TechSpot

Need help removing virus/malware; Combofix says it found Rootkit.Zeroaccess

By sicsty8
Nov 16, 2011
  1. Hi all. I found this website from another source when I was looking for remedies for my Pc. You guys on here come highly recommended. I ran all steps and have attached them. I also ran ComboFix which says it found Rootkit.Zeroaccess. I have attached that log file also. I'm actually posting this from another computer because everytime I tried to post, something was blocking and wouldn't allow me to finish the process of posting. Please help. Thanks in advance.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8162

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/14/2011 3:08:06 PM
    mbam-log-2011-11-14 (15-08-05).txt

    Scan type: Quick scan
    Objects scanned: 276491
    Time elapsed: 29 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\antoinette\my documents\downloads\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\antoinette\local settings\Temp\FH\extension.exe (PUP.Soge) -> Quarantined and deleted successfully.
    c:\documents and settings\antoinette\application data\ldr.ini (Malware.Trace) -> Quarantined and deleted successfully.
    c:\documents and settings\antoinette\local settings\Temp\FH\filehunter-win32.exe (PUP.FileHunter) -> Quarantined and deleted successfully.
    -----------------------------------------------------------------------------------------------------

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by Antoinette at 21:11:27 on 2011-11-14
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1208 [GMT -6:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\AVG\AVG2012\avgemcx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\PROGRA~1\Allume\StuffIt\MXTask.exe
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\PROGRA~1\Allume\StuffIt\mxtask.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\PROGRA~1\Allume\StuffIt\mxtask.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\WLTRAY.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    mURLSearchHooks: H - No File
    BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\RazaWebHook32.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.40\AVG Secure Search_toolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
    TB: @c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.40\AVG Secure Search_toolbar.dll
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    mRun: [<NO NAME>]
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: Download with &Shareaza - c:\program files\shareaza\RazaWebHook32.dll/3000
    IE: Download with ImTOO YouTube to iPod Converter - c:\program files\imtoo\youtube to ipod converter\upod_link.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278726137203
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\8.0.1\ViProtocol.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    LSA: Notification Packages = scecli scecli
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\antoinette\application data\mozilla\firefox\profiles\lk3xfloj.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B91257d9e-bc72-4654-a955-6ded9a671b05%7D&mid=640df10632abbaf5f813eb2986b2f4e4-dded5dc92328a0641c5c37243c6237a1d8397482&ds=AVG&v=8.0.0.34.1&lang=en&pr=fr&d=2011-09-29%2010%3A32%3A27&sap=ku&q=
    FF - component: c:\documents and settings\antoinette\application data\mozilla\firefox\profiles\lk3xfloj.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
    FF - component: c:\documents and settings\antoinette\application data\mozilla\firefox\profiles\lk3xfloj.default\extensions\avg@toolbar\components\toolbarhomewmp.dll
    FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff4.dll
    FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff5.dll
    FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff6.dll
    FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff7.dll
    FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff8.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg2012\Firefox4
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
    FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Image Spider: Artem@Demchenkov.ImageSpider - %profile%\extensions\Artem@Demchenkov.ImageSpider
    FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
    FF - Ext: FireDiff: firediff@johnjbarton.com - %profile%\extensions\firediff@johnjbarton.com
    FF - Ext: selectbug: selectbug@getfirebug.com - %profile%\extensions\selectbug@getfirebug.com
    FF - Ext: FireStarter: firestarter@getfirebug.com - %profile%\extensions\firestarter@getfirebug.com
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: AVG Security Toolbar: avg@toolbar - %profile%\extensions\avg@toolbar
    FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extentions.y2layers.installId - b64fd4eb-a61c-48f0-aaa5-bea35aeac1da
    FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,BestVideoDownloader,BestVideoDownloader,
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 295248]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-14 366152]
    R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\8.0.1\ToolbarUpdater.exe [2011-9-29 246600]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-14 22216]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-27 135664]
    S2 necusb;NEC USB Device Service;c:\windows\system32\svchost.exe -k necusb3 [2003-7-16 14336]
    S3 A_USBETHMP;USB PowerPacket Network Adapter;c:\windows\system32\drivers\usbethmp.sys [2010-11-23 14342]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
    S3 cpuz132;cpuz132;\??\c:\docume~1\antoin~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\antoin~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
    S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-27 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
    S3 WLRAWMp50x86;WLRAWMp50x86 NDIS Protocol Driver;c:\windows\system32\drivers\WLRAWMp50x86.sys [2010-11-22 28312]
    S3 WLRAWSp50x86;WLRAWSp50x86 NDIS Protocol Driver;c:\windows\system32\drivers\WLRAWSp50x86.sys [2010-11-22 27032]
    .
    =============== File Associations ===============
    .
    .txt=
    .
    =============== Created Last 30 ================
    .
    2011-11-14 20:00:04 -------- d-----w- c:\documents and settings\antoinette\application data\Malwarebytes
    2011-11-14 19:59:31 -------- d-----w- c:\documents and settings\all users.windows\application data\Malwarebytes
    2011-11-14 19:59:24 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-14 19:59:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-13 15:22:11 -------- d-----w- c:\documents and settings\antoinette\application data\FileHunter
    2011-11-12 18:05:10 -------- d-sh--w- c:\documents and settings\antoinette\UserData
    2011-11-12 05:21:12 -------- d-----w- c:\windows\Downloaded Program Files
    2011-11-12 03:21:52 -------- d-----w- c:\documents and settings\antoinette\application data\DriverCure
    2011-11-12 03:21:48 -------- d-----w- c:\documents and settings\antoinette\application data\ParetoLogic
    2011-11-12 03:21:24 -------- d-----w- c:\program files\common files\ParetoLogic
    2011-11-12 03:21:22 -------- d-----w- c:\program files\ParetoLogic
    2011-11-12 03:21:22 -------- d-----w- c:\documents and settings\all users.windows\application data\ParetoLogic
    2011-11-12 01:10:09 -------- d-----w- c:\program files\Toolbar Cleaner
    2011-11-10 08:13:51 -------- d-----w- c:\documents and settings\antoinette\application data\zbbbD33onG4QHsW
    2011-11-10 08:13:51 -------- d-----w- c:\documents and settings\antoinette\application data\I7ffRRL9gTXq
    2011-11-10 08:13:44 -------- d-----w- c:\documents and settings\antoinette\application data\ukkIIBrzPNyx1uD
    2011-11-09 12:34:37 -------- d-----w- c:\windows\system32\cache
    2011-10-29 13:32:20 -------- d-----w- c:\documents and settings\antoinette\local settings\application data\Solid State Networks
    2011-10-28 12:51:53 -------- d-----w- c:\program files\Yontoo Layers Runtime
    2011-10-28 12:51:51 -------- d-----w- c:\documents and settings\all users.windows\application data\Tarma Installer
    2011-10-28 12:51:26 -------- d-----w- c:\documents and settings\antoinette\.swt
    .
    ==================== Find3M ====================
    .
    2011-11-05 13:05:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-10-07 11:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2011-10-04 11:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-13 11:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-31 04:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-08-31 04:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-08-31 04:05:04 50536 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-08-31 04:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll
    2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2009-09-09 04:40:12 50536 ----a-w- c:\program files\install.exe
    .
    ============= FINISH: 21:18:14.76 ===============
    _________________________________________________________________

