Solved Bad Image virus on Dell Windows XP

Quadrinity

Posts: 34   +0
I just got this virus yesterday. I don't claim to be a computer expert, and have been trying to deal with this on my own.
I have AVG - didn't catch it. Downloaded and paid for File Cleaner by Web Minds - apparently not the program I need.
Downloaded Malwarebytes and ran 2 scans.
Here are the results:

Scan #1
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.06.10.06
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Moira :: MOIRA-9AEF92C25 [administrator]
6/10/2013 12:06:38 PM
mbam-log-2013-06-10 (12-06-38).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210320
Time elapsed: 13 minute(s), 55 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 7
HKCR\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9} (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKCR\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476} (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKCR\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67} (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96} (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKCR\Updater.AmiUpd.1 (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKCR\Updater.AmiUpd (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Dropper) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 1
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
Folders Detected: 1
C:\Documents and Settings\Moira\Application Data\SwvUpdater (PUP.Software.Updater) -> Quarantined and deleted successfully.
Files Detected: 5
C:\Documents and Settings\Moira\Application Data\SwvUpdater\Updater.exe (PUP.Software.Updater) -> Quarantined and deleted successfully.
C:\Downloads\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Moira\Application Data\SwvUpdater\Updater.xml (PUP.Software.Updater) -> Quarantined and deleted successfully.
C:\Documents and Settings\Moira\Application Data\SwvUpdater\status.cfg (PUP.Software.Updater) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\AmiUpdXp.job (PUP.Software.Updater) -> Quarantined and deleted successfully.
(end)
Scan #2
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.06.10.06
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Moira :: MOIRA-9AEF92C25 [administrator]
6/10/2013 12:34:51 PM
mbam-log-2013-06-10 (12-34-51).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 371716
Time elapsed: 2 hour(s), 44 minute(s), 15 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\System Volume Information\_restore{F1A1C84E-C5BB-438E-87EF-2B8CB4D50447}\RP415\A0135932.dll (PUP.Adware.MultiPlug) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F1A1C84E-C5BB-438E-87EF-2B8CB4D50447}\RP422\A0145645.dll (PUP.Adware.MultiPlug) -> Quarantined and deleted successfully.
(end)
Spent 2 days on this -still getting Bad Image pop ups all the time.
Help!
 
Welcome aboard

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
I updated MBAM and just ran the scan:
Do you want me to wait to do Step 3 - DDS?
Thanks!

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.06.11.01
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Moira :: MOIRA-9AEF92C25 [administrator]
6/10/2013 8:57:12 PM
mbam-log-2013-06-10 (20-57-12).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211398
Time elapsed: 20 minute(s), 18 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
 
Okay, so I am totally confused.
The Notepad box automatically opened up, and there was no where for me to "make sure everything is checked, and click Remove Selected"
What step did I miss?
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.21.2
Run by Moira at 21:24:02 on 2013-06-10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.830 [GMT -5:00]

