TechSpot

Bad Image virus on Dell Windows XP

Solved
By Quadrinity
Jun 10, 2013
  1. I just got this virus yesterday. I don't claim to be a computer expert, and have been trying to deal with this on my own.
    I have AVG - didn't catch it. Downloaded and paid for File Cleaner by Web Minds - apparently not the program I need.
    Downloaded Malwarebytes and ran 2 scans.
    Here are the results:

    Scan #1
    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org
    Database version: v2013.06.10.06
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Moira :: MOIRA-9AEF92C25 [administrator]
    6/10/2013 12:06:38 PM
    mbam-log-2013-06-10 (12-06-38).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 210320
    Time elapsed: 13 minute(s), 55 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 7
    HKCR\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9} (PUP.Software.Updater) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476} (PUP.Software.Updater) -> Quarantined and deleted successfully.
    HKCR\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67} (PUP.Software.Updater) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96} (PUP.Software.Updater) -> Quarantined and deleted successfully.
    HKCR\Updater.AmiUpd.1 (PUP.Software.Updater) -> Quarantined and deleted successfully.
    HKCR\Updater.AmiUpd (PUP.Software.Updater) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Dropper) -> Quarantined and deleted successfully.
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 1
    HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
    Folders Detected: 1
    C:\Documents and Settings\Moira\Application Data\SwvUpdater (PUP.Software.Updater) -> Quarantined and deleted successfully.
    Files Detected: 5
    C:\Documents and Settings\Moira\Application Data\SwvUpdater\Updater.exe (PUP.Software.Updater) -> Quarantined and deleted successfully.
    C:\Downloads\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Moira\Application Data\SwvUpdater\Updater.xml (PUP.Software.Updater) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Moira\Application Data\SwvUpdater\status.cfg (PUP.Software.Updater) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\AmiUpdXp.job (PUP.Software.Updater) -> Quarantined and deleted successfully.
    (end)
    Scan #2
    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org
    Database version: v2013.06.10.06
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Moira :: MOIRA-9AEF92C25 [administrator]
    6/10/2013 12:34:51 PM
    mbam-log-2013-06-10 (12-34-51).txt
    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 371716
    Time elapsed: 2 hour(s), 44 minute(s), 15 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 2
    C:\System Volume Information\_restore{F1A1C84E-C5BB-438E-87EF-2B8CB4D50447}\RP415\A0135932.dll (PUP.Adware.MultiPlug) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F1A1C84E-C5BB-438E-87EF-2B8CB4D50447}\RP422\A0145645.dll (PUP.Adware.MultiPlug) -> Quarantined and deleted successfully.
    (end)
    Spent 2 days on this - still getting Bad Image pop-ups all the time.
    Help!
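    The two scan logs above contain more signal than their "Quarantined ... successfully" suffixes suggest: one registry key is an Image File Execution Options entry for SETUP.EXE (a debugger hijack), and one data item is a COM InProcServer32 value that had been redirected from fastprox.dll to a path under C:\RECYCLER (the persistence Malwarebytes labels Trojan.0Access). A responder triaging such a log wants those persistence hijacks pulled out and ranked, since "repaired" in the log does not mean the loader that wrote them is gone. The following is an added example written for this thread, not code from the poster, from TechSpot or from Malwarebytes; it parses the MBAM 1.x detection-line format shown above, classifies each hit by persistence mechanism, and flags paths under RECYCLER or in `$`-named directories. The sample input is constructed from detection lines copied out of the posted logs; all function and field names are this example's own.

    ```python
    """Parse Malwarebytes (MBAM 1.x) detection lines and rank persistence hijacks."""
    import re
    from collections import Counter
    from dataclasses import dataclass
    from typing import Dict, List, Optional

    # Constructed sample: detection lines copied from the two scan logs in the post.
    SAMPLE_LOG = r"""
    Registry Keys Detected: 7
    HKCR\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9} (PUP.Software.Updater) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Dropper) -> Quarantined and deleted successfully.
    Registry Data Items Detected: 1
    HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
    Files Detected: 5
    C:\Downloads\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\AmiUpdXp.job (PUP.Software.Updater) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F1A1C84E-C5BB-438E-87EF-2B8CB4D50447}\RP415\A0135932.dll (PUP.Adware.MultiPlug) -> Quarantined and deleted successfully.
    (end)
    """

    # "<location> (<Threat.Name>) -> <rest>"; <rest> is either the action or a Bad/Good repair record.
    DETECTION_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[A-Za-z0-9.]+)\) -> (?P<rest>.+)$")
    REPAIR_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")

    # Mechanisms that let a third party run code inside legitimate processes; a
    # "deleted" or "repaired" entry here still warrants a follow-up check.
    HIJACK_MECHANISMS = {"ifeo-debugger-hijack", "com-inprocserver32-hijack"}


    @dataclass
    class Detection:
        location: str
        threat: str
        action: str
        mechanism: str
        bad_value: Optional[str] = None   # only for "Registry Data Items" repair records
        good_value: Optional[str] = None
        suspicious_path: bool = False


    def classify(location: str) -> str:
        """Map a detection location to the persistence mechanism it represents."""
        loc = location.lower()
        if "image file execution options" in loc:
            return "ifeo-debugger-hijack"
        if re.search(r"\\clsid\\\{[0-9a-f-]+\}\\inprocserver32", loc):
            return "com-inprocserver32-hijack"
        if "\\currentversion\\run" in loc:
            return "run-key"
        if "\\tasks\\" in loc and loc.endswith(".job"):
            return "scheduled-task"
        if "\\system volume information\\_restore" in loc:
            return "system-restore-point"
        if loc.startswith(("hkcr\\", "hklm\\", "hkcu\\", "hku\\")):
            return "registry-other"
        return "file"


    def is_suspicious_path(path: Optional[str]) -> bool:
        """Flag payload locations that legitimate software does not use: the
        RECYCLER tree, or any path component named with a leading '$'."""
        if not path:
            return False
        p = path.lower()
        return "\\recycler\\" in p or any(part.startswith("$") for part in p.split("\\"))


    def parse_mbam_log(text: str) -> List[Detection]:
        """Return one Detection per detection line; section headers and '(end)' are skipped."""
        found: List[Detection] = []
        for raw in text.splitlines():
            line = raw.strip()
            m = DETECTION_RE.match(line)
            if not m:
                continue
            location, threat, rest = m.group("location"), m.group("threat"), m.group("rest")
            bad = good = None
            r = REPAIR_RE.match(rest)
            if r:
                bad, good, action = r.group("bad"), r.group("good"), r.group("action")
            else:
                action = rest
            found.append(Detection(
                location=location,
                threat=threat,
                action=action.rstrip("."),
                mechanism=classify(location),
                bad_value=bad,
                good_value=good,
                suspicious_path=is_suspicious_path(location) or is_suspicious_path(bad),
            ))
        return found


    def summarize(dets: List[Detection]) -> Dict[str, int]:
        """Count detections per mechanism."""
        return dict(Counter(d.mechanism for d in dets))


    def high_risk(dets: List[Detection]) -> List[Detection]:
        """Detections a responder should verify by hand after the automated clean."""
        return [d for d in dets if d.mechanism in HIJACK_MECHANISMS or d.suspicious_path]


    if __name__ == "__main__":
        dets = parse_mbam_log(SAMPLE_LOG)
        print(summarize(dets))
        for d in high_risk(dets):
            print(f"[{d.mechanism}] {d.threat}: {d.location} bad={d.bad_value!r} good={d.good_value!r}")
    ```

    On the posted log this reports two follow-up items, the IFEO entry and the InProcServer32 redirection into RECYCLER; the PUP entries and the restore-point copies are counted but not ranked as hijacks. The classifier keys on registry path shapes rather than threat names, so it works the same on an MBAM log whose signature labels differ from the ones shown here.
    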
     
  2. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    I updated MBAM and just ran the scan:
    Do you want me to wait to do Step 3 - DDS?
    Thanks!

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org
    Database version: v2013.06.11.01
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Moira :: MOIRA-9AEF92C25 [administrator]
    6/10/2013 8:57:12 PM
    mbam-log-2013-06-10 (20-57-12).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 211398
    Time elapsed: 20 minute(s), 18 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
     
  4. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Yes. You have to complete ALL steps.
     
  5. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    Okay, so I am totally confused.
    The Notepad box automatically opened up, and there was nowhere for me to "make sure everything is checked, and click Remove Selected".
    What step did I miss?
     
  6. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.21.2
    Run by Moira at 21:24:02 on 2013-06-10
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.830 [GMT -5:00]

    FW: AVG Firewall *Enabled*
    .
    ============== Running Processes ================
    .
    \??\C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgfws.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\SearchProtect\bin\CltMngSvc.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Memeo\AutoBackupPro\MemeoBackgroundService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
    C:\Program Files\AVG\AVG10\avgam.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Corel\Suite8\Programs\DAD8.EXE
    C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Seagate\Seagate Dashboard\MemeoDashboard.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    \??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
    \??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    \??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\msdtc.exe
    C:\Program Files\BitComet\BitComet.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\SearchFilterHost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.canada.com/news/index.html
    mStart Page = hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA
    uURLSearchHooks: express-files Toolbar: {88ac3cb6-596b-4217-964c-b6757ef9602d} - c:\program files\express-files\prxtbexp2.dll
    dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
    BHO: BitComet Helper: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll
    BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: express-files Toolbar: {88ac3cb6-596b-4217-964c-b6757ef9602d} - c:\program files\express-files\prxtbexp2.dll
    BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\15.2.0.5\AVG Secure Search_toolbar.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
    TB: express-files Toolbar: {88AC3CB6-596B-4217-964C-B6757EF9602D} - c:\program files\express-files\prxtbexp2.dll
    TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\15.2.0.5\AVG Secure Search_toolbar.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: express-files Toolbar: {88ac3cb6-596b-4217-964c-b6757ef9602d} - c:\program files\express-files\prxtbexp2.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [WeatherEye] c:\documents and settings\moira\local settings\application data\theweathernetwork\weathereye\WeatherEye.exe
    uRun: [SearchProtect] c:\documents and settings\moira\application data\searchprotect\bin\cltmng.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [Memeo AutoSync] c:\program files\memeo\autosync\MemeoLauncher2.exe --silent
    mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
    mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [Memeo Backup Premium] c:\program files\memeo\autobackuppro\MemeoLauncher2.exe --silent --no_ui
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SearchProtectAll] c:\program files\searchprotect\bin\cltmng.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRun: [SearchProtect] c:\windows\system32\config\systemprofile\application data\searchprotect\bin\cltmng.exe
    StartupFolder: c:\docume~1\moira\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\coreld~1.lnk - c:\corel\suite8\programs\DAD8.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio -viewer-\PhAutoRun.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
    IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll/206
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.3.0/GarminAxControl_32.CAB
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1370906202875
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    TCP: NameServer = 142.165.200.5 142.165.21.5
    TCP: Interfaces\{64C1928F-95F8-46A0-A2AE-587A3EC4E093} : DHCPNameServer = 142.165.200.5 142.165.21.5
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
    Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\turbotax 2011\ic2011pp.dll
    Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files\turbotax 2012\ic2012pp.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\15.2.0\ViProtocol.dll
    Notify: igfxcui - igfxsrvc.dll
    AppInit_DLLs= c:\progra~1\browse~1\sprote~1.dll c:\progra~1\websea~1\sprote~1.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
    SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA&l=1&q=
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - www.yahoo.ca
    FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}\plugins\np-mswmp.dll
    FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}\plugins\npConduitFirefoxPlugin.dll
    FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{88ac3cb6-596b-4217-964c-b6757ef9602d}\plugins\np-mswmp.dll
    FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{88ac3cb6-596b-4217-964c-b6757ef9602d}\plugins\npConduitFirefoxPlugin.dll
    FF - plugin: c:\documents and settings\moira\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\15.2.0\npsitesafety.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
    FF - plugin: c:\program files\research in motion limited\blackberry app world browser plugin\npappworld.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll
    FF - ExtSQL: 2013-06-01 17:41; {739df940-c5ee-4bab-9d7e-270894ae687a}; c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 255968]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-3 37664]
    R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-3-9 2708024]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2012-1-31 7391072]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\searchprotect\bin\CltMngSvc.exe [2013-3-6 93984]
    R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackuppro\MemeoBackgroundService.exe [2010-4-22 25824]
    R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2011-6-1 14088]
    R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\15.2.0\ToolbarUpdater.exe [2013-6-6 1015984]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    R3 Blackberry Device Manager;BlackBerry Device Manager;c:\program files\common files\research in motion\usb drivers\BbDevMgr.exe [2013-1-18 577536]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-6-8 167264]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
    S3 cpuz134;cpuz134;\??\e:\apps\pc wizard\pcwiz_x32.sys --> e:\apps\pc wizard\pcwiz_x32.sys [?]
    S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2011-10-7 21504]
    .
    =============== File Associations ===============
    .
    FileExt: .js: jsfile=c:\corel\suite8\programs\ccwin\Cscape.exe
    ShellExec: BitComet.exe: open="c:\program files\bitcomet\BitComet.exe"
    ShellExec: Cscape.exe: Open=c:\corel\suite8\programs\ccwin\Cscape.exe
    .
    =============== Created Last 30 ================
    .
    2013-06-10 17:03:52 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-06-10 17:03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-06-10 16:31:42 -------- d-----w- c:\documents and settings\moira\application data\Foresight Software
    2013-06-10 16:31:12 -------- d-----w- c:\documents and settings\all users\application data\Foresight Software
    2013-06-10 02:55:17 -------- d-----w- c:\documents and settings\moira\application data\RegistryTool
    2013-06-10 02:54:59 -------- d-----w- c:\program files\RegistryTool
    2013-06-03 02:20:19 -------- d-----w- c:\program files\common files\XCPCSync.OEM
    2013-05-24 02:49:59 -------- d-----w- c:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
    .
    ==================== Find3M ====================
    .
    2013-06-06 18:02:30 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2013-05-16 02:07:53 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-05-16 02:07:53 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-04-16 22:17:15 920064 ----a-w- c:\windows\system32\wininet.dll
    2013-04-16 22:17:14 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2013-04-16 22:17:14 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2013-04-12 23:28:55 385024 ----a-w- c:\windows\system32\html.iec
    2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
    2013-04-04 10:35:08 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    .
    ============= FINISH: 21:25:43.76 ===============
     
  7. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.21.2
    Run by Moira at 21:24:02 on 2013-06-10
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.830 [GMT -5:00]
    .
    FW: AVG Firewall *Enabled*
    .
    ============== Running Processes ================
    .
    \??\C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgfws.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\SearchProtect\bin\CltMngSvc.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Memeo\AutoBackupPro\MemeoBackgroundService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
    C:\Program Files\AVG\AVG10\avgam.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Corel\Suite8\Programs\DAD8.EXE
    C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Seagate\Seagate Dashboard\MemeoDashboard.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    \??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
    \??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    \??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\msdtc.exe
    C:\Program Files\BitComet\BitComet.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\SearchFilterHost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.canada.com/news/index.html
    mStart Page = hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA
    uURLSearchHooks: express-files Toolbar: {88ac3cb6-596b-4217-964c-b6757ef9602d} - c:\program files\express-files\prxtbexp2.dll
    dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
    BHO: BitComet Helper: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll
    BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: express-files Toolbar: {88ac3cb6-596b-4217-964c-b6757ef9602d} - c:\program files\express-files\prxtbexp2.dll
    BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\15.2.0.5\AVG Secure Search_toolbar.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
    TB: express-files Toolbar: {88AC3CB6-596B-4217-964C-B6757EF9602D} - c:\program files\express-files\prxtbexp2.dll
    TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\15.2.0.5\AVG Secure Search_toolbar.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: express-files Toolbar: {88ac3cb6-596b-4217-964c-b6757ef9602d} - c:\program files\express-files\prxtbexp2.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [WeatherEye] c:\documents and settings\moira\local settings\application data\theweathernetwork\weathereye\WeatherEye.exe
    uRun: [SearchProtect] c:\documents and settings\moira\application data\searchprotect\bin\cltmng.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [Memeo AutoSync] c:\program files\memeo\autosync\MemeoLauncher2.exe --silent
    mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
    mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [Memeo Backup Premium] c:\program files\memeo\autobackuppro\MemeoLauncher2.exe --silent --no_ui
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SearchProtectAll] c:\program files\searchprotect\bin\cltmng.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRun: [SearchProtect] c:\windows\system32\config\systemprofile\application data\searchprotect\bin\cltmng.exe
    StartupFolder: c:\docume~1\moira\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\coreld~1.lnk - c:\corel\suite8\programs\DAD8.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio -viewer-\PhAutoRun.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
    IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll/206
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.3.0/GarminAxControl_32.CAB
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1370906202875
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    TCP: NameServer = 142.165.200.5 142.165.21.5
    TCP: Interfaces\{64C1928F-95F8-46A0-A2AE-587A3EC4E093} : DHCPNameServer = 142.165.200.5 142.165.21.5
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
    Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\turbotax 2011\ic2011pp.dll
    Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files\turbotax 2012\ic2012pp.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\15.2.0\ViProtocol.dll
    Notify: igfxcui - igfxsrvc.dll
    AppInit_DLLs= c:\progra~1\browse~1\sprote~1.dll c:\progra~1\websea~1\sprote~1.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
    SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA&l=1&q=
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - www.yahoo.ca
    FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}\plugins\np-mswmp.dll
    FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}\plugins\npConduitFirefoxPlugin.dll
    FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{88ac3cb6-596b-4217-964c-b6757ef9602d}\plugins\np-mswmp.dll
    FF - plugin: c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{88ac3cb6-596b-4217-964c-b6757ef9602d}\plugins\npConduitFirefoxPlugin.dll
    FF - plugin: c:\documents and settings\moira\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\15.2.0\npsitesafety.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
    FF - plugin: c:\program files\research in motion limited\blackberry app world browser plugin\npappworld.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll
    FF - ExtSQL: 2013-06-01 17:41; {739df940-c5ee-4bab-9d7e-270894ae687a}; c:\documents and settings\moira\application data\mozilla\firefox\profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 255968]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-3 37664]
    R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-3-9 2708024]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2012-1-31 7391072]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\searchprotect\bin\CltMngSvc.exe [2013-3-6 93984]
    R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackuppro\MemeoBackgroundService.exe [2010-4-22 25824]
    R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2011-6-1 14088]
    R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\15.2.0\ToolbarUpdater.exe [2013-6-6 1015984]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    R3 Blackberry Device Manager;BlackBerry Device Manager;c:\program files\common files\research in motion\usb drivers\BbDevMgr.exe [2013-1-18 577536]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-6-8 167264]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
    S3 cpuz134;cpuz134;\??\e:\apps\pc wizard\pcwiz_x32.sys --> e:\apps\pc wizard\pcwiz_x32.sys [?]
    S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2011-10-7 21504]
    .
    =============== File Associations ===============
    .
    FileExt: .js: jsfile=c:\corel\suite8\programs\ccwin\Cscape.exe
    ShellExec: BitComet.exe: open="c:\program files\bitcomet\BitComet.exe"
    ShellExec: Cscape.exe: Open=c:\corel\suite8\programs\ccwin\Cscape.exe
    .
    =============== Created Last 30 ================
    .
    2013-06-10 17:03:52 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-06-10 17:03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-06-10 16:31:42 -------- d-----w- c:\documents and settings\moira\application data\Foresight Software
    2013-06-10 16:31:12 -------- d-----w- c:\documents and settings\all users\application data\Foresight Software
    2013-06-10 02:55:17 -------- d-----w- c:\documents and settings\moira\application data\RegistryTool
    2013-06-10 02:54:59 -------- d-----w- c:\program files\RegistryTool
    2013-06-03 02:20:19 -------- d-----w- c:\program files\common files\XCPCSync.OEM
    2013-05-24 02:49:59 -------- d-----w- c:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
    .
    ==================== Find3M ====================
    .
    2013-06-06 18:02:30 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2013-05-16 02:07:53 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-05-16 02:07:53 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-04-16 22:17:15 920064 ----a-w- c:\windows\system32\wininet.dll
    2013-04-16 22:17:14 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2013-04-16 22:17:14 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2013-04-12 23:28:55 385024 ----a-w- c:\windows\system32\html.iec
    2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
    2013-04-04 10:35:08 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    .
    ============= FINISH: 21:25:43.76 ===============
     
  8. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/22/2005 3:37:18 AM
    System Uptime: 6/10/2013 5:44:27 PM (4 hours ago)
    .
    Motherboard: Dell Inc. | |
    Processor: Intel(R) Pentium(R) M processor 1.60GHz | Microprocessor | 1596/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 71 GiB total, 4.871 GiB free.
    D: is CDROM ()
    F: is FIXED (NTFS) - 466 GiB total, 266.778 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_SASDIFSV\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_SASDIFSV\0000
    Service:
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_SASKUTIL\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_SASKUTIL\0000
    Service:
    .
    ==== System Restore Points ===================
    .
    RP392: 3/11/2013 5:44:38 PM - System Checkpoint
    RP393: 3/12/2013 6:03:35 PM - System Checkpoint
    RP394: 3/12/2013 9:09:03 PM - Software Distribution Service 3.0
    RP395: 3/13/2013 5:32:08 PM - Software Distribution Service 3.0
    RP396: 3/14/2013 6:38:15 PM - System Checkpoint
    RP397: 3/16/2013 5:55:26 PM - System Checkpoint
    RP398: 3/17/2013 3:13:19 PM - Software Distribution Service 3.0
    RP399: 3/18/2013 4:01:53 PM - System Checkpoint
    RP400: 3/18/2013 7:46:03 PM - Software Distribution Service 3.0
    RP401: 3/20/2013 6:46:06 PM - System Checkpoint
    RP402: 3/23/2013 12:16:50 PM - System Checkpoint
    RP403: 3/23/2013 4:49:25 PM - Installed TurboTax 2012.
    RP404: 3/24/2013 5:41:41 PM - System Checkpoint
    RP405: 3/25/2013 8:31:33 PM - System Checkpoint
    RP406: 3/27/2013 6:19:57 PM - System Checkpoint
    RP407: 4/1/2013 6:13:11 PM - System Checkpoint
    RP408: 4/2/2013 7:17:02 PM - System Checkpoint
    RP409: 4/4/2013 5:25:40 PM - System Checkpoint
    RP410: 4/6/2013 3:24:47 PM - System Checkpoint
    RP411: 4/7/2013 9:53:28 PM - System Checkpoint
    RP412: 4/11/2013 9:59:40 PM - System Checkpoint
    RP413: 4/11/2013 10:09:30 PM - Software Distribution Service 3.0
    RP414: 4/12/2013 10:10:09 PM - System Checkpoint
    RP415: 4/19/2013 7:11:36 AM - Installed Java 7 Update 21
    RP416: 4/25/2013 6:45:12 PM - System Checkpoint
    RP417: 4/27/2013 9:27:37 AM - Installed FileCleaner
    RP418: 5/2/2013 5:43:46 PM - System Checkpoint
    RP419: 5/3/2013 7:11:15 PM - System Checkpoint
    RP420: 5/15/2013 9:41:51 PM - Software Distribution Service 3.0
    RP421: 5/25/2013 4:02:47 PM - System Checkpoint
    RP422: 6/9/2013 3:25:09 PM - System Checkpoint
    RP423: 6/9/2013 9:54:54 PM - Installed RegistryTool
    RP424: 6/9/2013 10:08:37 PM - Removed RegistryTool
    RP425: 6/10/2013 4:41:08 PM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.7)
    ALPS Touch Pad Driver
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft Software Suite
    AVG 2011
    AVG PC Tuneup 2011
    AVG Security Toolbar
    BitComet 1.31
    BlackBerry App World Browser Plugin
    BlackBerry Desktop Software 7.1
    BlackBerry Device Software v5.0.0 for the BlackBerry 8530 smartphone
    Bonjour
    Broadcom 440x 10/100 Integrated Controller
    BrowseToSave 1.74
    Conexant D110 MDC V.9x Modem
    Corel WordPerfect Suite 8
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Dell Wireless WLAN Card
    express-files Toolbar
    FileCleaner
    FrostWire 4.21.8
    FrostWire 5.5.5
    Garmin Communicator Plugin
    Garmin Lifetime Updater
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB2756822)
    Hotfix for Windows XP (KB2779562)
    Hotfix for Windows XP (KB961118)
    Intel RSX 3D
    Intel(R) Graphics Media Accelerator Driver for Mobile
    Intel(R) PROSet/Wireless Software
    iTunes
    Java 7 Update 21
    Java Auto Updater
    Java(TM) 6 Update 31
    Kobo
    Malwarebytes Anti-Malware version 1.75.0.1300
    mCore
    mDriver
    mDrWiFi
    Memeo AutoSync
    Memeo Backup Premium
    Memeo LifeAgent Explorer Extension
    Memeo Share
    mHlpDell
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 14
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    mIWA
    mLogView
    mMHouse
    Mozilla Firefox 20.0.1 (x86 en-US)
    Mozilla Maintenance Service
    mPfMgr
    mPfWiz
    mProSafe
    mSCfg
    mSSO
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser
    mWlsSafe
    mWMI
    mZConfig
    PHOTOfunSTUDIO -viewer-
    QuickTime
    Seagate Dashboard
    Search Assistant WebSearch 1.74
    Search Protect by conduit
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
    Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB2699988)
    Security Update for Windows Internet Explorer 8 (KB2722913)
    Security Update for Windows Internet Explorer 8 (KB2744842)
    Security Update for Windows Internet Explorer 8 (KB2761465)
    Security Update for Windows Internet Explorer 8 (KB2792100)
    Security Update for Windows Internet Explorer 8 (KB2797052)
    Security Update for Windows Internet Explorer 8 (KB2799329)
    Security Update for Windows Internet Explorer 8 (KB2809289)
    Security Update for Windows Internet Explorer 8 (KB2817183)
    Security Update for Windows Internet Explorer 8 (KB2829530)
    Security Update for Windows Internet Explorer 8 (KB2847204)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2655992)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2691442)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB2698365)
    Security Update for Windows XP (KB2705219)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB2712808)
    Security Update for Windows XP (KB2718523)
    Security Update for Windows XP (KB2719985)
    Security Update for Windows XP (KB2723135)
    Security Update for Windows XP (KB2724197)
    Security Update for Windows XP (KB2727528)
    Security Update for Windows XP (KB2731847)
    Security Update for Windows XP (KB2753842-v2)
    Security Update for Windows XP (KB2753842)
    Security Update for Windows XP (KB2757638)
    Security Update for Windows XP (KB2758857)
    Security Update for Windows XP (KB2761226)
    Security Update for Windows XP (KB2770660)
    Security Update for Windows XP (KB2778344)
    Security Update for Windows XP (KB2779030)
    Security Update for Windows XP (KB2780091)
    Security Update for Windows XP (KB2799494)
    Security Update for Windows XP (KB2802968)
    Security Update for Windows XP (KB2807986)
    Security Update for Windows XP (KB2808735)
    Security Update for Windows XP (KB2813170)
    Security Update for Windows XP (KB2813345)
    Security Update for Windows XP (KB2820197)
    Security Update for Windows XP (KB2820917)
    Security Update for Windows XP (KB2829361)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Shopping InContext
    Skype Toolbars
    Skype™ 5.10
    System Requirements Lab for Intel
    TurboTax 2010
    TurboTax 2011
    TurboTax 2012
    Unity Web Player
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2010 (KB2553092)
    Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB2661254-v2)
    Update for Windows XP (KB2718704)
    Update for Windows XP (KB2736233)
    Update for Windows XP (KB2749655)
    WeatherEye
    WebFldrs XP
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/9/2013 4:03:52 PM, error: w29n51 [5010] - Intel(R) PRO/Wireless 2200BG Network Connection : The adapter has returned an invalid value to the driver.
    6/9/2013 4:03:51 PM, error: w29n51 [5031] - Intel(R) PRO/Wireless 2200BG Network Connection : The adapter has detected an Adapter Check as a result of some unrecoverable hardware of software error. Please contact your service provider.
    6/7/2013 10:15:52 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    6/7/2013 10:14:55 AM, error: Print [23] - Printer Corel Barista failed to initialize because a suitable Corel Barista driver could not be found.
    6/5/2013 11:22:03 AM, error: PSched [14103] - QoS [Adapter {88E301D1-4F26-48FC-8F5F-DF514C1652C8}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.
    6/3/2013 11:25:00 PM, error: Dhcp [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 0012F001609A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    6/10/2013 8:47:12 PM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 0012F001609A has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    6/10/2013 12:28:42 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
    .
    ==== End Of File ===========================
     
  9. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    That was for MBAM. You did fine.

    Download RogueKiller for 32bit or Roguekiller for 64bit to your Desktop.
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    Create a new restore point before proceeding with the next step.
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt

    ===========================================================
    Note (very important): please do this step:
    If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
    • Internet access
    • Windows Update
    • Windows Firewall (if used)
    If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit, located in the mbar\plugins folder, and reboot.
    Verify that your system is now functioning normally.
     
  10. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Moira [Admin rights]
    Mode : Remove -- Date : 06/11/2013 18:31:12
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 2 ¤¤¤
    [SUSP PATH] WeatherEye.exe -- C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe [7] -> KILLED [TermProc]
    [SUSP PATH] cltmng.exe -- C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]
    ¤¤¤ Registry Entries : 6 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : WeatherEye (C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe) [7] -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe) [7] -> DELETED
    [RUN][SUSP PATH] HKUS\.DEFAULT[...]\Run : SearchProtect (C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe) -> DELETED
    [TASK][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\WINDOWS\TEMP\{E08EF165-469E-4748-A75B-D2C9A5745BAC}.exe --uninstall=1 [x] -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\n.) [x] -> REPLACED (C:\WINDOWS\system32\shell32.dll)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\@ [-] --> REMOVED
    [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\@ [-] --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\L --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\L --> REMOVED
    ¤¤¤ Driver : [LOADED] ¤¤¤
    ¤¤¤ Infection : ZeroAccess ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts
    127.0.0.1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: FUJITSU MHT2080AH +++++
    --- User ---
    [MBR] 01f1d403070826e5762f3c68781f8fec
    [BSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 73139 Mo
    2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 149902515 | Size: 3122 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    +++++ PhysicalDrive1: Seagate FreeAgent GoFlex USB Device +++++
    --- User ---
    [MBR] b33d5231a718db0b059f59a86c50436f
    [BSP] a8a1b53d0a8cc2eca0e247cab74be5ac : Empty MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[2]_D_06112013_02d1831.txt >>
    RKreport[1]_S_06112013_02d1829.txt ; RKreport[2]_D_06112013_02d1831.txt

    Pop-ups for Bad Image ran continuously when I did this scan, and Firefox opened up to tigzy.com.
     
  11. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    Sorry - this is Report #1
    RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Moira [Admin rights]
    Mode : Scan -- Date : 06/11/2013 18:29:01
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 2 ¤¤¤
    [SUSP PATH] WeatherEye.exe -- C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe [7] -> KILLED [TermProc]
    [SUSP PATH] cltmng.exe -- C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]
    ¤¤¤ Registry Entries : 9 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : WeatherEye (C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe) [7] -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe) [7] -> FOUND
    [RUN][SUSP PATH] HKUS\.DEFAULT[...]\Run : SearchProtect (C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-725345543-1229272821-839522115-1004[...]\Run : WeatherEye (C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe) [7] -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-725345543-1229272821-839522115-1004[...]\Run : SearchProtect (C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe) [7] -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-18[...]\Run : SearchProtect (C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe) -> FOUND
    [TASK][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\WINDOWS\TEMP\{E08EF165-469E-4748-A75B-D2C9A5745BAC}.exe --uninstall=1 [x] -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\n.) [x] -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\@ [-] --> FOUND
    [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\@ [-] --> FOUND
    [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\U --> FOUND
    [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\U --> FOUND
    [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\L --> FOUND
    [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\L --> FOUND
    ¤¤¤ Driver : [LOADED] ¤¤¤
    ¤¤¤ Infection : ZeroAccess ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts
    127.0.0.1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: FUJITSU MHT2080AH +++++
    --- User ---
    [MBR] 01f1d403070826e5762f3c68781f8fec
    [BSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 73139 Mo
    2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 149902515 | Size: 3122 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    +++++ PhysicalDrive1: Seagate FreeAgent GoFlex USB Device +++++
    --- User ---
    [MBR] b33d5231a718db0b059f59a86c50436f
    [BSP] a8a1b53d0a8cc2eca0e247cab74be5ac : Empty MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[1]_S_06112013_02d1829.txt >>
    RKreport[1]_S_06112013_02d1829.txt

    This is report #2

    RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Moira [Admin rights]
    Mode : Remove -- Date : 06/11/2013 18:31:12
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 2 ¤¤¤
    [SUSP PATH] WeatherEye.exe -- C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe [7] -> KILLED [TermProc]
    [SUSP PATH] cltmng.exe -- C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]
    ¤¤¤ Registry Entries : 6 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : WeatherEye (C:\Documents and Settings\Moira\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe) [7] -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Moira\Application Data\SearchProtect\bin\cltmng.exe) [7] -> DELETED
    [RUN][SUSP PATH] HKUS\.DEFAULT[...]\Run : SearchProtect (C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe) -> DELETED
    [TASK][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\WINDOWS\TEMP\{E08EF165-469E-4748-A75B-D2C9A5745BAC}.exe --uninstall=1 [x] -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\n.) [x] -> REPLACED (C:\WINDOWS\system32\shell32.dll)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\@ [-] --> REMOVED
    [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\@ [-] --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc\L --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc\L --> REMOVED
    ¤¤¤ Driver : [LOADED] ¤¤¤
    ¤¤¤ Infection : ZeroAccess ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts
    127.0.0.1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: FUJITSU MHT2080AH +++++
    --- User ---
    [MBR] 01f1d403070826e5762f3c68781f8fec
    [BSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 73139 Mo
    2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 149902515 | Size: 3122 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    +++++ PhysicalDrive1: Seagate FreeAgent GoFlex USB Device +++++
    --- User ---
    [MBR] b33d5231a718db0b059f59a86c50436f
    [BSP] a8a1b53d0a8cc2eca0e247cab74be5ac : Empty MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[2]_D_06112013_02d1831.txt >>
    RKreport[1]_S_06112013_02d1829.txt ; RKreport[2]_D_06112013_02d1831.txt
     
     
  12. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    So I downloaded MBAR - unzipped it and now I get the following message:

    "Probable rootkit activity detected.
    Registry Value "AppInit_Dlls" has been found, which may be caused by rootkit activity.

    Note: press "No" if you're not sure. If the tool crashes or terminates unexpectedly during a system scan, restart the tool and press "Yes" should this message appear again.

    Do you want to remove this value a restart the tool ?"

    What does this mean? Where is this in the instructions? Do I proceed?
     
  13. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Instructions are right on your screen :)
     
  14. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    This is the MBAR Log:

    Malwarebytes Anti-Rootkit BETA 1.06.0.1003
    www.malwarebytes.org
    Database version: v2013.06.11.08
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Moira :: MOIRA-9AEF92C25 [administrator]
    6/11/2013 6:59:53 PM
    mbar-log-2013-06-11 (18-59-53).txt
    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
    Scan options disabled: Deep Anti-Rootkit Scan | PUP
    Objects scanned: 214583
    Time elapsed: 31 minute(s), 33 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 1
    HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot.
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 2
    c:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc (Trojan.Siredef.C) -> Delete on reboot.
    c:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc (Trojan.Siredef.C) -> Delete on reboot.
    Files Detected: 0
    (No malicious items detected)
    Physical Sectors Detected: 0
    (No malicious items detected)
    (end)
     
  15. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    This is the system-log:

    --------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.06.0.1003
    (c) Malwarebytes Corporation 2011-2012
    OS version: 5.1.2600 Windows XP Service Pack 3 x86
    Account is Administrative
    Internet Explorer version: 8.0.6001.18702
    Java version: 1.6.0_31
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 1.596000 GHz
    Memory total: 2138435584, free: 1396137984
    Downloaded database version: v2013.06.11.08
    Downloaded database version: v2013.05.22.01
    Initializing...
    ------------ Kernel report ------------
    06/11/2013 18:59:40
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    ACPI.sys
    \WINDOWS\system32\DRIVERS\WMILIB.SYS
    pci.sys
    isapnp.sys
    ohci1394.sys
    \WINDOWS\system32\DRIVERS\1394BUS.SYS
    compbatt.sys
    \WINDOWS\system32\DRIVERS\BATTC.SYS
    PCIIde.sys
    \WINDOWS\System32\Drivers\PCIIDEX.SYS
    intelide.sys
    pcmcia.sys
    MountMgr.sys
    ftdisk.sys
    PartMgr.sys
    VolSnap.sys
    atapi.sys
     
  16. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    This is the MBAR Log after the 2nd scan:

    Malwarebytes Anti-Rootkit BETA 1.06.0.1003
    www.malwarebytes.org
    Database version: v2013.06.11.08
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Moira :: MOIRA-9AEF92C25 [administrator]
    6/11/2013 7:33:32 PM
    mbar-log-2013-06-11 (19-33-32).txt
    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
    Scan options disabled: Deep Anti-Rootkit Scan | PUP
    Objects scanned: 214548
    Time elapsed: 28 minute(s),
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    Physical Sectors Detected: 0
    (No malicious items detected)
    (end)
     
  17. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    System-log is incomplete and you should have more than one.
    Please repost.
     
  18. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    This is the MBAR first log:

    Malwarebytes Anti-Rootkit BETA 1.06.0.1003
    www.malwarebytes.org
    Database version: v2013.06.11.08
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Moira :: MOIRA-9AEF92C25 [administrator]
    6/11/2013 6:59:53 PM
    mbar-log-2013-06-11 (18-59-53).txt
    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
    Scan options disabled: Deep Anti-Rootkit Scan | PUP
    Objects scanned: 214583
    Time elapsed: 31 minute(s), 33 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 1
    HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot.
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 2
    c:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc (Trojan.Siredef.C) -> Delete on reboot.
    c:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc (Trojan.Siredef.C) -> Delete on reboot.
    Files Detected: 0
    (No malicious items detected)
    Physical Sectors Detected: 0
    (No malicious items detected)
    (end)
     
  19. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    This is the system-log:

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.06.0.1003
    (c) Malwarebytes Corporation 2011-2012
    OS version: 5.1.2600 Windows XP Service Pack 3 x86
    Account is Administrative
    Internet Explorer version: 8.0.6001.18702
    Java version: 1.6.0_31
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 1.596000 GHz
    Memory total: 2138435584, free: 1396137984
    Downloaded database version: v2013.06.11.08
    Downloaded database version: v2013.05.22.01
    Initializing...
    ------------ Kernel report ------------
    06/11/2013 18:59:40
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    ACPI.sys
    \WINDOWS\system32\DRIVERS\WMILIB.SYS
    pci.sys
    isapnp.sys
    ohci1394.sys
    \WINDOWS\system32\DRIVERS\1394BUS.SYS
    compbatt.sys
    \WINDOWS\system32\DRIVERS\BATTC.SYS
    PCIIde.sys
    \WINDOWS\System32\Drivers\PCIIDEX.SYS
    intelide.sys
    pcmcia.sys
    MountMgr.sys
    ftdisk.sys
    PartMgr.sys
    VolSnap.sys
    atapi.sys
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltmgr.sys
    sr.sys
    KSecDD.sys
    WudfPf.sys
    Ntfs.sys
    NDIS.sys
    Mup.sys
    avgrkx86.sys
    AVGIDSEH.Sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\ialmnt5.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
    \SystemRoot\system32\DRIVERS\nic1394.sys
    \SystemRoot\system32\DRIVERS\sdbus.sys
    \SystemRoot\system32\DRIVERS\w29n51.sys
    \SystemRoot\system32\drivers\STAC97.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\HSFHWICH.sys
    \SystemRoot\system32\DRIVERS\HSF_DP.sys
    \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    \SystemRoot\System32\Drivers\Modem.SYS
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\Apfiltr.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\system32\DRIVERS\avgfwdx.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\System32\Drivers\RootMdm.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\psched.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\system32\DRIVERS\RimSerial.sys
    \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    \SystemRoot\System32\Drivers\wdf01000.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\avgmfx86.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \??\C:\WINDOWS\system32\drivers\avgtpx86.sys
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\DRIVERS\avgtdix.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\arp1394.sys
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \SystemRoot\system32\DRIVERS\avgldx86.sys
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\ialmdnt5.dll
    \SystemRoot\System32\ialmrnt5.dll
    \SystemRoot\System32\ialmdev5.DLL
    \SystemRoot\System32\ialmdd5.DLL
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\AegisP.sys
    \SystemRoot\system32\DRIVERS\s24trans.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\mrxdav.sys
    \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
    \SystemRoot\system32\drivers\wdmaud.sys
    \SystemRoot\system32\drivers\sysaudio.sys
    \SystemRoot\system32\DRIVERS\srv.sys
    \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
    \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \SystemRoot\system32\drivers\kmixer.sys
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    Done!
    >> Upper Device Name: \Device\Harddisk1\DR4
    Upper Device Object: 0xffffffff8a8e38a0
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000093\
    Lower Device Object: 0xffffffff8a7ba030
    Lower Device Driver Name: \Driver\USBSTOR\
    >> Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8aa64ab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
    Lower Device Object: 0xffffffff8aa6f940
    Lower Device Driver Name: \Driver\atapi\
    >> Device number: 0, partition: 2
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8aa64ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8aad52a8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8aa64ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8aa6f940, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    >> Volume: C: File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    >> Device number: 0, partition: 2
    >> Volume: C: File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\system32\drivers...
    >> Device number: 0, partition: 2
    >> Volume: C: File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: D0F4738C
    Partition information:
    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 112392
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 112455 Numsec = 149790060
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is Other (0xdb)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 149902515 Numsec = 6393870
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 80026361856 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-62-156281488-156301488)...
    Done!
    Physical Sector Size: 512
    Drive: 1, DevicePointer: 0xffffffff8a8e38a0, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8a8e84f8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8a8e38a0, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8a7ba030, DeviceName: \Device\00000093\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 3D1432A6
    Partition information:
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 976768002
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 500107861504 bytes
    Sector size: 512 bytes
    Done!
    Read File: File "c:\documents and settings\all users\application data\avg10\chjw\22947d2d947d0497.dat:aa06516e-8576-4d21-a06a-851832df2073" is sparse (flags = 32768)
    Infected: HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} --> [Hijack.Trojan.Siredef.C]
    Infected: c:\RECYCLER\S-1-5-18\$f7a85870c31c53f4de916c4160caf2dc --> [Trojan.Siredef.C]
    Infected: c:\RECYCLER\S-1-5-21-725345543-1229272821-839522115-1004\$f7a85870c31c53f4de916c4160caf2dc --> [Trojan.Siredef.C]
    Scan finished
    Creating System Restore point...
    Cleaning up...
    Executing an action fixdamage.exe... Success!
    Queuing an action fixdamage.exe
    Removal successful. No system shutdown is required.
    =======================================
    Removal queue found; removal started
    Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
    Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_0_1_112455_i.mbam...
    Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
    Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_1_i.mbam...
    Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_1_r.mbam...
    Removal finished
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.06.0.1003
    (c) Malwarebytes Corporation 2011-2012
    OS version: 5.1.2600 Windows XP Service Pack 3 x86
    Account is Administrative
    Internet Explorer version: 8.0.6001.18702
    Java version: 1.6.0_31
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 1.596000 GHz
    Memory total: 2138435584, free: 1350393856
    Initializing...
------------ Kernel report ------------ 06/11/2013 19:33:20 ------------ Loaded modules ----------- \WINDOWS\system32\ntkrnlpa.exe \WINDOWS\system32\hal.dll \WINDOWS\system32\KDCOM.DLL \WINDOWS\system32\BOOTVID.dll ACPI.sys \WINDOWS\system32\DRIVERS\WMILIB.SYS pci.sys isapnp.sys ohci1394.sys \WINDOWS\system32\DRIVERS\1394BUS.SYS compbatt.sys \WINDOWS\system32\DRIVERS\BATTC.SYS PCIIde.sys \WINDOWS\System32\Drivers\PCIIDEX.SYS intelide.sys pcmcia.sys MountMgr.sys ftdisk.sys PartMgr.sys VolSnap.sys atapi.sys disk.sys \WINDOWS\system32\DRIVERS\CLASSPNP.SYS fltmgr.sys sr.sys KSecDD.sys WudfPf.sys Ntfs.sys NDIS.sys Mup.sys avgrkx86.sys AVGIDSEH.Sys \SystemRoot\system32\DRIVERS\intelppm.sys \SystemRoot\system32\DRIVERS\CmBatt.sys \SystemRoot\system32\DRIVERS\ialmnt5.sys \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS \SystemRoot\system32\DRIVERS\usbuhci.sys \SystemRoot\system32\DRIVERS\USBPORT.SYS \SystemRoot\system32\DRIVERS\usbehci.sys \SystemRoot\system32\DRIVERS\bcm4sbxp.sys \SystemRoot\system32\DRIVERS\nic1394.sys \SystemRoot\system32\DRIVERS\sdbus.sys \SystemRoot\system32\DRIVERS\w29n51.sys \SystemRoot\system32\drivers\STAC97.sys \SystemRoot\system32\drivers\portcls.sys \SystemRoot\system32\drivers\drmk.sys \SystemRoot\system32\drivers\ks.sys \SystemRoot\system32\DRIVERS\HSFHWICH.sys \SystemRoot\system32\DRIVERS\HSF_DP.sys \SystemRoot\system32\DRIVERS\HSF_CNXT.sys \SystemRoot\System32\Drivers\Modem.SYS \SystemRoot\system32\DRIVERS\i8042prt.sys \SystemRoot\system32\DRIVERS\Apfiltr.sys \SystemRoot\system32\DRIVERS\mouclass.sys \SystemRoot\system32\DRIVERS\kbdclass.sys \SystemRoot\system32\DRIVERS\cdrom.sys \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys \SystemRoot\system32\DRIVERS\avgfwdx.sys \SystemRoot\system32\DRIVERS\audstub.sys \SystemRoot\System32\Drivers\RootMdm.sys \SystemRoot\system32\DRIVERS\rasl2tp.sys \SystemRoot\system32\DRIVERS\ndistapi.sys \SystemRoot\system32\DRIVERS\ndiswan.sys \SystemRoot\system32\DRIVERS\raspppoe.sys \SystemRoot\system32\DRIVERS\raspptp.sys 
\SystemRoot\system32\DRIVERS\TDI.SYS \SystemRoot\system32\DRIVERS\psched.sys \SystemRoot\system32\DRIVERS\msgpc.sys \SystemRoot\system32\DRIVERS\ptilink.sys \SystemRoot\system32\DRIVERS\raspti.sys \SystemRoot\system32\DRIVERS\RimSerial.sys \SystemRoot\system32\DRIVERS\WDFLDR.SYS \SystemRoot\System32\Drivers\wdf01000.sys \SystemRoot\system32\DRIVERS\termdd.sys \SystemRoot\system32\DRIVERS\swenum.sys \SystemRoot\system32\DRIVERS\update.sys \SystemRoot\system32\DRIVERS\mssmbios.sys \SystemRoot\System32\Drivers\NDProxy.SYS \SystemRoot\system32\DRIVERS\usbhub.sys \SystemRoot\system32\DRIVERS\USBD.SYS \SystemRoot\system32\DRIVERS\avgmfx86.sys \SystemRoot\System32\Drivers\Fs_Rec.SYS \SystemRoot\System32\Drivers\Null.SYS \SystemRoot\System32\Drivers\Beep.SYS \??\C:\WINDOWS\system32\drivers\avgtpx86.sys \SystemRoot\System32\drivers\vga.sys \SystemRoot\System32\Drivers\mnmdd.SYS \SystemRoot\System32\DRIVERS\RDPCDD.sys \SystemRoot\System32\Drivers\Msfs.SYS \SystemRoot\System32\Drivers\Npfs.SYS \SystemRoot\system32\DRIVERS\rasacd.sys \SystemRoot\system32\DRIVERS\ipsec.sys \SystemRoot\system32\DRIVERS\tcpip.sys \SystemRoot\system32\DRIVERS\avgtdix.sys \SystemRoot\system32\DRIVERS\wanarp.sys \SystemRoot\system32\DRIVERS\arp1394.sys \SystemRoot\system32\DRIVERS\netbt.sys \SystemRoot\System32\drivers\afd.sys \SystemRoot\system32\DRIVERS\netbios.sys \SystemRoot\system32\DRIVERS\rdbss.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys \SystemRoot\System32\Drivers\Fips.SYS \SystemRoot\system32\DRIVERS\avgldx86.sys \SystemRoot\system32\DRIVERS\hidusb.sys \SystemRoot\system32\DRIVERS\HIDCLASS.SYS \SystemRoot\system32\DRIVERS\HIDPARSE.SYS \SystemRoot\system32\DRIVERS\USBSTOR.SYS \SystemRoot\system32\DRIVERS\mouhid.sys \SystemRoot\System32\Drivers\Cdfs.SYS \SystemRoot\System32\Drivers\dump_atapi.sys \SystemRoot\System32\Drivers\dump_WMILIB.SYS \SystemRoot\System32\win32k.sys \SystemRoot\System32\drivers\Dxapi.sys \SystemRoot\System32\watchdog.sys \SystemRoot\System32\drivers\dxg.sys 
\SystemRoot\System32\drivers\dxgthk.sys \SystemRoot\System32\ialmdnt5.dll \SystemRoot\System32\ialmrnt5.dll \SystemRoot\System32\ialmdev5.DLL \SystemRoot\System32\ialmdd5.DLL \SystemRoot\System32\ATMFD.DLL \SystemRoot\system32\DRIVERS\AegisP.sys \SystemRoot\system32\DRIVERS\s24trans.sys \SystemRoot\system32\DRIVERS\ndisuio.sys \SystemRoot\system32\DRIVERS\mrxdav.sys \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys \SystemRoot\system32\drivers\wdmaud.sys \SystemRoot\system32\drivers\sysaudio.sys \SystemRoot\system32\DRIVERS\srv.sys \SystemRoot\system32\DRIVERS\mdmxsdk.sys \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys \SystemRoot\System32\Drivers\HTTP.sys \SystemRoot\system32\DRIVERS\asyncmac.sys \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys \SystemRoot\system32\DRIVERS\ipnat.sys \SystemRoot\system32\drivers\kmixer.sys \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys \WINDOWS\system32\ntdll.dll ----------- End ----------- Done! >> Upper Device Name: \Device\Harddisk1\DR4 Upper Device Object: 0xffffffff8a8e38a0 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\00000093\ Lower Device Object: 0xffffffff8a7ba030 Lower Device Driver Name: \Driver\USBSTOR\ >> Upper Device Name: \Device\Harddisk0\DR0 Upper Device Object: 0xffffffff8aa64ab8 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\ Lower Device Object: 0xffffffff8aa6f940 Lower Device Driver Name: \Driver\atapi\ >> Device number: 0, partition: 2 Physical Sector Size: 512 Drive: 0, DevicePointer: 0xffffffff8aa64ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xffffffff8aad52a8, DeviceName: Unknown, DriverName: \Driver\PartMgr\ DevicePointer: 0xffffffff8aa64ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ DevicePointer: 0xffffffff8aa6f940, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\ ------------ End ---------- 
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ Upper DeviceData: 0x0, 0x0, 0x0 Lower DeviceData: 0x0, 0x0, 0x0 >> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes >> Device number: 0, partition: 2 >> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Scanning drivers directory: C:\WINDOWS\system32\drivers... >> Device number: 0, partition: 2 >> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Done! Drive 0 Scanning MBR on drive 0... Inspecting partition table: MBR Signature: 55AA Disk Signature: D0F4738C Partition information: Partition 0 type is Other (0xde) Partition is NOT ACTIVE. Partition starts at LBA: 63 Numsec = 112392 Partition 1 type is Primary (0x7) Partition is ACTIVE. Partition starts at LBA: 112455 Numsec = 149790060 Partition file system is NTFS Partition is bootable Partition 2 type is Other (0xdb) Partition is NOT ACTIVE. Partition starts at LBA: 149902515 Numsec = 6393870 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Disk Size: 80026361856 bytes Sector size: 512 bytes Scanning physical sectors of unpartitioned space on drive 0 (1-62-156281488-156301488)... Done! 
Physical Sector Size: 512 Drive: 1, DevicePointer: 0xffffffff8a8e38a0, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xffffffff8a8e84f8, DeviceName: Unknown, DriverName: \Driver\PartMgr\ DevicePointer: 0xffffffff8a8e38a0, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\ DevicePointer: 0xffffffff8a7ba030, DeviceName: \Device\00000093\, DriverName: \Driver\USBSTOR\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\ Upper DeviceData: 0x0, 0x0, 0x0 Lower DeviceData: 0x0, 0x0, 0x0 Drive 1 Scanning MBR on drive 1... Inspecting partition table: MBR Signature: 55AA Disk Signature: 3D1432A6 Partition information: Partition 0 type is Primary (0x7) Partition is NOT ACTIVE. Partition starts at LBA: 63 Numsec = 976768002 Partition 1 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 2 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Disk Size: 500107861504 bytes Sector size: 512 bytes Done! Read File: File "c:\documents and settings\all users\application data\avg10\chjw\22947d2d947d0497.dat:aa06516e-8576-4d21-a06a-851832df2073" is sparse (flags = 32768) Scan finished ======================================= Removal queue found; removal started Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_i.mbam... Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_0_1_112455_i.mbam... Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_r.mbam... Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_1_i.mbam... 
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_1_r.mbam... Removal finished
     
  20. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    This is the second MBAR log after the second scan:

    Malwarebytes Anti-Rootkit BETA 1.06.0.1003
    www.malwarebytes.org
    Database version: v2013.06.11.08
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Moira :: MOIRA-9AEF92C25 [administrator]
    6/11/2013 7:33:32 PM
    mbar-log-2013-06-11 (19-33-32).txt
    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
    Scan options disabled: Deep Anti-Rootkit Scan | PUP
    Objects scanned: 214548
    Time elapsed: 28 minute(s),
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    Physical Sectors Detected: 0
    (No malicious items detected)
    (end)
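The "Inspecting partition table" blocks MBAR printed for drive 0 and drive 1 in the logs above are what an anti-rootkit scanner uses to decide where to look for code that lives outside any filesystem: the sectors before the first partition and after the last one, which is why the log reports a scan of "unpartitioned space". The script below is an added example, not part of this thread and not Malwarebytes' own code. It parses a partition dump in the flattened form the forum rendered it in, checks that the entries do not overlap or run past the end of the disk, reports which entry is marked active, and computes the unpartitioned sector ranges. The two sample inputs are the drive 0 and drive 1 dumps from the log above; the regular expressions match only the line shapes MBAR printed there, so a differently formatted dump would need them adjusted.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the drive 0 and drive 1 partition dumps from the MBAR
# log posted in this thread, with the line breaks collapsed as the forum rendered them.
SAMPLE_DRIVE0 = (
    "Drive 0 Scanning MBR on drive 0... Inspecting partition table: MBR Signature: 55AA "
    "Disk Signature: D0F4738C Partition information: "
    "Partition 0 type is Other (0xde) Partition is NOT ACTIVE. Partition starts at LBA: 63 Numsec = 112392 "
    "Partition 1 type is Primary (0x7) Partition is ACTIVE. Partition starts at LBA: 112455 Numsec = 149790060 "
    "Partition file system is NTFS Partition is bootable "
    "Partition 2 type is Other (0xdb) Partition is NOT ACTIVE. Partition starts at LBA: 149902515 Numsec = 6393870 "
    "Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 "
    "Disk Size: 80026361856 bytes Sector size: 512 bytes"
)
SAMPLE_DRIVE1 = (
    "Drive 1 Scanning MBR on drive 1... Inspecting partition table: MBR Signature: 55AA "
    "Disk Signature: 3D1432A6 Partition information: "
    "Partition 0 type is Primary (0x7) Partition is NOT ACTIVE. Partition starts at LBA: 63 Numsec = 976768002 "
    "Partition 1 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 "
    "Partition 2 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 "
    "Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 "
    "Disk Size: 500107861504 bytes Sector size: 512 bytes"
)

# One MBR slot as MBAR prints it: index, type name, type id, active flag, start LBA, sector count.
PART_RE = re.compile(
    r"Partition (\d) type is (\w+) \((0x[0-9a-fA-F]+)\) Partition is (ACTIVE|NOT ACTIVE)\. "
    r"Partition starts at LBA: (\d+) Numsec = (\d+)"
)
DISK_RE = re.compile(r"Disk Size: (\d+) bytes Sector size: (\d+) bytes")


@dataclass
class Partition:
    index: int
    type_name: str
    type_id: int
    active: bool
    start: int
    count: int

    @property
    def end(self):
        """Last sector of the partition, inclusive."""
        return self.start + self.count - 1


def parse_partition_table(text):
    """Return (total sectors on the disk, list of the four MBR slots)."""
    m = DISK_RE.search(text)
    if not m:
        raise ValueError("no 'Disk Size' line found")
    disk_sectors = int(m.group(1)) // int(m.group(2))
    parts = [
        Partition(int(i), name, int(tid, 16), act == "ACTIVE", int(start), int(count))
        for i, name, tid, act, start, count in PART_RE.findall(text)
    ]
    return disk_sectors, parts


def analyze(text):
    """Sanity-check the table and list sector ranges no partition claims."""
    disk_sectors, parts = parse_partition_table(text)
    used = sorted((p for p in parts if p.count), key=lambda p: p.start)
    overlaps, out_of_bounds, gaps = [], [], []
    # Sector 0 holds the MBR itself, so the first candidate hiding place is sector 1.
    cursor = 1
    for a, b in zip(used, used[1:]):
        if b.start <= a.end:
            overlaps.append((a.index, b.index))
    for p in used:
        if p.end >= disk_sectors:
            out_of_bounds.append(p.index)
        if p.start > cursor:
            gaps.append((cursor, p.start - 1))
        cursor = max(cursor, p.end + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return {
        "disk_sectors": disk_sectors,
        "active": [p.index for p in parts if p.active],
        "overlaps": overlaps,
        "out_of_bounds": out_of_bounds,
        "gaps": gaps,
    }


if __name__ == "__main__":
    for label, dump in (("drive 0", SAMPLE_DRIVE0), ("drive 1", SAMPLE_DRIVE1)):
        print(label, analyze(dump))
```

On the drive 0 dump this reports the gap 1-62 before the Dell utility partition and a second gap from sector 156296385 to the end of the disk; drive 1 (the USB disk) has no active partition at all, which is normal for a data disk. Note that the second range MBAR itself printed for drive 0 (156281488-156301488) begins before partition 2 ends, so MBAR's tail window is evidently not just the table gap this script computes.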
     
  21. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there, use the restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
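Broni's instructions end with a request for C:\ComboFix.txt. What a helper does with the "Reg Loading Points" and "Supplementary Scan" sections of that report is mostly pattern matching: autorun entries launched from a user-writable profile directory, one CLSID registered as URLSearchHook, BHO and toolbar at the same time, Security Center told to ignore the antivirus, the firewall policy switched off, and IE and Firefox start or search settings pointing at the same unfamiliar host. The script below is an added example, not code from this thread or from ComboFix; it applies those rules to a constructed excerpt whose lines are in the format ComboFix emits (the sample lines are copied from the ComboFix log posted later in this thread). The rule set and the finding categories are my own, not ComboFix's.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in ComboFix's report format. The lines are taken from the
# ComboFix log posted in this thread, trimmed to the entries the rules below inspect.
SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88ac3cb6-596b-4217-964c-b6757ef9602d}"= "c:\program files\express-files\prxtbexp2.dll" [2013-05-20 231712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{88ac3cb6-596b-4217-964c-b6757ef9602d}]
2013-05-20 09:21 231712 ----a-w- c:\program files\express-files\prxtbexp2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88ac3cb6-596b-4217-964c-b6757ef9602d}"= "c:\program files\express-files\prxtbexp2.dll" [2013-05-20 231712]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2010-01-16 717696]
"SearchProtect"="c:\documents and settings\Moira\Application Data\SearchProtect\bin\cltmng.exe" [2013-05-08 2852640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"SearchProtectAll"="c:\program files\SearchProtect\bin\cltmng.exe" [2013-05-08 2852640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
uStart Page = hxxp://www.canada.com/news/index.html
mStart Page = hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA&l=1&q=
"""

GUID_RE = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
# ComboFix defangs URLs as hxxp://; capture the setting name and the host.
URL_RE = re.compile(r"^(.*?(?:Start Page|defaulturl))\s*[-=]\s*hxxps?://([^/\s]+)", re.I)
USER_PROFILE_RE = re.compile(r"\\documents and settings\\[^\\]+\\application data\\", re.I)
BROWSER_SECTIONS = ("urlsearchhooks", "browser helper objects", "toolbar")


def _section_kind(key):
    """Which browser-extension registration point a registry key belongs to, or ''."""
    k = key.lower()
    for name in BROWSER_SECTIONS:
        if name in k:
            return name
    return ""


def triage_combofix(text):
    """Return a list of (category, detail) findings for a ComboFix report excerpt."""
    findings = []
    guid_sections = defaultdict(set)   # CLSID -> registration points it appears under
    hosts = Counter()
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)
            # A BHO is registered by naming the CLSID as a subkey, so check the key itself.
            kind = _section_kind(current_key)
            if kind:
                for g in GUID_RE.findall(current_key):
                    guid_sections[g.lower()].add(kind)
            continue
        key_l = current_key.lower()
        if "security center" in key_l and line.startswith('"AntiVirusOverride"=dword:00000001'):
            findings.append(("security-center", "AntiVirusOverride=1: Security Center told to stop monitoring the antivirus"))
        elif "firewallpolicy" in key_l and line.startswith('"EnableFirewall"= 0'):
            findings.append(("firewall", "EnableFirewall=0 in " + current_key))
        elif key_l.endswith("\\currentversion\\run"):
            rv = RUN_VALUE_RE.match(line)
            if rv and USER_PROFILE_RE.search(rv.group(2)):
                findings.append(("autorun-user-profile", f"{rv.group(1)} -> {rv.group(2)}"))
        kind = _section_kind(current_key)
        if kind:
            for g in GUID_RE.findall(line):
                guid_sections[g.lower()].add(kind)
        um = URL_RE.match(line)
        if um:
            hosts[um.group(2).lower()] += 1
            findings.append(("browser-url", f"{um.group(1)} host={um.group(2)}"))
    for g, kinds in guid_sections.items():
        if len(kinds) >= 2:
            findings.append(("browser-hijack-clsid", f"{g} registered as {', '.join(sorted(kinds))}"))
    for host, n in hosts.items():
        if n >= 2:   # same host set as start page and as default search engine
            findings.append(("search-redirect", host))
    return findings


if __name__ == "__main__":
    for category, detail in triage_combofix(SAMPLE_COMBOFIX):
        print(f"{category:22s} {detail}")
```

Run on the excerpt, it flags the SearchProtect autorun living under the user's Application Data, the express-files CLSID wired into all three IE extension points, AntiVirusOverride=1, the disabled firewall profile, and websearch.pu-results.info as both the IE machine start page and the Firefox default search URL. The rules are deliberately literal: they match the strings ComboFix prints rather than querying the registry, so the script can be run on a posted log offline.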
     
  22. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    So, I have AVG Internet Security 2011 ver. 10.0.1432.
    You are telling me to delete it with AppRemover and then we will reinstall later?
    I have a licence # for this version of AVG, how will I be able to reinstall the 2011 version with this same licence #?
    I am concerned that by deleting AVG I will be stuck paying for a newer version of it.
    Thanks!
     
  23. Broni

    Broni Malware Annihilator Posts: 46,868   +254

  24. Quadrinity

    Quadrinity TS Rookie Topic Starter Posts: 34

    Can I now re-install AVG?

    Here's the log from ComboFix:


    ComboFix 13-06-12.01 - Moira 06/12/2013 18:24:41.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1332 [GMT -5:00]
    Running from: c:\documents and settings\Moira\Desktop\ComboFix.exe
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Thumbs.db
    c:\windows\EventSystem.log
    c:\windows\system32\roboot.exe
    c:\windows\winhelp.ini
    .
    ---- Previous Run -------
    .
    c:\documents and settings\All Users\Application Data\SSEyaarch-NNewTaab
    c:\documents and settings\All Users\Application Data\SSEyaarch-NNewTaab\51461cd156b65.tlb
    c:\documents and settings\All Users\Application Data\SSEyaarch-NNewTaab\settings.ini
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Moira\Application Data\PriceGong
    c:\documents and settings\Moira\Application Data\PriceGong\Data\1.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\17672.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\2085.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\22249.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\2256.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\2620.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\4436.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\4489.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\a.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\b.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\c.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\d.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\e.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\f.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\g.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\h.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\I.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\j.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\k.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\l.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\m.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\n.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\o.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\p.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\q.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\r.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\s.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\t.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\u.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\v.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\w.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\wlu.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\x.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\y.txt
    c:\documents and settings\Moira\Application Data\PriceGong\Data\z.txt
    C:\install.exe
    c:\windows\system32\Cache
    c:\windows\system32\Cache\0d9416ab3d8fbf3a.fb
    c:\windows\system32\Cache\0dbbc8b07811e75d.fb
    c:\windows\system32\Cache\26c630d098e22dd5.fb
    c:\windows\system32\Cache\272512937d9e61a4.fb
    c:\windows\system32\Cache\287204568329e189.fb
    c:\windows\system32\Cache\28bc8f716fd76a47.fb
    c:\windows\system32\Cache\2c53092c95605355.fb
    c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
    c:\windows\system32\Cache\32c84fe32bb74d60.fb
    c:\windows\system32\Cache\3917078cb68ec657.fb
    c:\windows\system32\Cache\590ba23ce359fd0c.fb
    c:\windows\system32\Cache\5ba97b0e5611ee1d.fb
    c:\windows\system32\Cache\610289e025a3ee9a.fb
    c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
    c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
    c:\windows\system32\Cache\6d03dad1035885d3.fb
    c:\windows\system32\Cache\73b895551a1e90ae.fb
    c:\windows\system32\Cache\95f567698be8a182.fb
    c:\windows\system32\Cache\a8556537add6dfc5.fb
    c:\windows\system32\Cache\ad10a52aff5e038d.fb
    c:\windows\system32\Cache\b0853efdc692de39.fb
    c:\windows\system32\Cache\bbb1e7346d9a4c71.fb
    c:\windows\system32\Cache\c1fa887b03019701.fb
    c:\windows\system32\Cache\c4d28dca2e7648be.fb
    c:\windows\system32\Cache\d201ef9910cd39de.fb
    c:\windows\system32\Cache\d2e94710a5708128.fb
    c:\windows\system32\Cache\d79b9dfe81484ec4.fb
    c:\windows\system32\Cache\d8c7b83cc2962142.fb
    c:\windows\system32\Cache\d9d79cedd8055ad0.fb
    c:\windows\system32\Cache\e0de16f883bea794.fb
    c:\windows\system32\Cache\e8b1c7a84abc6d93.fb
    c:\windows\system32\Cache\f998975c9cc711ee.fb
    c:\windows\system32\Cache\ff112ce7af4d4e83.fb
    c:\windows\system32\SETE2.tmp
    c:\windows\system32\SETE7.tmp
    F:\Autorun.inf
    F:\Setup.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-05-12 to 2013-06-12 )))))))))))))))))))))))))))))))
    .
    .
    2013-06-12 23:14 . 2013-06-12 23:14 -------- d-----w- c:\windows\LastGood
    2013-06-12 23:05 . 2013-06-12 23:05 -------- d-----w- c:\documents and settings\Moira\Application Data\TuneUp Software
    2013-06-11 23:59 . 2013-06-12 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
    2013-06-10 17:03 . 2013-04-04 19:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-06-10 17:03 . 2013-06-10 17:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-06-10 16:31 . 2013-06-10 16:31 -------- d-----w- c:\documents and settings\Moira\Application Data\Foresight Software
    2013-06-10 16:31 . 2013-06-10 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Foresight Software
    2013-06-10 02:55 . 2013-06-10 03:03 -------- d-----w- c:\documents and settings\Moira\Application Data\RegistryTool
    2013-06-10 02:54 . 2013-06-10 03:08 -------- d-----w- c:\program files\RegistryTool
    2013-06-03 02:20 . 2013-06-03 02:26 -------- d-----w- c:\program files\Common Files\XCPCSync.OEM
    2013-05-24 02:49 . 2013-05-24 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-06-12 00:07 . 2012-04-16 12:15 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-06-12 00:07 . 2011-05-25 12:16 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-05-07 22:30 . 2004-08-04 00:56 920064 ----a-w- c:\windows\system32\wininet.dll
    2013-05-07 22:30 . 2004-08-04 00:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2013-05-07 22:30 . 2004-08-04 00:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2013-05-07 21:53 . 2004-08-03 22:59 385024 ----a-w- c:\windows\system32\html.iec
    2013-05-03 01:26 . 2004-08-03 23:20 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-05-03 00:38 . 2004-08-03 22:59 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-04-10 01:31 . 2004-08-03 23:17 1876352 ----a-w- c:\windows\system32\win32k.sys
    2013-04-04 10:35 . 2013-04-19 12:14 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2013-04-17 23:01 . 2013-04-17 23:00 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{88ac3cb6-596b-4217-964c-b6757ef9602d}"= "c:\program files\express-files\prxtbexp2.dll" [2013-05-20 231712]
    .
    [HKEY_CLASSES_ROOT\clsid\{88ac3cb6-596b-4217-964c-b6757ef9602d}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{88ac3cb6-596b-4217-964c-b6757ef9602d}]
    2013-05-20 09:21 231712 ----a-w- c:\program files\express-files\prxtbexp2.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{88ac3cb6-596b-4217-964c-b6757ef9602d}"= "c:\program files\express-files\prxtbexp2.dll" [2013-05-20 231712]
    .
    [HKEY_CLASSES_ROOT\clsid\{88ac3cb6-596b-4217-964c-b6757ef9602d}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{88AC3CB6-596B-4217-964C-B6757EF9602D}"= "c:\program files\express-files\prxtbexp2.dll" [2013-05-20 231712]
    .
    [HKEY_CLASSES_ROOT\clsid\{88ac3cb6-596b-4217-964c-b6757ef9602d}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2010-01-16 717696]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-09 39408]
    "SearchProtect"="c:\documents and settings\Moira\Application Data\SearchProtect\bin\cltmng.exe" [2013-05-08 2852640]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "Memeo AutoSync"="c:\program files\Memeo\AutoSync\MemeoLauncher2.exe" [2010-04-16 144608]
    "Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-06-01 79112]
    "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2013-01-17 267792]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
    "Memeo Backup Premium"="c:\program files\Memeo\AutoBackupPro\MemeoLauncher2.exe" [2010-04-23 136416]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
    "Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-06-04 1466760]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
    "SearchProtectAll"="c:\program files\SearchProtect\bin\cltmng.exe" [2013-05-08 2852640]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-15 152392]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-unins...2LUNJQTEwKzItRDM4MUwrNg&prod=94&ver=10.0.1432" [?]
    .
    c:\documents and settings\Moira\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2010-1-21 226176]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Corel Desktop Application Director 8.LNK - c:\corel\Suite8\Programs\DAD8.EXE [2011-6-8 202240]
    PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2011-6-23 40960]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\BitComet\\BitComet.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "15739:TCP"= 15739:TCP:BitComet 15739 TCP
    "15739:UDP"= 15739:UDP:BitComet 15739 UDP
    .
    R2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\SearchProtect\bin\CltMngSvc.exe [3/6/2013 7:36 AM 93984]
    R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackupPro\MemeoBackgroundService.exe [4/22/2010 7:49 PM 25824]
    R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 11:42 AM 14088]
    R4 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
    R4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
    R4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
    R4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
    R4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
    R4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys --> c:\windows\system32\DRIVERS\avgrkx86.sys [?]
    R4 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys --> c:\windows\system32\DRIVERS\avgtdix.sys [?]
    S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
    S3 Blackberry Device Manager;BlackBerry Device Manager;c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [1/18/2013 5:10 PM 577536]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 1:58 PM 11336]
    S3 cpuz134;cpuz134;\??\e:\apps\PC Wizard\pcwiz_x32.sys --> e:\apps\PC Wizard\pcwiz_x32.sys [?]
    S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [10/7/2011 12:52 PM 21504]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - Avgldx86
    *Deregistered* - avgtp
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-06-12 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 00:07]
    .
    2013-05-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    2013-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-09 13:24]
    .
    2013-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-09 13:24]
    .
    2013-06-12 c:\windows\Tasks\User_Feed_Synchronization-{7F0BECA1-A2DF-4E7E-AB94-3CC74FB35C1E}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.canada.com/news/index.html
    mStart Page = hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA
    uInternet Settings,ProxyOverride = *.local
    IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
    TCP: DhcpNameServer = 142.165.200.5 142.165.21.5
    Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\TurboTax 2011\ic2011pp.dll
    Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files\TurboTax 2012\ic2012pp.dll
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.3.0/GarminAxControl_32.CAB
    FF - ProfilePath - c:\documents and settings\Moira\Application Data\Mozilla\Firefox\Profiles\v0hi8m7e.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA&l=1&q=
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - www.yahoo.ca
    FF - ExtSQL: 2013-06-01 17:41; {739df940-c5ee-4bab-9d7e-270894ae687a}; c:\documents and settings\Moira\Application Data\Mozilla\Firefox\Profiles\v0hi8m7e.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    Toolbar-10 - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-06-12 18:34
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1372)
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2013-06-12 18:37:02
    ComboFix-quarantined-files.txt 2013-06-12 23:36
    .
    Pre-Run: 6,150,197,248 bytes free
    Post-Run: 6,139,240,448 bytes free
    .
    - - End Of File - - 88E16020DEFA17FA7270B23FB221DE34
    8F558EB6672622401DA993E1E865C861
     
  25. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Looks good.

    How is computer doing?

    You can reinstall AVG now.

Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
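The ComboFix "Supplementary Scan" section above shows why AdwCleaner is the next step: the IE machine start page (mStart Page) and the Firefox default search URL both point at websearch.pu-results.info, a search hijack, while the user's own start page and homepage are untouched. The script below is an added example written for this thread, not a tool used in it; it refangs ComboFix's hxxp URLs, pulls the host out of each browser-setting line, and flags any host not on a small allow-list. The allow-list and the sample log lines are constructed for the demo (modelled on the lines in the log above).

```python
"""Triage ComboFix 'Supplementary Scan' browser lines for hijacked defaults.
Added example for this thread; allow-list and sample lines are constructed."""
import re
from urllib.parse import urlparse

# Hosts the owner actually chose (assumption for the demo); anything else is suspect.
KNOWN_GOOD_HOSTS = {"www.canada.com", "www.yahoo.ca"}

# Constructed sample in the ComboFix format seen in the thread's log.
SAMPLE_LOG = """\
uStart Page = hxxp://www.canada.com/news/index.html
mStart Page = hxxp://websearch.pu-results.info/?pid=726&r=2013/03/17&hid=276928473&lg=EN&cc=CA
uInternet Settings,ProxyOverride = *.local
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.pu-results.info/?pid=726&l=1&q=
FF - prefs.js: browser.startup.homepage - www.yahoo.ca
"""

# Matches 'uStart Page = URL', 'mStart Page = URL' and 'FF - prefs.js: key - URL'.
# Values containing spaces (e.g. a search engine name) deliberately do not match.
LINE_RE = re.compile(
    r"^(?:(?P<ie>[um]Start Page)\s*=\s*|FF - prefs\.js: (?P<ff>\S+) - )(?P<value>\S+)$")

def refang(url):
    """ComboFix writes hxxp/hxxps so log URLs cannot be clicked; undo that for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def host_of(value):
    """Return the lower-cased host of a URL; bare hosts such as 'www.yahoo.ca' are accepted."""
    url = refang(value)
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def find_hijacks(log_text, known_good=KNOWN_GOOD_HOSTS):
    """Return (setting, host) for every start page / search URL whose host is not allow-listed."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # proxy overrides and other non-URL settings are skipped
        setting = m.group("ie") or m.group("ff")
        host = host_of(m.group("value"))
        if host and host not in known_good:
            findings.append((setting, host))
    return findings

if __name__ == "__main__":
    for setting, host in find_hijacks(SAMPLE_LOG):
        print(f"suspicious {setting}: {host}")
```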
     