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/9/2010 7:56:49 PM
    System Uptime: 11/14/2011 3:10:54 PM (6 hours ago)
    .
    Motherboard: Dell Inc. | | 0YD479
    Processor: Intel(R) Core(TM)2 CPU T7400 @ 2.16GHz | Microprocessor | 994/166mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 109 GiB total, 31.099 GiB free.
    D: is FIXED (NTFS) - 35 GiB total, 32.793 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) PRO/Wireless 3945ABG Network Connection
    Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10208086&REV_02\4&360A6DE&0&00E1
    Manufacturer: Intel Corporation
    Name: Intel(R) PRO/Wireless 3945ABG Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10208086&REV_02\4&360A6DE&0&00E1
    Service: NETw4x32
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    .
    µTorrent
    Acrobat.com
    Adobe Acrobat 9 Pro - English, Français, Deutsch
    Adobe After Effects CS4
    Adobe After Effects CS4 Presets
    Adobe After Effects CS4 Third Party Content
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Asset Services CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Color Video Profiles AE CS4
    Adobe Color Video Profiles CS CS4
    Adobe Community Help
    Adobe Creative Suite 4 Master Collection
    Adobe CS4 American English Speech Analysis Models
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Dreamweaver CS4
    Adobe Dreamweaver CS5
    Adobe Drive CS4
    Adobe Dynamiclink Support
    Adobe Encore CS4
    Adobe Encore CS4 Codecs
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash CS4
    Adobe Flash CS4 Extension - Flash Lite STI en
    Adobe Flash CS4 STI-en
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Fonts All
    Adobe Illustrator CS4
    Adobe InDesign CS4
    Adobe InDesign CS4 Application Feature Set Files (Roman)
    Adobe InDesign CS4 Common Base Files
    Adobe InDesign CS4 Icon Handler
    Adobe Linguistics CS4
    Adobe Media Encoder CS4
    Adobe Media Encoder CS4 Additional Exporter
    Adobe Media Encoder CS4 Dolby
    Adobe Media Encoder CS4 Exporter
    Adobe Media Encoder CS4 Importer
    Adobe Media Player
    Adobe MotionPicture Color Files CS4
    Adobe OnLocation CS4
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Photoshop CS5
    Adobe Premiere Pro CS4
    Adobe Premiere Pro CS4 Functional Content
    Adobe Premiere Pro CS4 Third Party Content
    Adobe Reader X (10.1.1)
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe SGM CS4
    Adobe SING CS4
    Adobe Soundbooth CS4
    Adobe Soundbooth CS4 Codecs
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe Version Cue CS4 Server
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    Amazon MP3 Downloader 1.0.12
    AnswerWorks 5.0 English Runtime
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    AVG 2012
    AVG PC Tuneup 2011
    AVG Security Toolbar
    AVS Audio Converter version 6.1
    AVS Cover Editor 1.3.1.96 (AVS4YOU)
    AVS Disc Creator version 3.5
    AVS DVD Copy version 4.1.1
    AVS Media Player 3.1
    AVS Registry Cleaner version 1.1
    AVS Ringtone Maker version 1.6
    AVS Update Manager 1.0
    AVS Video Converter 6
    AVS Video Editor 4 4.2.1.166
    AVS Video Recorder 2.4 (Service Version)
    AVS YouTube Uploader version 2.1
    AVS4YOU Software Navigator 1.3
    Bing Bar
    Bing Bar Platform
    Bonjour
    Broadcom 440x 10/100 Integrated Controller
    Canon Easy-PhotoPrint EX
    Canon Easy-WebPrint EX
    Canon MP Navigator EX 4.0
    Canon MP495 series MP Drivers
    Canon MP495 series User Registration
    Canon My Printer
    CCleaner
    Compatibility Pack for the 2007 Office system
    Conexant HDA D110 MDC V.92 Modem
    Connect
    Creative Centrale
    Creative MediaSource
    Creative Removable Disk Manager
    Creative Software Update
    Creative System Information
    Creative Zen Vision M
    Creative ZEN X-Fi2 Documentation
    Dell ResourceCD
    Dell Wireless WLAN Card
    Driver Detective
    Dropbox
    FileHunter
    FileZilla Client 3.5.1
    Free FLV Converter V 7.0.0
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2570791)
    ImTOO YouTube to iPod Converter
    Intel(R) PROSet/Wireless Software
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 26
    kuler
    LameACM
    Malwarebytes' Anti-Malware version 1.51.2.1300
    McAfee Security Scan Plus
    mCore
    mDriver
    mDrWiFi
    mHlpDell
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Language Pack - DEU
    Microsoft .NET Framework 2.0 Language Pack - PTB
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Default Manager
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office XP Web Components
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    mIWA
    Mixer
    mLogView
    mMHouse
    MobileMe Control Panel
    Mozilla Firefox (3.6.24)
    mPfMgr
    mPfWiz
    mProSafe
    mSCfg
    mSSO
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    mWlsSafe
    mWMI
    mZConfig
    NVIDIA Drivers
    ParetoLogic PC Health Advisor
    PDF Settings CS4
    PDF Settings CS5
    Photoshop Camera Raw
    Picasa 3
    Pixel Bender Toolkit
    PowerISO
    Quicken 2010
    QuickTime
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553074)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2553073)
    Security Update for Microsoft Office Groove 2007 (KB2552997)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923789)
    Shareaza 2.5.5.0
    ShopAtHome.com Toolbar
    SigmaTel Audio
    Sound Blaster ADVANCED MB Drivers
    Sound Blaster Audigy ADVANCED MB Demo
    StuffIt Deluxe
    Suite Shared Configuration CS4
    SWiSH Max4
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Outlook 2007 Junk Email Filter (KB2508979)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.1.11
    Vuze
    WebFldrs XP
    WIDCOMM Bluetooth Software
    WiLife Command Center 2.5
    WiLife Command Center USB Driver x86
    Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Imaging Component
    Windows Live ID Sign-in Assistant
    Windows Media Encoder 9 Series
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinPump
    Xvid Video Codec
    Yahoo! Music Engine
    Yontoo Layers Runtime 1.10.01
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/14/2011 9:06:16 PM, error: NETw4x32 [5001] - \DEVICE\{4F526FF7-3EED-4EBB-B9D9-AD9347E3EF86} : Could not allocate the resources necessary for operation.
    11/14/2011 3:34:07 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    11/13/2011 7:34:53 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    11/13/2011 7:12:44 PM, error: Service Control Manager [7023] - The NEC USB Device Service service terminated with the following error: The specified module could not be found.
    11/13/2011 7:12:44 PM, error: Service Control Manager [7023] - The Help and Support service terminated with the following error: The specified module could not be found.
    11/12/2011 9:57:10 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    11/12/2011 9:51:31 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
    11/12/2011 9:51:31 AM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/12/2011 9:51:31 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    11/12/2011 9:51:30 AM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
    11/12/2011 9:28:16 AM, error: Service Control Manager [7034] - The vToolbarUpdater service terminated unexpectedly. It has done this 1 time(s).
    11/12/2011 9:28:16 AM, error: Service Control Manager [7034] - The StuffIt Task Manager service terminated unexpectedly. It has done this 1 time(s).
    11/12/2011 9:28:16 AM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
    11/12/2011 9:28:16 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    11/12/2011 9:28:16 AM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless SSO Service service terminated unexpectedly. It has done this 1 time(s).
    11/12/2011 9:28:16 AM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Service service terminated unexpectedly. It has done this 1 time(s).
    11/12/2011 9:28:16 AM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
    11/12/2011 9:28:16 AM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
    11/12/2011 9:28:16 AM, error: Service Control Manager [7034] - The CT Device Query service service terminated unexpectedly. It has done this 1 time(s).
    11/12/2011 9:28:16 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    11/12/2011 9:28:16 AM, error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
    11/12/2011 9:28:16 AM, error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/12/2011 9:28:16 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/12/2011 12:07:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/12/2011 11:17:18 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 Fips intelppm OMCI SCDEmu
    11/11/2011 9:02:51 PM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
    11/11/2011 8:23:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    11/11/2011 8:23:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    11/11/2011 10:46:01 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
    .
    ==== End Of File ===========================
     
  2. sicsty8

    sicsty8 TS Rookie Topic Starter

    (Here's the ComboFix log)