FW: AVG Firewall *Enabled*
.
============== Running Processes ================
.
\??\C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SearchProtect\bin\CltMngSvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Memeo\AutoBackupPro\MemeoBackgroundService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Seagate\Seagate Dashboard\MemeoDashboard.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
\??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe
\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.canada.com/news/index.html
mStart Page = hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA
uURLSearchHooks: express-files Toolbar: {88ac3cb6-596b-4217-964c-b6757ef9602d} - c:\program files\express-files\prxtbexp2.dll
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: BitComet Helper: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg10\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: express-files Toolbar: {88ac3cb6-596b-4217-964c-b6757ef9602d} - c:\program files\express-files\prxtbexp2.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\15.2.0.5\AVG Secure Search_toolbar.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: express-files Toolbar: {88AC3CB6-596B-4217-964C-B6757EF9602D} - c:\program files\express-files\prxtbexp2.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\15.2.0.5\AVG Secure Search_toolbar.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: express-files Toolbar: {88ac3cb6-596b-4217-964c-b6757ef9602d} - c:\program files\express-files\prxtbexp2.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WeatherEye] c:\documents and settings\moira\local settings\application data\theweathernetwork\weathereye\WeatherEye.exe
uRun: [SearchProtect] c:\documents and settings\moira\application data\searchprotect\bin\cltmng.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Memeo AutoSync] c:\program files\memeo\autosync\MemeoLauncher2.exe --silent
mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Memeo Backup Premium] c:\program files\memeo\autobackuppro\MemeoLauncher2.exe --silent --no_ui
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SearchProtectAll] c:\program files\searchprotect\bin\cltmng.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [SearchProtect] c:\windows\system32\config\systemprofile\application data\searchprotect\bin\cltmng.exe
StartupFolder: c:\docume~1\moira\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\coreld~1.lnk - c:\corel\suite8\programs\DAD8.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio -viewer-\PhAutoRun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.3.0/GarminAxControl_32.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1370906202875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
TCP: NameServer = 142.165.200.5 142.165.21.5
TCP: Interfaces\{64C1928F-95F8-46A0-A2AE-587A3EC4E093} : DHCPNameServer = 142.165.200.5 142.165.21.5
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\turbotax 2011\ic2011pp.dll
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files\turbotax 2012\ic2012pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\15.2.0\ViProtocol.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs= c:\progra~1\browse~1\sprote~1.dll c:\progra~1\websea~1\sprote~1.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA&l=1&q=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - www.yahoo.ca
FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}\plugins\npConduitFirefoxPlugin.dll
FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{88ac3cb6-596b-4217-964c-b6757ef9602d}\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{88ac3cb6-596b-4217-964c-b6757ef9602d}\plugins\npConduitFirefoxPlugin.dll
FF - plugin: c:\documents and settings\moira\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\15.2.0\npsitesafety.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\research in motion limited\blackberry app world browser plugin\npappworld.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll
FF - ExtSQL: 2013-06-01 17:41; {739df940-c5ee-4bab-9d7e-270894ae687a}; c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 255968]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-3 37664]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-3-9 2708024]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2012-1-31 7391072]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\searchprotect\bin\CltMngSvc.exe [2013-3-6 93984]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackuppro\MemeoBackgroundService.exe [2010-4-22 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2011-6-1 14088]
R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\15.2.0\ToolbarUpdater.exe [2013-6-6 1015984]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 Blackberry Device Manager;BlackBerry Device Manager;c:\program files\common files\research in motion\usb drivers\BbDevMgr.exe [2013-1-18 577536]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-6-8 167264]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 cpuz134;cpuz134;\??\e:\apps\pc wizard\pcwiz_x32.sys --> e:\apps\pc wizard\pcwiz_x32.sys [?]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2011-10-7 21504]
.
=============== File Associations ===============
.
FileExt: .js: jsfile=c:\corel\suite8\programs\ccwin\Cscape.exe
ShellExec: BitComet.exe: open="c:\program files\bitcomet\BitComet.exe"
ShellExec: Cscape.exe: Open=c:\corel\suite8\programs\ccwin\Cscape.exe
.
=============== Created Last 30 ================
.
2013-06-10 17:03:52 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-06-10 17:03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-06-10 16:31:42 -------- d-----w- c:\documents and settings\moira\application data\Foresight Software
2013-06-10 16:31:12 -------- d-----w- c:\documents and settings\all users\application data\Foresight Software
2013-06-10 02:55:17 -------- d-----w- c:\documents and settings\moira\application data\RegistryTool
2013-06-10 02:54:59 -------- d-----w- c:\program files\RegistryTool
2013-06-03 02:20:19 -------- d-----w- c:\program files\common files\XCPCSync.OEM
2013-05-24 02:49:59 -------- d-----w- c:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
.
==================== Find3M ====================
.
2013-06-06 18:02:30 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-05-16 02:07:53 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-16 02:07:53 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-16 22:17:15 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17:14 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17:14 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28:55 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 10:35:08 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
============= FINISH: 21:25:43.76 ===============
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.21.2
Run by Moira at 21:24:02 on 2013-06-10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.830 [GMT -5:00]
.
FW: AVG Firewall *Enabled*
.
============== Running Processes ================
.
\??\C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SearchProtect\bin\CltMngSvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Memeo\AutoBackupPro\MemeoBackgroundService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Seagate\Seagate Dashboard\MemeoDashboard.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
\??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe
\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.canada.com/news/index.html
mStart Page = hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA
uURLSearchHooks: express-files Toolbar: {88ac3cb6-596b-4217-964c-b6757ef9602d} - c:\program files\express-files\prxtbexp2.dll
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: BitComet Helper: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg10\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: express-files Toolbar: {88ac3cb6-596b-4217-964c-b6757ef9602d} - c:\program files\express-files\prxtbexp2.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\15.2.0.5\AVG Secure Search_toolbar.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: express-files Toolbar: {88AC3CB6-596B-4217-964C-B6757EF9602D} - c:\program files\express-files\prxtbexp2.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\15.2.0.5\AVG Secure Search_toolbar.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: express-files Toolbar: {88ac3cb6-596b-4217-964c-b6757ef9602d} - c:\program files\express-files\prxtbexp2.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WeatherEye] c:\documents and settings\moira\local settings\application data\theweathernetwork\weathereye\WeatherEye.exe
uRun: [SearchProtect] c:\documents and settings\moira\application data\searchprotect\bin\cltmng.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Memeo AutoSync] c:\program files\memeo\autosync\MemeoLauncher2.exe --silent
mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Memeo Backup Premium] c:\program files\memeo\autobackuppro\MemeoLauncher2.exe --silent --no_ui
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SearchProtectAll] c:\program files\searchprotect\bin\cltmng.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [SearchProtect] c:\windows\system32\config\systemprofile\application data\searchprotect\bin\cltmng.exe
StartupFolder: c:\docume~1\moira\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\coreld~1.lnk - c:\corel\suite8\programs\DAD8.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio -viewer-\PhAutoRun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.3.0/GarminAxControl_32.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1370906202875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
