Exe.bad image

Inactive
By deseraligears
Sep 10, 2011
  1. I am constantly getting a pop-up bad image warning when I start up and go online.

    I will attach my HijackThis notepad. There is one ALCMTR.EXE which I believe was a virus I removed, but I am still getting the pop-up; please see attached.


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 6:53:41 PM, on 9/10/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.69\GoogleCrashHandler.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchqu.com/sidebar.html?src=ssb&sysid=406
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchqu.com/sidebar.html?src=ssb&sysid=406
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchqu.com/sidebar.html?src=ssb&sysid=406
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
    O3 - Toolbar: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - (no file)
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Bluetooth.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\WINDOW~4\Datamngr\datamngr.dll C:\PROGRA~1\WINDOW~4\Datamngr\IEBHO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 9037 bytes

    Many thanks
  2. Bobbye

    I'll be glad to help you, but we don't 'screen' for malware using HijackThis.

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    FYI: Alcmtr.exe
    Name: alcmtr
    File Name: ALCMTR.EXE
    Description: Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs,
    Location: C:\Windows.
    Status: X

    Like many other suspicious entries, the location of a file can determine its status:
    If alcmtr.exe is located in the folder C:\Windows\System32 then the security rating is 80% dangerous. It is a hidden file.
  3. deseraligears

    Many thanks, please see attached.

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-09-18 15:34:20
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9160314AS rev.0003DEM1
    Running: xknmj4cb.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pgwdifog.sys


    ---- System - GMER 1.0.15 ----

    SSDT F7C20A84 ZwClose
    SSDT F7C20A3E ZwCreateKey
    SSDT F7C20A8E ZwCreateSection
    SSDT F7C20A34 ZwCreateThread
    SSDT F7C20A43 ZwDeleteKey
    SSDT F7C20A4D ZwDeleteValueKey
    SSDT F7C20A7F ZwDuplicateObject
    SSDT F7C20A52 ZwLoadKey
    SSDT F7C20A20 ZwOpenProcess
    SSDT F7C20A25 ZwOpenThread
    SSDT F7C20A5C ZwReplaceKey
    SSDT F7C20A57 ZwRestoreKey
    SSDT F7C20A93 ZwSetContextThread
    SSDT F7C20A48 ZwSetValueKey
    SSDT F7C20A2F ZwTerminateProcess
  4. Bobbye

    Do you plan to paste the rest of the logs? I will review them when I have them all.
  5. deseraligears

    bad image

    I thought that was all. I will run again and check that was all that was on the screen!
    Thanks
  6. Bobbye

    The GMER log will say EOF at the end.

    There was only a part of the GMER log left. You will need to run Malwarebytes and DDS (DDS has 2 logs) per the steps here:
    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    Please leave full GMER log, Malwarebytes log and the 2 logs from DDS.
  7. deseraligears

    bad image

    Thanks, I will follow directions again.
  8. deseraligears

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7790

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    9/24/2011 2:56:53 PM
    mbam-log-2011-09-24 (14-56-53).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 251868
    Time elapsed: 1 hour(s), 50 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 40

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005456.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005474.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005492.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005437.scr (PUP.FunWebProducts) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005439.DLL (PUP.FunWebProducts) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005440.DLL (PUP.FunWebProducts) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005441.DLL (PUP.FunWebProducts) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005442.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005443.DLL (PUP.FunWebProducts) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005444.DLL (PUP.FunWebProducts) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005445.DLL (PUP.FunWebProducts) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005446.DLL (PUP.FunWebProducts) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005447.SCR (PUP.FunWebProducts) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005448.DLL (Adware.MyWebSearch) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005449.DLL (PUP.FunWebProducts) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005450.DLL (PUP.FunWebProducts) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005451.EXE (PUP.FunWebProducts) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005452.DLL (PUP.FunWebProducts) -> Not selected for removal.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005453.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005454.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005455.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005457.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005458.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005459.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005460.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005461.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005462.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005463.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005464.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005465.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005466.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005467.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005468.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005470.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005471.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005472.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005473.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005491.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005493.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8a70108-b8ab-4079-88f7-ff3fb0e675d8}\RP21\A0005494.DLL (Adware.MyWebSearch) -> Not selected for removal.

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-09-24 17:54:01
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9160314AS rev.0003DEM1
    Running: xknmj4cb.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pgwdifog.sys


    ---- System - GMER 1.0.15 ----

    SSDT F7C395FC ZwClose
    SSDT F7C395B6 ZwCreateKey
    SSDT F7C39606 ZwCreateSection
    SSDT F7C395AC ZwCreateThread
    SSDT F7C395BB ZwDeleteKey
    SSDT F7C395C5 ZwDeleteValueKey
    SSDT F7C395F7 ZwDuplicateObject
    SSDT F7C395CA ZwLoadKey
    SSDT F7C39598 ZwOpenProcess
    SSDT F7C3959D ZwOpenThread
    SSDT F7C395D4 ZwReplaceKey
    SSDT F7C395CF ZwRestoreKey
    SSDT F7C3960B ZwSetContextThread
    SSDT F7C395C0 ZwSetValueKey
    SSDT F7C395A7 ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    ? cuuolv.sys The system cannot find the file specified. !

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_25
    Run by Owner at 21:06:55 on 2011-09-24
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.443 [GMT -4:00]
    .
    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: AVG Firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.69\GoogleCrashHandler.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uSearch Page = hxxp://search.live.com
    uSearch Bar = hxxp://www.searchqu.com/sidebar.html?src=ssb&sysid=406
    mDefault_Page_URL = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.searchqu.com/sidebar.html?src=ssb&sysid=406
    mSearchAssistant = hxxp://www.searchqu.com/sidebar.html?src=ssb&sysid=406
    uURLSearchHooks: H - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    TB: {99079a25-328f-4bd4-be04-00955acaa0a7} - No File
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT"&"inst=NzctNzE5ODk5NjkwLUZQOSs2LVRCOSsyLUZMKzktWE8zNisxLUY5TTdDKzUtRjlNMTBCKzItRjlNMisxLUZMMTArMS1UVUcrMy1DSVArMi1ERFQrNjM4MjQtREQxMEYrMS1TVDEwRkFQUCsx"&"prod=55"&"ver=10.0.1392
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{48D18FF4-0D6C-459E-9B65-BA237FA84E92} : DhcpNameServer = 192.168.0.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\progra~1\window~4\datamngr\datamngr.dll c:\progra~1\window~4\datamngr\IEBHO.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-9-11 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-9-11 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-9-11 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-9-11 66616]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-24 366152]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-24 22216]
    R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2010-3-16 157696]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-3-16 1684736]
    S3 cpuz132;cpuz132;\??\c:\docume~1\greer\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\greer\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-7-29 18432]
    S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-09-24 15:47:36 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-24 15:47:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-11 18:24:14 -------- d-----w- c:\windows\system32\NtmsData
    2011-09-11 18:23:13 -------- d-----w- c:\documents and settings\owner\application data\Avira
    2011-09-11 14:08:48 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-09-11 14:08:47 -------- d-----w- c:\program files\Avira
    2011-09-11 14:08:47 -------- d-----w- c:\documents and settings\all users\application data\Avira
    2011-09-10 17:32:47 -------- d-----w- c:\program files\Trend Micro
    2011-09-10 09:11:59 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-09-08 14:10:17 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
    2011-09-08 14:10:06 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
    2011-09-01 00:44:05 -------- d-----w- c:\program files\WINDOW~4
    2011-08-31 20:52:35 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-08-31 14:37:18 -------- d-----w- c:\documents and settings\owner\application data\SumatraPDF
    2011-08-31 14:37:05 -------- d-----w- c:\program files\SumatraPDF
    2011-08-31 14:21:07 -------- d-----w- c:\program files\iPod
    2011-08-26 14:45:16 -------- d-----w- c:\documents and settings\all users\PMS
    2011-08-26 14:44:01 -------- d-----w- c:\program files\PS3 Media Server
    .
    ==================== Find3M ====================
    .
    2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-08-24 12:36:05 20 ----a-w- c:\windows\system32\NLHTMLA.DLL
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-07-12 15:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-05 22:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-07-05 22:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    =UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/16/2010 3:31:25 PM
    System Uptime: 9/24/2011 8:51:50 PM (1 hours ago)
    .
    Motherboard: Dell Inc. | | CN0Y53
    Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | U1 | 1596/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 149 GiB total, 114.129 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\CPL0002\2&DABA3FF&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\CPL0002\2&DABA3FF&0
    Service:
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek RTL8102E/RTL8103E Family PCI-E Fast Ethernet NIC
    Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_02F41028&REV_02\4&2803E7C1&0&00E2
    Manufacturer: Realtek Semiconductor Corp.
    Name: Realtek RTL8102E/RTL8103E Family PCI-E Fast Ethernet NIC
    PNP Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_02F41028&REV_02\4&2803E7C1&0&00E2
    Service: RTLE8023xp
    .
    ==== System Restore Points ===================
    .
    RP1: 8/17/2011 8:49:46 PM - System Checkpoint
    RP2: 8/18/2011 1:17:46 AM - Restore Operation
    RP3: 8/19/2011 5:55:26 AM - Installed Windows XP Wdf01009.
    RP4: 8/20/2011 5:55:37 PM - System Checkpoint
    RP5: 8/22/2011 9:01:05 AM - System Checkpoint
    RP6: 8/23/2011 9:57:46 AM - System Checkpoint
    RP7: 8/24/2011 11:53:52 AM - System Checkpoint
    RP8: 8/25/2011 3:00:27 AM - Software Distribution Service 3.0
    RP9: 8/26/2011 7:18:50 AM - System Checkpoint
    RP10: 8/27/2011 3:03:57 PM - System Checkpoint
    RP11: 8/29/2011 2:04:25 AM - System Checkpoint
    RP12: 8/30/2011 7:02:23 AM - System Checkpoint
    RP13: 8/31/2011 10:32:23 AM - Removed Adobe Reader X (10.1.0).
    RP14: 8/31/2011 4:45:41 PM - Installed Ad-Aware
    RP15: 8/31/2011 4:46:15 PM - Installed Ad-Aware
    RP16: 9/3/2011 10:22:50 AM - System Checkpoint
    RP17: 9/3/2011 11:10:20 PM - Removed Skype™ 5.5
    RP18: 9/5/2011 12:38:56 AM - System Checkpoint
    RP19: 9/7/2011 7:30:25 AM - Removed Click to Call with Skype
    RP20: 9/8/2011 4:20:33 AM - Software Distribution Service 3.0
    RP21: 9/8/2011 4:43:12 AM - Removed Ad-Aware
    RP22: 9/9/2011 8:29:51 AM - System Checkpoint
    RP23: 9/10/2011 10:07:26 AM - System Checkpoint
    RP24: 9/10/2011 1:32:45 PM - Installed HiJackThis
    RP25: 9/11/2011 11:17:28 AM - Removed AVG 2011
    RP26: 9/11/2011 11:19:29 AM - Removed AVG 2011
    RP27: 9/14/2011 8:07:15 AM - System Checkpoint
    RP28: 9/15/2011 6:12:49 AM - Software Distribution Service 3.0
    RP29: 9/17/2011 7:41:57 AM - System Checkpoint
    RP30: 9/17/2011 8:31:54 PM - Removed HiJackThis
    RP31: 9/23/2011 6:34:25 AM - System Checkpoint
    RP32: 9/24/2011 6:48:27 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    CCleaner
    Google Chrome
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2570791)
    HP LaserJet P1000 series
    InstallVC90Support
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 25
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MobileMe Control Panel
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NirSoft BlueScreenView
    QuickTime
    Realtek Card Reader
    Realtek High Definition Audio Driver
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553074)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2553073)
    Security Update for Microsoft Office Groove 2007 (KB2552997)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2530548)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544521)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2559049)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    SumatraPDF
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Outlook 2007 Junk Email Filter (KB2553110)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    WebFldrs XP
    WIDCOMM Bluetooth Software
    Windows Live ID Sign-in Assistant
    Windows Migration Assistant
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    9/24/2011 6:59:20 AM, error: ipnathlp [30009] - The DHCP allocator encountered a network error while attempting to reply on IP address 240.49.70.102 to a request from a client. The data is the error code.
    9/19/2011 6:11:29 AM, error: ipnathlp [30005] - The DHCP allocator has detected a DHCP server with IP address 192.168.0.1 on the same network as the interface with IP address 192.168.0.108. The allocator has disabled itself on the interface in order to avoid confusing DHCP clients.
    9/18/2011 2:01:57 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    .
    ==== End Of File ===========================
    ============ FINISH: 21:07:51.81 ===============

    This is everything requested.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Okay, we have an unwanted search assistant to get rid of. Before we work directly on that, you will need to remove any entries for Fun Web Products. That is part of the gathering from which you got MyWebSearch. At some point, it appears that MWS was removed from being active in the system and remained only in the restore points. But the Fun Web Products, although also showing in the restore points, seem to still be on the system.

    Please go to the Control Panel> Add/ Remove Programs> look for any entries for the following:
    MyWebSearch
    FunWebProducts
    Bandoo
    It doesn't matter if they show as toolbars or programs, each needs to be uninstalled.

    After uninstalling, use Windows Explorer (right click on Start> Explore)> My Computer> Double click on Local Drive (C)> Programs> look for the program folders for any of the above uninstalls and do a right click> Delete on each.
    Then Exit Windows Explorer.
    ==========================================
    FYI: Fun Web Products is where you go to get all those 'fun' /'free' things like 3D cursors, wallpaper, icons, screen savers, Smileys, etc. But they turn out not to be either fun or 'free' because they come bundled with all kinds of trash that takes over a lot on files on a system!

    Some other sites in that family to stay away from are:
    * My Web Search (Smiley Central or FWP product as applicable)
    * My Way Speedbar (Smiley Central or other FWP as applicable)
    * My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
    * My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
    * Search Assistant - My Way

    I think they thought if they put the word "my" before the site domain that it would make users all warm and fuzzy! But be advised- instead of being "my", it's more like "theirs"!
    ======================================
    Note about the following: Combofix will not run with AVG. It looks like you may have tried to remove it, but AVG Firewall is still listed: if you get a message about 'can't run with AVG' when you start Combofix, run the following AppRemover to fully remove AVG

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ========================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click the link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =====================================
    When we are through cleaning, I will have you remove all the old restore points and create a new, clean one. Do not use the System Restore while our cleaning is in progress.
  10. deseraligears

    deseraligears TechSpot Enthusiast Topic Starter Posts: 155

    bad image

    Thanks for the reply, working on removal now, will advise again. Thank you.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please post the logs when ready.
     
  12. deseraligears

    deseraligears TechSpot Enthusiast Topic Starter Posts: 155

    bad image

    Bobby

    That did the trick. I will post the log today. Thanks again, your help was appreciated and needed.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You're welcome. Will review logs when posted.
  14. deseraligears

    deseraligears TechSpot Enthusiast Topic Starter Posts: 155

    bad image

    Here are the files scanned


    C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005437.scr Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005439.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005440.DLL Win32/Adware.FunWeb application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005441.DLL Win32/Adware.FunWeb application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005443.DLL Win32/Toolbar.MyWebSearch.B application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005444.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005445.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005446.DLL Win32/Adware.FunWeb application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005447.SCR Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005448.DLL Win32/Toolbar.MyWebSearch.G application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005449.DLL Win32/Toolbar.MyWebSearch.D application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005450.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005451.EXE Win32/Adware.FunWeb application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005452.DLL Win32/Toolbar.MyWebSearch.P application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005469.DLL Win32/Toolbar.MyWebSearch.I application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP21\A0005494.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{F8A70108-B8AB-4079-88F7-FF3FB0E675D8}\RP34\A0007451.dll Win32/Toolbar.Zugo application
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Nothing new in the Eset log. System Volume are restore points. These are not active in the system. I will have you remove them when we have finished cleaning and set a new, clean one. Instructions were given not to do a System Restore while cleaning.

    Qoobox is where Combofix sends the quarantined files. They will be removed when you uninstall Combofix.

    Please post Combofix log when ready.
  16. deseraligears

    deseraligears TechSpot Enthusiast Topic Starter Posts: 155

    bad image

    ComboFix log


    ComboFix 11-10-02.01 - Owner 10/02/2011 13:18:24.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.342 [GMT -4:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-02 to 2011-10-02 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-02 15:27 . 2011-10-02 15:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
    2011-09-29 10:36 . 2011-09-30 07:09 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-09-29 10:36 . 2011-09-30 07:09 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-09-29 10:36 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-09-29 10:36 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-09-29 10:36 . 2011-09-29 10:36 -------- d-----w- c:\program files\Avira
    2011-09-29 10:36 . 2011-09-29 10:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-09-29 07:02 . 2011-09-29 07:02 -------- d-----w- c:\program files\ESET
    2011-09-24 15:47 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-24 15:47 . 2011-09-24 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-11 18:24 . 2011-09-11 18:24 -------- d-----w- c:\windows\system32\NtmsData
    2011-09-10 17:32 . 2011-09-10 17:32 -------- d-----w- c:\program files\Trend Micro
    2011-09-10 09:11 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-09-08 14:10 . 2011-09-08 14:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2011-09-08 14:10 . 2011-09-08 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-09 09:12 . 2010-03-06 16:30 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-08-31 20:52 . 2011-08-31 20:52 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-07-15 13:29 . 2010-03-06 16:34 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
    2011-07-08 14:02 . 2010-03-06 16:35 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-09-29_06.51.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-10-02 12:22 . 2011-10-02 12:22 16384 c:\windows\Temp\Perflib_Perfdata_6bc.dat
    + 2011-09-29 10:36 . 2010-06-17 19:27 28520 c:\windows\system32\drivers\ssmdrv.sys
    + 2010-12-20 14:07 . 2011-09-29 07:00 47369160 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
    .
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-29 604776]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Windows Migration Assistant\\MigrationAssistant.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/29/2011 6:36 AM 136360]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/24/2011 11:47 AM 366152]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/24/2011 11:47 AM 22216]
    R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [3/16/2010 9:09 PM 157696]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/16/2010 9:22 PM 1684736]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [7/29/2011 1:23 PM 18432]
    S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2011-09-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1647877149-682003330-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-08 08:27]
    .
    2011-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1647877149-682003330-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-08 08:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.searchqu.com/sidebar.html?src=ssb&sysid=406
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.0.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-02 13:25
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(668)
    c:\windows\system32\igfxdev.dll
    .
    - - - - - - - > 'explorer.exe'(3504)
    c:\windows\system32\btmmhook.dll
    c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
    .
    Completion time: 2011-10-02 13:28:18
    ComboFix-quarantined-files.txt 2011-10-02 17:28
    ComboFix2.txt 2011-09-29 06:54
    .
    Pre-Run: 123,087,572,992 bytes free
    Post-Run: 123,128,967,168 bytes free
    .
    - - End Of File - - 314771107A4854C63343CD13E6041942
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Did you follow my directions in Reply #9 for uninstalling and deleting the program folders?

    I'm a bit confused about your 2 threads. This original one was started 3 weeks ago. Then it appears that you came back 2 weeks later, 1 week ago and started a new thread with the logs requested. That 2nd thread was closed, while I was waiting here for those logs. My apology for that- the threads should have been merged with a note to you to keep all of this same problem together on this thread.

    Are you still getting a bad image notice? If yes, what program or entry brings it up?
    =====================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    KillAll::
    File::
    DDS::
    uStart Page = about:blank
    uSearch Page = hxxp://search.live.com
    uSearch Bar = hxxp://www.searchqu.com/sidebar.html?src=ssb&sysid=406
    uSearchAssistant = hxxp://www.searchqu.com/sidebar.html?src=ssb&sysid=406
    mSearchAssistant = hxxp://www.searchqu.com/sidebar.html?src=ssb&sysid=406
    uURLSearchHooks: H - No File
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    =======================================
    There was an entry in GMER: ? cuuolv.sys The system cannot find the file specified. ! that concerns me because I can't identify it. There is most likely something on the Start Menu requesting this. It could be malware, it could have been removed, but I need to check it: The only ID I could find was having to do with a Soccer team in the Netherlands, but your entry indicates a driver. Does this translation mean anything to you:
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      cuuolv.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
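The two things this post is probing (a driver entry that GMER reports with "The system cannot find the file specified", and whether any cuuolv.* file still exists on disk) can be checked from PowerShell as well; the script below is an added example, not code from the thread, SystemLook or GMER, and assumes an elevated PowerShell 2.0+ prompt on the affected machine. The file base name `cuuolv` is the only page-specific value; the function names and the `$Name` parameter are the example's own.

```powershell
# Added example (not from the thread or from the SystemLook/GMER tools).
# Assumes an elevated PowerShell 2.0+ prompt. It reports:
#  1) Services registry entries whose ImagePath points at a file that no longer
#     exists (what GMER's "? cuuolv.sys The system cannot find the file
#     specified" means: something still references a driver that is gone), and
#  2) any file named cuuolv.* on the system drive, like SystemLook's :filefind.
param([string]$Name = 'cuuolv')   # base name from the thread; change as needed

function Expand-ImagePath([string]$raw) {
    # ImagePath values come in several shapes: "\SystemRoot\system32\x.sys",
    # "system32\DRIVERS\x.sys" (relative to the Windows folder), "\??\C:\x.sys",
    # "%SystemRoot%\System32\svchost.exe -k netsvcs", or a quoted path + args.
    $p = $raw.Trim()
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] } else { $p = ($p -split ' ')[0] }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\\?\?\\', ''                 # strip the NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Find-OrphanedServices {
    # Every service/driver key whose resolved ImagePath does not exist on disk.
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $img) { continue }
        $path = Expand-ImagePath $img
        if (-not (Test-Path -LiteralPath $path)) {
            New-Object PSObject -Property @{
                Service = $key.PSChildName; ImagePath = $img; Resolved = $path }
        }
    }
}

function Find-FileByName([string]$base) {
    # Same idea as SystemLook's ":filefind cuuolv.*": walk the system drive,
    # including hidden/system folders, for any file with that base name.
    Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Filter "$base.*" `
        -ErrorAction SilentlyContinue | Select-Object FullName, Length, LastWriteTime
}

"== Service/driver entries whose ImagePath does not resolve to a file =="
$orphans = @(Find-OrphanedServices)
$orphans | Format-Table Service, ImagePath, Resolved -AutoSize
"== Of those, entries mentioning '$Name' =="
$orphans | Where-Object { $_.ImagePath -match $Name } | Format-Table Service, ImagePath, Resolved -AutoSize
"== Files named $Name.* on $env:SystemDrive =="
Find-FileByName $Name | Format-Table -AutoSize
```

An orphaned entry is evidence only that a registry reference outlived its file; removing the file alone leaves that reference behind, which is why the helper asks for the log before calling the machine clean.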
  18. deseraligears

    deseraligears TechSpot Enthusiast Topic Starter Posts: 155

    bad image

Bobby, I posted the reply and ComboFix log as directed. I no longer have the problem.

    Please advise if I should follow the instructions you posted 3 days ago.

    Thanks
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    The Combofix script produced a new log. I have not seen it. There is one file that I have not been able to identify. I advise that you run the System Look, post the results and post the new Combofix log.

Many times a problem may seem to be resolved, but unless we complete the cleaning, I do not know if all the bad entries have been removed.

    If you prefer to stop at this point:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disk Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    ======================================
    My recommendation is to finish.
  20. deseraligears

    deseraligears TechSpot Enthusiast Topic Starter Posts: 155

    bad image

Thanks Bobby for everything again. I will run and uninstall as advised and post when completed. Many, many thanks.
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You're very welcome.