    ComboFix 11-11-16.01 - Antoinette 11/16/2011 15:15:07.1.2 - x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1554 [GMT -6:00]
    Running from: F:\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\DFx21.tmp
    c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer
    c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setup.dll
    c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll
    c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.dat
    c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.exe
    c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.ico
    c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
    c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
    c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
    c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
    c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    c:\documents and settings\Antoinette\Start Menu\Programs\AV Security 2012
    c:\program files\autorun.inf
    c:\program files\SelectRebates
    c:\program files\SelectRebates\FFToolbar\chrome.manifest
    c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
    c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
    c:\program files\SelectRebates\FFToolbar\install.rdf
    c:\program files\SelectRebates\SahImages\alert.png
    c:\program files\SelectRebates\SahImages\check.png
    c:\program files\SelectRebates\SahImages\close.png
    c:\program files\SelectRebates\SelectAlerts.dat
    c:\program files\SelectRebates\SelectRebates.exe
    c:\program files\SelectRebates\SelectRebates.ini
    c:\program files\SelectRebates\SelectRebatesA.dat
    c:\program files\SelectRebates\SelectRebatesApi.exe
    c:\program files\SelectRebates\SelectRebatesB.dat
    c:\program files\SelectRebates\SelectRebatesBT.dat
    c:\program files\SelectRebates\SelectRebatesDownload.exe
    c:\program files\SelectRebates\SelectRebatesH.dat
    c:\program files\SelectRebates\SelectRebatesUninstall.exe
    c:\program files\SelectRebates\SRebates.dll
    c:\program files\SelectRebates\SRFF3.dll
    c:\program files\SelectRebates\Toolbar\AddtoList.bmp
    c:\program files\SelectRebates\Toolbar\basis.xml
    c:\program files\SelectRebates\Toolbar\Basis.xml.dym
    c:\program files\SelectRebates\Toolbar\Blank.bmp
    c:\program files\SelectRebates\Toolbar\CashBack.bmp
    c:\program files\SelectRebates\Toolbar\Coupons.bmp
    c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
    c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
    c:\program files\SelectRebates\Toolbar\icons.bmp
    c:\program files\SelectRebates\Toolbar\ImageCache\alert-red.bmp
    c:\program files\SelectRebates\Toolbar\logo.bmp
    c:\program files\SelectRebates\Toolbar\logo_24.bmp
    c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
    c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
    c:\program files\SelectRebates\Toolbar\RightControls.dym
    c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-go.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp
    c:\program files\SelectRebates\Toolbar\Scissors.bmp
    c:\program files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
    c:\windows\$NtUninstallKB31664$
    c:\windows\$NtUninstallKB31664$\1815418757\@
    c:\windows\$NtUninstallKB31664$\1815418757\bckfg.tmp
    c:\windows\$NtUninstallKB31664$\1815418757\cfg.ini
    c:\windows\$NtUninstallKB31664$\1815418757\Desktop.ini
    c:\windows\$NtUninstallKB31664$\1815418757\keywords
    c:\windows\$NtUninstallKB31664$\1815418757\kwrd.dll
    c:\windows\$NtUninstallKB31664$\1815418757\L\ldxevyma
    c:\windows\$NtUninstallKB31664$\1815418757\lsflt7.ver
    c:\windows\$NtUninstallKB31664$\1815418757\U\00000001.@
    c:\windows\$NtUninstallKB31664$\1815418757\U\00000002.@
    c:\windows\$NtUninstallKB31664$\1815418757\U\00000004.@
    c:\windows\$NtUninstallKB31664$\1815418757\U\80000000.@
    c:\windows\$NtUninstallKB31664$\1815418757\U\80000004.@
    c:\windows\$NtUninstallKB31664$\1815418757\U\80000032.@
    c:\windows\$NtUninstallKB31664$\2599429928
    c:\windows\system32\Cache
    c:\windows\system32\Cache\272512937d9e61a4.fb
    c:\windows\system32\Cache\287204568329e189.fb
    c:\windows\system32\Cache\28bc8f716fd76a47.fb
    c:\windows\system32\Cache\2c53092c95605355.fb
    c:\windows\system32\Cache\3917078cb68ec657.fb
    c:\windows\system32\Cache\590ba23ce359fd0c.fb
    c:\windows\system32\Cache\610289e025a3ee9a.fb
    c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
    c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
    c:\windows\system32\Cache\7707d0aa3c0ba759.fb
    c:\windows\system32\Cache\ad10a52aff5e038d.fb
    c:\windows\system32\Cache\d201ef9910cd39de.fb
    c:\windows\system32\Cache\d2e94710a5708128.fb
    c:\windows\system32\Cache\d79b9dfe81484ec4.fb
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-16 to 2011-11-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-14 20:00 . 2011-11-14 20:00 -------- d-----w- c:\documents and settings\Antoinette\Application Data\Malwarebytes
    2011-11-14 19:59 . 2011-11-14 19:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2011-11-14 19:59 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-14 19:59 . 2011-11-14 19:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-13 15:22 . 2011-11-13 15:25 -------- d-----w- c:\documents and settings\Antoinette\Application Data\FileHunter
    2011-11-12 18:05 . 2011-11-12 18:05 -------- d-sh--w- c:\documents and settings\Antoinette\UserData
    2011-11-12 15:55 . 2011-11-12 16:10 -------- d-----w- c:\documents and settings\Administrator
    2011-11-12 05:21 . 2011-11-15 04:40 -------- d-----w- c:\windows\Downloaded Program Files
    2011-11-12 03:21 . 2011-11-12 03:21 -------- d-----w- c:\documents and settings\Antoinette\Application Data\DriverCure
    2011-11-12 03:21 . 2011-11-12 03:21 -------- d-----w- c:\documents and settings\Antoinette\Application Data\ParetoLogic
    2011-11-12 03:21 . 2011-11-12 03:21 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2011-11-12 03:21 . 2011-11-12 03:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic
    2011-11-12 03:21 . 2011-11-12 03:21 -------- d-----w- c:\program files\ParetoLogic
    2011-11-12 01:10 . 2011-11-12 01:10 -------- d-----w- c:\program files\Toolbar Cleaner
    2011-11-12 01:09 . 2011-11-12 02:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
    2011-11-11 04:15 . 2011-11-11 04:15 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Apple Computer
    2011-11-11 04:15 . 2011-11-11 04:15 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Application Data\Apple Computer
    2011-11-11 04:13 . 2011-11-11 04:13 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
    2011-11-11 04:13 . 2011-11-11 04:13 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\Apple Computer
    2011-11-11 00:27 . 2011-11-11 00:27 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
    2011-11-10 18:34 . 2011-11-10 18:34 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
    2011-11-10 08:13 . 2011-11-10 08:13 -------- d-----w- c:\documents and settings\Antoinette\Application Data\zbbbD33onG4QHsW
    2011-11-10 08:13 . 2011-11-10 08:13 -------- d-----w- c:\documents and settings\Antoinette\Application Data\I7ffRRL9gTXq
    2011-11-10 08:13 . 2011-11-10 08:13 -------- d-----w- c:\documents and settings\Antoinette\Application Data\ukkIIBrzPNyx1uD
    2011-10-29 13:32 . 2011-10-29 13:32 -------- d-----w- c:\documents and settings\Antoinette\Local Settings\Application Data\Solid State Networks
    2011-10-28 12:51 . 2011-10-28 12:51 -------- d-----w- c:\program files\Yontoo Layers Runtime
    2011-10-28 12:51 . 2011-10-28 12:51 -------- d-----w- c:\documents and settings\Antoinette\.swt
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-15 04:40 . 2011-06-14 00:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2010-07-10 00:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2003-03-20 21:18 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41 . 2003-07-16 20:40 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41 . 2003-07-16 20:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2010-07-21 02:03 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-08-31 04:05 . 2011-08-31 04:05 50536 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-08-31 04:05 . 2011-08-31 04:05 178536 ----a-w- c:\windows\system32\dnssdX.dll
    2011-08-22 23:48 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2003-07-16 20:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2003-07-16 20:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    2009-09-09 04:40 . 2009-09-09 04:40 50536 ----a-w- c:\program files\install.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    2011-09-30 17:27 194848 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-27 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-16 1392640]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    .
    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]
    2010-03-24 21:26 243544 ----a-w- c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\WiLife Command Center\\Werks.exe"=
    "c:\\Program Files\\Shareaza\\Shareaza.exe"=
    "c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
    "c:\\Documents and Settings\\Antoinette\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
    "51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
    "51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
    "1900:UDP"= 1900:UDP:mad:xpsp2res.dll,-22007
    "2869:TCP"= 2869:TCP:mad:xpsp2res.dll,-22008
    "5800:TCP"= 5800:TCP:tcp
    "5821:UDP"= 5821:UDP:udp
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    .
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/14/2011 1:59 PM 366152]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/14/2011 1:59 PM 22216]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 4:30 PM 135664]
    S2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe -k necusb3 [7/16/2003 2:47 PM 14336]
    S3 A_USBETHMP;USB PowerPacket Network Adapter;c:\windows\system32\drivers\usbethmp.sys [11/23/2010 10:38 PM 14342]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
    S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 5:42 AM 64000]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 4:30 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
    S3 WLRAWMp50x86;WLRAWMp50x86 NDIS Protocol Driver;c:\windows\system32\drivers\WLRAWMp50x86.sys [11/22/2010 12:43 PM 28312]
    S3 WLRAWSp50x86;WLRAWSp50x86 NDIS Protocol Driver;c:\windows\system32\drivers\WLRAWSp50x86.sys [11/22/2010 12:43 PM 27032]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    necusb3 REG_MULTI_SZ necusb
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    2011-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-27 22:30]
    .
    2011-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-27 22:30]
    .
    2011-11-16 c:\windows\Tasks\ParetoLogic Registration3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
    .
    2011-11-12 c:\windows\Tasks\ParetoLogic Update Version3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-03-29 23:17]
    .
    2011-11-12 c:\windows\Tasks\PC Health Advisor Defrag.job
    - c:\program files\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
    .
    2011-11-12 c:\windows\Tasks\PC Health Advisor.job
    - c:\program files\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: Download with &Shareaza - c:\program files\Shareaza\RazaWebHook32.dll/3000
    IE: Download with ImTOO YouTube to iPod Converter - c:\program files\ImTOO\YouTube to iPod Converter\upod_link.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    TCP: DhcpNameServer = 192.168.1.1
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    FF - ProfilePath - c:\documents and settings\Antoinette\Application Data\Mozilla\Firefox\Profiles\lk3xfloj.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B91257d9e-bc72-4654-a955-6ded9a671b05%7D&mid=640df10632abbaf5f813eb2986b2f4e4-dded5dc92328a0641c5c37243c6237a1d8397482&ds=AVG&v=8.0.0.34.1&lang=en&pr=fr&d=2011-09-29%2010%3A32%3A27&sap=ku&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
    FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Image Spider: Artem@Demchenkov.ImageSpider - %profile%\extensions\Artem@Demchenkov.ImageSpider
    FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
    FF - Ext: FireDiff: firediff@johnjbarton.com - %profile%\extensions\firediff@johnjbarton.com
    FF - Ext: selectbug: selectbug@getfirebug.com - %profile%\extensions\selectbug@getfirebug.com
    FF - Ext: FireStarter: firestarter@getfirebug.com - %profile%\extensions\firestarter@getfirebug.com
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
    FF - user.js: extentions.y2layers.installId - b64fd4eb-a61c-48f0-aaa5-bea35aeac1da
    FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,BestVideoDownloader,BestVideoDownloader,
    .
    .
    ------- File Associations -------
    .
    .txt=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1.WIN\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe
    AddRemove-FileHunter - c:\documents and settings\Antoinette\Application Data\FileHunter\uninstall.exe
    AddRemove-WinPump - c:\documents and settings\Antoinette\Application Data\WinPump\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-16 15:30
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
    "value"="?\0a\05\1c\0b:9r"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(880)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    c:\windows\System32\BCMLogon.dll
    c:\windows\system32\netprovcredman.dll
    .
    - - - - - - - > 'explorer.exe'(3360)
    c:\windows\system32\WININET.dll
    c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    c:\windows\system32\netprovcredman.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\program files\Creative\Shared Files\CTDevSrv.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\progra~1\Allume\StuffIt\MXTask.exe
    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\windows\system32\SearchIndexer.exe
    c:\progra~1\Allume\StuffIt\mxtask.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-16 15:36:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-16 21:36
    .
    Pre-Run: 33,814,872,064 bytes free
    Post-Run: 34,942,504,960 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - CF9E482548B6F1302210032D4CE1CB5C
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! It is good you followed the steps- but Combofix wasn't one of them. There is a sticky at the top of this forum saying not to run Combofix unless you are instructed to do so and with a helper to assist.