TCP: NameServer = 142.165.200.5 142.165.21.5
TCP: Interfaces\{64C1928F-95F8-46A0-A2AE-587A3EC4E093} : DHCPNameServer = 142.165.200.5 142.165.21.5
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\turbotax 2011\ic2011pp.dll
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files\turbotax 2012\ic2012pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\15.2.0\ViProtocol.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs= c:\progra~1\browse~1\sprote~1.dll c:\progra~1\websea~1\sprote~1.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA&l=1&q=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - www.yahoo.ca
FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}\plugins\npConduitFirefoxPlugin.dll
FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{88ac3cb6-596b-4217-964c-b6757ef9602d}\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{88ac3cb6-596b-4217-964c-b6757ef9602d}\plugins\npConduitFirefoxPlugin.dll
FF - plugin: c:\documents and settings\moira\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\15.2.0\npsitesafety.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\research in motion limited\blackberry app world browser plugin\npappworld.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll
FF - ExtSQL: 2013-06-01 17:41; {739df940-c5ee-4bab-9d7e-270894ae687a}; c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 255968]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-3 37664]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-3-9 2708024]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2012-1-31 7391072]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\searchprotect\bin\CltMngSvc.exe [2013-3-6 93984]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackuppro\MemeoBackgroundService.exe [2010-4-22 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2011-6-1 14088]
R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\15.2.0\ToolbarUpdater.exe [2013-6-6 1015984]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 Blackberry Device Manager;BlackBerry Device Manager;c:\program files\common files\research in motion\usb drivers\BbDevMgr.exe [2013-1-18 577536]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-6-8 167264]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 cpuz134;cpuz134;\??\e:\apps\pc wizard\pcwiz_x32.sys --> e:\apps\pc wizard\pcwiz_x32.sys [?]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2011-10-7 21504]
.
=============== File Associations ===============
.
FileExt: .js: jsfile=c:\corel\suite8\programs\ccwin\Cscape.exe
ShellExec: BitComet.exe: open="c:\program files\bitcomet\BitComet.exe"
ShellExec: Cscape.exe: Open=c:\corel\suite8\programs\ccwin\Cscape.exe
.
=============== Created Last 30 ================
.
2013-06-10 17:03:52 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-06-10 17:03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-06-10 16:31:42 -------- d-----w- c:\documents and settings\moira\application data\Foresight Software
2013-06-10 16:31:12 -------- d-----w- c:\documents and settings\all users\application data\Foresight Software
2013-06-10 02:55:17 -------- d-----w- c:\documents and settings\moira\application data\RegistryTool
2013-06-10 02:54:59 -------- d-----w- c:\program files\RegistryTool
2013-06-03 02:20:19 -------- d-----w- c:\program files\common files\XCPCSync.OEM
2013-05-24 02:49:59 -------- d-----w- c:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
.
==================== Find3M ====================
.
2013-06-06 18:02:30 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-05-16 02:07:53 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-16 02:07:53 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-16 22:17:15 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17:14 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17:14 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28:55 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 10:35:08 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
============= FINISH: 21:25:43.76 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/22/2005 3:37:18 AM
System Uptime: 6/10/2013 5:44:27 PM (4 hours ago)
.
Motherboard: Dell Inc. | |
Processor: Intel(R) Pentium(R) M processor 1.60GHz | Microprocessor | 1596/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 71 GiB total, 4.871 GiB free.
D: is CDROM ()
F: is FIXED (NTFS) - 466 GiB total, 266.778 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: ROOT\LEGACY_SASDIFSV\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_SASDIFSV\0000
Service:
.
Class GUID:
Description:
Device ID: ROOT\LEGACY_SASKUTIL\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_SASKUTIL\0000
Service:
.
==== System Restore Points ===================
.
RP392: 3/11/2013 5:44:38 PM - System Checkpoint
RP393: 3/12/2013 6:03:35 PM - System Checkpoint
RP394: 3/12/2013 9:09:03 PM - Software Distribution Service 3.0
RP395: 3/13/2013 5:32:08 PM - Software Distribution Service 3.0
RP396: 3/14/2013 6:38:15 PM - System Checkpoint
RP397: 3/16/2013 5:55:26 PM - System Checkpoint
RP398: 3/17/2013 3:13:19 PM - Software Distribution Service 3.0
RP399: 3/18/2013 4:01:53 PM - System Checkpoint
RP400: 3/18/2013 7:46:03 PM - Software Distribution Service 3.0
RP401: 3/20/2013 6:46:06 PM - System Checkpoint
RP402: 3/23/2013 12:16:50 PM - System Checkpoint
RP403: 3/23/2013 4:49:25 PM - Installed TurboTax 2012.
RP404: 3/24/2013 5:41:41 PM - System Checkpoint
RP405: 3/25/2013 8:31:33 PM - System Checkpoint
RP406: 3/27/2013 6:19:57 PM - System Checkpoint
RP407: 4/1/2013 6:13:11 PM - System Checkpoint
RP408: 4/2/2013 7:17:02 PM - System Checkpoint
RP409: 4/4/2013 5:25:40 PM - System Checkpoint
RP410: 4/6/2013 3:24:47 PM - System Checkpoint
RP411: 4/7/2013 9:53:28 PM - System Checkpoint
RP412: 4/11/2013 9:59:40 PM - System Checkpoint
RP413: 4/11/2013 10:09:30 PM - Software Distribution Service 3.0
RP414: 4/12/2013 10:10:09 PM - System Checkpoint
RP415: 4/19/2013 7:11:36 AM - Installed Java 7 Update 21
RP416: 4/25/2013 6:45:12 PM - System Checkpoint
RP417: 4/27/2013 9:27:37 AM - Installed FileCleaner
RP418: 5/2/2013 5:43:46 PM - System Checkpoint
RP419: 5/3/2013 7:11:15 PM - System Checkpoint
RP420: 5/15/2013 9:41:51 PM - Software Distribution Service 3.0
RP421: 5/25/2013 4:02:47 PM - System Checkpoint
RP422: 6/9/2013 3:25:09 PM - System Checkpoint
RP423: 6/9/2013 9:54:54 PM - Installed RegistryTool
RP424: 6/9/2013 10:08:37 PM - Removed RegistryTool
RP425: 6/10/2013 4:41:08 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.7)
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Software Suite
AVG 2011
AVG PC Tuneup 2011
AVG Security Toolbar
BitComet 1.31
BlackBerry App World Browser Plugin
BlackBerry Desktop Software 7.1
BlackBerry Device Software v5.0.0 for the BlackBerry 8530 smartphone
Bonjour
Broadcom 440x 10/100 Integrated Controller
BrowseToSave 1.74
Conexant D110 MDC V.9x Modem
Corel WordPerfect Suite 8
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Wireless WLAN Card
express-files Toolbar
FileCleaner
FrostWire 4.21.8
FrostWire 5.5.5
Garmin Communicator Plugin
Garmin Lifetime Updater
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB961118)
Intel RSX 3D
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
iTunes
Java 7 Update 21
Java Auto Updater
Java(TM) 6 Update 31
Kobo
Malwarebytes Anti-Malware version 1.75.0.1300
mCore
mDriver
mDrWiFi
Memeo AutoSync
Memeo Backup Premium
Memeo LifeAgent Explorer Extension
Memeo Share
mHlpDell
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 14
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
mIWA
mLogView
mMHouse
Mozilla Firefox 20.0.1 (x86 en-US)
Mozilla Maintenance Service
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
mWlsSafe
mWMI
mZConfig
PHOTOfunSTUDIO -viewer-
QuickTime
Seagate Dashboard
Search Assistant WebSearch 1.74
Search Protect by conduit
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Shopping InContext
Skype Toolbars
Skype™ 5.10
System Requirements Lab for Intel
TurboTax 2010
TurboTax 2011
TurboTax 2012
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
WeatherEye
WebFldrs XP
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
6/9/2013 4:03:52 PM, error: w29n51 [5010] - Intel(R) PRO/Wireless 2200BG Network Connection : The adapter has returned an invalid value to the driver.
6/9/2013 4:03:51 PM, error: w29n51 [5031] - Intel(R) PRO/Wireless 2200BG Network Connection : The adapter has detected an Adapter Check as a result of some unrecoverable hardware of software error. Please contact your service provider.
6/7/2013 10:15:52 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
6/7/2013 10:14:55 AM, error: Print [23] - Printer Corel Barista failed to initialize because a suitable Corel Barista driver could not be found.
6/5/2013 11:22:03 AM, error: PSched [14103] - QoS [Adapter {88E301D1-4F26-48FC-8F5F-DF514C1652C8}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.
6/3/2013 11:25:00 PM, error: Dhcp [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 0012F001609A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
6/10/2013 8:47:12 PM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 0012F001609A has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
6/10/2013 12:28:42 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
.
==== End Of File ===========================
 
