Solved Found trojans; not sure if system is clean


rda

Hello. Thank you for considering my issue.

I first noticed extra "flashing" of my desktop icons, and then I noticed Explorer (not IE) hanging and sometimes crashing. As I looked into that, I noted that Explorer.exe was trying to make network connections.

I had used Prevx, but after some problems with it interacting badly with other legitimate software, I had removed it. After noting these problems, I tried to install AVG and Zonealarm. I had problems trying to install them, and then trying to remove them, but I think I got rid of them after some hours.

I came across this site, and set out to do the 5 steps. I installed Avira. It came up with several alerts about trojans, which I asked it to fix (hoping that wasn't against the instructions), and then it said I needed to do a scan from the boot CD because of a hidden object. I made an Avira boot CD on another computer, and used it to do a long scan. It reported 5 infections and renamed the files involved. One of them was afd.sys, which caused networking to break until I figured out what was going on and got a correct copy of that file.

I notice that two of the files renamed by the boot CD were in a directory that I cannot see from Windows.

While running Malwarebytes, Avira gave another alert and denied access to an .exe file named with two long numbers separated by a colon. I had noticed processes named like this showing up in the task list sometimes, running under SYSTEM.

So, that's the background. Here are the log files. I hope you can help me determine if I still have an infection or not.

Thank you!

Step 2:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8316

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/5/2011 7:08:58 AM
mbam-log-2011-12-05 (07-08-58).txt

Scan type: Quick scan
Objects scanned: 206825
Time elapsed: 23 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent.Gen) -> Value: Shell -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
==============================================

Step 3:
gmer.log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-12-05 07:22:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-19 WDC_WD3000GLFS-01F8U0 rev.03.03V01
Running: 3pgzbyrr.exe; Driver: C:\DOCUME~1\Rich\LOCALS~1\Temp\ugtdrpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)

---- EOF - GMER 1.0.15 ----



Step 4:
==============================================

DDS.txt:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Rich at 7:29:00 on 2011-12-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2888 [GMT -8:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DU Meter4\DUMeterSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Macro Express3\MacExp.exe
C:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\PROGRA~1\DU Meter4\DUMeter.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Macro Express3\macedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\eHome\ehmsas.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = https://www.google.com/calendar/render?sourceid=navclient&ie=UTF-8&gsessionid=OK
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DU Meter] c:\program files\du meter4\DUMeter.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\rich\startm~1\programs\startup\karen'~1.lnk - c:\program files\karen's power tools\replicator\PTReplicator.exe
StartupFolder: c:\docume~1\rich\startm~1\programs\startup\wallpa~1.lnk - c:\program files\wallpapertoy\Wallpapertoy.Exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\macroe~1.lnk - c:\program files\macro express3\MacExp.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
Trusted Zone: adobe.com
Trusted Zone: dr-amy.com
Trusted Zone: dyndns.org\wvfcpao
Trusted Zone: eset.com
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: safeway.com\shop
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://71.129.8.190:81/kxhcm10.ocx
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://63.197.105.163/activex/AxisCamControl.cab
DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} - hxxp://76.193.221.170/program/SonySncRz25View.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://66.242.36.104/app/view22RTE.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.1/jinstall-1_4_1-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://upload.smugmug.com/photos/activex/XUpload.ocx
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{73E93CA6-409A-44A0-BB28-49FCDF7B909C} : DhcpNameServer = 192.168.1.1
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 192.168.1.104 HP0018715D273B
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rich\application data\mozilla\firefox\profiles\r8vbe3iw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://dr-amy.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-12-8 32008]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-12-4 36000]
R1 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-12-8 76696]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-12-4 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-12-4 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-12-4 74640]
R2 DUMeterSvc;DU Meter Service;c:\program files\du meter4\DUMeterSvc.exe [2010-9-18 1411616]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-11-9 1248256]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-12-1 119656]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 AM10;Cisco AM10 Driver;c:\windows\system32\drivers\AM10XP.sys [2011-5-17 816672]
S3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files\du meter4\DUM_XP32.sys [2010-9-18 16424]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-11-26 14336]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2010-8-24 1104656]
.
=============== Created Last 30 ================
.
2011-12-05 14:37:55 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-05 14:37:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-05 04:57:00 -------- d-----w- C:\ERDNT
2011-12-05 03:40:11 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-05 03:40:11 138112 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-12-04 17:01:51 -------- d-----w- c:\documents and settings\rich\application data\Avira
2011-12-04 16:57:19 -------- d-----w- c:\windows\system32\NtmsData
2011-12-04 16:48:38 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-12-04 16:48:38 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-12-04 16:48:37 -------- d-----w- c:\program files\Avira
2011-12-04 16:48:37 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-12-04 16:31:52 -------- d-----w- c:\documents and settings\rich\application data\CheckPoint
2011-12-04 16:31:19 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint
2011-12-04 05:24:47 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-12-04 03:35:05 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-12-03 23:52:30 -------- d-----w- c:\documents and settings\rich\application data\AVG2012
2011-12-03 22:39:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-03 22:39:46 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-12-03 22:26:10 -------- d-sh--w- c:\documents and settings\rich\local settings\application data\a77dc65d
2011-12-02 23:18:25 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-12-02 23:18:25 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-12-02 23:18:25 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-02 23:18:25 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-12-02 23:18:25 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-12-02 23:18:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-02 23:18:24 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-12-02 23:18:24 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-12-01 22:24:21 -------- d-----w- c:\program files\iPod
2011-12-01 22:24:00 -------- d-----w- c:\program files\iTunes
2011-12-01 19:47:08 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-12-01 19:46:41 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-12-01 19:46:41 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-12-01 14:50:32 876136 ----a-w- c:\windows\system32\nvhdagenco3220102.dll
2011-12-01 14:50:32 26216 ----a-w- c:\windows\system32\nvhdap32.dll
2011-12-01 14:50:32 119656 ----a-w- c:\windows\system32\drivers\nvhda32.sys
2011-11-30 20:06:19 -------- d-----w- c:\windows\Logs
2011-11-30 19:59:47 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-11-30 19:59:47 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-11-30 19:59:47 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-11-30 19:59:47 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-11-30 19:59:47 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-11-30 19:59:47 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-11-30 19:59:47 1958400 ----a-w- c:\windows\system32\nvapi.dll
2011-11-30 19:59:47 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
2011-11-30 19:59:47 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
.
==================== Find3M ====================
.
2011-12-04 00:13:33 149904 ----a-w- c:\windows\system32\nvsvc32.exe
2011-12-02 03:10:55 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-11-14 20:01:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 7:29:57.93 ===============

Attach.txt:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/19/2007 12:03:39 AM
System Uptime: 12/5/2011 7:26:18 AM (0 hours ago)
.
Motherboard: Intel Corporation | | DG965WH
Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | LGA 775 | 1864/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 274 GiB total, 38.633 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 1863 GiB total, 344.773 GiB free.
G: is Removable
H: is Removable
I: is Removable
K: is Removable
N: is FIXED (NTFS) - 1863 GiB total, 1258.315 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: ACPI\AWY0001\4&12686F5B&0
Manufacturer:
Name:
PNP Device ID: ACPI\AWY0001\4&12686F5B&0
Service:
.
==== System Restore Points ===================
.
RP1: 12/4/2011 7:08:52 PM - System Checkpoint
.
==== Installed Programs ======================
.
.
Acrobat.com
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
Adobe Acrobat 9.4.6 - CPSID_83708
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Photoshop Elements 8.0
Adobe Photoshop Lightroom 3.2
Adobe Photoshop.com Inspiration Browser
Adobe Premiere Elements 8.0
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira Free Antivirus
AviSynth 2.5
Bonjour
BreezeBrowser Pro
BufferChm
Canon Utilities Digital Photo Professional 3.7
Canon Utilities EOS Utility
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
CASSiPalm
CDDRV_Installer
Compatibility Pack for the 2007 Office system
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
DENTRIX G2
DENTRIX G2 Required Components
Destinations
Diamond G1000 Trainer v6.01
Director
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
DocProc
DocumentViewer
Downloader Pro
DU Meter
Evernote
Falcon 4.0: Allied Force
FLV Player 2.0 (build 25)
Free Video to iPhone Converter version 2.1
FreeUndelete
GameSpy Arcade
getPlus(R) for Adobe
Google Earth
Google Earth Plug-in
Google SketchUp 8
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Update Helper
Graphing Calculator
HandBrake 0.9.5
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Image Zone 4.7
HP Officejet Pro 8500 A910 Basic Device Software
HP Officejet Pro 8500 A910 Help
HP Software Update
HPSystemDiagnostics
I.R.I.S. OCR
InstantShare
Intel Audio Studio 2.0
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
ISO Recorder
iTunes
Java Auto Updater
Java(TM) 6 Update 23
JDownloader
Karen's Replicator
KhalInstallWrapper
LightScribe 1.4.89.1
Logitech Harmony Remote Software 7
Logitech SetPoint
Macro Express 3
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Halo
Microsoft IntelliType Pro 6.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Professional Edition
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Windows Journal Viewer
MobileMe Control Panel
Mole Setup
Mozilla Firefox 8.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
Nero Suite
NIS eTrans 3.0
NVIDIA Display Control Panel
NVIDIA HD Audio Driver 1.2.24.0
NVIDIA Install Application
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX System Software 9.11.0621
OCA Client history tool install
Palm
Palm Outlook Conduits Updater
PanoStandAlone
Pegasus Imaging PICVideo Motion JPEG 4.0
Pegasus Mail
PhotoGallery
PowerStrip 3 (remove only)
PrimoPDF
Punch! Professional Home Design - Platinum
QFolder
QuickBooks
QuickBooks Pro 2011
QuickTime
Radmin Viewer 3.1
Remote Administrator v2.2
Remote Cameras
Remote Control USB Driver
ScannerCopy
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SigmaTel Audio
SkinsHP1
SmartSound Quicktracks for Premiere Elements 8.0
Sonic CinePlayer
Spelling Dictionaries Support For Adobe Reader 8
Star Wars Battlefront
Star Wars Battlefront II
Star Wars Republic Commando
TiVo Desktop 2.8.2
TiVo Photos 2.0
TrayApp
TroopMaster 2009
TurboTax 2008
TurboTax 2008 wcaiper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 wcaiper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
TurboTax 2010
TurboTax 2010 wcaiper
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
TurboTax Premier 2007
Uninstall 1.0.0.1
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.4053
Videora TiVo Converter 0.80
ViewSonic Windows XP Signed Files
VLC media player 1.1.11
Wallpaper Changer for Windows XP
WD Diagnostics
WD Firewire HID Driver
WebFldrs XP
WebReg
WexTech AnswerWorks
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB890629
Windows XP Media Center Edition 2005 KB890760
Windows XP Media Center Edition 2005 KB894553
Windows XP Media Center Edition 2005 KB895198
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR 4.00 beta 3 (32-bit)
.
==== Event Viewer Messages From Past Week ========
.
12/4/2011 8:46:38 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
12/4/2011 7:16:36 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service ehSched with arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}
12/4/2011 11:28:15 AM, error: SRService [104] - The System Restore initialization process failed.
12/3/2011 7:46:17 AM, error: Dhcp [1002] - The IP address lease 192.168.1.200 for the Network Card with network address 001676C905F7 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
12/1/2011 8:38:31 AM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/1/2011 11:05:47 AM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
11/30/2011 6:46:19 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Media Center Extender Service service to connect.
11/30/2011 6:46:19 PM, error: Service Control Manager [7000] - The Media Center Extender Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/30/2011 6:23:00 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
11/29/2011 11:30:41 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/29/2011 11:30:31 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gusvc with arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}
.
==== End Of File ===========================
 
I have deleted your duplicate thread. Sometimes it takes a bit for a post to go through.

Welcome to TechSpot! Avira has given that instruction incorrectly and it has been done inappropriately on other systems. Please don't do anything else while I'm helping you unless I instruct you to do so.
=========================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
I would like to make some suggestions to you:

1. There are 24 entries for TurboTax. Consider moving the yearly returns to a CD. That's a lot of information to keep on a system.

The infected entry in Mbam is a (Backdoor.Agent.Gen). We cannot guarantee it has been entirely removed and that the system hasn't been compromised.
---------------------------
2. I highly recommend you remove all of these domains from the Trusted Zone. The security setting is lower in that zone so your system is more vulnerable. Nothing needs to be in the Trusted Zone. It is frequently a marketing tool so that they can send pros past your security and possibly spam:
Trusted Zone: adobe.com
Trusted Zone: dr-amy.com
Trusted Zone: dyndns.org\wvfcpao
Trusted Zone: eset.com
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: safeway.com\shop
Trusted Zone: turbotax.com

3. Strongly recommend you take all of these off of Startup:
StartupFolder: c:\docume~1\rich\startm~1\programs\startup\karen'~1.lnk - c:\program files\karen's power tools\replicator\PTReplicator.exe
StartupFolder: c:\docume~1\rich\startm~1\programs\startup\wallpa~1.lnk - c:\program files\wallpapertoy\Wallpapertoy.Exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\macroe~1.lnk - c:\program files\macro express3\MacExp.exe
===========================================
Please do not act on any alerts from Avira while I'm helping you:
===========================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the ESET Smart Installer image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the esetSmartInstaller icon (image: esetSmartInstallDesktopIcon.png) on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
    (image: esetonlinescannersettings_thumb.jpg)
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=============================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe (image: cf-icon.jpg) & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
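As an added illustration of point 2 above (not part of this thread or of any tool it mentions), this PowerShell script lists the current user's Internet Explorer zone assignments from the ZoneMap\Domains registry key, where Trusted Sites entries such as dyndns.org\wvfcpao are stored, and flags anything placed in the Trusted Sites zone. It assumes the standard IE zone numbering (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites) and only reads the registry; removal is still done through Internet Options as the helper describes.

```powershell
# Added audit example, not from the thread. Read-only: it reports zone-map entries
# and never modifies the registry.
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Read-ZoneKey {
    param($Key, [string]$Label)
    # Under each domain (or subdomain) key, the value name is the scheme
    # ('http', 'https', or '*') and the DWORD data is the zone number.
    foreach ($valueName in $Key.GetValueNames()) {
        $zone = [int]$Key.GetValue($valueName)
        [pscustomobject]@{
            Entry    = $Label
            Scheme   = $valueName
            Zone     = $zone
            ZoneName = $zoneNames[$zone]
        }
    }
}

function Get-ZoneMapEntries {
    param([string]$Path = $domainsKey)
    if (-not (Test-Path $Path)) { return @() }
    $entries = @()
    # Each domain is a subkey (e.g. dyndns.org); a subdomain or host is a nested
    # subkey (e.g. wvfcpao), which DDS prints as "dyndns.org\wvfcpao".
    foreach ($domainKey in Get-ChildItem -Path $Path) {
        $entries += Read-ZoneKey -Key $domainKey -Label $domainKey.PSChildName
        foreach ($subKey in Get-ChildItem -Path $domainKey.PSPath) {
            $label = $domainKey.PSChildName + '\' + $subKey.PSChildName
            $entries += Read-ZoneKey -Key $subKey -Label $label
        }
    }
    return $entries
}

$all = Get-ZoneMapEntries
$trusted = $all | Where-Object { $_.Zone -eq 2 }
if ($trusted) {
    Write-Output "Sites in the Trusted Sites zone (they get that zone's weaker security settings):"
    $trusted | Sort-Object Entry | Format-Table Entry, Scheme -AutoSize
} else {
    Write-Output 'No sites are assigned to the Trusted Sites zone.'
}
```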
 
I have deleted your duplicate thread. Sometimes it takes a bit for post to go through.

The first time the login had timed out and I didn't think the thread had posted after I logged in again, so I did it over. Thank you for catching that.

... Please don't do anything else while I'm helping you unless I instruct you to do so.

Will do.

...
1. there are 24 entries for Turbotax. Consider moving the yearly returns to a CD. That's a lot of information to keep on a system.

I moved the data files off a while back. I suspect those entries are left over from old TurboTax installations. Should I remove the programs? I was keeping them around to make it easier to open the old returns if I have to in the future.

...
2. I highly recommend you remove all of these domains from the Trusted Zone. ...

OK, I did that. All of those were added in the past because something didn't work, but that was when I ran much tighter IE security settings (for both regular and trusted zones). I should have removed them when I backed off to "regular" settings.

3. Strongly recommend you take all of these off of Startup:

Done. I'll need to put at least some of those back at some point as they are tools I depend on.

...
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the
    esetSmartInstallDesktopIcon.png
    on your desktop.
...

I'm using Firefox 8.0.1. The control-click opened http://www.eset.com/us/online-scanner/, but I don't see anything like the image you wrote about on that page, and clicking on the image in your post does nothing. I'm afraid I don't understand what you want me to do. There is a button on the page to run the eset online scanner, but rather than risking a mis-step, I'll ask for further instruction.

Also, having removed those start-up items, shall I reboot before running any scanners?

Thank you!
 
Click on the Eset download screen. A new window will pop up for you to get the installer for Firefox.

"shall I reboot before running any scanners?" Yes.
You did not have to do them all at this moment. Perhaps I should have made that more clear.

But you should know that you can access any of them through All Programs or shortcuts in the QuickLaunch Toolbar. Why have them all start on boot and run in the background the entire time you're on the internet?
 
Hello again.

Eset ran for most of day. It reported about 6 infections on my primary drive, and about 14 more on accessory drives (backups, primarily).

Combofix reported infection by ZeroAccess rootkit. I disabled Avira when I started Combofix, but did not think to disable it again after reboots, which happened twice. I didn't see any reports from Avira. Hopefully it didn't interfere.

Thank you for your assistance!

Here is the ESET log:
============================================
C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\6.0\3\52f0cbc3-4217eb88 a variant of Java/Agent.DW trojan
C:\Program Files\PowerStrip\PStapi.exe probably a variant of Win32/Agent.LWYJTAT trojan
F:\Backups from Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe probably a variant of Win32/Agent.JBZVJYN trojan
F:\Backups from Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe probably a variant of Win32/Agent.JBZVJYN trojan
F:\Backups from Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe probably a variant of Win32/Agent.JBZVJYN trojan
F:\Backups from Office\My Docs\Downloads\cnet_vlc-1_1_11-win32_exe.exe a variant of Win32/InstallCore.D application
F:\From Maxtor 320\Program Files\PowerStrip\PStapi.exe probably a variant of Win32/Agent.LWYJTAT trojan
N:\From Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe probably a variant of Win32/Agent.JBZVJYN trojan
N:\From Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe probably a variant of Win32/Agent.JBZVJYN trojan
N:\From Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe probably a variant of Win32/Agent.JBZVJYN trojan
=========================================


Here is the log.txt from Combofix:
=========================================
ComboFix 11-12-06.01 - Rich 12/06/2011 8:35.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3078 [GMT -8:00]
Running from: c:\documents and settings\Rich\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\3EFB0FE0.TMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Rich\Desktop\msg.txt
c:\documents and settings\Rich\My Documents\~WRL0001.tmp
c:\documents and settings\Rich\My Documents\~WRL0005.tmp
c:\documents and settings\Rich\My Documents\~WRL1783.tmp
c:\documents and settings\Rich\My Documents\~WRL1896.tmp
c:\documents and settings\Rich\My Documents\~WRL1983.tmp
c:\documents and settings\Rich\WINDOWS
c:\windows\$NtUninstallKB40671$
c:\windows\$NtUninstallKB40671$\2278235436
c:\windows\$NtUninstallKB40671$\2810037853\@
c:\windows\$NtUninstallKB40671$\2810037853\L\uaawvnhi
c:\windows\$NtUninstallKB40671$\2810037853\loader.tlb
c:\windows\$NtUninstallKB40671$\2810037853\U\@00000001
c:\windows\$NtUninstallKB40671$\2810037853\U\@000000c0
c:\windows\$NtUninstallKB40671$\2810037853\U\@000000cb
c:\windows\$NtUninstallKB40671$\2810037853\U\@000000cf
c:\windows\$NtUninstallKB40671$\2810037853\U\@80000000
c:\windows\$NtUninstallKB40671$\2810037853\U\@800000c0
c:\windows\$NtUninstallKB40671$\2810037853\U\@800000cb
c:\windows\$NtUninstallKB40671$\2810037853\U\@800000cf
c:\windows\CSC\d6
c:\windows\dasetup.log
c:\windows\EventSystem.log
c:\windows\kb913800.exe
c:\windows\system32\
c:\windows\system32\config\systemprofile\WINDOWS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_a77dc65d
.
.
((((((((((((((((((((((((( Files Created from 2011-11-06 to 2011-12-06 )))))))))))))))))))))))))))))))
.
.
2011-12-05 20:49 . 2011-12-05 20:49 -------- d-----w- c:\program files\ESET
2011-12-05 14:37 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-05 14:37 . 2011-12-05 14:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-05 04:57 . 2011-12-05 04:57 -------- d-----w- C:\ERDNT
2011-12-05 03:40 . 2008-08-14 10:04 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-05 03:40 . 2008-04-13 19:19 138112 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-12-04 17:01 . 2011-12-04 17:01 -------- d-----w- c:\documents and settings\Rich\Application Data\Avira
2011-12-04 16:57 . 2011-12-05 14:14 -------- d-----w- c:\windows\system32\NtmsData
2011-12-04 16:48 . 2011-10-20 00:56 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-12-04 16:48 . 2011-10-20 00:56 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-12-04 16:48 . 2011-10-20 00:56 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-12-04 16:48 . 2011-12-04 16:48 -------- d-----w- c:\program files\Avira
2011-12-04 16:48 . 2011-12-04 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-12-04 16:31 . 2011-12-04 16:31 -------- d-----w- c:\documents and settings\Rich\Application Data\CheckPoint
2011-12-04 16:31 . 2011-12-04 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\CheckPoint
2011-12-04 05:24 . 2001-08-17 22:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-12-04 03:35 . 2011-12-04 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-12-03 23:52 . 2011-12-03 23:52 -------- d-----w- c:\documents and settings\Rich\Application Data\AVG2012
2011-12-03 22:39 . 2011-12-04 00:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-03 22:39 . 2011-12-04 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-12-03 22:26 . 2011-12-03 22:26 -------- d-sh--w- c:\documents and settings\Rich\Local Settings\Application Data\a77dc65d
2011-12-02 23:18 . 2011-12-02 23:18 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-02 23:18 . 2011-12-02 23:18 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-02 23:18 . 2011-12-02 23:18 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-02 23:18 . 2011-12-02 23:18 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-12-02 23:18 . 2011-12-02 23:18 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-12-02 23:18 . 2011-12-02 23:18 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-02 23:18 . 2011-12-02 23:18 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-12-02 23:18 . 2011-12-02 23:18 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-01 22:24 . 2011-12-01 22:24 -------- d-----w- c:\program files\iPod
2011-12-01 22:24 . 2011-12-01 22:26 -------- d-----w- c:\program files\iTunes
2011-12-01 19:47 . 2011-12-01 19:47 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-12-01 19:46 . 2011-12-01 19:47 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-12-01 19:46 . 2011-12-01 19:46 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-12-01 14:50 . 2011-07-07 23:21 26216 ----a-w- c:\windows\system32\nvhdap32.dll
2011-12-01 14:50 . 2011-07-07 23:21 119656 ----a-w- c:\windows\system32\drivers\nvhda32.sys
2011-12-01 14:50 . 2011-07-07 23:21 876136 ----a-w- c:\windows\system32\nvhdagenco3220102.dll
2011-11-30 20:06 . 2011-11-30 20:06 -------- d-----w- c:\windows\Logs
2011-11-30 19:59 . 2011-01-08 03:27 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-11-30 19:59 . 2011-01-08 03:27 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-11-30 19:59 . 2011-01-08 03:27 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-11-30 19:59 . 2011-01-08 03:27 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-11-30 19:59 . 2011-01-08 03:27 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-11-30 19:59 . 2011-01-08 03:27 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-11-30 19:59 . 2011-01-08 03:27 1958400 ----a-w- c:\windows\system32\nvapi.dll
2011-11-30 19:59 . 2011-01-08 03:27 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
2011-11-30 19:59 . 2011-01-08 03:27 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-04 00:13 . 2011-01-08 03:58 149904 ----a-w- c:\windows\system32\nvsvc32.exe
2011-12-02 03:10 . 2007-09-21 23:54 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-11-14 20:01 . 2011-05-16 13:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2006-11-26 20:47 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2006-11-26 20:46 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2006-11-26 20:49 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2006-11-26 20:49 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-12-02 23:18 . 2011-12-02 23:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-13 39408]
"DU Meter"="c:\program files\DU Meter4\DUMeter.exe" [2010-08-31 2941984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-09-30 2215768]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-03 9134080]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-20 258512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
backup=c:\windows\pss\QuickBooks_Standard_21.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Backup Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Backup Monitor.lnk
backup=c:\windows\pss\WD Backup Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-23 01:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-09-27 23:13 61440 ----a-w- c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DtxQuickLaunch.exe]
2006-10-25 17:24 77824 ----a-w- c:\program files\Dentrix\DtxQuickLaunch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-09-13 23:49 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-07-06 22:15 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2008-06-10 20:56 1442888 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-13 07:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
2010-08-25 00:02 437520 ----a-w- c:\program files\TiVo\Desktop\TiVoNotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
2010-08-25 00:02 2264336 ----a-w- c:\program files\TiVo\Desktop\TiVoServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
2010-08-25 00:02 608528 ----a-w- c:\program files\TiVo\Desktop\TiVoTransfer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TranscodingService]
2010-08-25 00:02 856336 ----a-w- c:\program files\TiVo\Desktop\Plus\TranscodingService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2007-08-01 04:26 364544 ----a-w- c:\windows\system32\WDBtnMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AdobeActiveFileMonitor5.0"=2 (0x2)
"UPS"=3 (0x3)
"UTSCSI"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"avgwd"=2 (0x2)
"AVGIDSAgent"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Adobe\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Google\Update\GoogleUpdate.exe"= Google Installer
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBUpdate\\qbupdate.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [12/8/2010 10:53 AM 32008]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/4/2011 8:48 AM 36000]
R1 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [7/14/2007 5:37 PM 27992]
R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [12/8/2010 9:03 AM 76696]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/4/2011 8:48 AM 86224]
R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter4\DUMeterSvc.exe [9/18/2010 6:12 PM 1411616]
R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [11/9/2011 10:59 AM 1248256]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [12/1/2011 6:50 AM 119656]
S3 AM10;Cisco AM10 Driver;c:\windows\system32\drivers\AM10XP.sys [5/17/2011 3:21 PM 816672]
S3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files\DU Meter4\DUM_XP32.sys [9/18/2010 6:12 PM 16424]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [11/26/2006 12:50 PM 14336]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [8/24/2010 4:02 PM 1104656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = https://www.google.com/calendar/render?sourceid=navclient&ie=UTF-8&gsessionid=OK
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://71.129.8.190:81/kxhcm10.ocx
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
FF - ProfilePath - c:\documents and settings\Rich\Application Data\Mozilla\Firefox\Profiles\r8vbe3iw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://dr-amy.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG2012\avgtray.exe
MSConfigStartUp-StxTrayMenu - c:\program files\Seagate\SystemTray\StxMenuMgr.exe
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-06 08:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="c:\program files\DU Meter4\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3192)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\locator.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\eHome\ehmsas.exe
c:\progra~1\DU Meter4\DUMeter.exe
.
**************************************************************************
.
Completion time: 2011-12-06 08:59:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-06 16:58
ComboFix2.txt 2010-12-12 19:25
.
Pre-Run: 45,403,127,808 bytes free
Post-Run: 45,582,802,944 bytes free
.
- - End Of File - - 6605E3490B386B8FD12A414669008DB5
=========================================
 
Startup items

Why have them all start on boot and run in the background the entire time you're on the internet?

I suppose this is a little off topic, but since you asked:

I use PTReplicator as part of my backup system. There are likely better tools around today, but I've found this to be reliable for years, and so continue to use it.

MacExp is a macro system that lets me automate common tasks. Remembering to launch it each time I wanted to use a shortcut would severely cut into the shortcut nature of it!

SetPoint makes my Logitech mouse buttons work the way I want.

Wallpaper Changer gives me new background pictures automatically, which I like.

The others were put in by various installers and I likely won't put them back.

Thanks!
 
FYI: you were correct- the Eset directions were misleading and confusing. Check my rewrite for me and see if it goes better:

For checking purposes only- no need to run

Please run the Eset online virus scan:
For Internet Explorer:> start here >>
  • Open the ESETOnlineScan
    -------------
    Note: If you are using a browser other than Internet Explorer> start here >>
  • Open Eset Smart Installer
  • Click on the esetsmartinstaller_enu.exe link and save to the desktop.
  • Double click on the desktop icon to run.
  • After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  • Continue with the directions.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
****Let me know if you think the confusion has been resolved.
=============================
The questions I ask and the suggestions I make are based on what I see in the logs. I take into account the resources used, the extra internet connections and the security of the system. And I base some of it on my own experiences over the years.

However, unless something is actually malware, whether you take my suggestions is entirely up to you. You do not have to defend their use> it is your system after all!
===================================
For the Eset entries: There are 3 drives with malware: C, F, N

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\6.0\3\52f0cbc3-4217eb88 
    C:\Program Files\PowerStrip\PStapi.exe probably a variant of Win32/Agent.LWYJTAT trojan
    F:\Backups from Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe 
    F:\Backups from Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe 
    F:\Backups from Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe 
    F:\Backups from Office\My Docs\Downloads\cnet_vlc-1_1_11-win32_exe.exe 
    F:\From Maxtor 320\Program Files\PowerStrip\PStapi.exe 
    N:\From Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe 
    N:\From Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe 
    N:\From Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
---------------------------------------
Interesting to note in the Eset log that some of these entries just got moved around.
Also interesting that I can't find a description of either Win32/Agent.JBZVJYN trojan or Win32/Agent.LWYJTAT trojan
variant of Win32/Agent.JBZVJYN trojan: Entries for below are from Dentrix 1, 2 and 3
F:\Backups from Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe
N:\From Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe

a variant of Win32/Agent.LWYJTAT trojan
C:\Program Files\PowerStrip\PStapi.exe
F:\From Maxtor 320\Program Files\PowerStrip\PStapi.ex

If any of the 3 drives are a flash drive/USB drive, we should disinfect that also.
=======================================
Thanks for checking the Eset instruction rewrite.
Will review Combofix log after lunch.
 
The Combofix log is okay except for this entry:

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DtxQuickLaunch.exe]
2006-10-25 17:24 77824 ----a-w- c:\program files\Dentrix\DtxQuickLaunch.exe

I am only concerned because of the malware reported on this program and backup.
 
I tried to run OTMoveIt per your instructions, but I think I may have messed up copying the commands over. I got this message when I tried to run it:

Invalid time flag: Agent. ??? trojan
must be numeric

I wrote it down, but then somehow lost it, so that's my best memory of it. The "???" is a name I can't recall.

Regarding the files on F: and N:, they are from backups, much of them files that I never actually use/run on this computer. I don't recall "PowerStrip" (which doesn't mean I never installed it, but I'm pretty sure it isn't used now).

I can remove Dentrix from this machine if that would simplify things.

I don't understand what you mean by ESet showing that the files just got moved around? I'll note that I haven't touched any of the files mentioned on N: or F: in months.

Here is the OTMoveIt log. Should I try again?

All processes killed
Error: Unable to interpret <C:\Program Files\PowerStrip\PStapi.exe probably a variant of Win32/Agent.LWYJTAT trojan> in the current context!
Error: Unable to interpret <F:\Backups from Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe > in the current context!
Error: Unable to interpret <F:\Backups from Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe > in the current context!
Error: Unable to interpret <F:\Backups from Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe > in the current context!
Error: Unable to interpret <F:\Backups from Office\My Docs\Downloads\cnet_vlc-1_1_11-win32_exe.exe > in the current context!
Error: Unable to interpret <F:\From Maxtor 320\Program Files\PowerStrip\PStapi.exe > in the current context!
Error: Unable to interpret <N:\From Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe > in the current context!
Error: Unable to interpret <N:\From Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe > in the current context!
Error: Unable to interpret <N:\From Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe > in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 49152 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41044 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 16786 bytes
->Flash cache emptied: 8105 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 17665 bytes

User: Rich
->Temp folder emptied: 4268467 bytes
->Temporary Internet Files folder emptied: 1031378 bytes
->Java cache emptied: 44549436 bytes
->FireFox cache emptied: 706875302 bytes
->Google Chrome cache emptied: 6870674 bytes
->Flash cache emptied: 65427 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 509859 bytes
%systemroot%\System32 .tmp files removed: 4637201 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21660 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 733.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 12082011_125810

Files moved on Reboot...

Registry entries deleted on Reboot...
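The "Unable to interpret ... in the current context!" errors above come from the one :Files entry that still carried the scanner's verdict ("probably a variant of Win32/Agent.LWYJTAT trojan") after the path; OTMoveIt rejected that entry and every entry listed after it. A few lines of Python can catch that before the script is pasted into the tool. This is an added example for this thread, not OldTimer's code and not something from the original posts: the section headers and command names are copied from the scripts posted here, and everything else about OTM's grammar (that forward slashes never belong in an entry, that nothing may follow the file name) is an assumption used as a lint heuristic.

```python
"""Lint an OTMoveIt (OTM) fix script before pasting it into the tool.

Added example for this thread, not OldTimer's code. It catches the mistake
visible in the log above: a scanner's detection name left on the end of a
path under :Files, which OTM rejected together with every entry after it.
Section names and command names are copied from the scripts posted in this
thread; everything else about OTM's grammar is an assumption.
"""
import re

SECTIONS = {":Files", ":Commands"}
# Commands seen in the posted scripts (compared case-insensitively).
KNOWN_COMMANDS = {"[purity]", "[emptytemp]", "[start explorer]", "[reboot]"}

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
# Characters that cannot occur in an NTFS path component. "/" is included
# because the scripts here only use "\" and "/" shows up in detection names
# such as Win32/Agent (assumption: OTM does not want forward slashes either).
BAD_CHARS = set('<>"|?*/')
# Last component looks like "name.ext" followed by more words: trailing prose.
TRAILING_PROSE = re.compile(r"^\S+\.[A-Za-z0-9]{1,4}\s+\S")


def lint_otm_script(text):
    """Return [(line_no, problem), ...]; an empty list means the script looks safe to run."""
    problems = []
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            if line not in SECTIONS:
                problems.append((line_no, f"unknown section header {line!r}"))
            section = line
            continue
        if section == ":Files":
            problems.extend((line_no, p) for p in _check_path(line))
        elif section == ":Commands":
            if line.lower() not in KNOWN_COMMANDS:
                problems.append((line_no, f"unknown command {line!r}"))
        else:
            problems.append((line_no, "entry appears before any section header"))
    return problems


def _check_path(path):
    """Yield problems with one :Files entry."""
    if not DRIVE_PATH.match(path):
        yield f"not a drive-letter path: {path!r}"
        return
    bad = sorted(BAD_CHARS.intersection(path))
    if bad:
        yield f"illegal character(s) {bad} in {path!r}"
    last = path.rsplit("\\", 1)[-1]
    if TRAILING_PROSE.match(last):
        yield f"text after the file name (detection name pasted in?): {last!r}"


# Constructed sample based on the scripts in this thread: one entry still
# carries the scanner's verdict, the rest are clean.
SAMPLE_SCRIPT = r"""
:Files
C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\6.0\3\52f0cbc3-4217eb88
C:\Program Files\PowerStrip\PStapi.exe probably a variant of Win32/Agent.LWYJTAT trojan
F:\Backups from Office\My Docs\Downloads\cnet_vlc-1_1_11-win32_exe.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
"""

if __name__ == "__main__":
    for line_no, problem in lint_otm_script(SAMPLE_SCRIPT):
        print(f"line {line_no}: {problem}")
```

Run it on the script text before pasting; the sample reports both an illegal "/" and trailing text on the PStapi.exe line and nothing for the clean entries. The trailing-text check only looks at the last path component, so directory names with spaces ("Backups from Office", "Old Mars files") do not trip it.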
 
The Combofix log is okay except for this entry:

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DtxQuickLaunch.exe]
2006-10-25 17:24 77824 ----a-w- c:\program files\Dentrix\DtxQuickLaunch.exe

I am only concerned because of the malware reported on this program and backup.

I believe that is normal as it starts a "quick launch" app in the system tray for the Dentrix software. However, I don't use it and would be happy to remove it.
 
BTW:

C: is my system drive, as usual.

F: is a large internal drive I use for storing data like photos and videos, and copies of backups from other computers.

N: is a USB drive used exclusively for backup.

I have other USB drives I use for off-site backups and transferring data, but I have been careful to not use any of them while working with you. I intend to ask you what to do about them before plugging them in again :)
 
FYI: you were correct- the Eset directions were misleading and confusing. Check my rewrite for me and see if goes better:

For checking purposes only- no need to run

Please run the Eset online virus scan:
For Internet Explorer:> start here >>
  • Open the ESETOnlineScan
    -------------
    Note: If you are using a browser other than Internet Explorer> start here >>
  • Open Eset Smart Installer
  • Click on the esetsmartinstaller_enu.exe link and save to the desktop.
  • Double click on the desktop icon to run.
  • After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  • Continue with the directions.
  • Check 'Yes I accept terms of use.'
  • ...

****Let me know if you think the confusion has been resolved.
...

I suspect you intend that an IE user NOT click on "Eset Smart Installer" and then run it. If so, you might want to either have an instruction to skip over the installation instructions, or visually separate the two cases (IE and non-IE) by using 2 columns or by putting them into boxes or otherwise offsetting them.

But something like this could work:

If you use Internet Explorer:
  • Open the ESETOnlineScan
  • Skip to "Continue here"

If you are using a browser other than Internet Explorer
  • Open Eset Smart Installer
  • Click on the esetsmartinstaller_enu.exe link and save to the desktop.
  • Double click on the desktop icon to run.
  • After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
Continue here:
  • Check 'Yes...

I hope that helps.

I'm sorry if I sounded defensive before; that was not my intent. I thought you had wanted to know why I chose to run those programs as start-ups, so I was trying to answer. Certainly no offense taken on my part. I appreciate all your suggestions and advice!
 
Sorry- that was my mistake- I forgot to remove the malware name off of one of the files:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\6.0\3\52f0cbc3-4217eb88 
    C:\Program Files\PowerStrip\PStapi.exe 
    F:\Backups from Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe 
    F:\Backups from Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe 
    F:\Backups from Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe 
    F:\Backups from Office\My Docs\Downloads\cnet_vlc-1_1_11-win32_exe.exe 
    F:\From Maxtor 320\Program Files\PowerStrip\PStapi.exe 
    N:\From Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe 
    N:\From Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe 
    N:\From Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

That should run okay. You may see "can't find" on all of the other entries if they were removed. It was just on one.
===================================
You're going to have to disinfect the USB drive because you backed up infected files
Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
Thank you for suggestions for Eset scan- instructions look to be easier to follow.

I am very security minded and I see logs from systems over and over that have vulnerabilities. I anticipate malware many times because I recognize many of the potential sources. I am also 'lean resource' minded, because I see so many people who are running a gazillion processes and can't understand why their system is slow!

I tend to be pushy at times and lose track that, after all, it is the responsibility of the owner to decide what to run and when.
 
OTMoveIt seemed to run without difficulty this time.

N: is a USB drive that is always attached. I'm running flash_disinfector on it now.

Would it be OK to wait until we're confident the main system is all cleaned up before doing the flash_disinfector on the drives I haven't had attached?

THANK YOU!!!

Here is the OTMoveIt log:

All processes killed
========== FILES ==========
File/Folder C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\6.0\3\52f0cbc3-4217eb88 not found.
C:\Program Files\PowerStrip\PStapi.exe moved successfully.
F:\Backups from Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe moved successfully.
F:\Backups from Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe moved successfully.
F:\Backups from Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe moved successfully.
F:\Backups from Office\My Docs\Downloads\cnet_vlc-1_1_11-win32_exe.exe moved successfully.
F:\From Maxtor 320\Program Files\PowerStrip\PStapi.exe moved successfully.
N:\From Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe moved successfully.
N:\From Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe moved successfully.
N:\From Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 16786 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Rich
->Temp folder emptied: 12777 bytes
->Temporary Internet Files folder emptied: 33300 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 112328458 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1250 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7568 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 107.00 mb

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Rich
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 12082011_145921

Files moved on Reboot...

Registry entries deleted on Reboot...
 
A couple more observations:

The desktop refreshes (icons redraw) more often than I recall happening in the past when I open and close Explorer windows, or sometimes when I just open folders within Explorer.

Some processes still go to 50% (odd that it seems to stay right at 50%) CPU, and the associated applications run very slowly. They don't always do it the same. However, I've noticed that apps that have to do with display, like BreezeBrowser, PhotoShop, and LightRoom seem much more likely to experience this problem.

Since I put in a new graphics card (GeForce GTX 570) not long before I started noticing these problems, it could be a driver issue instead of malware. Of course, I've promised to not change drivers, etc., until you're done with me, so I haven't tried anything yet. I did try to install the latest driver updates when I put the card in. However, I had problems at first because the previous drivers did not seem to uninstall fully, and I still have an "unknown device" that appeared in Device Manager when the card went in.

Anyway, I'm hoping to get some photo editing done over the next couple of days, so I'm crossing my fingers that we are close to either solving this, or turning me loose from the malware demons to try to fix the problem.

Thanks!
 
Since you have mentioned 2 possible symptoms of this malware, let's check it out:

ComboFix reported infection by ZeroAccess rootkit.
Avira gave another alert and denied access to an .exe file named with two long numbers separated by a colon
Determine if you are infected with Zero.Access

1. Open the Task Manager by pressing Ctrl + Shift + Esc on your keyboard or by right-clicking the Start Menu bar and selecting Task Manager.

2. Be sure that "Show processes from all users" is selected at the bottom left-hand corner of the window. Click "Image Name" to sort this column alphabetically and then look at the top of the list.

3. If you are infected with the Zero.Access rootkit, you will see a running process such as "1077238835:3433286335.exe" (example only; your computer may display different numbers).
=======================================
I noticed Explorer (not IE) hanging and sometimes crashing

Unexplained crashes of Windows Explorer can occur if you have hidden files and folders visible:
Check Control Panel> Folder Options> View tab> be sure "Show hidden files and folders" is Unchecked> be sure "Hide protected system files and folders"-(Recommended) is Checked> Apply> OK.
=======================================
Please explain each of the following more clearly:
I noted that Explorer.exe was trying to make network connections.
How/What are you noticing this?
"flashing" of my desktop icons
----------------------------------
Some malware can change your desktop background to a solid black color. If that has been happening intermittently, Go to the Control Panel> Display> Desktop> reset the background.
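The Task Manager check above can be scripted so it is repeatable after each cleanup step. The following is an added example for this thread, not a tool from the original post: it parses the CSV that `tasklist /V /FO CSV /NH` prints on Windows and flags any image name of the form digits:digits.exe, the only thing the indicator above specifies. The sample tasklist output in the block is constructed, not captured from the poster's machine, and the "1077238835:3433286335.exe" name is the example number quoted above; a real infection shows different numbers. One general fact worth knowing while reading such a name: on NTFS a colon inside a file name is the alternate data stream separator, so a process listed as `1077238835:3433286335.exe` is executing from a stream named `3433286335.exe` attached to a file named `1077238835`, which is why the file does not show up as a normal .exe in a directory listing.

```python
"""Flag running processes whose image name is two numbers joined by a colon,
the ZeroAccess indicator described in the post above.

Added example for this thread, not code from the original post. Reads the
CSV produced by `tasklist /V /FO CSV /NH` (columns: Image Name, PID, Session
Name, Session#, Mem Usage, Status, User Name, CPU Time, Window Title). The
sample output below is constructed, not captured from the poster's machine.
"""
import csv
import io
import re
import subprocess
import sys

# Digits, a colon, digits, ".exe": exactly what the indicator in the post
# describes. Case-insensitive because tasklist preserves the stored case.
ZEROACCESS_NAME = re.compile(r"^\d+:\d+\.exe$", re.IGNORECASE)


def parse_tasklist_csv(text):
    """Return [(image_name, pid, user_name)] from `tasklist /V /FO CSV /NH` output."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7:
            continue  # blank line or an "INFO: No tasks ..." message
        image, pid, _session, _session_num, _mem, _status, user = row[:7]
        rows.append((image, int(pid), user))
    return rows


def find_suspect_processes(processes):
    """Return the subset of (image, pid, user) whose image matches the pattern."""
    return [p for p in processes if ZEROACCESS_NAME.match(p[0])]


def live_check():
    """Run tasklist on Windows and return the suspects; None elsewhere."""
    if sys.platform != "win32":
        return None
    out = subprocess.run(
        ["tasklist", "/V", "/FO", "CSV", "/NH"],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_suspect_processes(parse_tasklist_csv(out))


# Constructed sample: three ordinary processes and one ZeroAccess-style name
# running as SYSTEM, as the original poster described seeing.
SAMPLE_TASKLIST = r'''"System Idle Process","0","Console","0","28 K","Running","NT AUTHORITY\SYSTEM","1:23:45","N/A"
"explorer.exe","3192","Console","0","31,456 K","Running","PC\Rich","0:00:12","N/A"
"1077238835:3433286335.exe","1464","Console","0","2,104 K","Running","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"avguard.exe","1700","Console","0","12,300 K","Running","NT AUTHORITY\SYSTEM","0:00:05","N/A"
'''

if __name__ == "__main__":
    suspects = live_check()
    if suspects is None:
        suspects = find_suspect_processes(parse_tasklist_csv(SAMPLE_TASKLIST))
        print("not on Windows; checking the constructed sample instead")
    for image, pid, user in suspects:
        print(f"SUSPECT pid={pid} user={user} image={image}")
    if not suspects:
        print("no digits:digits.exe processes found")
```

On the infected machine, run it as an administrator so "all users" processes are included, the same reason the post says to tick "Show processes from all users". A clean result from this check only says the named process is not running right now; it does not prove the stream or the rest of the rootkit is gone, which is why the helper still wants the other logs. To look at the streams themselves on XP, Sysinternals `streams.exe` lists them (the `dir /R` switch that shows streams only arrived with Vista).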
 
Since you have mentioned 2 possible symptoms of this malware, let's check it out:


Determine if you are infected with Zero.Access
...

3. If you are infected with the Zero.Access rootkit, you will see a running process such as "1077238835:3433286335.exe" ...

I definitely noticed processes named like that in Task Manager before we started cleaning things up, but not since I started working with you, though I can't pin down the exact time they went away. There are none right now.

Unexplained crashes of Windows Explorer can occur if you have hidden files and folders visible:
Check Control Panel> Folder Options> View tab> be sure "Show hidden files and folders" is Unchecked> be sure "Hide protected system files and folders"-(Recommended) is Checked> Apply> OK.

Explorer was crashing before you started helping me, but I haven't had an Explorer crash since we started.

Please explain each of the following more clearly:

rda said:
I noted that Explorer.exe was trying to make network connections.

Not to sound like a broken record, but I haven't seen this happening since we started cleaning up. What I noticed before was that Windows Firewall reported that Explorer was trying to connect to IP addresses I did not recognize. I was not doing anything with Explorer (or any other program) that I thought might cause a need for such connections, so I attempted to block them, and that got me started thinking I had an infection.

How/What are you noticing this?
rda said:
"flashing" of my desktop icons

It does not happen every time, but, for instance, I just now closed an Explorer window. The window closed, and all the icons on my Desktop (I have too many...) repainted. It seems to happen when I'm opening and closing folders with Explorer, but not consistently, and when I try to reproduce it by doing the same action again right away, it never seems to do it again.

I have no reason to specifically believe this is malware, but I don't recall this behavior in the past. In the past, I would notice the icons repaint after I changed a setting or something, but I don't recall it happening just from closing a window or opening a folder.

Some malware can change your desktop background to a solid black color. ...

I have not seen that happening. My background images are not changing; only the icons for the files on the DeskTop

Thank you!!!
 
Your use of the word Explorer alone is confusing and technically not correct.

There is Windows Explorer which is the file manager for the system. Think of it as exploring Windows.

There is Internet Explorer which is the browser you use to access the internet. Think of it as exploring the internet.

Either can crash. You need to be specific when you refer to "hang": what is not happening when you refer to hang? An application can hang either loading or shutting down. Is it that your desktop isn't loading correctly? Either a delay or something missing?

How are the icons "changing"? Do you mean they disappear, then come back? What are you doing when this happens? Have the icons changed when they come back?

"I just now closed an Explorer window." What Window?
"..... Windows Firewall reported that Explorer (What Explorer?) was trying to connect to IP addresses I did not recognize."

You have all of these domains in the Trusted Zone:
Trusted Zone: adobe.com
Trusted Zone: dr-amy.com
Trusted Zone: dyndns.org\wvfcpao
Trusted Zone: eset.com
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: safeway.com\shop
Trusted Zone: turbotax.com
Do you know all their IPs? Could a process in one of these be trying to access the internet?

You have also authorized all of the following to pass through the firewall. You don't need to list these separately. There are ports in firewalls for incoming and outgoing programs and apps. You would only list any that for some reason would not use the assigned port.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Adobe\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Google\Update\GoogleUpdate.exe"= Google Installer
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBUpdate\\qbupdate.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.

You have processes set to auto-update Java, Adobe, Google Update Helper
QTTask.exe" -atboottime, iTunesHelper, HP Software Update.
This means that every day, all day, they will be contacting the internet to see if there is an update. It may be months between updates.

Open the Task Manager> how many processes are running> look lower left: 30-40 would be a good number. I suspect yours will read about 60.

I tell you these things because the more you have running-and you have an excess of processes starting on boot, the more chance you have for crashes, freezes and strange IPs trying to access the internet.

And there could be an issue with RAM. If something freezes or crashes and you have to reboot to get started again, it could be that the available RAM has been used and so the system will crash or freeze. Rebooting restores some of the RAM and the cycle begins again.

How much RAM do you have?
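The firewall exceptions list quoted above can be audited mechanically rather than by eye. What follows is an added example, not code from this thread or from any of the tools used in it: it parses registry-export lines of the form shown (the doubled backslashes are how .reg exports write paths; the log also shows one entry with single backslashes, so both are accepted) and flags any entry whose executable sits outside Program Files or the Windows directory, or inside a user-writable location. The trusted-root and user-writable directory lists are this example's assumptions, and the last sample entry (helper.exe under Local Settings\Temp) is constructed so that the audit has something to flag; it does not come from the thread.

```python
"""Audit a Windows XP firewall 'AuthorizedApplications' export.

Added example for this thread; not code from the original posts or from
any tool used in the cleanup.  Input is the registry-export style text
quoted in the thread (values under the firewall's
StandardProfile / AuthorizedApplications / List key).
"""
import re

# Constructed sample: four entries copied from the list in the thread and
# one made-up entry (the last one) so that the audit has something to flag.
SAMPLE_EXPORT = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\program files\Google\Update\GoogleUpdate.exe"= Google Installer
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\user\\Local Settings\\Temp\\helper.exe"=
'''

# One exported value: "<path>"= <optional note>
VALUE_LINE = re.compile(r'^"(?P<path>[^"]+)"=\s*(?P<note>.*)$')

# Where legitimately installed software normally lives (assumption of this example).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
# Locations any user, or malware running as that user, can write to (assumption).
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\",
                 "\\application data\\", "\\temp\\")


def parse_exceptions(export_text):
    """Return a list of (path, note) tuples from the exported value lines."""
    entries = []
    for line in export_text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if not m:
            continue  # key header, blank line, or anything else
        # .reg exports double every backslash; some logs do not.  Accept both.
        path = m.group("path").replace("\\\\", "\\")
        entries.append((path, m.group("note").strip()))
    return entries


def audit_firewall_exceptions(export_text):
    """Return [(path, [reasons])] for every entry that deserves a second look."""
    findings = []
    for path, _note in parse_exceptions(export_text):
        low = path.lower()
        reasons = []
        if not low.startswith(TRUSTED_ROOTS):
            reasons.append("outside Program Files and the Windows directory")
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("lives in a user-writable location")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in audit_firewall_exceptions(SAMPLE_EXPORT):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

One caveat when reading the results: on Windows XP SP2 and SP3 this list is the firewall's inbound exceptions. It decides which programs may accept unsolicited incoming connections and has no effect on what a program is allowed to send out, so an entry here explains a program listening, not explorer.exe connecting to unfamiliar addresses. An exception pointing into a temp or profile directory is still worth deleting, because a dropped executable there would be reachable from the network.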
 
Your use of the word Explorer alone is confusing and technically not correct.

There is Windows Explorer which is the file manager for the system. Think of it as exploring Windows.

There is Internet Explorer which is the browser you use to access the internet. Think of it as exploring the internet.

Either can crash.

I thought I clarified that early on when I wrote "Explorer (not Internet Explorer)", but with all the threads you are likely following that is a detail that would be easy to drop. I will try to be more explicit. Wherever I have written "explorer" by itself, I am referring to "Windows Explorer", the program used to view listings of files and manipulate files and directories, and which I believe is also responsible for the task bar and much of the "desktop".

According to Windows Firewall, it was "explorer.exe" (which I believe is the program that implements Windows Explorer) that was trying to access the internet. I haven't seen that warning since starting working with you.

I do NOT use Internet Explorer, and have not for some time. I use Firefox 8.0.1.

You need to be specific when you refer to "hang": what is not happening when you refer to hang? An application can hang either loading or shutting down. Is it that your desktop isn't loading correctly? Either a delay or something missing?

By "hang" I mean that an application stops responding to input in the normal way. In the case of Windows Explorer, clicking on files would stop working in the Windows Explorer windows, the task bar would become non-responsive, and sometimes clicking the "X" in the Windows Explorer windows would result in a dialog saying "The program is not responding" and sometimes nothing. Generally, I would have to reboot, or kill the explorer.exe process with Task Manager to recover. That has not happened since I began following your instructions.

How are the icons "changing"? Do you mean they disappear, then come back? What are you doing when this happens? Have the icons changed when they come back?

It looks the same as if I click on the desktop and then hit F5, which seems to redraw all the icons. Nothing moves, or changes. It just seems odd that it refreshes when I open or close directories in Windows Explorer (without making any change).

"I just now closed an Explorer window." What Window?

It was a Windows Explorer window that I was using to look at files in a directory. I'm sorry I do not recall which directory. However, the behavior does not happen with just one directory. After a fresh reboot, I just opened a Windows Explorer window using <Windows>-E then clicked on the C: drive and saw the refresh behavior. After I closed that window and did the same thing again, there was no refresh behavior.
Bobbye said:
"..... Windows Firewall reported that Explorer (What Explorer?) was trying to connect to IP addresses I did not recognize."

You have all of these domains in the Trusted Zone:
Trusted Zone: adobe.com
Trusted Zone: dr-amy.com
Trusted Zone: dyndns.org\wvfcpao
Trusted Zone: eset.com
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: safeway.com\shop
Trusted Zone: turbotax.com
Do you know all their IPs? Could a process in one of these be trying to access the internet?

Firewall reported that "explorer.exe" was trying to access the internet (to be sure we're talking about the same thing, this happened BEFORE any clean-up work and has not been seen since.)

Those zones were in my trusted list for a long time before (when I used to use Internet Explorer) and never seemed to cause explorer.exe to do anything in the past, but I really don't know if they have anything to do with the problems at hand.

Note that I did get rid of them already, per your earlier advice.

You have also authorized all of the following to pass through the firewall. You don't need to list these separately. There are ports in firewalls for incoming and outgoing programs and apps. You would only list any that for some reason would not use the assigned port.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

I don't know much about how that list got made. I didn't specifically add them in, except perhaps by saying "yes" when Firewall said they wanted to use the internet, shortly after installing the programs. If Firewall said some program I installed months ago suddenly wanted to use the internet, I would be suspicious and not allow it. Other than the couple of times with explorer.exe, that hasn't happened.

You have processes set to auto-update Java, Adobe, Google Update Helper
QTTask.exe" -atboottime, iTunesHelper, HP Software Update.
This means that every day, all day, they will be contacting the internet to see if there is an update. It may be months between updates.

Yes, it is very annoying that many programs these days seem to install their own updaters, and it is very hard to figure out if they are doing good things, like applying useful security fixes, or just sucking up resources, or worse. Sometimes I make an effort to turn them off, but life is short and some of them are pretty persistent.

Open the Task Manager> how many processes are running> look lower left: 30-40 would be a good number. I suspect your will read about 60.

Here they are (about 40, including the cmd, firefox, and my mail reader):

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 244 K
smss.exe 476 Console 0 436 K
csrss.exe 548 Console 0 4,268 K
winlogon.exe 580 Console 0 1,272 K
services.exe 624 Console 0 4,304 K
lsass.exe 648 Console 0 1,660 K
nvsvc32.exe 828 Console 0 6,404 K
svchost.exe 908 Console 0 5,316 K
svchost.exe 956 Console 0 4,468 K
svchost.exe 1024 Console 0 26,696 K
svchost.exe 1076 Console 0 3,504 K
svchost.exe 1164 Console 0 3,800 K
svchost.exe 1240 Console 0 3,108 K
spoolsv.exe 1344 Console 0 8,092 K
sched.exe 1380 Console 0 1,656 K
svchost.exe 1444 Console 0 3,992 K
avguard.exe 1532 Console 0 14,712 K
mDNSResponder.exe 1552 Console 0 3,112 K
DUMeterSvc.exe 1588 Console 0 5,896 K
QBCFMonitorService.exe 1864 Console 0 10,528 K
explorer.exe 2036 Console 0 29,904 K
QBIDPService.exe 336 Console 0 9,524 K
locator.exe 1224 Console 0 2,824 K
svchost.exe 1312 Console 0 3,948 K
svchost.exe 1392 Console 0 5,956 K
rundll32.exe 440 Console 0 5,828 K
ehtray.exe 1452 Console 0 1,868 K
avgnt.exe 1988 Console 0 3,056 K
GoogleToolbarNotifier.exe 2096 Console 0 1,668 K
DUMeter.exe 2164 Console 0 3,120 K
ctfmon.exe 2148 Console 0 3,760 K
winpm-32.exe 3064 Console 0 3,288 K
avshadow.exe 3532 Console 0 2,696 K
ehmsas.exe 4068 Console 0 2,968 K
firefox.exe 2056 Console 0 179,384 K
alg.exe 2136 Console 0 3,348 K
wuauclt.exe 3820 Console 0 4,152 K
taskmgr.exe 2472 Console 0 5,000 K
cmd.exe 3020 Console 0 2,756 K
tasklist.exe 404 Console 0 4,628 K
wmiprvse.exe 188 Console 0 5,960 K

I did cut back on the auto-starts per your earlier advice.

I tell you these things because the more you have running-and you have an excess of processes starting on boot, the more chance you have for crashes, freezes and strange IPs trying to access the internet.

And there could be an issue with RAM. If something freezes or crashes and you have to reboot to get started gain, it could be that the available RAM has been used and so the system will crash or freeze. Rebooting restores some of the RAM and the cycle begins again.

How much RAM do you have?

I have 4GB installed, which is the least I can have and max out XP, according to the computer company.

I have actually had very few system-wide freezes and crashes over the last few years. In fact, the system crashed today (BSoD) as I tried to bring it awake from a standby mode, and that's the first BSoD I can recall on this computer.

Having said all that, let me note that, as of right now, the only symptoms that continue are:

- Unexplained desktop refreshes detailed above
- Some applications, especially those that deal with images (PhotoShop, Lightroom, BreezeBrowser, VLC, and even Word in documents with lots of pictures) seem to sometimes slow WAY down. When I look in Task Manager, they are using 50% or more CPU, but seem to be doing nothing.
- The one-off BSoD today.

All of those could be either nothing (the refreshes) or symptoms of driver or hardware problems with my new graphics card. I really don't know.

Would it help the diagnostic process if I either reinstalled the drivers for the new card, or removed them and the card and reinstalled the old card?

I need to ask a question. I'm getting behind on my work. Is it safe to carefully move the following kinds of data (non-executable) files to another system to work on before we declare this system safe?

quickbooks data files
Word documents
Excel documents
photos (jpegs, camera raw, PhotoShop)
movies (avi, mpg, flv)
Favorites for Firefox

I would use a USB drive that had Flash_Disinfector run on it and bring them into a Windows 7 account with limited privilege.

Thanks again for your patience and assistance
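The process-name indicator quoted earlier in the thread (two runs of digits separated by a colon, ending in .exe) and the process count Bobbye asks for can both be read off a saved tasklist listing instead of Task Manager. What follows is an added example, not code from this thread or from any cleanup tool: it parses default tasklist output, counts the rows, and reports any image name that matches that pattern. The sample listing embeds eight rows copied from the listing above plus one constructed row carrying the pattern, whose PID and memory figure are invented; the regular expression for the name is this example's reading of the pattern as quoted in the thread, not a published signature.

```python
"""Scan 'tasklist' output for the process-name pattern the thread
associates with the ZeroAccess rootkit, and count running processes.

Added example for this thread; not code from the original posts or from
any tool used in the cleanup.  Usage: save the listing with
    tasklist > procs.txt
and run  python this_script.py procs.txt  (no argument uses the sample).
"""
import re
import sys

# Constructed sample: eight rows copied from the listing rda posted, plus one
# made-up row ("1077238835:3433286335.exe", the name pattern quoted in the
# thread).  The PID and memory figure on that row are invented.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        244 K
smss.exe                       476 Console                    0        436 K
csrss.exe                      548 Console                    0      4,268 K
svchost.exe                   1024 Console                    0     26,696 K
avguard.exe                   1532 Console                    0     14,712 K
explorer.exe                  2036 Console                    0     29,904 K
1077238835:3433286335.exe     1492 Console                    0      1,204 K
firefox.exe                   2056 Console                    0    179,384 K
"""

# One tasklist row: image name (may contain spaces), PID, session name,
# session number, memory in K with thousands separators.  Works on the
# aligned original and on a copy whose spacing has been collapsed.
ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+\d+\s+(?P<mem>[\d,]+) K$"
)

# Digits, a colon, digits, then .exe: the naming quoted in the thread.
ZEROACCESS_NAME = re.compile(r"^\d+:\d+\.exe$", re.IGNORECASE)


def parse_tasklist(text):
    """Return one dict per process row; header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m:
            procs.append({
                "name": m.group("name").strip(),
                "pid": int(m.group("pid")),
                "mem_kb": int(m.group("mem").replace(",", "")),
            })
    return procs


def zeroaccess_style(name):
    """True when the image name follows the digits:digits.exe pattern."""
    return bool(ZEROACCESS_NAME.match(name))


def summarize(text):
    """Process count plus the names that match the rootkit-style pattern."""
    procs = parse_tasklist(text)
    return {
        "count": len(procs),
        "flagged": [p["name"] for p in procs if zeroaccess_style(p["name"])],
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TASKLIST
    result = summarize(text)
    print(f"{result['count']} processes")
    for name in result["flagged"]:
        print("suspicious name:", name)
```

The listing rda pasted, with its collapsed spacing, parses the same way, so it can be fed in as-is. A clean result is not proof of a clean machine on its own: a rootkit can hide its processes from tasklist exactly as it hides them from Task Manager, so an empty "flagged" list only says that nothing is advertising itself under that naming.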
 
All 3 of the drives had infected entries: C, F, N
Disinfect all

The Q&A with quotes between us is getting too time consuming:

Please say Windows Explorer when you mean Windows Explorer.
Please say Internet Explorer when you mean Internet Explorer.

You can't expect me to remember when 'rda' says 'Explorer' he/she 'means' Windows Explorer> please use the correct terminology.

About the processes given entry through the firewall: If you install a new program and it requires internet access, the first time you run it, you will be asked if you want to allow it to connect. You must be sure to allow it then, but do not give it server rights. Those programs would not be listed if you simply allowed the connection the first time.

'Auto-starts' are controlled on the Startup Menu and/or Services.
Auto-updaters are within the programs themselves. If you allow it, there will most likely be a separate process for it. They can all be controlled. I have 4 processes on my Startup menu and only the AV is allowed to auto-update.

I have brought your attention to several things to help get unnecessary processes off of the system. For all you said you had moved them, you don't use them, they are 'left over', then you ask if you should remove them. The answer is yes.

Your descriptions of slow downs, refreshing, then of having 4GB of RAM suggests that one or more of the RAM chips may be bad. I would encourage you to start a new thread in the "Windows BSOD, Freezing, Restarting Help"> https://www.techspot.com/vb/menu46.html forum and approach the problem as being system related, not malware related. They can also help you check the drivers and look for Errors in the Event Viewer that might explain some of the things that are happening. I don't see evidence of any malware remaining.
======================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 
You're welcome. Good luck with the system problem- possibly related to the graphics card.
 