[Closed- porn] Granny's computer

[male30ohio]

My Granny's Computer has started running slow over the past few months and now she is having trouble getting online to FaceBook and other sites that she likes to go on. I will be posting the reports shortly after I have finished running all of the initial scans as per the instructions on the how to thread.


David

 

[male30ohio]

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.23.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
David :: HALL [administrator]

Protection: Enabled

4/24/2012 09:45:43 AM
mbam-log-2012-04-24 (09-45-43).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 528905
Time elapsed: 5 hour(s), 43 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

[male30ohio]

Sorry, plan on posting rest of requirements as soon as scan done. The 2nd scan, RootKill, has been running for over 20hrs now.

 

[male30ohio]

Still running, 2 1/2 days so far. In the last set of folders now. Will post if and when it finally finishes.

 

[Bobbye]

David, did you mark the thread Active? I don't see Broni helping you. We each mark a thread Active when we pick it up so the other will know the member if being helped.

The 2nd scan, RootKill, has been running for over 20hrs now.

Still running, 2 1/2 days so far. In the last set of folders now. Will post if and when it finally finishes.

Stop the scan! That is not one we have in our preliminary thread.


Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
============================================
My Guidelines: please read and follow:

• Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
• Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
• If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
• File sharing programs should be uninstalled or disabled during the cleaning process..
• Observe these:
  [o] Don't follow directions given to someone else
  [o] Don't use any other cleaning programs or scans while I'm helping you.
  [o] Don't use a Registry cleaner or make any changes in the Registry.
  [o] Don't download and install new programs- except those I give you.

Threads are closed after 5 days if there is no reply.

 

[male30ohio]

It just finished and yes it is in, it is the one after MalwerBytes

 

[male30ohio]

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-27 14:09:27
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000006a Hitachi_ rev.V54O
Running: f4qxpycw.exe; Driver: C:\Users\David\AppData\Local\Temp\ugtdipod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xAA664F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xAA664FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xAA665080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xAA66511C]

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8964B498]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8964B4AE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8964B484]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 81C44982 5 Bytes JMP 8964B488 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!KeSetEvent + 3F1 81CC5B74 4 Bytes [3C, 4F, 66, AA]
.text ntkrnlpa.exe!KeSetEvent + 621 81CC5DA4 8 Bytes [E4, 4F, 66, AA, 80, 50, 66, ...]
.text ntkrnlpa.exe!KeSetEvent + 681 81CC5E04 4 Bytes JMP E81D7A8A
PAGE ntkrnlpa.exe!NtMapViewOfSection 81E2989A 7 Bytes JMP 8964B49C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 81E29B5D 5 Bytes JMP 8964B4B2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8FC05340, 0x3DB197, 0xE8000020]
? C:\Windows\system32\drivers\mbamswissarmy.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

Edit: Excess GMER entries deleted by Bobbye

 

[male30ohio]

Edit: Excess GMER processes deleted by Bobbye

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\mfevtps.exe[3176] @ C:\Windows\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00D0A4B0] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Windows\system32\mfevtps.exe[3176] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00D0A510] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

 

[male30ohio]