    How did you manage Combofix with AVG on the system? And part of the Combofix header is missing. There are quite a few processes that need to be removed. I note at least 2 file sharing programs, so would like you to run the following:


    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool>
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
    • Please return to this thread and Paste the results here for review.
    ------------------------------------------
    This tool will is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
    ============================================
    Please tell me how it is or where it is that Combofix said you have the ZeroAccess Rootkit? I would also like to know what problems you were having that caused you to runs these scans.
    ===========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
    =====================================
     
  4. sicsty8

    sicsty8 TS Rookie Topic Starter

    reply to first round

    Hi Bobbye. Thanx for the assistance. I was going to attempt to remove whatever was on my PC myself and started researching on different sites. On one or two I did see where users suggested using Combofix. The first ones I found didn't mention to not run it. When I came here I also saw Combofix being used so that is why I went ahead and ran it. Sorry, I should have just waited but I was anxious. I didn't go any further though; I realized I'd better let someone who really knows what he's doing work with me instead.

    I did have AVG installed and I already downloaded and used Malwarebytes. I did this before running Combofix. Since installing, Malwarebytes has been blocking sites trying to access my PC. It said "outgoing" for types of websites and was giving various IP addresses.
    ================================================================

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.RP.11.QUCPER
    ----- EOF -----

    _________________________________________________________________

    1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
    XP Home, 2002 version

    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    No it does not

    3. Or, does it have the computer manufacturer's name in black lettering?
    The CD comes in a 3 way folder and the booklet says "For distribution only with a new PC", and it does have the logo. I hope that's what you're asking.
    _______________________________________________________________

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-GD6GR-K6DP3-4C8MT
    Windows Product Key Hash: s2kt66ZJWfV4nS1wFD5F9bxTSDw=
    Windows Product ID: 55277-OEM-2111907-00102
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 5.1.2600.2.00010300.3.0.hom
    ID: {A0476A4A-7C6A-4BE5-B4AE-702ADCEB60F1}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.7.69.2
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Enterprise 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_77F760FE-153-80070002_7E90FEE8-175-80070002_77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{A0476A4A-7C6A-4BE5-B4AE-702ADCEB60F1}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-4C8MT</PKey><PID>55277-OEM-2111907-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-2025429265-1343024091-839522115</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>MP061 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A04</Version><SMBIOSVersion major="2" minor="4"/><Date>20060929000000.000000+000</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>9BD207C80184607A</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>70C7F96C82AD586</Val><Hash>S30ULyO45UgloVP4AEiIursPalM=</Hash><Pid>89388-707-1806497-65421</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Licensing Data-->
    N/A

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 4000:Dell Inc|4000:Microsoft Corporation
    Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System

    OEM Activation 2.0 Data-->
    N/A

    -------------------------------------------------------------------------------------------------------------------------------


    I uninstalled AVG before running Combofix (or at least I thought it all uninstalled.). I used AppRemover.

    I'd let my daughter use my computer and she had been on YouTube watching videos. When I came back to my computer, AVG ran it's scan and started giving off warnings. It was running really slow too.

    Only after running other cleaners (Malwarebytes) did I run Combofix. Shortly after starting. Combofix gave a warning message saying (and I don't remember exact words) but I do remember it said it was attached to tcp/ip stack. It said something along the lines of 'Zero Access.Rootkit Infected TCP/IP stack and that it was difficult to remove'. I allowed it to continue running. It shutdown/restarted the PC a couple of times. When finished I got the resulting log, which is what I pasted here.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Start Menu\Programs\AV Security 2012

    You are experiencing problems due to AV Security 2012 This is a computer infection from the Rogue.WinAVPro family, which includes other rogues such as OpenCloud Security. (This is NOT AVG 2012!).
    This infection is classified as a rogue anti-spyware program because it uses false security alerts and fake scan results to try and trick you into thinking that your computer is infected so that you will then purchase it. It scans then goes on to display a variety of fake security alerts and warnings that are designed to make you think your computer has a serious security problem.
    ==============================================
    Please do the following to help you run other programs:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.

