QuickTime
RollerCoaster Tycoon 2
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio Media Manager
Roxio Update Manager
SigmaTel Audio
Sonic Activation Module
Sony RAW Driver
SPBBC 32bit
Symantec Real Time Storage Protection Component
SymNet
Synaptics Pointing Device Driver
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
User's Guides
Viewpoint Media Player
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinPcap 4.1.1
WinRAR archiver
XP Codec Pack

==== End Of File ===========================
 
They tell me what programs you have installed, what processes are running, which drivers and Services are on the system, what security programs you have, hardware info, software info. Your log tells me you don't have any restore points, meaning you've either turned them off or removed them, or that a system problem may be causing SR not to run.

If you had given me the other log from DDS, named Attach.txt I would have been able to see Events from the Event Viewer.

I have to determine what should and should not be doing what it's doing, whether an entry is legitimate or not, and on and on and on.

Feel free to open any of the logs and see what's there!
 
I already posted the attach.txt log. I'll post it again right here.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 10/4/2007 8:28:25 PM
System Uptime: 12/13/2010 5:46:12 PM (3 hours ago)

Motherboard: Dell Inc. | | 0UW744
Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-58 | Socket M2/S1G1 | 1900/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 139 GiB total, 53.06 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 6.166 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player 11.5
Adobe® Photoshop® Album Starter Edition 3.2
AppCore
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Magic-i 3
ArcSoft VideoImpression 2
ArcSoft WebCam Companion 2
ATI Catalyst Control Center Ex
ATI PCI Express (3GIO) Filter Driver
Audacity 1.2.6
BlackBerry Desktop Software 4.3
Bonjour
Browser Address Error Redirector
ccCommon
Component Framework
Conexant HDA D110 MDC V.92 Modem
Dell Support Center (Support Software)
Dell System Customization Wizard
Dell Wireless WLAN Card
DellSupport
Digital Line Detect
Drivers Install For Linksys Easylink Advisor
EarthLink Setup Files
Games, Music, & Photos Launcher
GIMP 2.4.6
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Guitar Pro 5.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Button Manager
HP Webcam User's Guide
iTunes
Java(TM) 6 Update 10
Lexmark Z2400 Series
Linksys EasyLink Advisor 1.6 (0032)
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Diagnostic Tool
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Power Tab Editor 1.7
Product Documentation Launcher
QuickSet
QuickTime
RollerCoaster Tycoon 2
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio Media Manager
Roxio Update Manager
SigmaTel Audio
Sonic Activation Module
Sony RAW Driver
SPBBC 32bit
Symantec Real Time Storage Protection Component
SymNet
Synaptics Pointing Device Driver
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
User's Guides
Viewpoint Media Player
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinPcap 4.1.1
WinRAR archiver
XP Codec Pack

==== End Of File ===========================

So, when can we get started with the malware removal? Do you need any other logs or such?

I have a Dell Inspiron 1501 Laptop, with an AMD Turion 64 X2 processor. It's Windows Vista... That's all I know, really.

By the way, I've never had any system restores or restore points. I haven't defragmented my hard drives either.

What do you need from the Event Viewer? Warning, Critical, or Error?
 
Thank you for bringing the thread back to my attention. Sometimes when it's very busy, I may lose track of a thread.

I note the uInternet Settings,ProxyServer = http=127.0.0.1:50370. It appears that Cox is your ISP. Do they require you to set port 50370? If not, this is likely the cause of the redirection. You may have a single problem such as a malware infection adding the port, then redirecting.

I am not saying any of this because I don't have enough information yet:
So then are you saying that I may not have any malware infections at all? Or it's just a problem with a driver? What about the bad image pop ups then? How would I stop those? What are you suggesting?

Nor do we expect running the steps in the preliminary thread will cure all or any problems:
"Bad Image" issue, which started only last night after trying to open a few corrupted .pdf files, before going any further with diagnostics and repair.
Among the Bad Image issue, I have the google redirect issue, which I've seen quite a bit, and the .dll-program issue, which comes up in the same error message as the "Bad Image" thing.

I don't know yet if the corrupt PDF file is causing the bad image or if there was malware in it that activated when you opened it.

Bad image is basically a technical way of saying the file or entry doesn't 'look' like it's supposed to. There are many different causes for this: some only system related, some caused by malware, or a combination of the two.
=======================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image
    (image: RcAuto1.gif)

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    (image: whatnext.png)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe (image: cf-icon.jpg) & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
========================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

The bad image problem you have is directly related to the corrupt PDF file you opened. It would be helpful to have some information about the file.
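The checks the helper makes by eye on these logs (a ProxyServer entry pointing at the loopback address, Security Center monitoring switched off, EnableLUA set to 0) as a small triage script. This is an added example, not part of the thread and not ComboFix's own code; the log excerpt it reads is constructed in the layout of the ComboFix logs posted here, and the function and constant names are the example's own.

```python
import re

# Constructed sample in the layout of the ComboFix 'Reg Loading Points' and
# 'Supplementary Scan' sections posted in this thread (not a real log).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Svc\\S-1-5-21-0-0-0-1000]
"EnableNotificationsRef"=dword:00000001

uStart Page = hxxp://www.example.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")


def parse_registry(text):
    """Return {key_lowercase: {value_name: raw_value}} for REGEDIT4-style lines."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def reg_int(raw):
    """Decode 'dword:00000001' or '0 (0x0)' style values to an int; None if neither."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^-?\d+", raw)
    return int(m.group(0)) if m else None


def parse_proxy(text):
    """Return {scheme: (host, port)} from the ProxyServer line.

    IE stores either 'host:port' (scheme reported as '*') or a ';'-separated
    list of 'scheme=host:port' entries.
    """
    proxies = {}
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        for entry in m.group(1).split(";"):
            entry = entry.strip()
            if not entry:
                continue
            scheme, _, hostport = entry.rpartition("=")   # scheme is '' when absent
            host, _, port = hostport.rpartition(":")
            if not host:                                   # no port given
                host, port = hostport, "0"
            proxies[scheme or "*"] = (host, int(port) if port.isdigit() else 0)
    return proxies


def is_loopback(host):
    return host.lower() == "localhost" or host.startswith("127.")


def triage(text):
    """Flag the settings discussed in the thread; returns a list of finding strings."""
    findings = []
    for key, values in parse_registry(text).items():
        if key.endswith(r"\policies\system") and reg_int(values.get("EnableLUA", "")) == 0:
            findings.append(f"UAC disabled (EnableLUA=0) at {key}")
        if r"security center\monitoring" in key and reg_int(values.get("DisableMonitoring", "")) == 1:
            findings.append(f"Security Center monitoring disabled at {key}")
    for scheme, (host, port) in parse_proxy(text).items():
        if is_loopback(host):
            # A loopback proxy is only a problem if nothing legitimate listens there;
            # the user must confirm whether the ISP or a local program requires it.
            findings.append(f"IE {scheme} proxy points at loopback {host}:{port}; "
                            "confirm it is required, otherwise a likely redirect mechanism")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A Security Center "DisableMonitoring" flag is also set legitimately by some third-party suites to stop duplicate alerts, so the script reports it for review rather than as a verdict.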
 
I only had google redirects for about a night or so. Cox requires me to set to Port 50370, but after a problem with my LAN settings I stopped connecting manually to the proxy server and checked the box "Automatically detect settings" under Internet Options>Connections>LAN Settings, in IE.

Ran Combofix and everything seems better! No more "bad images!" What I DID find weird though was that I was never prompted about a Windows Recovery Console, although I had so many "Bad Image" pop ups come up because of the program accessing other programs and had to click "OK" so many times. Do I need the WRC?

PDF's came from this site: http://www.kokoweef.com/
They were about the legend of the mine and such.

Here's the Combofix log:

ComboFix 10-12-20.01 - Albert 12/20/2010 12:34:48.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1917.1200 [GMT -8:00]
Running from: c:\users\Albert\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Albert\mstsc.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-20 to 2010-12-20 )))))))))))))))))))))))))))))))
.

2010-12-20 20:28 . 2010-12-20 20:30 -------- d-----w- C:\32788R22FWJFW
2010-12-17 23:11 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81A344F4-CD2A-4902-9CBB-9D74CB3626BC}\mpengine.dll
2010-12-15 01:38 . 2010-12-20 03:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-15 01:38 . 2010-12-19 21:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-12-12 04:10 . 2010-12-12 04:10 -------- d-----w- c:\users\Albert\AppData\Roaming\Malwarebytes
2010-12-12 04:10 . 2010-11-30 01:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 04:10 . 2010-12-12 04:10 -------- d-----w- c:\programdata\Malwarebytes
2010-12-12 04:10 . 2010-12-12 04:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-12 04:10 . 2010-11-30 01:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-11 02:17 . 2010-12-11 02:17 478720 --sha-w- c:\windows\system32\cscutil.dll
2010-12-10 22:29 . 2010-12-10 22:29 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-12-02 05:39 . 2008-02-27 23:09 17064 ----a-w- c:\windows\system32\lxdqwupd.exe
2010-12-02 05:39 . 2007-11-21 14:39 102400 ----a-w- c:\windows\system32\lxdqwupd.dll
2010-12-02 05:38 . 2007-11-28 23:09 348160 ----a-w- c:\windows\system32\LXDQinst.dll
2010-12-02 05:37 . 2009-08-13 20:02 147968 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxdqdrpp.dll
2010-12-02 05:37 . 2010-12-02 05:46 -------- d-----w- c:\program files\Lexmark Z2400 Series
2010-12-02 01:30 . 2010-12-02 01:34 -------- d-----w- c:\program files\Linksys EasyLink Advisor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 18:41 . 2009-10-04 17:44 222080 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-4 50688]
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2010-4-9 266240]
Magic-i.lnk - c:\program files\ArcSoft\Magic-i 3\Magic-i.exe [2010-4-9 530944]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-10-4 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1281210887-1614234157-3903570788-1000]
"EnableNotificationsRef"=dword:00000001

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-31 23888]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-17 30192]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20101215.001\IDSvix86.sys [2010-09-15 287792]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe [2008-02-27 594600]
S2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdqserv.exe [2009-04-28 94208]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-01-27 50704]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2006-11-02 16896]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-12-11 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Albert.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2008-02-07 14:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ww2.cox.com/myconnection/lasvegas/home.cox
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071005
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-20 12:42
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP000000708C4E573586EB6A78 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-12-20 12:48:06
ComboFix-quarantined-files.txt 2010-12-20 20:47

Pre-Run: 62,309,982,208 bytes free
Post-Run: 62,312,402,944 bytes free

- - End Of File - - D5A589C531142C38BD54FDD0E447868F


I tried running ESET but after I clicked "Start" a pop up window came up and it couldn't show a picture nor start the scan.
 
I'm sorry for the posting problems you've had. There has been a glitch on the board that we're trying to chase down. Your Combofix log looks good- just a couple of things:

Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it (be sure to scroll down to include ALL lines):
Code:
File::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Please try to run this online virus scan: Kaspersky Online Scanner in Internet Explorer

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
===================================
Follow with Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

I'll check the logs and if no removals are needed, I'll have you remove the cleaning tools.
 
Okay, I was able to see the thread provided through the PM you sent me. I'll be sure to follow your instructions tomorrow when I have more time.

Thanks!
 
Here is the Combofix log:

ComboFix 10-12-25.02 - Albert 12/25/2010 23:08:24.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1917.1168 [GMT -8:00]
Running from: c:\users\Albert\Desktop\ComboFix.exe
Command switches used :: c:\users\Albert\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-11-26 to 2010-12-26 )))))))))))))))))))))))))))))))
.

2010-12-26 07:15 . 2010-12-26 07:15 -------- d-----w- c:\users\Albert\AppData\Local\temp
2010-12-26 07:15 . 2010-12-26 07:15 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2010-12-26 07:15 . 2010-12-26 07:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-25 20:52 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A166F29A-AC1B-44C3-88DE-C55811F873BA}\mpengine.dll
2010-12-21 04:42 . 2010-12-21 04:42 -------- d-----w- c:\programdata\DivX
2010-12-15 01:38 . 2010-12-20 03:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-15 01:38 . 2010-12-19 21:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-12-12 04:10 . 2010-12-12 04:10 -------- d-----w- c:\users\Albert\AppData\Roaming\Malwarebytes
2010-12-12 04:10 . 2010-11-30 01:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 04:10 . 2010-12-12 04:10 -------- d-----w- c:\programdata\Malwarebytes
2010-12-12 04:10 . 2010-12-12 04:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-12 04:10 . 2010-11-30 01:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-11 02:17 . 2010-12-11 02:17 478720 --sha-w- c:\windows\system32\cscutil.dll
2010-12-10 22:29 . 2010-12-10 22:29 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-12-02 05:39 . 2008-02-27 23:09 17064 ----a-w- c:\windows\system32\lxdqwupd.exe
2010-12-02 05:39 . 2007-11-21 14:39 102400 ----a-w- c:\windows\system32\lxdqwupd.dll
2010-12-02 05:38 . 2007-11-28 23:09 348160 ----a-w- c:\windows\system32\LXDQinst.dll
2010-12-02 05:37 . 2009-08-13 20:02 147968 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxdqdrpp.dll
2010-12-02 05:37 . 2010-12-02 05:46 -------- d-----w- c:\program files\Lexmark Z2400 Series
2010-12-02 01:30 . 2010-12-02 01:34 -------- d-----w- c:\program files\Linksys EasyLink Advisor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 18:41 . 2009-10-04 17:44 222080 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-4 50688]
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2010-4-9 266240]
Magic-i.lnk - c:\program files\ArcSoft\Magic-i 3\Magic-i.exe [2010-4-9 530944]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-10-4 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1281210887-1614234157-3903570788-1000]
"EnableNotificationsRef"=dword:00000001

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-31 23888]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-17 30192]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20101215.001\IDSvix86.sys [2010-09-15 287792]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe [2008-02-27 594600]
S2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdqserv.exe [2009-04-28 94208]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-01-27 50704]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2006-11-02 16896]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-12-11 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Albert.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2008-02-07 14:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ww2.cox.com/myconnection/lasvegas/home.cox
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071005
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-25 23:15
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-25 23:18:55
ComboFix-quarantined-files.txt 2010-12-26 07:18
ComboFix2.txt 2010-12-20 20:48

Pre-Run: 62,179,807,232 bytes free
Post-Run: 62,410,293,248 bytes free

- - End Of File - - DBC76A5BD3B56027A26EED7C1FD7D2EA



I received an error message from Kaspersky Online Scanner: Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: Anti-virus database was updated after license expiry]

I don't have time at the moment to do the HijackThis information. I will do it soon though. What do I do about the online scanner?
 
I'd still like to get an online scan. I went back over the logs- maybe I missed it, but I usually have you run an Eset online virus scan. If that doesn't work for any reason, then I suggest the Kaspersky scan.


Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

As far as I know, from what you say, the problems of the bad image have been resolved. Is there any other area of concern about malware?

I do want to bring your attention to a couple of things: according to the list of installed programs, all of the following are installed separately for Norton security:
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Symantec Real Time Storage Protection Component
SymNet (SymNet is a component of the Firewall application installed with Norton products.)

Some of us complain about the Norton 'bloat'- something to consider.

You also have the following loading from the Registry> do you use either of these?
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

Your logs are free of malware so far.
 
Here's the online ESET scan log. It worked this time.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=1998bb39964f2f449cfacd9fb13dcbea
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-29 01:06:41
# local_time=2010-12-28 05:06:41 (-0800, Pacific Standard Time)
# country="United States"
# lang=9
# osver=6.0.6000 NT
# compatibility_mode=3584 16777191 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 0 130186874 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=150266
# found=1
# cleaned=0
# scan_time=5455
C:\Users\Albert\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\25d09bb3-16c47571 Java/TrojanDownloader.OpenStream.NAC trojan (unable to clean) 00000000000000000000000000000000 I


My "bad image" pop ups are completely gone. I'm not concerned about anything else. Unless you see anything else that needs attention.

Norton is a bit... weird. I am using the remainder of my subscription but not using anymore after this year. I have approximately 50 days left of it. I figure I'll just download something that you recommend (preferably free AV software).

The registry keys? I'm assuming those are codes you plug in so you can get the chance to register your product. As far as I know, I don't use them. But how can I make sure? Is this important?

ESET did find one infected file, still after doing combofix. Where do we go from here? Almost done, I assume!
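The ESET log posted above has a fixed shape: `# key=value` header lines followed by one line per detection (path, threat name, status in parentheses, a 32-hex-digit hash and a flag). The script below is an added example, not part of this thread and not an ESET tool: it parses that format, cross-checks the `found`/`cleaned` counters against the detection lines, and flags which detections still need manual removal and which sit in the Java deployment cache (where clearing the cache removes them). The sample log is constructed (the first detection line mirrors the one above; the second, with a path containing spaces and a made-up `Win32/Example.Sample` name, is invented to exercise the parser), and the rule that splits path from threat name on the first token containing `/` is my heuristic, not ESET's documented format.

```python
"""Triage helper for ESET Online Scanner logs (added example, not an ESET tool)."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Fragment of the Java cache path as it appears in the thread's log (lower-cased).
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"
# Words ESET may put in front of the Family/Name token of a detection name (heuristic).
THREAT_PREFIX_WORDS = {"a", "variant", "of", "probably", "multiple", "threats"}
# Status words that mean the scanner already dealt with the object.
HANDLED_WORDS = ("cleaned", "deleted", "quarantined")

HEADER_RE = re.compile(r"^#\s*(?P<key>[A-Za-z0-9_.]+)=(?P<value>.*)$")
# <path> <threat name> (<status>) <32-hex-digit hash> <flag>
DETECTION_RE = re.compile(
    r"^(?P<left>.+?)\s+\((?P<status>[^()]*)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)\s*$"
)


class Detection(NamedTuple):
    path: str
    threat: str
    status: str
    in_java_cache: bool
    needs_manual_removal: bool


def _split_path_and_threat(left: str) -> Tuple[str, str]:
    """Split '<path> <threat name>' at the first token containing '/'.

    Windows paths never contain '/', while ESET names look like Family/Name.Variant,
    so this still works when the path itself contains spaces.  Prefix words such as
    'a variant of' are pulled back into the threat name.  Heuristic, not a spec.
    """
    tokens = left.split()
    idx = next((i for i, t in enumerate(tokens) if "/" in t), None)
    if idx is None:
        return left, ""
    while idx > 0 and tokens[idx - 1].lower() in THREAT_PREFIX_WORDS:
        idx -= 1
    return " ".join(tokens[:idx]), " ".join(tokens[idx:])


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Return (header dict, detection list) for a log in the posted format."""
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("value").strip().strip('"')
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # banner lines such as 'OnlineScanner.ocx - registred OK'
        path, threat = _split_path_and_threat(m.group("left"))
        if not re.match(r"^[A-Za-z]:\\", path):
            continue  # not a Windows path, so not a detection line
        status = m.group("status").strip()
        handled = any(w in status.lower() for w in HANDLED_WORDS)
        detections.append(Detection(path, threat, status,
                                    JAVA_CACHE_MARKER in path.lower(), not handled))
    return header, detections


def consistency_notes(header: Dict[str, str], detections: List[Detection]) -> List[str]:
    """Cross-check the header counters against the detection lines actually present."""
    notes: List[str] = []
    found = int(header.get("found", "0"))
    cleaned = int(header.get("cleaned", "0"))
    if found != len(detections):
        notes.append(f"header says found={found} but {len(detections)} detection lines parsed")
    handled = sum(1 for d in detections if not d.needs_manual_removal)
    if cleaned != handled:
        notes.append(f"header says cleaned={cleaned} but {handled} detections show a handled status")
    return notes


# Constructed sample: the first detection line mirrors the log in the thread; the
# header values and the second detection line are made up for the demonstration.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=true
# unwanted_checked=true
# scanned=150266
# found=2
# cleaned=1
C:\Users\Albert\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\25d09bb3-16c47571 Java/TrojanDownloader.OpenStream.NAC trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Albert\Downloads\setup tool.exe a variant of Win32/Example.Sample application (cleaned by deleting - quarantined) 11111111111111111111111111111111 C
"""

if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    print(f"scanned={hdr.get('scanned')} found={hdr.get('found')} cleaned={hdr.get('cleaned')}")
    for d in dets:
        where = " (Java cache: removed by clearing the cache)" if d.in_java_cache else ""
        action = "MANUAL REMOVAL" if d.needs_manual_removal else "handled by ESET"
        print(f"{action}: {d.path} -> {d.threat} [{d.status}]{where}")
    for n in consistency_notes(hdr, dets):
        print("NOTE:", n)
```

Run it against a saved `log.txt` by passing the file contents to `parse_eset_log`; a non-empty result from `consistency_notes` means the pasted log is incomplete or mixed from two runs, which is worth knowing before acting on it.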
 
Good. Glad to see Eset. The entry is easy to remove. I'll have you do it directly first, then run it through OTMoveIt to make sure it's gone:

To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
  • [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
  • [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  • [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
    There are three options on this window to clear the cache. Check all:
    • Delete Files
    • View Applications
    • View Applets
  • [5]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
  • [6]. Click Apply > OK on Temporary Files Settings window.
Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.
=========================================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes
    :Files
    C:\Users\Albert\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\25d09bb3-16c47571
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
========================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it:
Code:
File::
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"=-
Save this as CFScript.txt, in the same location as ComboFix.exe.
(image: CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
IF you do not use the Dell Support Center, it can be uninstalled in Add/Remove Programs.
The program folder can be deleted using Windows Explorer: Windows key + E > Computer > Local Drive > Programs. You must sign in under the Administrative Account. And if you get a message about 'no right to access', let me know and I'll run you through taking ownership.
===============================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name > click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.
  • Empty the Recycle Bin
============================================
Suggestion for free, good antivirus program > choose only one:
  • Avira Free
  • Avast Home
 
When I delete the temporary files under Java, I'm also prompted for deleting "trace and log files" too. Should I leave this checked or unchecked?

Do you still want me to do the HiJackThis instructions? I haven't downloaded the program nor used it for anything yet, I forgot about it.

Now, I'll get to the scans and stuff soon. I'm on vacation and just trying to keep the thread alive before dying and not becoming unable to get my computer free of malware and stuff. But I promise I will do the scans!
 