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by David at 14:10:32 on 2012-04-27
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2815.1093 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
.
============== Running Processes ===============
.
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgfws.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CISVC.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\System32\tcpsvcs.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\AVG Secure Search\vprot.exe
D:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\David\AppData\Local\Google\Update\1.3.21.79\GoogleCrashHandler.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Page_URL = hxxp://www.msn.com
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:64909
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111221225819.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {95B7759C-8C7F-4BF1-B163-73684A933233} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {95B7759C-8C7F-4BF1-B163-73684A933233} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Weather] d:\program files\aws\weatherbug\Weather.exe 1
uRun: [INetBooster] c:\program files\oss\internet booster\ISpBos.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [RtHDVCpl] "RtHDVCpl.exe"
mRun: [Conime] %windir%\system32\conime.exe
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\david\appdata\roaming\micros~1\windows\startm~1\programs\startup\mri_di~1\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\mri_disabled\Adobe Reader Speed Launch.lnk.disabled
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
IE: &Search - ?p=ZJfox000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: convergysworkathome.com\www
Trusted Zone: exodusvipdesk.com
Trusted Zone: live.com\onecare
Trusted Zone: vipdesk.com
Trusted Zone: webex.com\1800flowers
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238190769066
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238190840239
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C958645E-1C07-4A4C-8642-2F28917D5985} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{C958645E-1C07-4A4C-8642-2F28917D5985} : DhcpNameServer = 192.168.2.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.2.0\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\david\appdata\roaming\mozilla\firefox\profiles\zyvcnqme.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\david\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\users\david\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\david\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-12-6 64512]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-2-19 464176]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-2-19 64880]
R2 avgfws;AVG Firewall;c:\program files\avg\avg2012\avgfws.exe [2011-11-23 2391832]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-5-17 308592]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-3-29 654408]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-19 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-19 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-19 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-19 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-19 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-19 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-19 150856]
R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\10.2.0\ToolbarUpdater.exe [2012-3-13 918880]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-19 57600]
R3 dc3d;USBCCGP filter driver (dc3d);c:\windows\system32\drivers\dc3d.sys [2009-1-15 15360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-3-29 22344]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-9-19 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-19 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-19 338176]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-12-13 30576]
S2 0067931237840811mcinstcleanup;McAfee Application Installer Cleanup (0067931237840811); [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 dualshock3;DUALSHOCK3 Controller HID Minidriver (USB) Beta;c:\windows\system32\drivers\dualshock3.sys [2010-6-25 11392]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-18 21504]
S2 gupdate1c999af8596d130;Google Update Service (gupdate1c999af8596d130);c:\program files\google\update\GoogleUpdate.exe [2009-2-28 133104]
S2 iWinGamesInstaller;iWinGamesInstaller; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-13 253088]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [2010-12-7 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [2010-12-7 20736]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [2010-12-7 20096]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [2010-12-7 25088]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-15 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-28 133104]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-19 87656]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2007-8-31 163328]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-14 15:12:28 -------- d-----w- c:\program files\ESET
2012-04-13 22:26:07 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-04-13 23:06:13 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-03-08 21:31:16 774144 ----a-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 14:13:18.22 ===============

 

[male30ohio]