    This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software, we will first need need to fix this: Launch Internet Explorer
    • Access Internet Options through Tools> Connections tab
    • Click on the Lan Settings at the bottom
    • Proxy Server section> uncheck the box labeled 'Use a proxy server for your LAN.
    • Then click on OK> and OK again to close Internet Options.
    ===============================
    This malware frequently comes with the TDSS rootkit, so do the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ====================================
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
    ====================================
    To end the processes that belong to AV Security 2012:
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
    Do not reboot until instructed. as it will start the malware again
    ==================================
    You will run another scan with Mbam, after it updates, but this time, on the Scanner tab, make sure the the Perform Full Scan option is selected and then click on the Scan button.

    When scan has finished, you will see this image:
    [​IMG]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ========================================
    Logs to leave in next reply:
    TDSSKiller
    RKill
    New Malwarebytes
    ==========================================
    Please reboot back into Normal Mode.
    =========================================
    There are many processes running on the system that are putting it at risk.
    1. P2P or 'file sharing' Warning:> I notice the following programs on the system:
    µTorrent
    Shareaza
    Vuze/Azureus

    Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall these file sharing programs for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
    • Malware writers use these program to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    ===============================================
    2. You have both AVG 2012 (the legitimate program) and also McAfee Security Scan. Running multiple AV programs makes system more vulnerable and can also slow it down.

    If I had instructed you about the AppRemover and Combofix, I would have left links for you to choose a temporary AV. But since I didn't give the instruction, I don't know whether you added McAfee after removing AVG, or whether you had the 2 AV programs already.

    My directions would have been to run the AppRemover and uninstall AVG.
    Then I would have instructed you to put one of the following on the system:
    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version

    Since I don't know what you did, please get it down to only 1 AV program on the system.
    ===================================================
    3. How much RAM do you have?
    There is an error in the Event Viewer> "Could not allocate the resources necessary for operation." To me, that sounds like a RAM problem.
    There is a huge number of programs installed and processes running for Win XP Home. You need at least 512MB of RAM to run decently and more is better.

    The programs installed indicate you might be a software developer> graphic design, video editing, and web development applications,etc. but I would think if that is the case, you would be running the Pro version, not Home.
    =============================
    Please get these scans done. Then I will write some script to run through Combofix. Please do not anticipate what I might ask you to do next- wait for me to instruct you. We'll go from there
     
  6. sicsty8

    sicsty8 TS Rookie Topic Starter

    Hi. I restarted in Safe Mode w/networking and here are my findings first.

    -------------------------------------------------------------------------------------------------------
    Done. However, 'Use a proxy server for your LAN' was NOT checked. I closed out of here with no action taken.

    Next,

    Done. Here are the results as they appeared. (there was no log file to save)

    209 objects scanned, 0 threats found, 0 threats neutralized, 0 threats Quarantined.


    ================================================================

    I haven't done anything else since it said no threats were found.
    Should I proceed with one of the RKill programs?

    Also, I do not have any AV currently installed. When I previously ran AppRemover it said it removed AVG and McAfee.
    I am following instructions and not installing anything unless instructed so...can I install one of the AV listed in your reply?

    Thanks.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Choose one of the temporary AV I left, download and install it. Attempt to update after install. It may not update, but run it anyway
    Reboot the computer when done.

    An example of why you should not go ahead with scans like Combofix and programs like app remover for AVG is because you did not get the directions to chose one of the temporary AV programs. This means you have been running with an unprotected system. It is likely you will have gotten more malware.
    ========================================
    Boot back into Safe Mode with Networking:
    Follow directions for RKill and Malwarebytes Full Scan
    =======================================
    It is best to put question regarding scans & logs on the thread, not send a PM- it doesn't go any quicker with a PM.

    It's okay if no proxy was set- it isn't always changed.
    It's okay if the TDSSKiller didn't find anything- it doesn't always.
     
  8. sicsty8

    sicsty8 TS Rookie Topic Starter

    reply #2

    I installed Avast. It installed and updated.


    Noted and heeded. :grinthumb


    Gotcha. I am running scans now in Safe mode w/networking. (I'm replying from another computer).

    RKill still shows "clean". MBAM is running a Full Scan now.

    I will post all completed logs when completed.
     
  9. sicsty8

    sicsty8 TS Rookie Topic Starter

    reply # 3

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8199

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    11/20/2011 12:46:56 PM
    mbam-log-2011-11-20 (12-46-56).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 450884
    Time elapsed: 43 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\antoinette\my documents\shareaza downloads\.$$ stuffit temp 1314566716\anydvd.hd.6.7.6.0.final.patch-jw\anydvd.hd.6.7.6.0.final.patch-jw.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{646ec2fe-0606-4498-a093-f57557d71b21}\RP1\A0000232.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{646ec2fe-0606-4498-a093-f57557d71b21}\RP1\A0001041.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.

    ===============================================================

    RKill results


    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 11/20/2011 at 10:41:45.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 11/20/2011 at 10:41:47.

    ================================================================


    TDSSKiller results


    209 objects scanned, 0 threats found, 0 threats neutralized, 0 threats Quarantined.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You do not need to quote my directions.

    I repeat: How much RAM is installed?
    ---------------------------------------
    Run the CK Scanner again please and don't remove anything in the log:
    ---------------------------------------
    1. You are using multiple files sharing programs.

    2. Several entries found in Mbam come under the heading of PUP-Potentially unwanted programs.
    (PUP soge)> "CaM.Adware.Downware.Win32.PEx.C.1440487003" or AdInstaller.SoGe
    (PUP.FileHunter)> filehunter-win32.exe
    3. Another is a hack tool> (RiskWare.Tool CK) This is usually found on site that have cracks and keygens that allow the user to pirate a program.
    Your use of shareaza downloads to get the anydvd.hd.6.7.6.0.final.patch-jw is an example of piracy.

    You have Stuffit Deluxe installed- more frequently seen on a Mac. It was used on the pirated file:
    c:\documents and settings\antoinette\my documents\shareaza downloads\.$$ stuffit temp 1314566716\anydvd.hd.6.7.6.0.final.patch-jw\anydvd.hd.6.7.6.0.final.patch-jw.exe (RiskWare.Tool.CK)
    =========================================
    Please explain what's happening here:
    What is being blocked? How do you not finish the post? Are you referring to just TechSpot?
    ========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
    Code:
    File::
    Folder::
    c:\documents and settings\Antoinette\Application Data\zbbbD33onG4QHsW
    c:\documents and settings\Antoinette\Application Data\I7ffRRL9gTXq
    c:\documents and settings\Antoinette\Application Data\ukkIIBrzPNyx1uD
    c:\documents and settings\Antoinette\Local Settings\Application Data\Solid State Networks
    c:\program files\Yontoo Layers Runtime
    c:\documents and settings\Antoinette\.swt
    c:\documents and settings\Antoinette\Application Data\FileHunter
    c:\documents and settings\Antoinette\UserData
    c:\program files\Common Files\ParetoLogic
    c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic
    c:\program files\ParetoLogic
    c:\program files\Toolbar Cleaner
    DDS::
    mURLSearchHooks: H - No File
    BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\RazaWebHook32.dll
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
    BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
    BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    IE: Download with &Shareaza - c:\program files\shareaza\RazaWebHook32.dll/3000
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    ClearJavaCache::
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    "c:\\Program Files\\Shareaza\\Shareaza.exe"=-
    "c:\\Program Files\\Vuze\\Azureus.exe"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
    "5800:TCP"=-
    "5821:UDP"=-
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
    "value"="?\0a\05\1c\0b:9r"
    
    Reboot::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    When you post the Combofix log that is generated after you run the script, please include the entire heading:
    From this first line>>>ComboFix 11-11-16.01 - Antoinette 11/16/2011 15:15:07.1.2 - x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1554 [GMT -6:00]
    .Include everything that is missing between the line above and the line below.
    (((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     
  11. sicsty8

    sicsty8 TS Rookie Topic Starter

    response #4

    Ram = 2.00 GB of RAM

    Also, when I was first trying to post my problem to Techspot, everytime I would hit 'Post Reply', the next page would be "Page not found". I don't know what was blocking me from being able to post. I ended up using another computer to actually submit my initial post. Sorry I don't remember if I'd ran MBAM before or after, but I was able to eventually post from the infected PC. (as I've been doing now)
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There have been a couple of complaints about the 'post reply' problem. It was caused by work being done on the site, not malware- sometimes a temporary problem can occur. It should be fine now.