That was for MBAM. You did fine.

redtarget.gif
Download RogueKiller for 32bit or Roguekiller for 64bit to your Desktop.
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

redtarget.gif
Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

Download Malwarebytes Anti-Rootkit (MBAR) from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt

===========================================================
Note: <<<< - very important - please do this step:
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall
(if used)
If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit located in the mbar\plugins folder and reboot.
Verify that your system is now functioning normally.
 
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Moira [Admin rights]
Mode : Remove -- Date : 06/11/2013 18:31:12
| ARK || FAK || MBR |
¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] WeatherEye.exe -- C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe [7] -> KILLED [TermProc]
[SUSP PATH] cltmng.exe -- C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]
¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : WeatherEye (C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe) [7] -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe) [7] -> DELETED
[RUN][SUSP PATH] HKUS\.DEFAULT[...]\Run : SearchProtect (C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe) -> DELETED
[TASK][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\WINDOWS\TEMP\{E08EF165-469E-4748-A75B-D2C9A5745BAC}.exe --uninstall=1 [x] -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\n.) [x] -> REPLACED (C:\WINDOWS\system32\shell32.dll)
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\@ [-] --> REMOVED
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\@ [-] --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\L --> REMOVED
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHT2080AH +++++
--- User ---
[MBR] 01f1d403070826e5762f3c68781f8fec
[BSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 73139 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 149902515 | Size: 3122 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: Seagate FreeAgent GoFlex USB Device +++++
--- User ---
[MBR] b33d5231a718db0b059f59a86c50436f
[BSP] a8a1b53d0a8cc2eca0e247cab74be5ac : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[2]_D_06112013_02d1831.txt >>
RKreport[1]_S_06112013_02d1829.txt ; RKreport[2]_D_06112013_02d1831.txt

Pop Ups for Bad Image ran continuously when I did this scan and Firefox opened up to tigzy.com
 
Sorry - this is Report #1
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Moira [Admin rights]
Mode : Scan -- Date : 06/11/2013 18:29:01
| ARK || FAK || MBR |
¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] WeatherEye.exe -- C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe [7] -> KILLED [TermProc]
[SUSP PATH] cltmng.exe -- C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]
¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : WeatherEye (C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe) [7] -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe) [7] -> FOUND
[RUN][SUSP PATH] HKUS\.DEFAULT[...]\Run : SearchProtect (C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-725345543-1229272821-839522115-1004[...]\Run : WeatherEye (C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe) [7] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-725345543-1229272821-839522115-1004[...]\Run : SearchProtect (C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe) [7] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-18[...]\Run : SearchProtect (C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe) -> FOUND
[TASK][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\WINDOWS\TEMP\{E08EF165-469E-4748-A75B-D2C9A5745BAC}.exe --uninstall=1 [x] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\n.) [x] -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\@ [-] --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\@ [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\U --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\L --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\L --> FOUND
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHT2080AH +++++
--- User ---
[MBR] 01f1d403070826e5762f3c68781f8fec
[BSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 73139 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 149902515 | Size: 3122 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: Seagate FreeAgent GoFlex USB Device +++++
--- User ---
[MBR] b33d5231a718db0b059f59a86c50436f
[BSP] a8a1b53d0a8cc2eca0e247cab74be5ac : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_06112013_02d1829.txt >>
RKreport[1]_S_06112013_02d1829.txt