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 7/20/2007 01:54:47 AM
System Uptime: 4/22/2012 02:43:07 AM (132 hours ago)
.
Motherboard: Acer | | EM61SM/EM61PM
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ | Socket M2 | 1000/201mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 144 GiB total, 82.023 GiB free.
D: is FIXED (NTFS) - 144 GiB total, 126.995 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: Microsoft PS/2 Port Mouse (IntelliPoint)
Device ID: ACPI\PNP0F13\3&2411E6FE&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Port Mouse (IntelliPoint)
PNP Device ID: ACPI\PNP0F13\3&2411E6FE&0
Service: i8042prt
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Acer Assist
Acer Picture Slide DVD
Acer Plug and Record
Acer Registration
Acer ScreenSaver
Acer Zone Main Page
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe AIR
Adobe Digital Editions
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 7.1.0
Adobe Shockwave Player 11
aiofw
aioprnt
aioscnnr
Amazon Kindle For PC
Amazon MP3 Downloader 1.0.12
Amazon MP3 Uploader
AppInventor Setup
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AusLogics Disk Defrag
Avery Wizard 4.0
AVG 2012
AVG PC Tuneup 2011
BCL easyConverter Desktop 1.0
Belkin Setup and Router Monitor
Big Fish Games: Game Manager
Bing Bar
Bonjour
Build-a-lot 3
Business Contact Manager for Outlook 2007 SP2
C4USelfUpdater
CCleaner
center
Compatibility Pack for the 2007 Office system
Computer Requirements 1.0
Concentration (remove only)
Corel PaintShop Photo Pro X3
County Fair
Coupon Printer for Windows
Crypt Cafe (Diner Dash Hometown Hero - Gourmet)
D3DX10
Diner Dash
Diner Dash 2
Diner Dash Seasonal Snack Pack
DivX Converter
DivX Player
DivX Web Player
Download Updater (AOL LLC)
EasyFix Tools v1.0
ESET Online Scanner v3
EVEREST Ultimate Edition v4.00
Eye for Design
Eye for Design (remove only)
Fairway Solitaire
Farm Frenzy Pizza Party
ffdshow [rev 2527] [2008-12-19]
Fitness Dash
Fix-it-up
Free Window Registry Repair
Game of Life - Path to Success
GameHouse
Glary Utilities 2.44.0.1450
Google Chrome
Google Update Helper
Google Updater
Highlight Viewer (Windows Live Toolbar)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ICA
iConcepts Photo Frame
iGridd
IPM_PSP_CL
IPM_PSP_COM
iTunes
Java Auto Updater
Java(TM) 6 Update 30
Junk Mail filter update
KODAK AiO Home Center
ksDIP
LG United Mobile Drivers
LightScribe 1.4.136.1
Logitech QuickCam Software
Mahjongg Dimensions Deluxe (remove only)
Malwarebytes Anti-Malware version 1.61.0.1400
Mania Combo (remove only)
Map Button (Windows Live Toolbar)
Marvell Miniport Driver
McAfee AntiVirus Plus
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Corporation
Microsoft LifeCam
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Accounting 2008
Microsoft Office Accounting 2008 Equifax Addin
Microsoft Office Accounting 2008 Fixed Asset Manager
Microsoft Office Accounting 2008 PayPal Addin
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel Viewer 2003
Microsoft Office Live Add-in 1.5
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Streets & Trips 2008
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Move Networks Media Player for Internet Explorer
Mozilla Firefox 9.0.1 (x86 en-US)
Mozilla Thunderbird (3.0.11)
MP3 Download Manager
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
NTI CD & DVD-Maker
NVIDIA Drivers
OGA Notifier 2.0.0048.0
OpenOffice.org 3.1
OSS Internet Speed Booster 3.0.0.0
OverDrive Media Console
Paradise Beach
Parking Dash
Photo Viewer
Plants vs. Zombies (remove only)
PreReq
PrimoPDF
PSPPContent
PSPPRO_DCRAW
QuickTime
RealArcade
Realtek High Definition Audio Driver
Registry Mechanic 7.0
RegSupreme Pro
ResumeMaker Ultimate
Rhapsody
RivaTuner v2.04
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553074)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2553073)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Segoe UI
Setup
Skype™ 5.5
Smart Menus (Windows Live Toolbar)
Spotify
Spybot - Search & Destroy
Sumatra PDF reader
Supermarket Mania ® 2
Supple
Tradewinds 2
Tradewinds 2 (remove only)
TweetDeck
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2596560)
Vacation Mogul Free Trial
Verizon V CAST Media Manager
Verizon Wireless Download Manager 2.2.8-SNAPSHOT-r11227
VIPdesk Scan Utility
Virtual City (remove only)
Virtual Families
Virtual Families (remove only)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VNC Free Edition 4.1.3
VZAccess Manager
WeatherBug
Windows Installer Clean Up
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live OneCare safety scanner
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR archiver
Yahoo! Messenger
Yahoo! Software Update
.
==== Event Viewer Messages From Past Week ========
.
4/25/2012 06:43:10 PM, Error: nvstor32 [5] - A parity error was detected on \Device\RaidPort0.
4/24/2012 09:43:45 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
4/21/2012 03:00:13 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
.
==== End Of File ===========================

 

[male30ohio]

Edit: removed unneeded quote.

No No one has started helping me yet.

 

[Bobbye]

I am surprised this system runs at all!

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated*
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated*
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated*
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated*
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated*
SP: Lavasoft Ad-Watch Live! *Enabled/Updated*
FW: McAfee Firewall *Enabled*
FW: AVG Firewall *Disabled*

I'm not sure this will work for multiple programs but you can try. It's what we use to temporarily uninstall AVG before running Combofix:

Download AppRemover and save to the desktop

1. 1. Double click the setup on the desktop> click Next
   2. Select “Remove Security Application”
   3. Let scan finish to determine security apps
   4. A screen like below will appear:
      
      
   5. Click on Next after choice has been made
   6. Check the programs you want to uninstall
   7. After uninstall shows complete, follow online prompts to Exit the program.
   =============================
   Reboot the computer when through.The system is slow because it's dragging 20 trucks! Get the security down and then we'll talk about stopping some of the way too many processes running!
   
   David, this system is 5 years old. Has any maintenance ever been done on it? Have programs that aren't being used be uninstalled? Do temporary internet files and Cookie get deleted? Have unnecessary processes on the Startup Menu been unchecked so they don't start on boot and run in the background?
   
   BTW, the GMER took so long because you did not follow this:
   Warning: Do not check Show All!

 

[male30ohio]

Done, AVG and Ad-Aware were removed. DO I need to remove the McAfee also? The original system is 5 years old but there have been updates done to it, nothing in the past 2 years. She is the only that uses it so we are not that worried about having a great computer for her, just running so she can do her Granny things.

