Inactive Google redirect

If you can't run the script to remove the files, you cannot run this to completion. I don't know how you could have downloaded Combofix and run the scan but now get an error message related to installing, which is not what you're trying to do!

I appreciate the fact that you are trying to help someone fix their system. But are you going to tell them you didn't know what to do so you posted on a free internet computer help board and asked a volunteer to fix it?

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 
Well, that was a bit snarky! I'm going to tell them I got it about 80% to completion on my own and then found some help on the internet to get it to almost 95%. I have not had a problem with any of the other steps you gave me and I too find it difficult to believe that this is proving problematic. You never confirmed whether your script in the code box was 18 lines in length. Is that indeed correct?
 
What you copied to the post was what I had in the codebox. I can only work with what I see and I don't see any problem with running the script. Are you sure you saved what you copied into Notepad as CFScript.txt and that you saved to the same location as the program, which should have been the desktop?

I was 'snarky' and I apologize. I had just had another member come down on me because the friend whose computer he was 'fixing' hadn't gotten a reply in 12 hours. So I lost it and I am usually a bit more patient than that. :eek: Mea Culpa.

Here's a roundup of the file extensions for Combofix:
1. combofix.exe> setup for the program that was downloaded to the desktop.
2. CFScript.txt> the name given to the copy of the script from Notepad.
3. C:\ComboFix.txt> the name of the directory in the system where the log generated from the CFScript.txt resides.

Just check your spelling once more: one letter off will throw a wrench in the drag and drop.
 
No problem on the snarkiness. I do realize that you are a volunteer and do this out of the goodness of your heart and for that I am grateful!!

I did attempt to uninstall ComboFix but I got the same error as I did when I tried to drag the .txt file over. Perhaps the app got corrupt? I ran OTCleanIt and it ran successfully. I am attaching my .txt file to this post for your review. Please let me know if I need to try anything else.

Thanks for your help!
 

Attachments

  • CFScript.txt (883 bytes)
So you can't uninstall Combofix, you can't run Combofix and you can't run the script through Combofix- is that right? Did you try to do another scan? Give that a try and let's see what happens.
 
Latest scan

Here you go. Thanks for your help!!

ComboFix 11-02-23.02 - Linda 02/23/2011 15:16:24.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2037.802 [GMT -5:00]
Running from: c:\users\Linda\Desktop\ComboFix2.exe
AV: COMODO Antivirus *Disabled/Updated* {675CEE69-9702-A524-3989-6D7CC8BF3695}
SP: COMODO Defense+ *Disabled/Updated* {DC3D0F8D-B138-AAAA-0339-560EB3387C28}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\PCDr\5744\Downloads\687b8984-5b8f-48ca-81b2-53c017b82891.dll

.
((((((((((((((((((((((((( Files Created from 2011-01-23 to 2011-02-23 )))))))))))))))))))))))))))))))
.

2011-02-23 20:23 . 2011-02-23 20:23 -------- d-----w- c:\users\Linda\AppData\Local\temp
2011-02-23 20:23 . 2011-02-23 20:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-14 05:27 . 2011-02-14 05:27 -------- d-----w- c:\program files\Common Files\Java
2011-02-14 05:08 . 2011-02-14 05:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-14 05:08 . 2011-02-14 05:25 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-02-11 15:27 . 2011-02-11 15:27 7168 ----a-w- c:\windows\system32\drivers\utm0mjuw.sys
2011-02-11 15:11 . 2011-02-12 15:23 -------- d-----w- c:\programdata\Kaspersky Lab
2011-02-11 04:29 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2011-02-11 04:00 . 2010-12-18 04:47 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-11 04:00 . 2010-12-18 06:26 129536 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-02-11 04:00 . 2010-12-18 06:22 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-10 06:10 . 2011-02-10 06:11 -------- d-----w- c:\program files\Dell Support Center
2011-02-10 05:59 . 2011-02-10 06:14 -------- d-----w- c:\programdata\PCDr
2011-02-10 05:59 . 2011-02-10 06:01 -------- d-----w- c:\users\Linda\AppData\Roaming\PCDr
2011-02-10 04:30 . 2011-02-10 06:09 -------- d-----w- c:\programdata\SupportSoft
2011-02-10 04:29 . 2011-02-10 06:09 -------- d-----w- c:\program files\Common Files\supportsoft
2011-02-09 21:27 . 2011-02-09 21:27 -------- d-----w- c:\windows\en
2011-02-09 21:26 . 2010-09-23 05:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2011-02-09 21:22 . 2011-02-09 21:41 -------- d-----w- c:\program files\Microsoft
2011-02-09 21:21 . 2009-09-04 22:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-02-09 21:21 . 2009-09-04 22:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-02-09 21:21 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-02-09 21:14 . 2011-02-09 21:14 -------- d-----w- c:\users\Linda\AppData\Local\Windows Live
2011-02-09 21:14 . 2011-02-09 21:14 -------- d-----w- c:\program files\Common Files\Windows Live
2011-02-09 21:13 . 2009-08-04 08:02 754688 ----a-w- c:\windows\system32\webservices.dll
2011-02-09 21:12 . 2011-02-10 18:27 -------- d-----w- c:\program files\Microsoft Silverlight
2011-02-09 20:17 . 2011-02-09 20:17 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2011-02-09 20:11 . 2011-01-06 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-02-09 19:39 . 2011-02-09 19:39 -------- d-----w- c:\programdata\Roaming
2011-02-09 19:38 . 2011-02-09 19:38 56 ----a-w- c:\windows\system32\IHV_Install.bat
2011-02-09 19:38 . 2011-02-09 19:38 -------- d-----w- c:\program files\Cisco
2011-02-09 19:36 . 2011-02-09 19:36 -------- d-----w- c:\programdata\Intel
2011-02-09 19:36 . 2011-02-09 19:36 -------- d-----w- c:\users\Linda\AppData\Roaming\Intel
2011-02-09 06:09 . 2011-02-09 06:09 -------- d-----w- C:\$AVG
2011-02-09 05:33 . 2011-02-02 22:10 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F3E2D36-D77E-4A02-A25F-8C92206C245C}\mpengine.dll
2011-02-09 05:16 . 2011-02-09 05:16 -------- d-----w- c:\users\Linda\AppData\Roaming\AVG10
2011-02-09 05:15 . 2011-02-09 05:15 -------- d--h--w- c:\programdata\Common Files
2011-02-09 04:46 . 2011-02-02 22:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-09 03:49 . 2011-02-09 03:49 -------- d-----w- c:\users\Linda\AppData\Roaming\SUPERAntiSpyware.com
2011-02-09 03:49 . 2011-02-09 03:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-02-09 03:48 . 2011-02-22 00:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-09 03:17 . 2011-02-09 03:17 -------- d-----w- c:\program files\CleanUp!
2011-02-09 02:51 . 2011-02-09 02:51 -------- d-----w- c:\users\Linda\AppData\Roaming\Malwarebytes
2011-02-09 02:51 . 2011-02-09 02:51 -------- d-----w- c:\programdata\Malwarebytes
2011-02-09 02:51 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-09 02:51 . 2011-02-12 15:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-09 02:51 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-08 22:42 . 2011-02-08 22:42 388096 ----a-r- c:\users\Linda\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-08 22:42 . 2011-02-08 22:42 -------- d-----w- c:\program files\Trend Micro
2011-02-08 21:51 . 2011-02-09 04:55 -------- d-----w- c:\programdata\MFAData
2011-02-08 21:31 . 2011-02-08 21:31 -------- d-----w- c:\users\Linda\AppData\Local\WindowsUpdate
2011-01-31 15:57 . 2011-01-31 15:57 -------- d-----w- c:\program files\iPod
2011-01-31 15:57 . 2011-01-31 15:58 -------- d-----w- c:\program files\iTunes
2011-01-30 19:57 . 2011-01-30 19:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-01-30 19:57 . 2011-01-30 19:57 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-06 22:36 . 2011-01-06 22:36 80064 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-01-06 22:36 . 2011-01-06 22:36 34744 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-01-06 22:36 . 2011-01-06 22:36 236600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-01-06 22:36 . 2011-01-06 22:36 17256 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-12-29 06:42 . 2010-12-29 06:42 285480 ----a-w- c:\windows\system32\guard32.dll
2010-12-28 15:55 . 2011-01-12 22:42 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-14 14:49 . 2011-01-12 22:42 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-08 18:12 . 2010-09-09 23:22 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 18:11 . 2010-09-09 23:22 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 18:11 . 2010-09-09 23:22 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 18:11 . 2010-09-09 23:22 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 05:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 05:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-22 2423752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-01-18 2548552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 05:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Linda^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Linda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2007-08-22 12:06 167368 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-07-30 19:40 16384 ----a-w- c:\dell\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-04-22 06:11 166424 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 01:52 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-04-22 06:11 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-01-27 16:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-12-03 05:58 36864 ----a-w- c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-12-21 16:58 184320 ----a-w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-04-22 06:11 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2007-04-17 04:50 49168 ----a-w- c:\program files\Fingerprint Reader Suite\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-05-10 07:00 857648 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [x]
R3 utm0mjuw;AVZ Kernel Driver;c:\windows\system32\Drivers\utm0mjuw.sys [2011-02-11 7168]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-09-09 691696]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2011-01-06 17256]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-01-06 236600]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2008-01-02 73728]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-08 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-24 179712]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-04-22 111616]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2011-02-18 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]

2011-02-23 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]

2011-02-23 c:\windows\Tasks\User_Feed_Synchronization-{E25AF0CE-209A-4671-829D-9113D775E90A}.job
- c:\windows\system32\msfeedssync.exe [2011-02-11 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: {92344F64-B6DC-4365-80A0-4EA5E5B7256F} = 156.154.70.22,156.154.71.22
TCP: {9F7F5F0B-B2F9-401B-A173-FB3487657F61} = 156.154.70.22,156.154.71.22
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\users\Linda\AppData\Roaming\Mozilla\Firefox\Profiles\4ib0vqk6.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-23 15:23
Windows 6.0.6002 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\guard32.dll
.
Completion time: 2011-02-23 15:26:30
ComboFix-quarantined-files.txt 2011-02-23 20:26

Pre-Run: 16,949,125,120 bytes free
Post-Run: 16,945,307,648 bytes free

- - End Of File - - 80AF03435BC9355502496BB87F16B78A
 
Awesome! I'm setting up a new script, but there is a file I can't identify:

Please go to the VirSCAN.org free online scan service. If it is busy, you can use one of the following instead (you only need one): VirusTotal or Jotti.

  1. Copy and paste the following file path into the Suspicious files to scan box at the top of the page:
     Code:
     c:\windows\system32\Drivers\utm0mjuw.sys
  2. At the upload site, click once inside the window next to Browse.
  3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
  4. Click on the Upload button. This will perform a scan across multiple different virus scanning engines. Your file will possibly be entered into a queue, which normally takes less than a minute to clear. Important: Wait for all of the scanning engines to complete.
  5. Once the scan is completed, scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
  6. Paste the contents of the Clipboard in your next reply.
====================================
Also, will you be keeping Comodo security instead of AVG? If so, you should run the AVG Remover. This eliminates all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc.
Note:
  • AVG user settings will be removed.
  • Virus Vault contents will be removed.
  • All other items related to AVG installation and use will be removed.
  • You will be asked during the removal procedure to restart your computer. Please do so.
  • Make sure there is no open work in process prior to launching AVG Remover.
Use the appropriate download for your system for the AVG Remover: AVG Remover: 32 bit
AVG Remover: 64 bit
===================================
If any files are left after running the removal, I can include them in the script.
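As an added example that is not part of this thread or of ComboFix, here is the triage a helper does by eye on the log above, written in Python: it reads the "Files Created" lines and the service/driver lines in the log format shown, picks out kernel drivers whose file name looks randomly generated or whose modification time equals its creation time (written in place rather than copied from an older package), and pairs each with the service entry that loads it, so the file can be hashed and submitted to a multi-engine scanner as the post asks. The log excerpt is constructed from a few lines of the posted log; the two heuristics are this example's own assumptions, and a hit is a prompt to look the file up, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: a few lines in the ComboFix log format posted above
# (one "Files Created" block followed by three service/driver lines).
SAMPLE_LOG = r"""
2011-02-11 15:27 . 2011-02-11 15:27 7168 ----a-w- c:\windows\system32\drivers\utm0mjuw.sys
2011-02-09 21:26 . 2010-09-23 05:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2011-02-09 02:51 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-11 04:29 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2011-02-11 15:11 . 2011-02-12 15:23 -------- d-----w- c:\programdata\Kaspersky Lab
R3 utm0mjuw;AVZ Kernel Driver;c:\windows\system32\Drivers\utm0mjuw.sys [2011-02-11 7168]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
"""

# "created . modified size attributes path" as ComboFix prints it; size is "--------" for folders.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
# "R3 name;display name;path [date size]" service/driver lines; "[x]" means the file is missing.
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) \[(?P<info>[^\]]*)\]$"
)
RANDOM_STEM = re.compile(r"^[a-z0-9]{8}$")


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)
    loaded_by: str = ""   # service name from the R/S lines, if any
    display: str = ""     # its display name


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): eight lowercase letters/digits with at least one digit, e.g. 'utm0mjuw'."""
    return bool(RANDOM_STEM.match(stem)) and any(c.isdigit() for c in stem)


def triage(log_text: str) -> list:
    """Return drivers from the Files Created section that are worth hashing and looking up."""
    services = {}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_LINE.match(line)
        if m:
            services[m["path"].lower()] = (m["name"], m["display"])
            continue
        m = FILE_LINE.match(line)
        if not m:
            continue
        path = m["path"]
        low = path.lower()
        if not (low.endswith(".sys") and "\\drivers\\" in low):
            continue
        stem = low.rsplit("\\", 1)[-1][:-4]
        reasons = []
        if looks_random(stem):
            reasons.append("random-looking driver name")
        if m["created"] == m["modified"]:
            reasons.append("created == modified (written in place, not copied from an older package)")
        if reasons:
            findings.append(Finding(path=path, reasons=reasons))
    # Pair each flagged file with the service entry that loads it, when one is listed.
    for f in findings:
        f.loaded_by, f.display = services.get(f.path.lower(), ("", ""))
    return findings


def summarize(findings: list) -> str:
    """One line per finding, ready to paste into a reply or a scanner submission form."""
    lines = []
    for f in findings:
        via = f" (loaded by service {f.loaded_by!r}, {f.display!r})" if f.loaded_by else ""
        lines.append(f"{f.path}{via}: " + "; ".join(f.reasons))
    return "\n".join(lines) if lines else "no drivers flagged"


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample, only utm0mjuw.sys is flagged, on both counts, and it is tied back to the "AVZ Kernel Driver" service line; the other drivers keep an older modification time than their creation time, which is what a file copied out of an installer normally looks like.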
 
Here are the results. In addition, I will be using Comodo over AVG. I will uninstall AVG as directed in your post. Please let me know next steps. Thanks for your help!!!

VirSCAN.org Scanned Report :
Scanned time : 2009/06/05 00:31:50 (EDT)
Scanner results: 79% Scanner(s) (30/38) found malware!
File Name : 1.html
File Size : 4037 byte
File Type : Sendmail frozen configuration - version body bgcolor=
MD5 : 4a2514195555a43458b4e087d29124be
SHA1 : e96f20c01c95b12a6cf9992b1e16deaac5ca025c
Online report : http://virscan.org/report/e8541b64f8b1bb1cbd8e955aa9dfd4d2.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090604013225 2009-06-04 2.05 Virus.Win32.Killmbr.D!IK
AhnLab V3 2009.06.05.00 2009.06.05 2009-06-05 0.74 Win-Trojan/Dialer.712704.B
AntiVir 8.2.0.180 7.1.4.59 2009-06-04 0.55 KIT/GhostDial.1
Antiy 2.0.18 20090604.2498051 2009-06-04 0.15 Trojan/Win32.Dialer.gvg
Arcavir 2009 200906041608 2009-06-04 0.39 Dialer.Bib
Authentium 5.1.1 200906041652 2009-06-04 1.18 W32/Trojan2.DOJN (Exact)
AVAST! 4.7.4 090604-0 2009-06-04 0.05 Win32:Dialer-1314 [Trj]
AVG 8.5.286 270.12.53/2155 2009-06-05 0.37 Dialer.KNV
BitDefender 7.81008.3335505 7.25811 2009-06-05 0.75 Trojan.Generic.1004008
CA (VET) 9.0.0.143 31.6.6539 2009-06-05 9.17 -
ClamAV 0.95.1 9421 2009-06-05 0.18 Dialer-3765
Comodo 3.9 1259 2009-06-04 0.74 ApplicUnwnt.Win32.PornTool.Agent.fi
CP Secure 1.1.0.715 2009.06.03 2009-06-03 9.97 -
Dr.Web 4.44.0.9170 2009.06.05 2009-06-05 4.85 BackDoor.Pigeon.12989
F-Prot 4.4.4.56 20090604 2009-06-04 1.15 W32/Trojan2.DOJN (exact)
F-Secure 5.51.6100 2009.06.05.03 2009-06-05 5.79 -
Fortinet 2.81-3.117 10.466 2009-06-04 0.35 Suspicious
GData 19.5615/19.353 20090605 2009-06-05 4.39 Win32:Dialer-1313 [Trj] [Engine:B]
ViRobot 20090604 2009.06.04 2009-06-04 0.42 -
Ikarus T3.1.01.57 2009.06.03.72814 2009-06-03 3.11 Virus.Win32.Killmbr.D
JiangMin 11.0.706 2009.06.03 2009-06-03 2.07 Trojan/Dialer.gnc
Kaspersky 5.5.10 2009.06.05 2009-06-05 0.08 not-a-virus:porn-Dialer.Win32.Agent.fi
KingSoft 2009.2.5.15 2009.6.4.21 2009-06-04 0.51 Win32.Hack.ReSSDT.c.716800
McAfee 5.3.00 5636 2009-06-04 2.97 BackDoor-DSQ
Microsoft 1.4701 2009.06.04 2009-06-04 4.29 Backdoor:Win32/Farfli.J
mks_vir 2.01 2009.06.05 2009-06-05 3.35 -
Norman 6.01.05 6.01.00 2009-06-02 4.01 W32/Dialer.DHRP
Panda 9.05.01 2009.06.04 2009-06-04 1.86 -
Trend Micro 8.700-1004 6.170.08 2009-06-04 0.06 TROJ_DIAL.RHB
Quick Heal 10.00 2009.06.05 2009-06-05 1.37 -
Rising 20.0 21.32.34.00 2009-06-04 0.99 Backdoor.Win32.Drwolf.axh
Sophos 2.87.1 4.42 2009-06-05 2.44 Mal/Whybo-A
Sunbelt 5170 5170 2009-06-04 0.94 Porn-Dialer.Win32.Agent.fi
Symantec 1.3.0.24 20090604.002 2009-06-04 0.06 -
nProtect 20090604.01 4070376 2009-06-04 5.23 Trojan/W32.Dialer.712704
The Hacker 6.3.4.3 v00340 2009-06-04 0.63 Trojan/Dialer.Agent.fi
VBA32 3.12.10.6 20090604.1412 2009-06-04 1.96 Porn-Dialer.Win32.Agent.fi
VirusBuster 4.5.11.10 10.107.2/1575686 2009-06-04 1.90 Dialer.Agent.IFEU
 
Well, that's not good! Your friend has a Backdoor Trojan and Porn Dialer on the system.

Please update and rerun the Eset scan.
I can remove the one entry that was identified, but there has to be more to the malware.
 
Somehow I'm not surprised by your findings! I re-ran the scan and it found no threats. The log is below. Please advise on next steps. Thanks for your help!

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
 
Do you have the full Eset log? I haven't removed the porn dialer/backdoor so I am curious as to where it went!
 
That was the only thing in the log. I am also attaching a screen print for your review. Let me know what you think.
 

Attachments

  • eset2.doc (112.5 KB)
Sorry, but I don't open files with .doc file extensions. If there is nothing in the scan, that's okay. I would like you to try this scan:

Run Kaspersky Online Scanner in Internet Explorer

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database> Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
 
I get the following error when trying to load the updates. What license has expired? Any thoughts?

Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: License has expired]
 
That is usually caused by an incorrect time or date setting:

Right click on the Time in the Notification Area> Adjust Date/Time> Make sure the Date is Correct and the Time in the box is correct> Time Zone tab> Make sure the Time Zone is correct for your part of the world> Check 'Adjust for Daylight Savings Time'> Internet Time tab> Check 'Automatically sync with the Internet Time Server'> click on 'Update now> Wait for setting to be checked then close.

Note: If you get an error when internet time is checked, let me know and I'll find the navy military server which works well.
 
I verified the proper time, changed to time.nist.gov, and updated the time. I then tried to run the scan again but got the same error about an expired license. What next?
 
I went back and reviewed all the logs. You still have Kaspersky on the system:

"So you need to remove Kaspersky because you shouldn't have more than 1 AV." (02-11 15:11:36>> - c:\progra~2\Kaspersky Lab.
2011-02-12 15:23 -------- d-----w- c:\programdata\Kaspersky Lab

Download the archive kavremover.zip.
  • Unpack the archive (for example, using WinZip)
  • Double click on kavremover.exe
  • Enter the code from the picture. If you cannot read the code from the picture, click on the button next to the picture to generate a new code
    • The screen will display the products detected.
    • You can also select Remove all known products.
  • Click on the button Remove
    kavremover_1464_01new_en.jpg
  • Wait until a dialog window appears to inform you that the product was successfully removed
    kavremover_1464_04_en.jpg
  • Click OK
Images courtesy Kaspersky

Reboot the computer.

Now try the online scan.
 
I followed the directions sent, rebooted, and re-ran the scan however I still get the error when trying to use the on-line scanner. Suggestions? Thanks for your help!
 
The redirects have stopped> is that correct? You had a problem running the script in ComboFix, but eventually were able to do it. You have not been able to run either of the online scans. You started with AVG, which you had to remove for ComboFix. You asked for AV recommendations and I suggested Avast or Avira. You decided to go with Comodo Internet Security.

The last log however, has had entries from multiple AV programs, even after you ran the AVG remover. I am going to remove all AV entries except Comodo:

Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
Code:
KillAll::
File::
c:\windows\system32\DRIVERS\AVGIDSEH.Sys
c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe
c:\windows\system32\DRIVERS\AVGIDSDriver.Sys
c:\windows\system32\DRIVERS\AVGIDSFilter.Sys
c:\windows\system32\DRIVERS\AVGIDSShim.Sys
Folder::
c:\programdata\Kaspersky Lab
C:\$AVG
c:\users\Linda\AppData\Roaming\AVG10
c:\programdata\Common Files
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=-
Driver::
AVGIDSEH
AVG Security Toolbar Service
AVGIDSDriver
AVGIDSFilter
AVGIDSShim
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
===================
Follow Method 1 on this site to run the Error Checking in Vista> check both boxes on the screen that comes up. This will force you to reboot for the checking to start. Let it finish, system will reboot when through: http://www.vistax64.com/tutorials/67612-check-disk-chkdsk.html
====================
Try either of the online virus scans when through.
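The CFScript above was assembled by hand from the ComboFix report: every AVG driver and file path the log still listed went into File:: and Driver::, and the leftover vendor folders went into Folder::. As an added example (not part of this thread and not ComboFix's own code), the Python script below parses the two ComboFix line formats the thread relies on, the "Files Created"/Find3M entries (`created . modified size attrs path`) and the R/S driver-service list (`Rn name;display;path [date size]`), and drafts those sections for products that should already be gone while skipping the AV that stays. The sample log is constructed in ComboFix's format; its dates and sizes are made up, and the vendor keyword matching is a plain substring heuristic, not anything ComboFix does.

```python
"""Draft a ComboFix CFScript from leftover AV-vendor entries in a ComboFix log.

Added example: parses the two ComboFix report line formats used in this thread
("Files Created" entries and the R/S driver-service list) and collects the
entries that belong to AV products that should already be gone.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's own format; dates and sizes are made up.
SAMPLE_LOG = r"""
2011-02-12 15:23 . 2011-02-12 15:23 -------- d-----w- c:\programdata\Kaspersky Lab
2011-02-18 17:35 . 2011-02-18 17:35 -------- d-----w- c:\program files\COMODO
2011-02-11 15:27 . 2011-02-11 15:27 7168 ----a-w- c:\windows\system32\drivers\utm0mjuw.sys
2011-01-20 10:00 . 2011-01-20 10:00 25680 ----a-w- c:\windows\system32\DRIVERS\AVGIDSEH.Sys
R3 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-01-20 25680]
S2 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-01-20 1282096]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-01-06 236600]
R3 utm0mjuw;AVZ Kernel Driver;c:\windows\system32\Drivers\utm0mjuw.sys [2011-02-11 7168]
"""

# "Files Created" / Find3M line: <created> . <modified> <size or --------> <attrs> <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Driver/service line: <R|S><start type> <name>;<display name>;<image path> [<date> <size>]
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)(?: \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?$"
)


def parse_combofix_log(text: str) -> Tuple[List[dict], List[dict]]:
    """Return (file entries, service entries); lines from other report sections are ignored."""
    files, services = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["is_dir"] = entry["attrs"].startswith("d")  # 'd-----w-' marks a folder
            files.append(entry)
            continue
        m = SERVICE_LINE.match(line)
        if m:
            services.append(m.groupdict())
    return files, services


def _mentions(keyword: str, *fields: str) -> bool:
    k = keyword.lower()
    return any(k in (f or "").lower() for f in fields)


def leftover_entries(files, services, vendors, keep) -> Dict[str, List[str]]:
    """Group entries by CFScript section. Plain substring matching: review the result by hand."""
    sections = {"File::": [], "Folder::": [], "Driver::": []}
    for f in files:
        if any(_mentions(v, f["path"]) for v in vendors) and not _mentions(keep, f["path"]):
            sections["Folder::" if f["is_dir"] else "File::"].append(f["path"])
    for s in services:
        fields = (s["name"], s["display"], s["path"])
        if any(_mentions(v, *fields) for v in vendors) and not _mentions(keep, *fields):
            sections["Driver::"].append(s["name"])  # CFScript's Driver:: takes service names
    return sections


def build_cfscript(sections: Dict[str, List[str]]) -> str:
    """Render the sections in the layout the thread's script uses, starting with KillAll::."""
    lines = ["KillAll::"]
    for header in ("File::", "Folder::", "Driver::"):
        if sections.get(header):
            lines.append(header)
            lines.extend(sections[header])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed_files, parsed_services = parse_combofix_log(SAMPLE_LOG)
    print(build_cfscript(leftover_entries(parsed_files, parsed_services,
                                          vendors=["AVG", "Kaspersky"], keep="COMODO")))
```

On the sample, the Kaspersky Lab folder lands under Folder::, the AVG driver file under File::, and the two AVG service names under Driver::, while the COMODO entries are left alone because Comodo is the AV that stays. The utm0mjuw.sys line is also left alone: its service entry names it as the AVZ kernel driver, so a random-looking driver file name on its own is not a reason to delete it. The output is a draft only: a CFScript deletes whatever it lists, so every line still needs the same eyes-on check the helper gave the script above before it is dragged onto ComboFix.exe.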
 
Here's the log. Will perform "method 1" next.

ComboFix 11-03-02.01 - Linda 03/02/2011 22:57:07.3.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2037.996 [GMT -5:00]
Running from: c:\users\Linda\Desktop\ComboFix2.exe
Command switches used :: c:\users\Linda\Desktop\CFScript.txt
AV: COMODO Antivirus *Disabled/Updated* {675CEE69-9702-A524-3989-6D7CC8BF3695}
SP: COMODO Defense+ *Disabled/Updated* {DC3D0F8D-B138-AAAA-0339-560EB3387C28}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FILE ::
"c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe"
"c:\windows\system32\DRIVERS\AVGIDSDriver.Sys"
"c:\windows\system32\DRIVERS\AVGIDSEH.Sys"
"c:\windows\system32\DRIVERS\AVGIDSFilter.Sys"
"c:\windows\system32\DRIVERS\AVGIDSShim.Sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\$AVG
c:\$avg\$VAULT\V_00000001.fil
c:\$avg\$VAULT\V_00000003.fil
c:\$avg\$VAULT\V_00000004.fil
c:\$avg\$VAULT\vvfolder.idx
c:\programdata\Common Files
c:\programdata\Common Files\F994B190-6FE2-E80D-7F55-E81B2A213971.dat
c:\programdata\PCDr\5744\Downloads\ceb06396-ae9d-42b7-a00f-867e3e8710fd.dll
c:\programdata\PCDr\5744\Downloads\fb37c43e-fc6b-476d-8936-e95ecdba3cf7.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVGIDSDRIVER
-------\Legacy_AVGIDSEH
-------\Legacy_AVGIDSFILTER
-------\Legacy_AVGIDSSHIM
-------\Service_AVG Security Toolbar Service
-------\Service_AVGIDSDriver
-------\Service_AVGIDSEH
-------\Service_AVGIDSFilter
-------\Service_AVGIDSShim


((((((((((((((((((((((((( Files Created from 2011-02-03 to 2011-03-03 )))))))))))))))))))))))))))))))
.

2011-03-03 04:04 . 2011-03-03 04:15 -------- d-----w- c:\users\Linda\AppData\Local\temp
2011-03-03 04:04 . 2011-03-03 04:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-01 19:12 . 2011-03-01 19:13 -------- d-----w- C:\kleaner.tmp
2011-02-28 16:00 . 2011-02-28 16:00 -------- d-----w- c:\windows\Sun
2011-02-20 03:48 . 2011-02-20 03:48 -------- d-----w- C:\VritualRoot
2011-02-18 17:38 . 2011-03-03 04:05 661088 ----a-w- c:\windows\system32\drivers\sfi.dat
2011-02-18 17:35 . 2011-02-18 17:35 -------- d-----w- c:\program files\COMODO
2011-02-18 17:34 . 2011-02-18 17:40 -------- d-----w- c:\programdata\Comodo
2011-02-15 16:16 . 2011-02-15 16:16 -------- d-----w- c:\program files\Common Files\Adobe
2011-02-14 05:27 . 2011-02-14 05:27 -------- d-----w- c:\program files\Common Files\Java
2011-02-14 05:08 . 2011-02-14 05:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-14 05:08 . 2011-02-14 05:25 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-02-11 15:27 . 2011-02-11 15:27 7168 ----a-w- c:\windows\system32\drivers\utm0mjuw.sys
2011-02-11 04:29 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2011-02-11 04:00 . 2010-12-18 04:47 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-11 04:00 . 2010-12-18 06:26 129536 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-02-11 04:00 . 2010-12-18 06:22 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-10 06:10 . 2011-02-10 06:11 -------- d-----w- c:\program files\Dell Support Center
2011-02-10 05:59 . 2011-02-10 06:14 -------- d-----w- c:\programdata\PCDr
2011-02-10 05:59 . 2011-02-10 06:01 -------- d-----w- c:\users\Linda\AppData\Roaming\PCDr
2011-02-10 04:30 . 2011-02-10 06:09 -------- d-----w- c:\programdata\SupportSoft
2011-02-10 04:29 . 2011-02-10 06:09 -------- d-----w- c:\program files\Common Files\supportsoft
2011-02-09 21:27 . 2011-02-09 21:27 -------- d-----w- c:\windows\en
2011-02-09 21:26 . 2010-09-23 05:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2011-02-09 21:22 . 2011-02-09 21:41 -------- d-----w- c:\program files\Microsoft
2011-02-09 21:21 . 2009-09-04 22:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-02-09 21:21 . 2009-09-04 22:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-02-09 21:21 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-02-09 21:14 . 2011-02-28 15:59 -------- d-----w- c:\users\Linda\AppData\Local\Windows Live
2011-02-09 21:14 . 2011-02-09 21:14 -------- d-----w- c:\program files\Common Files\Windows Live
2011-02-09 21:13 . 2009-08-04 08:02 754688 ----a-w- c:\windows\system32\webservices.dll
2011-02-09 21:12 . 2011-02-10 18:27 -------- d-----w- c:\program files\Microsoft Silverlight
2011-02-09 20:17 . 2011-02-09 20:17 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2011-02-09 20:11 . 2011-01-06 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-02-09 19:39 . 2011-02-09 19:39 -------- d-----w- c:\programdata\Roaming
2011-02-09 19:38 . 2011-02-09 19:38 56 ----a-w- c:\windows\system32\IHV_Install.bat
2011-02-09 19:38 . 2011-02-09 19:38 -------- d-----w- c:\program files\Cisco
2011-02-09 19:36 . 2011-02-09 19:36 -------- d-----w- c:\programdata\Intel
2011-02-09 19:36 . 2011-02-09 19:36 -------- d-----w- c:\users\Linda\AppData\Roaming\Intel
2011-02-09 05:33 . 2011-02-02 22:10 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F3E2D36-D77E-4A02-A25F-8C92206C245C}\mpengine.dll
2011-02-09 04:46 . 2011-02-02 22:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-09 03:49 . 2011-02-09 03:49 -------- d-----w- c:\users\Linda\AppData\Roaming\SUPERAntiSpyware.com
2011-02-09 03:49 . 2011-02-09 03:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-02-09 03:48 . 2011-02-22 00:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-09 03:17 . 2011-02-09 03:17 -------- d-----w- c:\program files\CleanUp!
2011-02-09 02:51 . 2011-02-09 02:51 -------- d-----w- c:\users\Linda\AppData\Roaming\Malwarebytes
2011-02-09 02:51 . 2011-02-09 02:51 -------- d-----w- c:\programdata\Malwarebytes
2011-02-09 02:51 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-09 02:51 . 2011-02-12 15:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-09 02:51 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-08 22:42 . 2011-02-08 22:42 388096 ----a-r- c:\users\Linda\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-08 22:42 . 2011-02-08 22:42 -------- d-----w- c:\program files\Trend Micro
2011-02-08 21:51 . 2011-02-09 04:55 -------- d-----w- c:\programdata\MFAData
2011-02-08 21:31 . 2011-02-08 21:31 -------- d-----w- c:\users\Linda\AppData\Local\WindowsUpdate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-06 22:36 . 2011-01-06 22:36 80064 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-01-06 22:36 . 2011-01-06 22:36 34744 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-01-06 22:36 . 2011-01-06 22:36 236600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-01-06 22:36 . 2011-01-06 22:36 17256 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-12-29 06:42 . 2010-12-29 06:42 285480 ----a-w- c:\windows\system32\guard32.dll
2010-12-28 15:55 . 2011-01-12 22:42 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-14 14:49 . 2011-01-12 22:42 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-08 18:12 . 2010-09-09 23:22 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 18:11 . 2010-09-09 23:22 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 18:11 . 2010-09-09 23:22 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 18:11 . 2010-09-09 23:22 87424 ----a-w- c:\windows\system32\LMIinit.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 05:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 05:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-22 2423752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-01-18 2548552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 05:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Linda^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Linda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2007-08-22 12:06 167368 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-07-30 19:40 16384 ----a-w- c:\dell\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-04-22 06:11 166424 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 01:52 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-04-22 06:11 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-01-27 16:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-12-03 05:58 36864 ----a-w- c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-12-21 16:58 184320 ----a-w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-04-22 06:11 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2007-04-17 04:50 49168 ----a-w- c:\program files\Fingerprint Reader Suite\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-05-10 07:00 857648 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]
R3 utm0mjuw;AVZ Kernel Driver;c:\windows\system32\Drivers\utm0mjuw.sys [2011-02-11 7168]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-09-09 691696]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2011-01-06 17256]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-01-06 236600]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2008-01-02 73728]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-08 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-24 179712]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-04-22 111616]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2011-02-18 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]

2011-03-03 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]

2011-03-03 c:\windows\Tasks\User_Feed_Synchronization-{E25AF0CE-209A-4671-829D-9113D775E90A}.job
- c:\windows\system32\msfeedssync.exe [2011-02-11 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: {92344F64-B6DC-4365-80A0-4EA5E5B7256F} = 156.154.70.22,156.154.71.22
TCP: {9F7F5F0B-B2F9-401B-A173-FB3487657F61} = 156.154.70.22,156.154.71.22
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\users\Linda\AppData\Roaming\Mozilla\Firefox\Profiles\4ib0vqk6.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 23:15
Windows 6.0.6002 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(712)
c:\windows\system32\guard32.dll

- - - - - - - > 'Explorer.exe'(1552)
c:\windows\system32\guard32.dll
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Fingerprint Reader Suite\upeksvr.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\STacSV.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-03-02 23:19:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-03 04:19
ComboFix2.txt 2011-02-23 20:26

Pre-Run: 16,665,456,640 bytes free
Post-Run: 16,674,189,312 bytes free

- - End Of File - - 96104C203917526CB5C485FE177BE5B6
 
I got further this time but it still errored, although with a different error. This time it downloaded the updates and actually started to install them. I walked away for about an hour and when I got back, this was the error I got.

Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: Anti-virus database was updated after license expiry]

Please advise on appropriate next steps. Thanks!!!!
 
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Did you note the above on the site and follow it?
I will check their forums and see if others are experiencing this. I know the site was down recently while they updated their database.
 
I did notice this. Before I got started, I not only deactivated Comodo but I also shut it down so that it wasn't even running. I did the same for my spyware. When I did, Windows started yelling at me that I was not protected anymore. I then tried to install the updates. As I said in my prior post, I did get further than you think this time, so I thought that was good. :) Let me know w
 
Looking at these errors in the logs:
  • 2/12/2011 3:38:16 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070020: Security Update for Windows Vista (KB2393802).
  • 2/12/2011 3:27:31 AM, Error: Service Control Manager [7023] - The Windows Modules Installer service terminated with the following error: The process cannot access the file because it is being used by another process.
  • 2/10/2011 1:28:56 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2485376~31bf3856ad364e35~x86~~6.0.1.3 () into Staged(Staged) state.

I think the same problem is causing the online scan failure. Several forums have offered this:
Run cmd.exe with elevated privileges (right click on cmd.exe and choose "run as Administrator") and type:

fsutil resource setautoreset true c:\

and then restart the computer.
Alternatively, you can run this MS Fix it 50140: http://go.microsoft.com/?linkid=9666962

There are 2 additional parts that can be added to the Command sequence if needed.
 