    With all the processes you're running, I would guess you're using every bit of that RAM!

    Please continue with my instructions.
     
  13. sicsty8

    sicsty8 TS Rookie Topic Starter

    reply #5

    I followed your instructions and created the .txt file, dragged it into ComboFix and ComboFix started up with the blue box. It started doing somethings and then an alert box popped up saying something to the tune of "a more recent version of ComboFix being available and to update it". It only gave me an option to click "OK", which I did. ComboFix then continued functioning. It said it was connecting to the server then began updating ComboFix. When it was finished with that part, it started running stages and listing them as it went. I got as far as the 5th stage before I stopped watching.

    When I came back to the PC, I saw where my machine had shut down and rebooted itself. I clicked my username and Windows finished starting up. Here's where I'm not sure what happened. I'm running Avast as the AV. I figured out after the fact, that I could "permanently disable" Avast so it wouldn't run even if the machine restarted, as opposed to just stopping it from running for the time being, as I had done. So when the PC restarted, Avast restarted as well. It immediately picked up ComboxFix (or something it was doing) as a possible threat and wanted to run this in what Avast calls the "sandbox". I'm not really certain how that would affect ComboFix. It did give me a drop down box to select other actions but before I could select anything, a message box appears. It's the grey message box you get when an application or IE unexpectedly crashes and asks you if you want to "Send" or "Don't send" a report to Microsoft. I clicked "Don't Send" and then my PC just shut down and began the rebooting process, all without any interaction from me. When it got back to the Windows user screen, I clicked my username again and Windows finished starting up normally.

    **Note:
    I had originally posted I couldn't find the resulting ComboFix.txt file. I did a system search and found it. It was actually in a folder called Combofix on the C:/ drive. I don't know if this is everything that was supposed to happen and be logged, but this is all that's in the log file.

    ==================================================================================================================

    ComboFix 11-11-22.03 - Antoinette 11/22/2011 21:07:42.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1267 [GMT -6:00]
    Running from: C:\Documents and Settings\Antoinette\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Antoinette\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ===================================================================================================================

    Should I run the .txt file again; or is this correct?
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    ------------------------------------
    Be sure AVG is still removed:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
      [​IMG]
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Be sure a temporary AV is on the system- even though you will need to disble it for Combofix.
    ============================
    Be sure the previous Combofix has been uninstallled as instructed.
    ============================
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ===============================
    After you have reinstalled Combofix and run a new scan, go right on to this:
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
    Code:
    File::
    Folder::
    c:\documents and settings\Antoinette\Application Data\zbbbD33onG4QHsW
    c:\documents and settings\Antoinette\Application Data\I7ffRRL9gTXq
    c:\documents and settings\Antoinette\Application Data\ukkIIBrzPNyx1uD
    c:\documents and settings\Antoinette\Local Settings\Application Data\Solid State Networks
    c:\program files\Yontoo Layers Runtime
    c:\documents and settings\Antoinette\.swt
    c:\documents and settings\Antoinette\Application Data\FileHunter
    c:\documents and settings\Antoinette\UserData
    c:\program files\Common Files\ParetoLogic
    c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic
    c:\program files\ParetoLogic
    c:\program files\Toolbar Cleaner
    DDS::
    mURLSearchHooks: H - No File
    BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\RazaWebHook32.dll
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
    BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
    BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    IE: Download with &Shareaza - c:\program files\shareaza\RazaWebHook32.dll/3000
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    ClearJavaCache::
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    "c:\\Program Files\\Shareaza\\Shareaza.exe"=-
    "c:\\Program Files\\Vuze\\Azureus.exe"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
    "5800:TCP"=-
    "5821:UDP"=-
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
    "value"="?\0a\05\1c\0b:9r"
    
    Reboot::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please give me the entire new Combofix log that will be generated after the script.

    You do not need to quote my instructions.
     
  15. sicsty8

    sicsty8 TS Rookie Topic Starter

    reply #6 (comboFix log 11/27/11)

    Edit: Extra Combofix log without script has been deleted by Bobbye. Log after script is in next reply..
    - - End Of File - - A228205B1405CA4C28DC710622BF157B
     