This is report #2

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Moira [Admin rights]
Mode : Remove -- Date : 06/11/2013 18:31:12
| ARK || FAK || MBR |
¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] WeatherEye.exe -- C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe [7] -> KILLED [TermProc]
[SUSP PATH] cltmng.exe -- C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]
¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : WeatherEye (C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe) [7] -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe) [7] -> DELETED
[RUN][SUSP PATH] HKUS\.DEFAULT[...]\Run : SearchProtect (C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe) -> DELETED
[TASK][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\WINDOWS\TEMP\{E08EF165-469E-4748-A75B-D2C9A5745BAC}.exe --uninstall=1 [x] -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\n.) [x] -> REPLACED (C:\WINDOWS\system32\shell32.dll)
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\@ [-] --> REMOVED
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\@ [-] --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\L --> REMOVED
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHT2080AH +++++
--- User ---
[MBR] 01f1d403070826e5762f3c68781f8fec
[BSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 73139 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 149902515 | Size: 3122 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: Seagate FreeAgent GoFlex USB Device +++++
--- User ---
[MBR] b33d5231a718db0b059f59a86c50436f
[BSP] a8a1b53d0a8cc2eca0e247cab74be5ac : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[2]_D_06112013_02d1831.txt >>
RKreport[1]_S_06112013_02d1829.txt ; RKreport[2]_D_06112013_02d1831.txt
 
So I downloaded MBAR - unzipped it and now I get the following message:

"Probable rootkit activity detected.
Registry Value "AppInit_Dlls" has been found, which may be caused by rootkit activity.

Note: press "No" if you're not sure. If the tool crashes or terminates unexpectedly during a system scan, restart the tool and press "Yes" should this message appear again.

Do you want to remove this value a restart the tool ?"

What does this mean? Where is this in the instructions? Do I proceed?
 
Instructions are right on your screen :)
press "No" if you're not sure. If the tool crashes or terminates unexpectedly during a system scan, restart the tool and press "Yes" should this message appear again.
 
This is the MBAR Log:

Malwarebytes Anti-Rootkit BETA 1.06.0.1003
www.malwarebytes.org
Database version: v2013.06.11.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Moira :: MOIRA-9AEF92C25 [administrator]
6/11/2013 6:59:53 PM
mbar-log-2013-06-11 (18-59-53).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: Deep Anti-Rootkit Scan | PUP
Objects scanned: 214583
Time elapsed: 31 minute(s), 33 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 2
c:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc (Trojan.Siredef.C) -> Delete on reboot.
c:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc (Trojan.Siredef.C) -> Delete on reboot.
Files Detected: 0
(No malicious items detected)
Physical Sectors Detected: 0
(No malicious items detected)
(end)
 
This is the system-log:

--------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1003
(c) Malwarebytes Corporation 2011-2012
OS version: 5.1.2600 Windows XP Service Pack 3 x86
Account is Administrative
Internet Explorer version: 8.0.6001.18702
Java version: 1.6.0_31
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED
CPU speed: 1.596000 GHz
Memory total: 2138435584, free: 1396137984
Downloaded database version: v2013.06.11.08
Downloaded database version: v2013.05.22.01
Initializing...
------------ Kernel report ------------
06/11/2013 18:59:40
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
PCIIde.sys
\WINDOWS\System32\Drivers\PCIIDEX.SYS
intelide.sys
pcmcia.sys
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
 
This is the MBAR Log after the 2nd scan:

alwarebytes Anti-Rootkit BETA 1.06.0.1003
www.malwarebytes.org
Database version: v2013.06.11.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Moira :: MOIRA-9AEF92C25 [administrator]
6/11/2013 7:33:32 PM
mbar-log-2013-06-11 (19-33-32).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: Deep Anti-Rootkit Scan | PUP
Objects scanned: 214548
Time elapsed: 28 minute(s),
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
Physical Sectors Detected: 0
(No malicious items detected)
(end)
 
This is the MBAR first Log: Malwarebytes Anti-Rootkit BETA 1.06.0.1003 www.malwarebytes.org Database version: v2013.06.11.08 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 Moira :: MOIRA-9AEF92C25 [administrator] 6/11/2013 6:59:53 PM mbar-log-2013-06-11 (18-59-53).txt Scan type: Quick scan Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P Scan options disabled: Deep Anti-Rootkit Scan | PUP Objects scanned: 214583 Time elapsed: 31 minute(s), 33 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 1 HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot. Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 2 c:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc (Trojan.Siredef.C) -> Delete on reboot. c:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc (Trojan.Siredef.C) -> Delete on reboot. Files Detected: 0 (No malicious items detected) Physical Sectors Detected: 0 (No malicious items detected) (end)
 