 

[Bobbye]

Okay, we have a fair amount of work to do> remove some malware, remove some processes, update programs and some additional work.

Some information please:
1. Can you tell me please if your Granny is running a business?
2. Are there any young children at Granny's home.
3. I am concerned that there is a fair amount of programs and processes running that may not be appropriate for this system. Can you give me an idea of her activity level? Is she elderly- as in way over your 30?
===============================================
Before you run the Combofix scan, please disable any security software you have running.

Download Combofix from HERE or HERE and save to the desktop

• Double click combofix.exe
  
  & follow the prompts.
• If prompted for Recovery Console, please allow.
• Once installed, you should see a blue screen prompt that says:
  • The Recovery Console was successfully installed.[/b]
  • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
  • Note: No query will be made if the Recovery Console is already on the system.
• .Close/disable all anti virus and anti malware programs
  (If you need help with this, please see HERE)
• .Close any open browsers.
• .Click on Yes, to continue scanning for malware
• .If Combofix asks you to update the program, allow
• When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=================================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:

1. Open the ESETOnlineScan
2. Skip to #4 to "Continue with the directions"
   
   If you are using a browser other than Internet Explorer
3. Open Eset Smart Installer
   [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
   [o] Double click on the desktop icon to run.
   [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
4. Continue with the directions.
5. Check 'Yes I accept terms of use.'
6. Click Start button
7. Accept any security warnings from your browser.
   
   
8. Uncheck 'Remove found threats'
9. Check 'Scan archives/
10. Leave remaining settings as is.
11. Press the Start button.
12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
13. When the scan completes, press List of found threats
14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
15. Push the Back button, then Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
===========================================
I will write some script for you to run through Combofix after I see the log. Please leave the Combofix and Eset scan logs in your next reply.

 

[male30ohio]

1. Can you tell me please if your Granny is running a business? No she is not
2. Are there any young children at Granny's home? No Children
3. I am concerned that there is a fair amount of programs and processes running that may not be appropriate for this system. Can you give me an idea of her activity level? Is she elderly- as in way over your 30? If 91 is elderly than yes. Games, YouTube, FaceBook, stuff like that mainly.

 

[male30ohio]