  16. sicsty8

    sicsty8 TS Rookie Topic Starter

    reply #6a (Combofix w/CFScript.txt) post

    ComboFix 11-11-27.02 - Antoinette 11/27/2011 20:43:52.4.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1372 [GMT -6:00]
    Running from: c:\documents and settings\Antoinette\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Antoinette\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Antoinette\UserData
    c:\documents and settings\Antoinette\UserData\FCMSQRC5\pmocntr2[1].xml
    c:\documents and settings\Antoinette\UserData\index.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-23 14:28 . 2011-11-23 14:28 -------- d-----w- c:\documents and settings\Antoinette\Application Data\Windows Search
    2011-11-20 14:35 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-11-20 14:35 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-11-20 14:35 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-11-20 14:35 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-11-20 14:35 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-11-20 14:35 . 2011-09-06 21:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-11-20 14:35 . 2011-09-06 21:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-11-20 14:35 . 2011-09-06 21:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-11-20 14:35 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
    2011-11-20 14:35 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-11-20 14:34 . 2011-11-20 14:34 -------- d-----w- c:\program files\AVAST Software
    2011-11-20 14:34 . 2011-11-20 14:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVAST Software
    2011-11-17 05:46 . 2011-11-17 05:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
    2011-11-14 20:00 . 2011-11-14 20:00 -------- d-----w- c:\documents and settings\Antoinette\Application Data\Malwarebytes
    2011-11-14 19:59 . 2011-11-14 19:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2011-11-14 19:59 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-14 19:59 . 2011-11-14 19:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-12 15:55 . 2011-11-12 16:10 -------- d-----w- c:\documents and settings\Administrator
    2011-11-12 05:21 . 2011-11-15 04:40 -------- d-----w- c:\windows\Downloaded Program Files
    2011-11-12 03:21 . 2011-11-12 03:21 -------- d-----w- c:\documents and settings\Antoinette\Application Data\DriverCure
    2011-11-12 03:21 . 2011-11-12 03:21 -------- d-----w- c:\documents and settings\Antoinette\Application Data\ParetoLogic
    2011-11-12 01:09 . 2011-11-12 02:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
    2011-11-11 04:15 . 2011-11-11 04:15 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Apple Computer
    2011-11-11 04:15 . 2011-11-11 04:15 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Application Data\Apple Computer
    2011-11-11 04:13 . 2011-11-11 04:13 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
    2011-11-11 04:13 . 2011-11-11 04:13 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\Apple Computer
    2011-11-11 00:27 . 2011-11-11 00:27 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
    2011-11-10 18:34 . 2011-11-10 18:34 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-15 04:40 . 2011-06-14 00:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2010-07-10 00:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2003-03-20 21:18 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41 . 2003-07-16 20:40 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41 . 2003-07-16 20:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2010-07-21 02:03 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-08-31 04:05 . 2011-08-31 04:05 50536 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-08-31 04:05 . 2011-08-31 04:05 178536 ----a-w- c:\windows\system32\dnssdX.dll
    2009-09-09 04:40 . 2009-09-09 04:40 50536 ----a-w- c:\program files\install.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-11-28_02.21.48 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-11-28 02:59 . 2011-11-28 02:59 16384 c:\windows\TEMP\Perflib_Perfdata_794.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-27 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-16 1392640]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
    .
    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]
    2010-03-24 21:26 243544 ----a-w- c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\WiLife Command Center\\Werks.exe"=
    "c:\\Program Files\\Shareaza\\Shareaza.exe"=
    "c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
    "c:\\Documents and Settings\\Antoinette\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
    "51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
    "51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
    "1900:UDP"= 1900:UDP:mad:xpsp2res.dll,-22007
    "2869:TCP"= 2869:TCP:mad:xpsp2res.dll,-22008
    "5800:TCP"= 5800:TCP:tcp
    "5821:UDP"= 5821:UDP:udp
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/20/2011 8:35 AM 442200]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/20/2011 8:35 AM 320856]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/20/2011 8:35 AM 20568]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/14/2011 1:59 PM 366152]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/14/2011 1:59 PM 22216]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 4:30 PM 135664]
    S2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe -k necusb3 [7/16/2003 2:47 PM 14336]
    S3 A_USBETHMP;USB PowerPacket Network Adapter;c:\windows\system32\drivers\usbethmp.sys [11/23/2010 10:38 PM 14342]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
    S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 5:42 AM 64000]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 4:30 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
    S3 WLRAWMp50x86;WLRAWMp50x86 NDIS Protocol Driver;c:\windows\system32\drivers\WLRAWMp50x86.sys [11/22/2010 12:43 PM 28312]
    S3 WLRAWSp50x86;WLRAWSp50x86 NDIS Protocol Driver;c:\windows\system32\drivers\WLRAWSp50x86.sys [11/22/2010 12:43 PM 27032]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    necusb3 REG_MULTI_SZ necusb
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-27 22:30]
    .
    2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-27 22:30]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: Download with ImTOO YouTube to iPod Converter - c:\program files\ImTOO\YouTube to iPod Converter\upod_link.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    TCP: DhcpNameServer = 192.168.1.254
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    FF - ProfilePath - c:\documents and settings\Antoinette\Application Data\Mozilla\Firefox\Profiles\lk3xfloj.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B91257d9e-bc72-4654-a955-6ded9a671b05%7D&mid=640df10632abbaf5f813eb2986b2f4e4-dded5dc92328a0641c5c37243c6237a1d8397482&ds=AVG&v=8.0.0.34.1&lang=en&pr=fr&d=2011-09-29%2010%3A32%3A27&sap=ku&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
    FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Image Spider: Artem@Demchenkov.ImageSpider - %profile%\extensions\Artem@Demchenkov.ImageSpider
    FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
    FF - Ext: FireDiff: firediff@johnjbarton.com - %profile%\extensions\firediff@johnjbarton.com
    FF - Ext: selectbug: selectbug@getfirebug.com - %profile%\extensions\selectbug@getfirebug.com
    FF - Ext: FireStarter: firestarter@getfirebug.com - %profile%\extensions\firestarter@getfirebug.com
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
    FF - user.js: extentions.y2layers.installId - b64fd4eb-a61c-48f0-aaa5-bea35aeac1da
    FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,BestVideoDownloader,BestVideoDownloader,
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-27 21:00
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(920)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    c:\windows\System32\BCMLogon.dll
    c:\windows\system32\netprovcredman.dll
    .
    - - - - - - - > 'explorer.exe'(4084)
    c:\windows\system32\WININET.dll
    c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    c:\windows\system32\netprovcredman.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\program files\Creative\Shared Files\CTDevSrv.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\progra~1\Allume\StuffIt\MXTask.exe
    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\system32\SearchIndexer.exe
    c:\windows\System32\bcmwltry.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\progra~1\Allume\StuffIt\mxtask.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-27 21:06:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-28 03:06
    ComboFix2.txt 2011-11-28 02:27
    .
    Pre-Run: 43,570,839,552 bytes free
    Post-Run: 43,552,739,328 bytes free
    .
    - - End Of File - - AD9AE997860DCABB5AB7CF9429C08D9F
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
    Code:
    KillAll::
    File::
    c:\program files\install.exe
    Folder::
    c:\documents and settings\Antoinette\UserData
    c:\documents and settings\Antoinette\Application Data\DriverCure
    c:\documents and settings\Antoinette\Application Data\ParetoLogic
    ClearJavaCache::
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=-
    "c:\\Program Files\\Shareaza\\Shareaza.exe"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
    "5800:TCP"=-
    "5821:UDP"=-
    
    Reboot::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Open Firefox> Tools> Extensions> Delete entries for Java v6u22, v6u23, v6u24, v6u26
    Also delete the following":
    FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
    FF - user.js: extentions.y2layers.installId - b64fd4eb-a61c-48f0-aaa5-bea35aeac1da
    FF - user.js: extentions.y2layers.defaultEnableAppsList - and all of the following if listed separately:
    Buzzdock,BuzzdockTease,DropDownDeals,BestVideoDownloader,BestVideoDownloade
    ========================
    Things to know:
    1. MS bundles the BingBar with SeaScapes. They do not tell you they are doing this, nor do they ask permission. The BingBar often come with Zugo bundles with it!
    2. Re Shop at Home Toolbar:
    Threat Profile: Generic PUP.x!fr!44263720A4DC
    This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove.
    The applications attempted the following network connection(s):
    * 74.63.145.***:80
    * hxxp://www.shopathome.com/agent/*****
    * hxxp://www.shopathome.com/install/*****
    * hxxp://tbws.shopathome.com/*****
    ==============================
    Please repeat as requested. Give me the entire log:
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the [​IMG]on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
      [​IMG]
    • Uncheck 'Remove found threats'
    • Check 'Scan archives/
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ==============================================
    How is the system running now?
     