This is the system-log: --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.06.0.1003 (c) Malwarebytes Corporation 2011-2012 OS version: 5.1.2600 Windows XP Service Pack 3 x86 Account is Administrative Internet Explorer version: 8.0.6001.18702 Java version: 1.6.0_31 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED CPU speed: 1.596000 GHz Memory total: 2138435584, free: 1396137984 Downloaded database version: v2013.06.11.08 Downloaded database version: v2013.05.22.01 Initializing... ------------ Kernel report ------------ 06/11/2013 18:59:40 ------------ Loaded modules ----------- \WINDOWS\system32\ntkrnlpa.exe \WINDOWS\system32\hal.dll \WINDOWS\system32\KDCOM.DLL \WINDOWS\system32\BOOTVID.dll ACPI.sys \WINDOWS\system32\DRIVERS\WMILIB.SYS pci.sys isapnp.sys ohci1394.sys \WINDOWS\system32\DRIVERS\1394BUS.SYS compbatt.sys \WINDOWS\system32\DRIVERS\BATTC.SYS PCIIde.sys \WINDOWS\System32\Drivers\PCIIDEX.SYS intelide.sys pcmcia.sys MountMgr.sys ftdisk.sys PartMgr.sys VolSnap.sys atapi.sys disk.sys \WINDOWS\system32\DRIVERS\CLASSPNP.SYS fltmgr.sys sr.sys KSecDD.sys WudfPf.sys Ntfs.sys NDIS.sys Mup.sys avgrkx86.sys AVGIDSEH.Sys \SystemRoot\system32\DRIVERS\intelppm.sys \SystemRoot\system32\DRIVERS\CmBatt.sys \SystemRoot\system32\DRIVERS\ialmnt5.sys \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS \SystemRoot\system32\DRIVERS\usbuhci.sys \SystemRoot\system32\DRIVERS\USBPORT.SYS \SystemRoot\system32\DRIVERS\usbehci.sys \SystemRoot\system32\DRIVERS\bcm4sbxp.sys \SystemRoot\system32\DRIVERS\nic1394.sys \SystemRoot\system32\DRIVERS\sdbus.sys \SystemRoot\system32\DRIVERS\w29n51.sys \SystemRoot\system32\drivers\STAC97.sys \SystemRoot\system32\drivers\portcls.sys \SystemRoot\system32\drivers\drmk.sys \SystemRoot\system32\drivers\ks.sys \SystemRoot\system32\DRIVERS\HSFHWICH.sys \SystemRoot\system32\DRIVERS\HSF_DP.sys \SystemRoot\system32\DRIVERS\HSF_CNXT.sys \SystemRoot\System32\Drivers\Modem.SYS \SystemRoot\system32\DRIVERS\i8042prt.sys \SystemRoot\system32\DRIVERS\Apfiltr.sys \SystemRoot\system32\DRIVERS\mouclass.sys \SystemRoot\system32\DRIVERS\kbdclass.sys \SystemRoot\system32\DRIVERS\cdrom.sys \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys \SystemRoot\system32\DRIVERS\avgfwdx.sys \SystemRoot\system32\DRIVERS\audstub.sys \SystemRoot\System32\Drivers\RootMdm.sys \SystemRoot\system32\DRIVERS\rasl2tp.sys \SystemRoot\system32\DRIVERS\ndistapi.sys \SystemRoot\system32\DRIVERS\ndiswan.sys \SystemRoot\system32\DRIVERS\raspppoe.sys \SystemRoot\system32\DRIVERS\raspptp.sys \SystemRoot\system32\DRIVERS\TDI.SYS \SystemRoot\system32\DRIVERS\psched.sys \SystemRoot\system32\DRIVERS\msgpc.sys \SystemRoot\system32\DRIVERS\ptilink.sys \SystemRoot\system32\DRIVERS\raspti.sys \SystemRoot\system32\DRIVERS\RimSerial.sys \SystemRoot\system32\DRIVERS\WDFLDR.SYS \SystemRoot\System32\Drivers\wdf01000.sys \SystemRoot\system32\DRIVERS\termdd.sys \SystemRoot\system32\DRIVERS\swenum.sys \SystemRoot\system32\DRIVERS\update.sys \SystemRoot\system32\DRIVERS\mssmbios.sys \SystemRoot\System32\Drivers\NDProxy.SYS \SystemRoot\system32\DRIVERS\usbhub.sys \SystemRoot\system32\DRIVERS\USBD.SYS \SystemRoot\system32\DRIVERS\avgmfx86.sys \SystemRoot\System32\Drivers\Fs_Rec.SYS \SystemRoot\System32\Drivers\Null.SYS \SystemRoot\System32\Drivers\Beep.SYS \??\C:\WINDOWS\system32\drivers\avgtpx86.sys \SystemRoot\System32\drivers\vga.sys \SystemRoot\System32\Drivers\mnmdd.SYS \SystemRoot\System32\DRIVERS\RDPCDD.sys \SystemRoot\System32\Drivers\Msfs.SYS \SystemRoot\System32\Drivers\Npfs.SYS \SystemRoot\system32\DRIVERS\rasacd.sys \SystemRoot\system32\DRIVERS\ipsec.sys \SystemRoot\system32\DRIVERS\tcpip.sys \SystemRoot\system32\DRIVERS\avgtdix.sys \SystemRoot\system32\DRIVERS\wanarp.sys \SystemRoot\system32\DRIVERS\arp1394.sys \SystemRoot\system32\DRIVERS\netbt.sys \SystemRoot\System32\drivers\afd.sys \SystemRoot\system32\DRIVERS\netbios.sys \SystemRoot\system32\DRIVERS\rdbss.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys \SystemRoot\System32\Drivers\Fips.SYS \SystemRoot\system32\DRIVERS\avgldx86.sys \SystemRoot\system32\DRIVERS\hidusb.sys \SystemRoot\system32\DRIVERS\HIDCLASS.SYS \SystemRoot\system32\DRIVERS\HIDPARSE.SYS \SystemRoot\system32\DRIVERS\USBSTOR.SYS \SystemRoot\system32\DRIVERS\mouhid.sys \SystemRoot\System32\Drivers\Cdfs.SYS \SystemRoot\System32\Drivers\dump_atapi.sys \SystemRoot\System32\Drivers\dump_WMILIB.SYS \SystemRoot\System32\win32k.sys \SystemRoot\System32\drivers\Dxapi.sys \SystemRoot\System32\watchdog.sys \SystemRoot\System32\drivers\dxg.sys \SystemRoot\System32\drivers\dxgthk.sys \SystemRoot\System32\ialmdnt5.dll \SystemRoot\System32\ialmrnt5.dll \SystemRoot\System32\ialmdev5.DLL \SystemRoot\System32\ialmdd5.DLL \SystemRoot\System32\ATMFD.DLL \SystemRoot\system32\DRIVERS\AegisP.sys \SystemRoot\system32\DRIVERS\s24trans.sys \SystemRoot\system32\DRIVERS\ndisuio.sys \SystemRoot\system32\DRIVERS\mrxdav.sys \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys \SystemRoot\system32\drivers\wdmaud.sys \SystemRoot\system32\drivers\sysaudio.sys \SystemRoot\system32\DRIVERS\srv.sys \SystemRoot\system32\DRIVERS\mdmxsdk.sys \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys \SystemRoot\System32\Drivers\HTTP.sys \SystemRoot\system32\DRIVERS\asyncmac.sys \SystemRoot\system32\drivers\kmixer.sys \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys \WINDOWS\system32\ntdll.dll ----------- End ----------- Done! >> Upper Device Name: \Device\Harddisk1\DR4 Upper Device Object: 0xffffffff8a8e38a0 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\00000093\ Lower Device Object: 0xffffffff8a7ba030 Lower Device Driver Name: \Driver\USBSTOR\ >> Upper Device Name: \Device\Harddisk0\DR0 Upper Device Object: 0xffffffff8aa64ab8 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\ Lower Device Object: 0xffffffff8aa6f940 Lower Device Driver Name: \Driver\atapi\ >> Device number: 0, partition: 2 Physical Sector Size: 512 Drive: 0, DevicePointer: 0xffffffff8aa64ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xffffffff8aad52a8, DeviceName: Unknown, DriverName: \Driver\PartMgr\ DevicePointer: 0xffffffff8aa64ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ DevicePointer: 0xffffffff8aa6f940, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ Upper DeviceData: 0x0, 0x0, 0x0 Lower DeviceData: 0x0, 0x0, 0x0 >> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes >> Device number: 0, partition: 2 >> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Scanning drivers directory: C:\WINDOWS\system32\drivers... >> Device number: 0, partition: 2 >> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Done! Drive 0 Scanning MBR on drive 0... Inspecting partition table: MBR Signature: 55AA Disk Signature: D0F4738C Partition information: Partition 0 type is Other (0xde) Partition is NOT ACTIVE. Partition starts at LBA: 63 Numsec = 112392 Partition 1 type is Primary (0x7) Partition is ACTIVE. Partition starts at LBA: 112455 Numsec = 149790060 Partition file system is NTFS Partition is bootable Partition 2 type is Other (0xdb) Partition is NOT ACTIVE. Partition starts at LBA: 149902515 Numsec = 6393870 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Disk Size: 80026361856 bytes Sector size: 512 bytes Scanning physical sectors of unpartitioned space on drive 0 (1-62-156281488-156301488)... Done! Physical Sector Size: 512 Drive: 1, DevicePointer: 0xffffffff8a8e38a0, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xffffffff8a8e84f8, DeviceName: Unknown, DriverName: \Driver\PartMgr\ DevicePointer: 0xffffffff8a8e38a0, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\ DevicePointer: 0xffffffff8a7ba030, DeviceName: \Device\00000093\, DriverName: \Driver\USBSTOR\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\ Upper DeviceData: 0x0, 0x0, 0x0 Lower DeviceData: 0x0, 0x0, 0x0 Drive 1 Scanning MBR on drive 1... Inspecting partition table: MBR Signature: 55AA Disk Signature: 3D1432A6 Partition information: Partition 0 type is Primary (0x7) Partition is NOT ACTIVE. Partition starts at LBA: 63 Numsec = 976768002 Partition 1 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 2 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Disk Size: 500107861504 bytes Sector size: 512 bytes Done! Read File: File "c:\documents and settings\all users\application data\avg10\chjw\22947d2d947d0497.dat:aa06516e-8576-4d21-a06a-851832df2073" is sparse (flags = 32768) Infected: HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} --> [Hijack.Trojan.Siredef.C] Infected: c:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc --> [Trojan.Siredef.C] Infected: c:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc --> [Trojan.Siredef.C] Scan finished Creating System Restore point... Cleaning up... Executing an action fixdamage.exe... Success! Queuing an action fixdamage.exe Removal successful. No system shutdown is required. ======================================= Removal queue found; removal started Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_i.mbam... Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_0_1_112455_i.mbam... Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_r.mbam... Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_1_i.mbam... Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_1_r.mbam... Removal finished --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.06.0.1003 (c) Malwarebytes Corporation 2011-2012 OS version: 5.1.2600 Windows XP Service Pack 3 x86 Account is Administrative Internet Explorer version: 8.0.6001.18702 Java version: 1.6.0_31 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED CPU speed: 1.596000 GHz Memory total: 2138435584, free: 1350393856 Initializing... ------------ Kernel report ------------ 06/11/2013 19:33:20 ------------ Loaded modules ----------- \WINDOWS\system32\ntkrnlpa.exe \WINDOWS\system32\hal.dll \WINDOWS\system32\KDCOM.DLL \WINDOWS\system32\BOOTVID.dll ACPI.sys \WINDOWS\system32\DRIVERS\WMILIB.SYS pci.sys isapnp.sys ohci1394.sys \WINDOWS\system32\DRIVERS\1394BUS.SYS compbatt.sys \WINDOWS\system32\DRIVERS\BATTC.SYS PCIIde.sys \WINDOWS\System32\Drivers\PCIIDEX.SYS intelide.sys pcmcia.sys MountMgr.sys ftdisk.sys PartMgr.sys VolSnap.sys atapi.sys disk.sys \WINDOWS\system32\DRIVERS\CLASSPNP.SYS fltmgr.sys sr.sys KSecDD.sys WudfPf.sys Ntfs.sys NDIS.sys Mup.sys avgrkx86.sys AVGIDSEH.Sys \SystemRoot\system32\DRIVERS\intelppm.sys \SystemRoot\system32\DRIVERS\CmBatt.sys \SystemRoot\system32\DRIVERS\ialmnt5.sys \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS \SystemRoot\system32\DRIVERS\usbuhci.sys \SystemRoot\system32\DRIVERS\USBPORT.SYS \SystemRoot\system32\DRIVERS\usbehci.sys \SystemRoot\system32\DRIVERS\bcm4sbxp.sys \SystemRoot\system32\DRIVERS\nic1394.sys \SystemRoot\system32\DRIVERS\sdbus.sys \SystemRoot\system32\DRIVERS\w29n51.sys \SystemRoot\system32\drivers\STAC97.sys \SystemRoot\system32\drivers\portcls.sys \SystemRoot\system32\drivers\drmk.sys \SystemRoot\system32\drivers\ks.sys \SystemRoot\system32\DRIVERS\HSFHWICH.sys \SystemRoot\system32\DRIVERS\HSF_DP.sys \SystemRoot\system32\DRIVERS\HSF_CNXT.sys \SystemRoot\System32\Drivers\Modem.SYS \SystemRoot\system32\DRIVERS\i8042prt.sys \SystemRoot\system32\DRIVERS\Apfiltr.sys \SystemRoot\system32\DRIVERS\mouclass.sys \SystemRoot\system32\DRIVERS\kbdclass.sys \SystemRoot\system32\DRIVERS\cdrom.sys \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys \SystemRoot\system32\DRIVERS\avgfwdx.sys \SystemRoot\system32\DRIVERS\audstub.sys \SystemRoot\System32\Drivers\RootMdm.sys \SystemRoot\system32\DRIVERS\rasl2tp.sys \SystemRoot\system32\DRIVERS\ndistapi.sys \SystemRoot\system32\DRIVERS\ndiswan.sys \SystemRoot\system32\DRIVERS\raspppoe.sys \SystemRoot\system32\DRIVERS\raspptp.sys \SystemRoot\system32\DRIVERS\TDI.SYS \SystemRoot\system32\DRIVERS\psched.sys \SystemRoot\system32\DRIVERS\msgpc.sys \SystemRoot\system32\DRIVERS\ptilink.sys \SystemRoot\system32\DRIVERS\raspti.sys \SystemRoot\system32\DRIVERS\RimSerial.sys \SystemRoot\system32\DRIVERS\WDFLDR.SYS \SystemRoot\System32\Drivers\wdf01000.sys \SystemRoot\system32\DRIVERS\termdd.sys \SystemRoot\system32\DRIVERS\swenum.sys \SystemRoot\system32\DRIVERS\update.sys \SystemRoot\system32\DRIVERS\mssmbios.sys \SystemRoot\System32\Drivers\NDProxy.SYS \SystemRoot\system32\DRIVERS\usbhub.sys \SystemRoot\system32\DRIVERS\USBD.SYS \SystemRoot\system32\DRIVERS\avgmfx86.sys \SystemRoot\System32\Drivers\Fs_Rec.SYS \SystemRoot\System32\Drivers\Null.SYS \SystemRoot\System32\Drivers\Beep.SYS \??\C:\WINDOWS\system32\drivers\avgtpx86.sys \SystemRoot\System32\drivers\vga.sys \SystemRoot\System32\Drivers\mnmdd.SYS \SystemRoot\System32\DRIVERS\RDPCDD.sys \SystemRoot\System32\Drivers\Msfs.SYS \SystemRoot\System32\Drivers\Npfs.SYS \SystemRoot\system32\DRIVERS\rasacd.sys \SystemRoot\system32\DRIVERS\ipsec.sys \SystemRoot\system32\DRIVERS\tcpip.sys \SystemRoot\system32\DRIVERS\avgtdix.sys \SystemRoot\system32\DRIVERS\wanarp.sys \SystemRoot\system32\DRIVERS\arp1394.sys \SystemRoot\system32\DRIVERS\netbt.sys \SystemRoot\System32\drivers\afd.sys \SystemRoot\system32\DRIVERS\netbios.sys \SystemRoot\system32\DRIVERS\rdbss.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys \SystemRoot\System32\Drivers\Fips.SYS \SystemRoot\system32\DRIVERS\avgldx86.sys \SystemRoot\system32\DRIVERS\hidusb.sys \SystemRoot\system32\DRIVERS\HIDCLASS.SYS \SystemRoot\system32\DRIVERS\HIDPARSE.SYS \SystemRoot\system32\DRIVERS\USBSTOR.SYS \SystemRoot\system32\DRIVERS\mouhid.sys \SystemRoot\System32\Drivers\Cdfs.SYS \SystemRoot\System32\Drivers\dump_atapi.sys \SystemRoot\System32\Drivers\dump_WMILIB.SYS \SystemRoot\System32\win32k.sys \SystemRoot\System32\drivers\Dxapi.sys \SystemRoot\System32\watchdog.sys \SystemRoot\System32\drivers\dxg.sys \SystemRoot\System32\drivers\dxgthk.sys \SystemRoot\System32\ialmdnt5.dll \SystemRoot\System32\ialmrnt5.dll \SystemRoot\System32\ialmdev5.DLL \SystemRoot\System32\ialmdd5.DLL \SystemRoot\System32\ATMFD.DLL \SystemRoot\system32\DRIVERS\AegisP.sys \SystemRoot\system32\DRIVERS\s24trans.sys \SystemRoot\system32\DRIVERS\ndisuio.sys \SystemRoot\system32\DRIVERS\mrxdav.sys \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys \SystemRoot\system32\drivers\wdmaud.sys \SystemRoot\system32\drivers\sysaudio.sys \SystemRoot\system32\DRIVERS\srv.sys \SystemRoot\system32\DRIVERS\mdmxsdk.sys \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys \SystemRoot\System32\Drivers\HTTP.sys \SystemRoot\system32\DRIVERS\asyncmac.sys \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys \SystemRoot\system32\DRIVERS\ipnat.sys \SystemRoot\system32\drivers\kmixer.sys \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys \WINDOWS\system32\ntdll.dll ----------- End ----------- Done! >> Upper Device Name: \Device\Harddisk1\DR4 Upper Device Object: 0xffffffff8a8e38a0 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\00000093\ Lower Device Object: 0xffffffff8a7ba030 Lower Device Driver Name: \Driver\USBSTOR\ >> Upper Device Name: \Device\Harddisk0\DR0 Upper Device Object: 0xffffffff8aa64ab8 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\ Lower Device Object: 0xffffffff8aa6f940 Lower Device Driver Name: \Driver\atapi\ >> Device number: 0, partition: 2 Physical Sector Size: 512 Drive: 0, DevicePointer: 0xffffffff8aa64ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xffffffff8aad52a8, DeviceName: Unknown, DriverName: \Driver\PartMgr\ DevicePointer: 0xffffffff8aa64ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ DevicePointer: 0xffffffff8aa6f940, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ Upper DeviceData: 0x0, 0x0, 0x0 Lower DeviceData: 0x0, 0x0, 0x0 >> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes >> Device number: 0, partition: 2 >> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Scanning drivers directory: C:\WINDOWS\system32\drivers... >> Device number: 0, partition: 2 >> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Done! Drive 0 Scanning MBR on drive 0... Inspecting partition table: MBR Signature: 55AA Disk Signature: D0F4738C Partition information: Partition 0 type is Other (0xde) Partition is NOT ACTIVE. Partition starts at LBA: 63 Numsec = 112392 Partition 1 type is Primary (0x7) Partition is ACTIVE. Partition starts at LBA: 112455 Numsec = 149790060 Partition file system is NTFS Partition is bootable Partition 2 type is Other (0xdb) Partition is NOT ACTIVE. Partition starts at LBA: 149902515 Numsec = 6393870 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Disk Size: 80026361856 bytes Sector size: 512 bytes Scanning physical sectors of unpartitioned space on drive 0 (1-62-156281488-156301488)... Done! Physical Sector Size: 512 Drive: 1, DevicePointer: 0xffffffff8a8e38a0, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xffffffff8a8e84f8, DeviceName: Unknown, DriverName: \Driver\PartMgr\ DevicePointer: 0xffffffff8a8e38a0, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\ DevicePointer: 0xffffffff8a7ba030, DeviceName: \Device\00000093\, DriverName: \Driver\USBSTOR\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\ Upper DeviceData: 0x0, 0x0, 0x0 Lower DeviceData: 0x0, 0x0, 0x0 Drive 1 Scanning MBR on drive 1... Inspecting partition table: MBR Signature: 55AA Disk Signature: 3D1432A6 Partition information: Partition 0 type is Primary (0x7) Partition is NOT ACTIVE. Partition starts at LBA: 63 Numsec = 976768002 Partition 1 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 2 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Disk Size: 500107861504 bytes Sector size: 512 bytes Done! Read File: File "c:\documents and settings\all users\application data\avg10\chjw\22947d2d947d0497.dat:aa06516e-8576-4d21-a06a-851832df2073" is sparse (flags = 32768) Scan finished ======================================= Removal queue found; removal started Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_i.mbam... Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_0_1_112455_i.mbam... Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_r.mbam... Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_1_i.mbam... Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_1_r.mbam... Removal finished
 