ComboFix 12-04-28.01 - David 04/28/2012 20:02:37.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2815.1220 [GMT -4:00]
Running from: c:\users\David\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Downloaded Installers
c:\program files\Downloaded Installers\{65D5B9CA-7B04-4604-9D00-4C4D14BA49A3}\setup.msi
c:\program files\LP
c:\users\David\Aaron Dec talk sheets .xls
c:\users\David\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
c:\users\David\AppData\Roaming\.#
c:\users\David\AppData\Roaming\.#\MBX@138C@3A2918.###
c:\users\David\AppData\Roaming\.#\MBX@138C@3A2948.###
c:\users\David\AppData\Roaming\.#\MBX@138C@3A2978.###
c:\users\David\AppData\Roaming\.#\MBX@5E4@3B2908.###
c:\users\David\AppData\Roaming\.#\MBX@5E4@3B2938.###
c:\users\David\AppData\Roaming\.#\MBX@5E4@3B2968.###
c:\users\David\FireTune.exe
c:\windows\iun6002.exe
c:\windows\system32\B1C81C07A0.dll
c:\windows\system32\bdaplgin.ax
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\3ba2a8f4319a342a.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\7bba3499c4df6752.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\cero.rs
c:\windows\system32\CF17833.exe
c:\windows\system32\decebe9_d.dll
c:\windows\system32\divxdec.ax
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\esrb.rs
c:\windows\system32\g711codc.ax
c:\windows\system32\grb.rs
c:\windows\system32\htvcdsvcd70.ax
c:\windows\system32\iac25_32.ax
c:\windows\system32\ir41_32.ax
c:\windows\system32\ivfsrc.ax
c:\windows\system32\ksproxy.ax
c:\windows\system32\kstvtune.ax
c:\windows\system32\Kswdmcap.ax
c:\windows\system32\ksxbar.ax
c:\windows\system32\LcProxy.ax
c:\windows\system32\LcProxy2.ax
c:\windows\system32\Mpeg2Data.ax
c:\windows\system32\Mpeg2Decoder.ax
c:\windows\system32\Mpeg2Parser.ax
c:\windows\system32\mpg2splt.ax
c:\windows\system32\MSDvbNP.ax
c:\windows\system32\MSNP.ax
c:\windows\system32\oflc.rs
c:\windows\system32\pegi-fi.rs
c:\windows\system32\pegi-pt.rs
c:\windows\system32\pegi.rs
c:\windows\system32\pegibbfc.rs
c:\windows\system32\psisrndr.ax
c:\windows\system32\sm56co85.txt
c:\windows\system32\system
c:\windows\system32\usk.rs
c:\windows\system32\vatee.ax
c:\windows\system32\VBICodec.ax
c:\windows\system32\vbisurf.ax
c:\windows\system32\vidcap.ax
c:\windows\system32\WEB.rs
c:\windows\system32\WSTPager.ax
D:\install.exe
D:\resycled
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_iWinGamesInstaller
.
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-29 )))))))))))))))))))))))))))))))
.
.
2012-04-29 00:24 . 2012-04-29 00:55 -------- d-----w- c:\users\David\AppData\Local\temp
2012-04-29 00:24 . 2012-04-29 00:24 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-04-29 00:24 . 2012-04-29 00:24 -------- d-----w- c:\users\Denise Work\AppData\Local\temp
2012-04-29 00:24 . 2012-04-29 00:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-29 00:24 . 2012-04-29 00:24 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-04-28 12:40 . 2012-04-28 12:40 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\dumps
2012-04-14 15:12 . 2012-04-14 15:12 -------- d-----w- c:\program files\ESET
2012-04-13 22:26 . 2012-04-13 23:06 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-12 22:35 . 2012-04-12 22:35 -------- d-----w- c:\users\Denise Work\AppData\Local\Mozilla
2012-04-12 14:44 . 2012-04-12 14:44 -------- d-----w- c:\users\Denise Work\AppData\Roaming\AVG2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-29 00:44 . 2010-06-24 15:33 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-04-13 23:06 . 2011-06-27 01:03 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2010-03-29 11:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-03-08 21:31 . 2008-03-08 21:31 774144 ----a-w- c:\program files\RngInterstitial.dll
2011-12-21 07:24 . 2011-12-21 23:03 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 18:01 . 2011-02-19 17:36 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="d:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]
"INetBooster"="c:\program files\OSS\Internet Booster\ISpBos.exe" [2004-08-19 282624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 4390912]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-03-13 982880]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-23 928096]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2009-5-26 1778992]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED
Adobe Reader Speed Launch.lnk.disabled [2008-5-18 1957]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^eFax 4.3.lnk]
backup=c:\windows\pss\eFax 4.3.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^David^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IMVU.lnk]
backup=c:\windows\pss\IMVU.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^David^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^VZAccess Manager.lnk]
backup=c:\windows\pss\VZAccess Manager.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-02-02 18:05 1261568 ----a-w- c:\program files\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-02-02 19:24 3383296 ----a-w- c:\program files\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BYRUA_AGENT]
2011-06-14 04:45 392280 ----a-w- c:\programdata\LGMOBILEAX\BYR_Client\VZWUAAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-11-29 10:19 133104 ----atw- c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-04-04 19:56 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
2011-09-16 22:38 1318552 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-08-22 05:18 6276408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-11-10 06:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-06-20 04:04 13535776 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-06-20 04:04 92704 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpiralFrog]
2007-09-14 12:58 163128 ----a-w- c:\program files\SpiralFrog\Spiralfrog.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-03-23 18:07 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-02-23 01:47 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Sidebar"=c:\program files\Windows Sidebar\sidebar.exe /autoRun
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"DownloadManagerService"="c:\program files\Verizon Wireless Dowloader\dist\servicerunner.exe" /action:startService
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe"
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe"
"EKIJ5000StatusMonitor"=c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 0067931237840811mcinstcleanup;McAfee Application Installer Cleanup (0067931237840811); [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 253088]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 23:06]
.
2012-04-29 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-12-01 01:06]
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-28 14:18]
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-28 14:18]
.
2012-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-190787634-4012676310-1989471191-1000Core.job
- c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-29 10:19]
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-190787634-4012676310-1989471191-1000UA.job
- c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-29 10:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:64909
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: convergysworkathome.com\www
Trusted Zone: exodusvipdesk.com
Trusted Zone: live.com\onecare
Trusted Zone: vipdesk.com
Trusted Zone: webex.com\1800flowers
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C958645E-1C07-4A4C-8642-2F28917D5985}: NameServer = 208.67.222.222,208.67.220.220
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\zyvcnqme.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
ShellIconOverlayIdentifiers-{78AEACE2-91AE-4E8E-841E-F1879238670D} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG2012\avgtray.exe
AddRemove-{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1 - c:\program files\AVG\AVG PC Tuneup 2011\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-28 20:54
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-190787634-4012676310-1989471191-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:1b,cc,96,ed,9f,1b,f1,1a,0a,03,06,54,64,a6,f4,9f,7e,ab,19,19,63,ec,39,
8e,70,bd,95,8e,c0,6e,a7,07,f7,ff,2a,6e,b0,62,8a,71,5f,86,ec,6a,42,a3,52,10,\
"??"=hex:9a,8c,72,3c,58,ca,95,80,cd,f0,da,d2,b6,d3,8c,df
.
[HKEY_USERS\S-1-5-21-190787634-4012676310-1989471191-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:d7,33,7e,09,c4,db,42,42,bf,0e,fe,6d,63,1d,e0,2e,c9,27,c1,6b,ec,
a6,66,b6,d4,00,d6,59,f7,14,cf,3b,65,f5,78,d9,81,25,8b,a1,de,fe,1d,50,61,6e,\
"rkeysecu"=hex:de,b6,88,f1,4a,ef,9e,a7,7b,a7,e0,ef,c4,ac,6c,b4
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3976)
c:\program files\Logitech\Video\Namespc2.dll
c:\program files\Logitech\Video\AlbuDBps.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\AVG\AVG2012\avgfws.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CISVC.EXE
c:\program files\Kodak\AiO\Center\ekdiscovery.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe
c:\windows\system32\mfevtps.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\windows\System32\tcpsvcs.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\NOTEPAD.EXE
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Mozilla Firefox\plugin-container.exe
.
**************************************************************************
.
Completion time: 2012-04-28 21:06:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-29 01:06
.
Pre-Run: 88,477,040,640 bytes free
Post-Run: 88,321,658,880 bytes free
.
- - End Of File - - 54AB58FC7B2BEC5E014ADF35294247F8