  18. sicsty8

    sicsty8 TS Rookie Topic Starter

    reply #7

    ComboFix 11-12-03.01 - Antoinette 12/03/2011 10:37:31.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1279 [GMT -6:00]
    Running from: c:\documents and settings\Antoinette\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Antoinette\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    FILE ::
    "c:\program files\install.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Antoinette\Application Data\DriverCure
    c:\documents and settings\Antoinette\Application Data\DriverCure\LogFile.txt
    c:\documents and settings\Antoinette\Application Data\ParetoLogic
    c:\documents and settings\Antoinette\Application Data\ParetoLogic\PC Health Advisor\Client.txt
    c:\documents and settings\Antoinette\Application Data\ParetoLogic\PC Health Advisor\Server.txt
    c:\documents and settings\Antoinette\UserData
    c:\documents and settings\Antoinette\UserData\index.dat
    c:\documents and settings\Antoinette\UserData\MQGHO4PH\YL[1].xml
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-03 to 2011-12-03 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-29 11:10 . 2011-11-29 11:10 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-11-23 14:28 . 2011-11-23 14:28 -------- d-----w- c:\documents and settings\Antoinette\Application Data\Windows Search
    2011-11-20 14:35 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-11-20 14:35 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-11-20 14:35 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-11-20 14:35 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-11-20 14:35 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-11-20 14:35 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-11-20 14:35 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-11-20 14:35 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-11-20 14:35 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2011-11-20 14:35 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
    2011-11-20 14:34 . 2011-11-20 14:34 -------- d-----w- c:\program files\AVAST Software
    2011-11-20 14:34 . 2011-11-20 14:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVAST Software
    2011-11-17 05:46 . 2011-11-17 05:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
    2011-11-14 20:00 . 2011-11-14 20:00 -------- d-----w- c:\documents and settings\Antoinette\Application Data\Malwarebytes
    2011-11-14 19:59 . 2011-11-14 19:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2011-11-14 19:59 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-14 19:59 . 2011-11-14 19:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-12 15:55 . 2011-11-12 16:10 -------- d-----w- c:\documents and settings\Administrator
    2011-11-12 05:21 . 2011-11-15 04:40 -------- d-----w- c:\windows\Downloaded Program Files
    2011-11-12 01:09 . 2011-11-12 02:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
    2011-11-11 04:15 . 2011-11-11 04:15 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Apple Computer
    2011-11-11 04:15 . 2011-11-11 04:15 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Application Data\Apple Computer
    2011-11-11 04:13 . 2011-11-11 04:13 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
    2011-11-11 04:13 . 2011-11-11 04:13 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\Apple Computer
    2011-11-11 00:27 . 2011-11-11 00:27 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
    2011-11-10 18:34 . 2011-11-10 18:34 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-15 04:40 . 2011-06-14 00:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2010-07-10 00:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2003-03-20 21:18 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41 . 2003-07-16 20:40 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41 . 2003-07-16 20:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2010-07-21 02:03 1858944 ----a-w- c:\windows\system32\win32k.sys
    2009-09-09 04:40 . 2009-09-09 04:40 50536 ----a-w- c:\program files\install.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-11-28_02.21.48 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-12-03 16:56 . 2011-12-03 16:56 16384 c:\windows\temp\Perflib_Perfdata_23c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-27 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-16 1392640]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    .
    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]
    2010-03-24 21:26 243544 ----a-w- c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\WiLife Command Center\\Werks.exe"=
    "c:\\Program Files\\Shareaza\\Shareaza.exe"=
    "c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
    "c:\\Documents and Settings\\Antoinette\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
    "51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
    "51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
    "1900:UDP"= 1900:UDP:mad:xpsp2res.dll,-22007
    "2869:TCP"= 2869:TCP:mad:xpsp2res.dll,-22008
    "5800:TCP"= 5800:TCP:tcp
    "5821:UDP"= 5821:UDP:udp
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/20/2011 8:35 AM 435032]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/20/2011 8:35 AM 314456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/20/2011 8:35 AM 20568]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/14/2011 1:59 PM 366152]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/14/2011 1:59 PM 22216]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 4:30 PM 135664]
    S2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe -k necusb3 [7/16/2003 2:47 PM 14336]
    S3 A_USBETHMP;USB PowerPacket Network Adapter;c:\windows\system32\drivers\usbethmp.sys [11/23/2010 10:38 PM 14342]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
    S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 5:42 AM 64000]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 4:30 PM 135664]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
    S3 WLRAWMp50x86;WLRAWMp50x86 NDIS Protocol Driver;c:\windows\system32\drivers\WLRAWMp50x86.sys [11/22/2010 12:43 PM 28312]
    S3 WLRAWSp50x86;WLRAWSp50x86 NDIS Protocol Driver;c:\windows\system32\drivers\WLRAWSp50x86.sys [11/22/2010 12:43 PM 27032]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    necusb3 REG_MULTI_SZ necusb
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    2011-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-27 22:30]
    .
    2011-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-27 22:30]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: Download with ImTOO YouTube to iPod Converter - c:\program files\ImTOO\YouTube to iPod Converter\upod_link.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    TCP: DhcpNameServer = 192.168.1.254
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    FF - ProfilePath - c:\documents and settings\Antoinette\Application Data\Mozilla\Firefox\Profiles\lk3xfloj.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B91257d9e-bc72-4654-a955-6ded9a671b05%7D&mid=640df10632abbaf5f813eb2986b2f4e4-dded5dc92328a0641c5c37243c6237a1d8397482&ds=AVG&v=8.0.0.34.1&lang=en&pr=fr&d=2011-09-29%2010%3A32%3A27&sap=ku&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
    FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Image Spider: Artem@Demchenkov.ImageSpider - %profile%\extensions\Artem@Demchenkov.ImageSpider
    FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
    FF - Ext: FireDiff: firediff@johnjbarton.com - %profile%\extensions\firediff@johnjbarton.com
    FF - Ext: selectbug: selectbug@getfirebug.com - %profile%\extensions\selectbug@getfirebug.com
    FF - Ext: FireStarter: firestarter@getfirebug.com - %profile%\extensions\firestarter@getfirebug.com
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
    FF - user.js: extentions.y2layers.installId - b64fd4eb-a61c-48f0-aaa5-bea35aeac1da
    FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,BestVideoDownloader,BestVideoDownloader,
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-03 10:56
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    C:\## aswSnx private storage
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(924)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    c:\windows\System32\BCMLogon.dll
    c:\windows\system32\netprovcredman.dll
    .
    - - - - - - - > 'explorer.exe'(3300)
    c:\windows\system32\WININET.dll
    c:\documents and settings\Antoinette\Application Data\Dropbox\bin\DropboxExt.14.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    c:\windows\system32\netprovcredman.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\program files\Creative\Shared Files\CTDevSrv.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\progra~1\Allume\StuffIt\MXTask.exe
    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\system32\SearchIndexer.exe
    c:\windows\System32\bcmwltry.exe
    c:\progra~1\Allume\StuffIt\mxtask.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-03 11:04:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-03 17:04
    ComboFix2.txt 2011-11-28 03:06
    ComboFix3.txt 2011-11-28 02:27
    .
    Pre-Run: 42,845,687,808 bytes free
    Post-Run: 42,897,149,952 bytes free
    .
    - - End Of File - - D57887811B5750C0B3CDF7EAAA344AE6
     
  19. sicsty8

    sicsty8 TS Rookie Topic Starter

    reply #7a (ckfiles.txt)

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.RP.11.TFBBRJ
    ----- EOF -----
     
  20. sicsty8

    sicsty8 TS Rookie Topic Starter

    reply #7b (EsetScan)

    C:\Documents and Settings\Antoinette\Application Data\AVG\Rescue\PC Tuneup 2011\110312225326546.rsc multiple threats
     
  21. sicsty8

    sicsty8 TS Rookie Topic Starter

    reply #7c

    I don't know what these are or where to find them. I looked in FF extensions but didn't see anything. I did find the Java and uninstalled that as instructed.

    System seems to be back to normal. No slow downs at any point on any programs or while browsing.
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The y2 entries are part of this:
    FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com

    This plugin is used with Facebook..
    The Yontoo.com site is not well rated by WOT. All areas of 'vendor reliability', 'privacy' and 'child safety' are showing "Caution.".

    It's possible that this was bundled with another progrm and added to the system without your knowledge or permission. We call the 'Foistware.' It not a virus or malware, but the potential of exposure to the system is high for malware.

    Comments from users:
    "Yontoo is an unnecessary program that doesn't register within IE. That means it's probably tapping into more than just Internet Explorer's functionality. And is also why it won't work in Firefox, Chrome, etc... too secure. It's associated with PageRage"

    "There is absolutely ZERO value to this software. in fact on the contrary it only benefits the software writer by getting ad revenues."
    =========================================
    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\Antoinette\Application Data\AVG\Rescue\PC Tuneup 2011\110312225326546.rsc
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ======================================
    You need to be more discriminating of the sites where you're getting downloads.I suggest you put this Site Advisor on the system asnd don't click on any site for anything unless you see a Green Light:
    The Web of Trust-(WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.Your online email account – Google Mail, Yahoo! Mail and Hotmail is also protected.

    Every time you do a search and the screen comes up with the sites, they will have the rating light:
    Green (2 shades)> Good to go.
    Amber/Yellow> use Caution,
    Red> not advised.
    ===========================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any questions.
     
  23. sicsty8

    sicsty8 TS Rookie Topic Starter

    reply #8 (OTMoveit)

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\Antoinette\Application Data\AVG\Rescue\PC Tuneup 2011\110312225326546.rsc moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes

    User: All Users

    User: All Users.WINDOWS

    User: Antoinette
    ->Temp folder emptied: 1714 bytes
    ->Temporary Internet Files folder emptied: 9608384 bytes
    ->Java cache emptied: 50428 bytes
    ->FireFox cache emptied: 91146662 bytes
    ->Flash cache emptied: 48303 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Default User.WINDOWS
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 41620 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: LocalService.NT AUTHORITY
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: mydesyn
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 402 bytes

    User: NetworkService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 67888 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 1165502 bytes
    %systemroot%\System32 .tmp files removed: 4186929 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 32128 bytes
    Windows Temp folder emptied: 696753 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 50619 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 102.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 12072011_201501
    All processes killed

    OTM by OldTimer - Version 3.1.19.0 log created on 12072011_201501

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Your system is clean! Please follow my directions in my Reply #22 to "Removing all of the tools we used and the files and folders they created."

    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o]Antivirus :(only one):Both of the following programs are free and known to be good:
      [o]Avira-AntiVir-Personal-Free-Antivirus
      [o]Avast-Free Antivirus
      [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o]Spybot Search & Destroy
    4. Updates: Stay current:
      [o] the Microsoft Download Sitefrequently. All updates marked Critical and the current SP updates.
      [o]Adobe Reader Install current, uninstall old.
      [o]Java Updates Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      Clean the temporary internet files often:
      [o] Temporary File Cleaner]
      or
      [o] ATF Cleaner by Atribune
    7. Restore Points:
      [o]See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...