This is the second MBAR Log after the second scan: Malwarebytes Anti-Rootkit BETA 1.06.0.1003 www.malwarebytes.org Database version: v2013.06.11.08 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 Moira :: MOIRA-9AEF92C25 [administrator] 6/11/2013 7:33:32 PM mbar-log-2013-06-11 (19-33-32).txt Scan type: Quick scan Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P Scan options disabled: Deep Anti-Rootkit Scan | PUP Objects scanned: 214548 Time elapsed: 28 minute(s), Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) Physical Sectors Detected: 0 (No malicious items detected) (end)
 
redtarget.gif
Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

redtarget.gif
Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
So, I have AVG Internet Security 2011 ver. 10.0.1432.
You are telling me to delete it with AppRemover and then we will reinstall later?
I have a licence # for this version of AVG, how will I be able to resintall the 2011 versions with this same licence #?
I am concerned that by deleting AVG I will be stuck paying for a newer version of it.
Thanks!
 
Can I now re-install AVG?

Here's the log from Cobofix:


ComboFix 13-06-12.01 - Moira 06/12/2013 18:24:41.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1332 [GMT -5:00]
Running from: c:\documents and settings\Moira\Desktop\ComboFix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Thumbs.db
c:\windows\EventSystem.log
c:\windows\system32\roboot.exe
c:\windows\winhelp.ini
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\SSEyaarch-NNewTaab
c:\documents and settings\All Users\Application Data\SSEyaarch-NNewTaab\51461cd156b65.tlb
c:\documents and settings\All Users\Application Data\SSEyaarch-NNewTaab\settings.ini
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Moira\Application Data\PriceGong
c:\documents and settings\Moira\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\17672.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\2085.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\22249.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\2256.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\2620.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\4436.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\4489.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\I.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Moira\Application Data\PriceGong\Data\z.txt
C:\install.exe
c:\windows\system32\Cache
c:\windows\system32\Cache\0d9416ab3d8fbf3a.fb
c:\windows\system32\Cache\0dbbc8b07811e75d.fb
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\5ba97b0e5611ee1d.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\73b895551a1e90ae.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\b0853efdc692de39.fb
c:\windows\system32\Cache\bbb1e7346d9a4c71.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\d8c7b83cc2962142.fb
c:\windows\system32\Cache\d9d79cedd8055ad0.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\e8b1c7a84abc6d93.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\Cache\ff112ce7af4d4e83.fb
c:\windows\system32\SETE2.tmp
c:\windows\system32\SETE7.tmp
F:\Autorun.inf
F:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-05-12 to 2013-06-12 )))))))))))))))))))))))))))))))
.
.
2013-06-12 23:14 . 2013-06-12 23:14 -------- d-----w- c:\windows\LastGood
2013-06-12 23:05 . 2013-06-12 23:05 -------- d-----w- c:\documents and settings\Moira\Application Data\TuneUp Software
2013-06-11 23:59 . 2013-06-12 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-10 17:03 . 2013-04-04 19:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-06-10 17:03 . 2013-06-10 17:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-06-10 16:31 . 2013-06-10 16:31 -------- d-----w- c:\documents and settings\Moira\Application Data\Foresight Software
2013-06-10 16:31 . 2013-06-10 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Foresight Software
2013-06-10 02:55 . 2013-06-10 03:03 -------- d-----w- c:\documents and settings\Moira\Application Data\RegistryTool
2013-06-10 02:54 . 2013-06-10 03:08 -------- d-----w- c:\program files\RegistryTool
2013-06-03 02:20 . 2013-06-03 02:26 -------- d-----w- c:\program files\Common Files\XCPCSync.OEM
2013-05-24 02:49 . 2013-05-24 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 00:07 . 2012-04-16 12:15 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-12 00:07 . 2011-05-25 12:16 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-07 22:30 . 2004-08-04 00:56 920064 ----a-w- c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2004-08-04 00:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-05-07 22:30 . 2004-08-04 00:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-05-07 21:53 . 2004-08-03 22:59 385024 ----a-w- c:\windows\system32\html.iec
2013-05-03 01:26 . 2004-08-03 23:20 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2004-08-03 22:59 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 01:31 . 2004-08-03 23:17 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 10:35 . 2013-04-19 12:14 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-04-17 23:01 . 2013-04-17 23:00 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88ac3cb6-596b-4217-964c-b6757ef9602d}"= "c:\program files\express-files\prxtbexp2.dll" [2013-05-20 231712]
.
[HKEY_CLASSES_ROOT\clsid\{88ac3cb6-596b-4217-964c-b6757ef9602d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{88ac3cb6-596b-4217-964c-b6757ef9602d}]
2013-05-20 09:21 231712 ----a-w- c:\program files\express-files\prxtbexp2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88ac3cb6-596b-4217-964c-b6757ef9602d}"= "c:\program files\express-files\prxtbexp2.dll" [2013-05-20 231712]
.
[HKEY_CLASSES_ROOT\clsid\{88ac3cb6-596b-4217-964c-b6757ef9602d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88AC3CB6-596B-4217-964C-B6757EF9602D}"= "c:\program files\express-files\prxtbexp2.dll" [2013-05-20 231712]
.
[HKEY_CLASSES_ROOT\clsid\{88ac3cb6-596b-4217-964c-b6757ef9602d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2010-01-16 717696]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-09 39408]
"SearchProtect"="c:\documents and settings\Moira\Application Data\SearchProtect\bin\cltmng.exe" [2013-05-08 2852640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"Memeo AutoSync"="c:\program files\Memeo\AutoSync\MemeoLauncher2.exe" [2010-04-16 144608]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-06-01 79112]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2013-01-17 267792]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"Memeo Backup Premium"="c:\program files\Memeo\AutoBackupPro\MemeoLauncher2.exe" [2010-04-23 136416]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-06-04 1466760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"SearchProtectAll"="c:\program files\SearchProtect\bin\cltmng.exe" [2013-05-08 2852640]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-15 152392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-unins...2LUNJQTEwKzItRDM4MUwrNg&prod=94&ver=10.0.1432" [?]
.
c:\documents and settings\Moira\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2010-1-21 226176]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Corel Desktop Application Director 8.LNK - c:\corel\Suite8\Programs\DAD8.EXE [2011-6-8 202240]
PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2011-6-23 40960]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15739:TCP"= 15739:TCP:BitComet 15739 TCP
"15739:UDP"= 15739:UDP:BitComet 15739 UDP
.
R2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\SearchProtect\bin\CltMngSvc.exe [3/6/2013 7:36 AM 93984]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackupPro\MemeoBackgroundService.exe [4/22/2010 7:49 PM 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 11:42 AM 14088]
R4 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
R4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
R4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys --> c:\windows\system32\DRIVERS\avgrkx86.sys [?]
R4 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys --> c:\windows\system32\DRIVERS\avgtdix.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
S3 Blackberry Device Manager;BlackBerry Device Manager;c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [1/18/2013 5:10 PM 577536]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 1:58 PM 11336]
S3 cpuz134;cpuz134;\??\e:\apps\PC Wizard\pcwiz_x32.sys --> e:\apps\PC Wizard\pcwiz_x32.sys [?]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [10/7/2011 12:52 PM 21504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Avgldx86
*Deregistered* - avgtp
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 00:07]
.
2013-05-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-09 13:24]
.
2013-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-09 13:24]
.
2013-06-12 c:\windows\Tasks\User_Feed_Synchronization-{7F0BECA1-A2DF-4E7E-AB94-3CC74FB35C1E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.canada.com/news/index.html
mStart Page = hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
TCP: DhcpNameServer = 142.165.200.5 142.165.21.5
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\TurboTax 2011\ic2011pp.dll
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files\TurboTax 2012\ic2012pp.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.3.0/GarminAxControl_32.CAB
FF - ProfilePath - c:\documents and settings\Moira\Application Data\Mozilla\Firefox\Profiles\v0hi8m7e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA&l=1&q=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - www.yahoo.ca
FF - ExtSQL: 2013-06-01 17:41; {739df940-c5ee-4bab-9d7e-270894ae687a}; c:\documents and settings\Moira\Application Data\Mozilla\Firefox\Profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-10 - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-12 18:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1372)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2013-06-12 18:37:02
ComboFix-quarantined-files.txt 2013-06-12 23:36
.
Pre-Run: 6,150,197,248 bytes free
Post-Run: 6,139,240,448 bytes free
.
- - End Of File - - 88E16020DEFA17FA7270B23FB221DE34
8F558EB6672622401DA993E1E865C861
 
Looks good.

How is computer doing?

You can reinstall AVG now.

redtarget.gif
Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

redtarget.gif
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

redtarget.gif
Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Back