 

[male30ohio]

C:\Program Files\Mozilla Firefox\extensions\{D7FEF78F-AFAA-4F9C-A2F7-4706F5F1E1DB}\chrome\zumie.jar Win32/Adware.OneStep application
C:\Users\David\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\101015211326149.rsc multiple threats

 

[Bobbye]

I will tell you why I asked those questions. First, for the Eset entries:

Please download OTMovit by Old Timerand save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  :Files 
  C:\Program Files\Mozilla Firefox\extensions\{D7FEF78F-AFAA-4F9C-A2F7-4706F5F1E1DB}\chrome\zumie.jar 
  C:\Users\David\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\101015211326149.rsc 
  :Commands
  [purity]
  [emptytemp]
  [emptyjavacache]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
========================================================
Please run this Custom CFScript:

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:

File::
c:\windows\system32\CISVC.EXE
c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
Folder::
c:\users\David\AppData\Local\temp
c:\windows\system32\config\systemprofile\AppData\Local\temp
c:\users\Denise Work\AppData\Local\temp
c:\users\Default\AppData\Local\temp
c:\users\Administrator\AppData\Local\temp
c:\windows\system32\config\systemprofile\AppData\Local\dumps
c:\program files\avg\avg2012\avgssie.dll
c:\program files\microsoft\bingbar\BingExt.dll"
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {95B7759C-8C7F-4BF1-B163-73684A933233} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
D:\Program Files\AWS\WeatherBug\Weather.exe
uRun: [Weather] d:\program files\aws\weatherbug\Weather.exe 1
mRun: [Conime] %windir%\system32\conime.exe
uInternet Settings,ProxyServer = http=127.0.0.1:64909
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
IE: &Search - ?p=ZJfox000
Trusted Zone: convergysworkathome.com\www
Trusted Zone: exodusvipdesk.com
Trusted Zone: live.com\onecare
Trusted Zone: vipdesk.com
Trusted Zone: webex.com\1800flowers
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"=-
"vProt"=-
"ROC_roc_dec12"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=-
RegNull::
[HKEY_USERS\S-1-5-21-190787634-4012676310-1989471191-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:1b,cc,96,ed,9f,1b,f1,1a,0a,03,06,54,64,a6,f4,9f,7e,ab,19,19,63,ec,39,
8e,70,bd,95,8e,c0,6e,a7,07,f7,ff,2a,6e,b0,62,8a,71,5f,86,ec,6a,42,a3,52,10,\
"??"=hex:9a,8c,72,3c,58,ca,95,80,cd,f0,da,d2,b6,d3,8c,df
Clearjavacache::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
==================
Download CKScanner and save to your desktop.

• Doubleclick CKScanner.exe and click Search For Files.
• When the cursor hourglass disappears, click Save List To File.
• A message box will verify that the file is saved.
• Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

=====================================
Download Security Check by screen317 and save to the desktop

• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt please
• Post the contents of that document.

====================================
Please leve logs for OTM, Combofix script, Security Scan, CK Scanner in next reply.
====================================

She is the only that uses it

Unless her name is David Aron, she is neither the only user or the primary user. There is business software, There is a keylogger only fit for small children.
IF she is being given this compoter now for her enjoyment, I suggest you reformat, then reinstall, putting only those programs she will use back on it.

 

[male30ohio]

All processes killed
========== FILES ==========
C:\Program Files\Mozilla Firefox\extensions\{D7FEF78F-AFAA-4F9C-A2F7-4706F5F1E1DB}\chrome\zumie.jar moved successfully.
C:\Users\David\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\101015211326149.rsc moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78924 bytes
->Java cache emptied: 69919 bytes
->FireFox cache emptied: 24506799 bytes
->Flash cache emptied: 602 bytes

User: All Users

User: David
->Temp folder emptied: 1253 bytes
->Temporary Internet Files folder emptied: 235023146 bytes
->Java cache emptied: 3187947 bytes
->FireFox cache emptied: 132233710 bytes
->Google Chrome cache emptied: 426984480 bytes
->Apple Safari cache emptied: 0 bytes
->Opera cache emptied: 25490763 bytes
->Flash cache emptied: 234583 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56545 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Denise Work
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 571460 bytes
->FireFox cache emptied: 32583231 bytes
->Flash cache emptied: 1504 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 30238 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 99975 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 320 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 840.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 04292012_130158

Files moved on Reboot...

Registry entries deleted on Reboot...

 

[male30ohio]

Not sure where David Aron comes from. My first name is David. My Granny has used this computer and had it for a few years now. The business software is probably on there from when my sister was working from home on it last year. Unfortunetly I don't have the Windows Disc to do a reinstall.

 

[male30ohio]

ComboFix 12-04-29.02 - David 04/29/2012 13:32:46.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2815.1431 [GMT -4:00]
Running from: c:\users\David\Desktop\ComboFix.exe
Command switches used :: c:\users\David\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe"
"c:\windows\system32\CISVC.EXE"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
c:\users\Administrator\AppData\Local\temp
c:\users\David\AppData\Local\temp
c:\users\David\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
c:\users\David\AppData\Local\temp\qtsingleapp-Belkin-e8c-1-lockfile
c:\users\Default\AppData\Local\temp
c:\users\Denise Work\AppData\Local\temp
c:\windows\system32\config\systemprofile\AppData\Local\dumps
c:\windows\system32\config\systemprofile\AppData\Local\dumps\avgmfapx.exe_129800904285220000.exh
c:\windows\system32\config\systemprofile\AppData\Local\dumps\avgmfapx.exe_129800904285220000_F.dmp
c:\windows\system32\config\systemprofile\AppData\Local\dumps\avgmfapx.exe_129800904285220000_M.dmp
c:\windows\system32\config\systemprofile\AppData\Local\dumps\reports.db
c:\windows\system32\config\systemprofile\AppData\Local\temp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_vToolbarUpdater10.2.0
.
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-29 )))))))))))))))))))))))))))))))
.
.
2012-04-29 18:22 . 2012-04-29 18:22 -------- d-----w- c:\users\David\AppData\Local\Temp
2012-04-29 17:01 . 2012-04-29 17:01 -------- dc----w- C:\_OTM
2012-04-14 15:12 . 2012-04-14 15:12 -------- d-----w- c:\program files\ESET
2012-04-13 22:26 . 2012-04-13 23:06 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-12 22:35 . 2012-04-12 22:35 -------- d-----w- c:\users\Denise Work\AppData\Local\Mozilla
2012-04-12 14:44 . 2012-04-12 14:44 -------- d-----w- c:\users\Denise Work\AppData\Roaming\AVG2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-29 17:57 . 2010-06-24 15:33 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-04-13 23:06 . 2011-06-27 01:03 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2010-03-29 11:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-03-08 21:31 . 2008-03-08 21:31 774144 ----a-w- c:\program files\RngInterstitial.dll
2011-12-21 07:24 . 2011-12-21 23:03 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 18:01 . 2011-02-19 17:36 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"INetBooster"="c:\program files\OSS\Internet Booster\ISpBos.exe" [2004-08-19 282624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 4390912]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-03-13 982880]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-23 928096]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2009-5-26 1778992]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^eFax 4.3.lnk]
backup=c:\windows\pss\eFax 4.3.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^David^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IMVU.lnk]
backup=c:\windows\pss\IMVU.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^David^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^VZAccess Manager.lnk]
backup=c:\windows\pss\VZAccess Manager.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-02-02 18:05 1261568 ----a-w- c:\program files\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-02-02 19:24 3383296 ----a-w- c:\program files\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BYRUA_AGENT]
2011-06-14 04:45 392280 ----a-w- c:\programdata\LGMOBILEAX\BYR_Client\VZWUAAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-11-29 10:19 133104 ----atw- c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-04-04 19:56 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
2011-09-16 22:38 1318552 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-08-22 05:18 6276408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-11-10 06:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-06-20 04:04 13535776 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-06-20 04:04 92704 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpiralFrog]
2007-09-14 12:58 163128 ----a-w- c:\program files\SpiralFrog\Spiralfrog.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-03-23 18:07 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-02-23 01:47 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Sidebar"=c:\program files\Windows Sidebar\sidebar.exe /autoRun
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"DownloadManagerService"="c:\program files\Verizon Wireless Dowloader\dist\servicerunner.exe" /action:startService
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe"
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe"
"EKIJ5000StatusMonitor"=c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 0067931237840811mcinstcleanup;McAfee Application Installer Cleanup (0067931237840811); [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 253088]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 23:06]
.
2012-04-29 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-12-01 01:06]
.
2012-04-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-28 18:10]
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-28 14:18]
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-28 14:18]
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-190787634-4012676310-1989471191-1000Core.job
- c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-29 10:19]
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-190787634-4012676310-1989471191-1000UA.job
- c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-29 10:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:64909
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: convergysworkathome.com\www
Trusted Zone: exodusvipdesk.com
Trusted Zone: live.com\onecare
Trusted Zone: vipdesk.com
Trusted Zone: webex.com\1800flowers
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C958645E-1C07-4A4C-8642-2F28917D5985}: NameServer = 208.67.222.222,208.67.220.220
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\zyvcnqme.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-29 14:20
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\AVG\AVG2012\avgfws.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CISVC.EXE
c:\program files\Kodak\AiO\Center\ekdiscovery.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe
c:\windows\system32\mfevtps.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\windows\System32\tcpsvcs.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\RtHDVCpl.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2012-04-29 14:30:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-29 18:30
ComboFix2.txt 2012-04-29 01:06
.
Pre-Run: 89,444,233,216 bytes free
Post-Run: 89,445,912,576 bytes free
.
- - End Of File - - 41E93AB56B3335A86A847B5A4801336C

 

[male30ohio]

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\bitlord\torrents\3dsexvilla_cracked.torrent
c:\program files\bitlord\torrents\kates playground - white mesh [by inthecrack].torrent
c:\program files\bitlord\torrents\lovely lizzy set 1-5 [by inthecrack].torrent
c:\program files\bitlord\torrents\lovely lizzy set 11-15 [by inthecrack].torrent
c:\program files\bitlord\torrents\lovely lizzy set 16-20 [by inthecrack].torrent
c:\program files\bitlord\torrents\lovely lizzy set 6-10 [by inthecrack].torrent
scanner sequence 3.FN.11.ICLBCG
----- EOF -----

 

[male30ohio]

Results of screen317's Security Check version 0.99.32
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
McAfee AntiVirus Plus
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
RegSupreme Pro
CCleaner
Java(TM) 6 Update 30
Java version out of date!
Adobe Flash Player 11.2.202.233
Mozilla Firefox (9.0.1)
Mozilla Thunderbird 3.0.11 Thunderbird out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
``````````End of Log````````````

 

[Bobbye]

BitLord, a torrent downloader-file-sharing program- has been used to download porn.

This thread is closed.