TechSpot

Sick puter

By CarolinaChuck
Jun 14, 2012
    Hello,

    The first problem started with a random ding-dong sound, like I had plugged in a USB device. I tried to figure it out on my own by removing unused applications in Add/Remove Programs and in the msconfig startup list; I may have done more harm than good. After a week, Internet Explorer 8 started to redirect me when opening links, and then started opening new windows and going to sell/medical/BS type sites on its own. Also, AVG reported threats while offline: WINDOW\system32\ping.exe

    To keep it short, here are the logs:

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.06.14.07
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Administrator :: SUPER-CHUCKIE [administrator]
    6/14/2012 11:50:51 AM
    mbam-log-2012-06-14 (11-50-51).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 224426
    Time elapsed: 11 minute(s), 20 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 1
    HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 4
    C:\Win.Msi (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\AntispywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\AntispywareBot\Log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\AntispywareBot\Settings (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
    Files Detected: 5
    C:\Win.Msi\3proxy.cfg (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Win.Msi\alg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\AntispywareBot\rs.dat (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\AntispywareBot\Log\2009 Jan 20 - 01_29_47 AM_453.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\AntispywareBot\Settings\ScanResults.pie (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
    (end)
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-06-14 12:45:06
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5 WDC_WD2500YD-01NVB1 rev.10.02E01
    Running: 6ncm6eom.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\agtorfod.sys

    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Ntfs \Ntfs InCDRec.sys (InCD File System Recognizer/Nero AG)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Fastfat \Fat InCDRec.sys (InCD File System Recognizer/Nero AG)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    ---- Processes - GMER 1.0.15 ----
    Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 3892
    ---- EOF - GMER 1.0.15 ----
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
    Run by Administrator at 12:57:24 on 2012-06-14
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2773 [GMT -4:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\dKEYUSBCradle\SyncService.exe
    C:\dKEYUSBCradle\ProxyDaemon.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\dKEYUSBCradle\stunnel-4.10.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Profiler\lwemon.exe
    C:\Program Files\PowerArchiver\PASTARTER.EXE
    C:\dKEYUSBCradle\SyncInfoApp.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    .
    ============== Pseudo HJT Report ===============
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Start WingMan Profiler] "c:\program files\logitech\profiler\lwemon.exe" /noui
    uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [PowerArchiver Tray] c:\program files\powerarchiver\PASTARTER.EXE
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
    mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
    mRun: [WheelMouse] c:\program files\ocz technology\mouse\Amoumain.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Bing Bar] "c:\program files\msn toolbar\platform\5.0.1449.0\mswinext.exe"
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [<NO NAME>]
    mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
    mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
    mRun: [Nikon Message Center 2] c:\program files\nikon\nikon message center 2\NkMC2.exe -s
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\displa~1.lnk - c:\dkeyusbcradle\SyncInfoApp.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.3\IExifMap.htm
    IE: Lookup on Merriam Webster
    IE: Lookup on Wikipedia
    IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.3\IExifCom.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
    LSP: mswsock.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227396431828
    DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} -
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\0l4hw7l5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6d1b5&v=6.010.006.004&I=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\npjpi160_32.dll
    FF - plugin: c:\program files\java\jre6\bin\npoji610.dll
    FF - plugin: c:\windows\system32\NPSWF32.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
    R1 AvgLdx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
    R1 AvgMfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
    R1 AvgTdiX;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
    R3 silabenm;GE Supra DisplayKey USB Cradle Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2011-7-6 24584]
    R3 silabser;GE Supra DisplayKey USB Cradle Driver;c:\windows\system32\drivers\silabser.sys [2011-7-6 69256]
    S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-11 136176]
    S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 7\incd\nbhregincdsrv.exe --> c:\program files\nero\nero 7\incd\NBHRegInCDSrv.exe [?]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 257224]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-11 136176]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-06-14 15:46:02 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
    2012-06-14 15:38:19 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-06-14 15:38:18 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-14 15:38:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-06-13 13:34:01 1409 ----a-w- c:\windows\QTFont.for
    2012-06-12 16:30:30 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2012-06-12 16:30:30 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-06-08 15:30:35 -------- d-----w- c:\documents and settings\administrator\local settings\application data\PCHealth
    2012-06-08 15:28:26 -------- dc-h--w- c:\windows\ie8
    2012-06-08 14:52:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-06-08 14:52:47 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-06-06 16:39:18 -------- d-----w- c:\documents and settings\administrator\application data\AVG
    2012-06-06 16:31:25 -------- d-----w- c:\documents and settings\administrator\application data\AVG2012
    2012-06-06 16:29:51 -------- d-----w- c:\windows\system32\drivers\AVG
    2012-06-06 16:29:51 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
    2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
    2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
    2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
    2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
    2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
    2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
    2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
    2012-05-31 17:48:56 -------- d-----w- c:\program files\EZ Fonts
    .
    ==================== Find3M ====================
    .
    2012-06-13 17:44:44 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-13 17:44:44 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-06-08 14:52:35 472864 ----a-w- c:\windows\system32\deployJava1.dll
    2012-04-19 08:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2012-03-19 09:17:28 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    .
    ============= FINISH: 12:57:49.76 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/22/2008 4:55:26 PM
    System Uptime: 6/14/2012 12:17:45 PM (0 hours ago)
    .
    Motherboard: MICRO-STAR INTERNATIONAL CO.,LTD | | MS-7550
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5400+ | CPU1 | 2800/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 112 GiB total, 66.875 GiB free.
    D: is CDROM ()
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP881: 3/17/2012 2:09:56 AM - System Checkpoint
    RP882: 3/18/2012 2:37:54 AM - System Checkpoint
    RP883: 3/19/2012 3:35:03 AM - System Checkpoint
    RP884: 3/20/2012 3:37:54 AM - System Checkpoint
    RP885: 3/21/2012 4:37:54 AM - System Checkpoint
    RP886: 3/22/2012 5:37:57 AM - System Checkpoint
    RP887: 3/23/2012 6:37:54 AM - System Checkpoint
    RP888: 3/24/2012 7:57:43 AM - System Checkpoint
    RP889: 3/25/2012 8:38:59 AM - System Checkpoint
    RP890: 3/26/2012 9:37:54 AM - System Checkpoint
    RP891: 3/27/2012 6:39:42 PM - System Checkpoint
    RP892: 3/28/2012 8:34:13 PM - System Checkpoint
    RP893: 3/29/2012 8:37:51 PM - System Checkpoint
    RP894: 3/30/2012 9:44:43 PM - System Checkpoint
    RP895: 3/31/2012 10:27:14 PM - System Checkpoint
    RP896: 4/1/2012 11:27:14 PM - System Checkpoint
    RP897: 4/2/2012 11:28:36 PM - System Checkpoint
    RP898: 4/4/2012 12:36:10 AM - System Checkpoint
    RP899: 4/5/2012 2:36:41 AM - System Checkpoint
    RP900: 4/6/2012 3:11:30 AM - System Checkpoint
    RP901: 4/7/2012 4:11:30 AM - System Checkpoint
    RP902: 4/8/2012 5:11:09 AM - System Checkpoint
    RP903: 4/9/2012 5:11:30 AM - System Checkpoint
    RP904: 4/10/2012 6:11:25 AM - System Checkpoint
    RP905: 4/11/2012 7:11:25 AM - System Checkpoint
    RP906: 4/12/2012 8:11:25 AM - System Checkpoint
    RP907: 4/13/2012 8:21:16 AM - System Checkpoint
    RP908: 4/14/2012 9:11:25 AM - System Checkpoint
    RP909: 4/15/2012 10:56:03 AM - System Checkpoint
    RP910: 4/16/2012 4:22:30 PM - System Checkpoint
    RP911: 4/16/2012 6:50:17 PM - Removed HP Software Update
    RP912: 4/16/2012 7:23:44 PM - Printer Driver HP Officejet 4500 G510n-z fax Installed
    RP913: 4/17/2012 7:44:45 PM - System Checkpoint
    RP914: 4/18/2012 8:51:19 PM - System Checkpoint
    RP915: 4/19/2012 10:27:09 PM - System Checkpoint
    RP916: 4/20/2012 11:51:29 PM - System Checkpoint
    RP917: 4/22/2012 12:44:45 AM - System Checkpoint
    RP918: 4/23/2012 12:46:09 AM - System Checkpoint
    RP919: 4/24/2012 2:00:36 AM - System Checkpoint
    RP920: 4/25/2012 2:57:11 AM - System Checkpoint
    RP921: 4/26/2012 3:44:41 AM - System Checkpoint
    RP922: 4/27/2012 4:44:41 AM - System Checkpoint
    RP923: 4/28/2012 5:44:41 AM - System Checkpoint
    RP924: 4/29/2012 6:44:43 AM - System Checkpoint
    RP925: 4/30/2012 7:44:41 AM - System Checkpoint
    RP926: 5/1/2012 2:30:31 PM - System Checkpoint
    RP927: 5/2/2012 6:58:18 PM - System Checkpoint
    RP928: 5/3/2012 7:45:22 PM - System Checkpoint
    RP929: 5/4/2012 8:44:22 PM - System Checkpoint
    RP930: 5/5/2012 9:57:52 PM - System Checkpoint
    RP931: 5/6/2012 10:44:22 PM - System Checkpoint
    RP932: 5/8/2012 12:36:53 AM - System Checkpoint
    RP933: 5/9/2012 12:56:25 AM - System Checkpoint
    RP934: 5/10/2012 1:44:25 AM - System Checkpoint
    RP935: 5/11/2012 2:44:25 AM - System Checkpoint
    RP936: 5/12/2012 3:44:25 AM - System Checkpoint
    RP937: 5/13/2012 4:44:25 AM - System Checkpoint
    RP938: 5/14/2012 5:44:25 AM - System Checkpoint
    RP939: 5/15/2012 5:45:30 AM - System Checkpoint
    RP940: 5/16/2012 6:44:24 AM - System Checkpoint
    RP941: 5/17/2012 7:44:25 AM - System Checkpoint
    RP942: 5/18/2012 8:57:25 AM - System Checkpoint
    RP943: 5/19/2012 9:44:25 AM - System Checkpoint
    RP944: 5/28/2012 11:49:42 AM - System Checkpoint
    RP945: 5/29/2012 3:24:08 PM - System Checkpoint
    RP946: 5/30/2012 8:18:44 PM - System Checkpoint
    RP947: 5/31/2012 9:17:29 PM - System Checkpoint
    RP948: 6/1/2012 10:17:29 PM - System Checkpoint
    RP949: 6/2/2012 11:17:30 PM - System Checkpoint
    RP950: 6/4/2012 12:17:30 AM - System Checkpoint
    RP951: 6/5/2012 1:17:30 AM - System Checkpoint
    RP952: 6/6/2012 1:40:38 AM - System Checkpoint
    RP953: 6/6/2012 12:19:30 PM - Removed Ask Toolbar.
    RP954: 6/6/2012 12:29:17 PM - Installed AVG 2012
    RP955: 6/6/2012 12:29:34 PM - Installed AVG 2012
    RP956: 6/7/2012 2:05:31 PM - System Checkpoint
    RP957: 6/8/2012 10:35:17 AM - Restore Operation
    RP958: 6/8/2012 10:52:09 AM - Removed Java(TM) 6 Update 23
    RP959: 6/8/2012 10:52:30 AM - Installed Java(TM) 6 Update 32
    RP960: 6/8/2012 11:24:36 AM - Software Distribution Service 3.0
    RP961: 6/8/2012 11:29:54 AM - Installed Windows Internet Explorer 8.
    RP962: 6/8/2012 11:30:46 AM - Software Distribution Service 3.0
    RP963: 6/8/2012 4:07:07 PM - Restore Operation
    RP964: 6/8/2012 4:14:48 PM - Installed AVG 2012
    RP965: 6/8/2012 4:14:59 PM - Removed AVG 2012
    RP966: 6/8/2012 4:19:17 PM - Installed AVG 2012
    RP967: 6/8/2012 4:19:27 PM - Removed AVG 2012
    RP968: 6/12/2012 12:29:44 PM - Restore Operation
    RP969: 6/12/2012 1:19:01 PM - Installed AVG 2012
    RP970: 6/12/2012 1:19:12 PM - Removed AVG 2012
    RP971: 6/12/2012 6:29:16 PM - Installed AVG 2012
    RP972: 6/12/2012 6:29:29 PM - Removed AVG 2012
    RP973: 6/13/2012 7:38:22 AM - Installed AVG 2012
    RP974: 6/13/2012 7:38:38 AM - Installed AVG 2012
    .
    ==== Installed Programs ======================
    .
    7200
    7200_Help
    7200Trb
    Add or Remove Adobe Creative Suite 3 Master Collection
    Adobe Acrobat 8 Professional
    Adobe Acrobat 8.1.4 Professional
    Adobe After Effects CS3
    Adobe After Effects CS3 Presets
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Contribute CS3
    Adobe Creative Suite 3 Master Collection
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe Encore CS3
    Adobe Encore CS3 Codecs
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Fireworks CS3
    Adobe Flash CS3
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 9 Plugin
    Adobe Flash Video Encoder
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Illustrator CS3
    Adobe InDesign CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Premiere Pro CS3
    Adobe Premiere Pro CS3 Functional Content
    Adobe Premiere Pro CS3 Third Party Content
    Adobe Setup
    Adobe SING CS3
    Adobe Soundbooth CS3
    Adobe Soundbooth CS3 Codecs
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe Version Cue CS3 Server {ko_KR}
    Adobe Video Profiles
    Adobe WAS CS3
    Adobe WinSoft Linguistics Plugin
    Adobe XMP DVA Panels CS3
    Adobe XMP Panels CS3
    AGEIA PhysX v2.3.3
    AHV content for Acrobat and Flash
    AiO_Scan
    AiOSoftware
    AMD Processor Driver
    Ask Toolbar
    ATI - Software Uninstall Utility
    ATI Display Driver
    AVG 2012
    Bing Bar Platform
    BufferChm
    Call of Duty(R) 2
    Call of Duty(TM) Game of the Year Edition
    Chinese Traditional Fonts Support For Adobe Reader 9
    Compatibility Pack for the 2007 Office system
    Copy
    CP_AtenaShokunin1Config
    cp_dwShrek2Albums1
    cp_dwShrek2Cards1
    CreativeProjects
    CreativeProjectsTemplates
    Critical Update for Windows Media Player 11 (KB959772)
    CueTour
    CutePDF Writer 2.8
    DD Tournament Poker 1.2
    Destinations
    Director
    DisplayKEY USB Cradle
    dKeyUSBCradleDriver_x86
    DocProc
    DocumentViewer
    DVD Suite
    Fax
    File Uploader
    Ghost Recon Advanced Warfighter
    Google Chrome
    Google Earth Plug-in
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB981793)
    HP Image Zone 4.7
    HP Product Assistant
    HP PSC & OfficeJet 4.7
    HP Software Update
    HPSystemDiagnostics
    InstantShare
    Java Auto Updater
    Java(TM) 6 Update 29
    Just Learn Morse Code
    LightScribe System Software 1.12.29.2
    LightScribe Template Designs - 9 to 5 Pack 1
    LightScribe Template Designs - Bonus Pack 1
    LightScribe Template Designs - Fantasy Pack 1
    LightScribe Template Designs - Kids Korner Pack 1
    LightScribe Template Designs - Mythology Pack 1
    LightScribe Template Designs - Tattoo Pack 1
    LightScribeTemplateLabeler
    Logitech Gaming Software
    Malwarebytes Anti-Malware version 1.61.0.1400
    Marine Aquarium 2, Sharks & Carousel Bundle
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Default Manager
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office XP Media Content
    Microsoft Office XP Professional
    Microsoft Publisher 2002
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Mozilla Firefox (3.5.5)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NASCAR® Racing 2003 Season
    Nero 7 Essentials
    neroxml
    Nikon Message Center
    Nikon Message Center 2
    Nikon Movie Editor
    Nikon Transfer
    Notepad++
    OCZ Technology Laser Gaming Mouse
    PanoStandAlone
    PC Wizard 2008.1.87
    PDF Settings
    PhotoGallery
    Picture Control Utility
    PowerArchiver 2009
    PowerDVD
    PowerProducer
    ProductContext
    QFolder
    QuickTime
    Readme
    RealFlight G2 Simulator
    Realtek High Definition Audio Driver
    Scan
    ScannerCopy
    SecurDisc Viewer
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SkinsHP1
    TrayApp
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676-v2)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB943729)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    ViewNX
    ViewNX 2
    WebFldrs XP
    WebReg
    Windows Driver Package - GE Security (silabenm) Ports (12/10/2008 5.4.0.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live ID Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/14/2012 2:38:49 AM, error: Service Control Manager [7034] - The AVGIDSAgent service terminated unexpectedly. It has done this 1 time(s).
    6/13/2012 8:41:37 AM, error: DCOM [10000] - Unable to start a DCOM Server: {ABC01078-F197-4B0B-ADBC-CFE684B39C82}. The error: "%3" Happened while starting this command: "C:\Program Files\Google\Update\1.3.21.65\GoogleUpdateOnDemand.exe" -Embedding
    6/13/2012 3:03:54 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    6/13/2012 12:05:49 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 002185995894 has been denied by the DHCP server 192.168.254.254 (The DHCP Server sent a DHCPNACK message).
    6/13/2012 1:30:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
    6/13/2012 1:30:32 PM, error: Service Control Manager [7001] - The AVG Free8 E-mail Scanner service depends on the AVG Free8 WatchDog service which failed to start because of the following error: The system cannot find the path specified.
    6/13/2012 1:30:32 PM, error: Service Control Manager [7000] - The SeaPort service failed to start due to the following error: The system cannot find the path specified.
    6/13/2012 1:30:32 PM, error: Service Control Manager [7000] - The Pml Driver HPZ12 service failed to start due to the following error: The system cannot find the file specified.
    6/13/2012 1:30:32 PM, error: Service Control Manager [7000] - The Nero Registry InCD Service service failed to start due to the following error: The system cannot find the file specified.
    6/13/2012 1:30:32 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/13/2012 1:30:32 PM, error: Service Control Manager [7000] - The AVG Free8 WatchDog service failed to start due to the following error: The system cannot find the path specified.
    6/12/2012 12:32:05 PM, error: Service Control Manager [7001] - The AVG Free8 E-mail Scanner service depends on the AVG Free8 WatchDog service which failed to start because of the following error: The system cannot find the file specified.
    6/12/2012 12:32:05 PM, error: Service Control Manager [7000] - The AVG Free8 WatchDog service failed to start due to the following error: The system cannot find the file specified.
    .
    ==== End Of File ===========================

    I hope you can help
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware.

    Does any of this sound familiar?
    1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random name consisting of three characters
    2. Clicking on any executable loads the malware
    3. Display fake security alerts on the infected computer.
    4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
    5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.
    To fix #5, you start here: Download a Registry file that will fix these changes.
    Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
    • Insert the removable device into the infected computer and open the folder for the drive letter associated with it. (Usually C)
    • Double click the FixNCR.reg file
    • You should now be able to run the .exe files.
    -------------------------------------
    To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ================================
    Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ==============================
    This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ====================================================
    There are also some toolbars (TB) and browser helper objects (BHO) that we will need to remove as they will give you ads and possibly spyware:
    ======================================================
    I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.
    Temporary AV: Use one:
    Microsoft Security Essentials
    Comodo AV
    Avast! Free Antivirus
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------

    • Download Combofix from HERE or HERE and save to the desktop
      • Double click combofix.exe & follow the prompts.
      • If prompted for Recovery Console, please allow.
      • Once installed, you should see a blue screen prompt that says:
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close any open browsers.
    • Before you run the Combofix scan, please disable any security software you have running.
      (If you need help with this, please see HERE)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated- it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =====================================================
    Please leave any logs generated in your next reply.
    ====================================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
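    A way to check for the .exe hijack described in item #5 of the list above, as an added example that is not part of Bobbye's post or of the FixNCR.reg file she links to: the script reads the registry locations Windows consults when an .exe is launched and reports any that differ from the stock values. The expected values (`exefile` for HKCR\.exe and `"%1" %*` for the open command) and the per-user override key HKCU\Software\Classes\.exe are taken from Windows defaults, not from the thread.

```powershell
# Added example; not from the thread or from FixNCR.reg.
# Run from an elevated PowerShell prompt on the suspect machine.

# Stock Windows value for exefile\shell\open\command (assumed from Windows defaults).
$ExpectedCommand = '"%1" %*'

function Get-DefaultValue {
    # Returns the (Default) value of a registry key, or $null if the key is missing.
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.GetValue('')
}

# Machine-wide association chain: .exe -> exefile -> open command.
$checks = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Expected = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Expected = $ExpectedCommand }
)

foreach ($c in $checks) {
    $actual = Get-DefaultValue $c.Path
    if ($actual -eq $c.Expected) {
        Write-Host ("OK      {0} = {1}" -f $c.Path, $actual)
    } else {
        # Anything other than the stock value means every .exe launch is being redirected.
        Write-Host ("SUSPECT {0} = [{1}] (expected [{2}])" -f $c.Path, $actual, $c.Expected)
    }
}

# A per-user class registration overrides HKCR for that user and does not exist
# on a clean install, so its mere presence is worth reporting (assumed default).
$userOverride = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
if (Test-Path -LiteralPath $userOverride) {
    Write-Host "SUSPECT per-user .exe association present at $userOverride"
    Get-ChildItem -LiteralPath $userOverride -Recurse | ForEach-Object {
        Write-Host ("  {0} = [{1}]" -f $_.Name, $_.GetValue(''))
    }
} else {
    Write-Host "OK      no per-user .exe override"
}
```

    If either machine-wide value is reported SUSPECT, or a per-user override exists, that is the condition FixNCR.reg is meant to undo; the script only reads and never changes the registry.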
     
  3. CarolinaChuck

    CarolinaChuck TS Rookie Topic Starter

    I ran the first two, Fix and Kill, but the full scan on Malwarebytes has stopped twice with a message box stating it encountered a problem and needed to stop. The following is the rkill log:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Rkill was run on 06/15/2012 at 4:46:39.
    Operating System: Microsoft Windows XP

    Processes terminated by Rkill or while it was running:

    Rkill completed on 06/15/2012 at 4:46:52.


    AVG has asked me twice to either move to vault or heal detected threats, which I did. My other option would have been to close out of the notice...

    Chuck
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, stop where you are. Instead of going on to the Malwarebytes Full Scan, do the following:

    I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. Click on Next after choice has been made
    5. Check the AVG program you want to uninstall
    6. After uninstall shows complete, follow online prompts to Exit the program.
    Temporary AV: Use one:
    Microsoft Security Essentials
    Comodo AV
    Avast! Free Antivirus
    =============================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =================================================
    We will pick up as needed after I review Combofix.
     
  5. CarolinaChuck

    CarolinaChuck TS Rookie Topic Starter

    Ok,

    I have done something wrong. First, let me thank you for your time; it is nice to have a place to go.

    I uninstalled AVG with AppRemover.

    I then put on Avast.

    Next I went on to the ESETOnlineScan and Avast went insane and would not let me go through it. Avast wanted to do a scan so I let it. It found Sirefef all over and I put the files in Avast vault; also a ping.exe that I had to ignore. When the system rebooted I now have no connection to the internet (Local Area Connection).

    I would send the log from Avast, but I do not know where to find it. Only the internet connection is not working at this time. Avast also did a restore point before it scanned???

    I imagine I can do ComboFix via a USB thumb drive, but wanted to tell you what has transpired. I am now on the laptop to post. Sorry, I screwed the pooch.

    I am real sorry for messing this up

    Chuck
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're supposed to disable the resident AV when you run the online Eset scan. I don't need the log from Avast.

    We'll break a rule here and see if we can get the connection back. Use the restore point that Avast set before the scan. After the system restores, see if the connection is back- okay?

    There is a variant of the malware that seems to either cause a constant rebooting or loss of the internet connection. I'd like to see how much of it we can remove> after the restore, go ahead and run Combofix. Use either direct download if connection is back or the flash drive to download Combofix then run on problem system.

    Hold on the Eset scan until I check Combofix.

    I noticed this in your first logs- I think it is contributing to the instability:

    If you actually did what the restore point was set for, in 4 days the system was restored twice, AVG was installed 6 times and AVG was uninstalled 4 times and again today. This is tough on any system and more so on one that has malware.
     
  7. CarolinaChuck

    CarolinaChuck TS Rookie Topic Starter

    Ok, it came back online...
    Da log:

    ComboFix 12-06-15.06 - Administrator 06/15/2012 23:42:12.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2929 [GMT -4:00]
    Running from: e:\tech_ware\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\All Users\Application Data\TEMP
    c:\windows\$NtUninstallKB60926$
    c:\windows\$NtUninstallKB60926$\1377903237
    c:\windows\$NtUninstallKB60926$\3856140326\@
    c:\windows\$NtUninstallKB60926$\3856140326\Desktop.ini
    c:\windows\$NtUninstallKB60926$\3856140326\L\00000004.@
    c:\windows\$NtUninstallKB60926$\3856140326\L\1afb2d56
    c:\windows\$NtUninstallKB60926$\3856140326\L\201d3dde
    c:\windows\$NtUninstallKB60926$\3856140326\L\pepjmhmo
    c:\windows\$NtUninstallKB60926$\3856140326\U\00000004.@
    c:\windows\$NtUninstallKB60926$\3856140326\U\00000008.@
    c:\windows\$NtUninstallKB60926$\3856140326\U\000000cb.@
    c:\windows\$NtUninstallKB60926$\3856140326\U\80000000.@
    c:\windows\$NtUninstallKB60926$\3856140326\U\80000032.@
    c:\windows\system32\dllcache\dlimport.exe
    c:\windows\system32\dllcache\wmpvis.dll
    c:\windows\system32\SET14A.tmp
    c:\windows\system32\SET14B.tmp
    c:\windows\system32\SET1A4.tmp
    c:\windows\system32\SET1A6.tmp
    c:\windows\system32\SET1B4.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-16 to 2012-06-16 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-16 02:48 . 2012-06-16 02:48 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-06-15 17:37 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-06-15 17:37 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-06-15 17:37 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-06-15 17:37 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-06-15 17:37 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-06-15 17:37 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-06-15 17:37 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-06-15 17:37 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-06-15 17:33 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-06-15 17:33 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-06-15 17:33 . 2012-06-15 17:33 -------- d-----w- c:\program files\AVAST Software
    2012-06-15 17:33 . 2012-06-15 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-06-15 08:48 . 2012-06-15 09:26 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-06-14 15:46 . 2012-06-14 15:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2012-06-14 15:38 . 2012-06-14 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-06-14 15:38 . 2012-06-14 15:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-06-14 15:38 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-13 13:34 . 2012-06-13 13:34 1409 ----a-w- c:\windows\QTFont.for
    2012-06-08 15:30 . 2012-06-08 15:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
    2012-06-08 15:28 . 2012-06-08 15:29 -------- dc-h--w- c:\windows\ie8
    2012-06-08 14:53 . 2012-06-08 14:53 -------- d-----w- c:\program files\Common Files\Java
    2012-06-08 14:52 . 2012-06-08 14:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-06-08 14:52 . 2012-06-08 14:52 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-06-08 14:52 . 2012-06-08 14:52 -------- d-----w- c:\program files\Java
    2012-06-07 09:51 . 2012-06-07 09:51 664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\d3d9caps.tmp
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
    2012-06-04 20:56 . 2012-06-04 20:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
    2012-05-31 17:48 . 2012-05-31 17:49 -------- d-----w- c:\program files\EZ Fonts
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-13 17:44 . 2012-04-05 06:12 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-06-13 17:44 . 2011-06-19 02:15 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-08 14:52 . 2010-12-16 03:16 472864 ----a-w- c:\windows\system32\deployJava1.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-01 68856]
    "Start WingMan Profiler"="c:\program files\Logitech\Profiler\lwemon.exe" [2004-04-23 77824]
    "PowerArchiver Tray"="c:\program files\PowerArchiver\PASTARTER.EXE" [2008-11-30 148288]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
    "SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "WheelMouse"="c:\program files\OCZ Technology\Mouse\Amoumain.exe" [2006-12-28 196608]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-15 479232]
    "Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-26 619008]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2009-9-15 479232]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DisplayKEY eSYNC Info.lnk - c:\dkeyusbcradle\SyncInfoApp.exe [2010-4-2 297472]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^DiskDoctor.lnk]
    path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\DiskDoctor.lnk
    backup=c:\windows\pss\DiskDoctor.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2008-02-18 19:36 1057064 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2008-02-27 18:03 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"=
    "c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}\\setup\\hpznui01.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    .
    R3 silabenm;GE Supra DisplayKey USB Cradle Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [7/6/2011 4:19 PM 24584]
    R3 silabser;GE Supra DisplayKey USB Cradle Driver;c:\windows\system32\drivers\silabser.sys [7/6/2011 4:19 PM 69256]
    S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 11:26 AM 136176]
    S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 2:12 AM 257224]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 11:26 AM 136176]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/15/2012 4:48 AM 40776]
    S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.SYS [3/27/2005 11:26 PM 21696]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-01-24 17:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-16 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 17:44]
    .
    2012-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 15:26]
    .
    2012-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 15:26]
    .
    2012-06-16 c:\windows\Tasks\User_Feed_Synchronization-{9C8C3BE7-D894-4540-AD52-1C1BE3AE0504}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
    IE: Lookup on Merriam Webster
    IE: Lookup on Wikipedia
    IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
    TCP: DhcpNameServer = 192.168.254.254
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0l4hw7l5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6d1b5&v=6.010.006.004&I=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
    BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
    Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
    HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
    HKLM-Run-Bing Bar - c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
    HKLM-Run-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
    HKLM-Run-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
    Notify-avgrsstarter - avgrsstx.dll
    AddRemove-HP Photo & Imaging - c:\program files\HP\Digital Imaging\uninstall\hpzscr01.exe
    AddRemove-Marine Aquarium 2, Sharks & Carousel Bundle - c:\program files\Prolific Publishing
    AddRemove-Google Chrome - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\17.0.963.79\Installer\setup.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-15 23:52
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1177238915-602162358-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]
    "DisplayName"="???\17?\11\09"
    "DeviceDesc"="???\17?\11\09"
    "ProviderName"="???\11???\11??"
    "MFG"="???????"
    "ReinstallString"=".10.1000.8"
    "DeviceInstanceIds"=multi:"d:\\ati\\atidrv\\sbdrv\\smbus\\smbusati.inf\00"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(760)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(2312)
    c:\windows\system32\WININET.dll
    c:\program files\Logitech\Profiler\LWEHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\dkeyusbcradle\SyncService.exe
    c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\dkeyusbcradle\ProxyDaemon.exe
    c:\dkeyusbcradle\stunnel-4.10.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-06-15 23:55:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-06-16 03:55
    .
    Pre-Run: 73,559,621,632 bytes free
    Post-Run: 74,725,367,808 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer
    .
    - - End Of File - - 50FB22110EB5FD453AC11ABACEC59C81
    Chuck
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Some things to keep in mind:

    1. Your hard drive has only about 50% free> C: is FIXED (NTFS) - 112 GiB total, 66.875 GiB free.
    It is best to run with as close to 80% free as possible. Take a look in Add/Remove Programs and uninstall any programs you don't use or need.
    2. Always check download screens for pre-checked items. These will be for toolbars and browser helper objects, usually unrelated to what you're downloading. These should always be unchecked before the download.
    3. If you are given a choice of Custom or Standard install, always choose Custom. That will help you prevent some useless bundled programs from being installed with the download.
    =============================================

    The scanners cannot read this. This appears to be the driver for the ATI SMBUS Controller but the source is questionable. It may be a part of your problem.

    ====================================================
    Please see if you can pick up at the Full Scan with Malwarebytes.
    Follow with the Eset scan> Disable the resident antivirus before running the scan.
    =====================================================
    The directions for Combofix say to do this:
    But the Combofix header shows Running from: e:\tech_ware\ComboFix.exe
    What or where is this? I have a script to run through Combofix, but it is saved to the desktop. If Combofix isn't on the desktop, you will not be able to drag the script into it.
    ===================================================
    If able to run, leave the new Mbam log and the Eset log, if there is one, in your next reply. Please detail what problems remain.
     
  10. CarolinaChuck

    CarolinaChuck TS Rookie Topic Starter

    OK,

    ComboFix is now on the desktop; the E: was my USB thumb drive. I'll ask about that when we finish this clean up.

    Here are the logs from full scan and ESet:

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.06.15.02
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Administrator :: SUPER-CHUCKIE [administrator]
    6/16/2012 9:53:57 PM
    mbam-log-2012-06-16 (21-53-57).txt
    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 380944
    Time elapsed: 38 minute(s), 19 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)

    ESet log:

    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP951\A0080557.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP956\A0082031.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP957\A0082212.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP962\A0082538.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP962\A0082629.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP962\A0082655.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP962\A0082758.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP963\A0082782.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP967\A0082816.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP967\A0082826.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP967\A0082839.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP967\A0082851.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP967\A0082863.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP967\A0082875.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP968\A0082897.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP970\A0083897.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP970\A0083915.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP975\A0084495.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP976\A0084527.sys Win32/Sirefef.DA trojan

    As far as what is not working: Avast is in an unsecured state and not responding to the Fix All button or the individual Start Now buttons.

    Chuck
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good! Mbam is clean. Eset has no new entries. System Volume is where the restore points are. Those entries are no longer active. When we have finished, I'll have you set a new, clean restore point and remove all of the old ones.

    I asked about how much RAM is installed.
    And about what problems you are now having.

    Please run Combofix again and I'll write the script from that log.

    Did you want to disinfect the flash drive?
    • Please download Panda USB Vaccine (you must provide a valid e-mail address and they will send the download link to that address) to your desktop.
    • Install and run it.
    • Plug in the USB drive and click on Vaccinate USB and Vaccinate computer.
     
  12. CarolinaChuck

    CarolinaChuck TS Rookie Topic Starter

    Ok,

    I have 4 GB of RAM in this machine.

    As for the problems I see: Avast is unresponsive; the browser seems to work fine, with no redirects or random windows opening. Right now this machine has no working AV.

    New log:

    ComboFix 12-06-16.02 - Administrator 06/17/2012 14:11:52.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2597 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    c:\program files\Mozilla Firefox\Plugins\npqtplugin2.dll
    c:\program files\Mozilla Firefox\Plugins\npqtplugin3.dll
    c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
    c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
    c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
    c:\program files\Mozilla Firefox\Plugins\npqtplugin7.dll
    c:\program files\QuickTime\Plugins\npqtplugin2.dll
    c:\program files\QuickTime\Plugins\npqtplugin3.dll
    c:\program files\QuickTime\Plugins\npqtplugin4.dll
    c:\program files\QuickTime\Plugins\npqtplugin5.dll
    c:\program files\QuickTime\Plugins\npqtplugin6.dll
    c:\program files\QuickTime\Plugins\npqtplugin7.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-17 to 2012-06-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-17 03:07 . 2012-06-17 03:07 -------- d-----w- c:\program files\ESET
    2012-06-16 02:48 . 2012-06-16 02:48 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-06-15 17:37 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-06-15 17:37 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-06-15 17:37 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-06-15 17:37 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-06-15 17:37 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-06-15 17:37 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-06-15 17:37 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-06-15 17:37 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-06-15 17:33 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-06-15 17:33 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-06-15 17:33 . 2012-06-15 17:33 -------- d-----w- c:\program files\AVAST Software
    2012-06-15 17:33 . 2012-06-15 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-06-14 15:46 . 2012-06-14 15:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2012-06-14 15:38 . 2012-06-14 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-06-14 15:38 . 2012-06-14 15:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-06-14 15:38 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-13 13:34 . 2012-06-13 13:34 1409 ----a-w- c:\windows\QTFont.for
    2012-06-08 15:30 . 2012-06-08 15:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
    2012-06-08 15:28 . 2012-06-08 15:29 -------- dc-h--w- c:\windows\ie8
    2012-06-08 14:53 . 2012-06-08 14:53 -------- d-----w- c:\program files\Common Files\Java
    2012-06-08 14:52 . 2012-06-08 14:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-06-08 14:52 . 2012-06-08 14:52 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-06-08 14:52 . 2012-06-08 14:52 -------- d-----w- c:\program files\Java
    2012-06-07 09:51 . 2012-06-07 09:51 664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\d3d9caps.tmp
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
    2012-06-04 20:56 . 2012-06-04 20:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
    2012-05-31 17:48 . 2012-05-31 17:49 -------- d-----w- c:\program files\EZ Fonts
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-13 17:44 . 2012-04-05 06:12 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-06-13 17:44 . 2011-06-19 02:15 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-08 14:52 . 2010-12-16 03:16 472864 ----a-w- c:\windows\system32\deployJava1.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-06-16_03.52.42 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2002-09-03 19:51 . 2012-06-16 03:53 540594 c:\windows\system32\perfh009.dat
    + 2002-09-03 19:51 . 2012-06-16 03:56 540594 c:\windows\system32\perfh009.dat
    + 2002-09-03 19:51 . 2012-06-16 03:56 109994 c:\windows\system32\perfc009.dat
    - 2002-09-03 19:51 . 2012-06-16 03:53 109994 c:\windows\system32\perfc009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-01 68856]
    "Start WingMan Profiler"="c:\program files\Logitech\Profiler\lwemon.exe" [2004-04-23 77824]
    "PowerArchiver Tray"="c:\program files\PowerArchiver\PASTARTER.EXE" [2008-11-30 148288]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
    "SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "WheelMouse"="c:\program files\OCZ Technology\Mouse\Amoumain.exe" [2006-12-28 196608]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-15 479232]
    "Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-26 619008]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2009-9-15 479232]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DisplayKEY eSYNC Info.lnk - c:\dkeyusbcradle\SyncInfoApp.exe [2010-4-2 297472]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^DiskDoctor.lnk]
    path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\DiskDoctor.lnk
    backup=c:\windows\pss\DiskDoctor.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2008-02-18 19:36 1057064 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2008-02-27 18:03 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}\\setup\\hpznui01.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    .
    R3 silabenm;GE Supra DisplayKey USB Cradle Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [7/6/2011 4:19 PM 24584]
    R3 silabser;GE Supra DisplayKey USB Cradle Driver;c:\windows\system32\drivers\silabser.sys [7/6/2011 4:19 PM 69256]
    S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 11:26 AM 136176]
    S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 2:12 AM 257224]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 11:26 AM 136176]
    S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.SYS [3/27/2005 11:26 PM 21696]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - MBAMSwissArmy
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-01-24 17:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-17 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 17:44]
    .
    2012-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 15:26]
    .
    2012-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 15:26]
    .
    2012-06-17 c:\windows\Tasks\User_Feed_Synchronization-{9C8C3BE7-D894-4540-AD52-1C1BE3AE0504}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
    IE: Lookup on Merriam Webster
    IE: Lookup on Wikipedia
    IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
    TCP: DhcpNameServer = 192.168.254.254
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0l4hw7l5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6d1b5&v=6.010.006.004&I=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-17 14:18
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1177238915-602162358-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4b,a9,fa,78,f6,9b,22,49,95,b6,a0,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4b,a9,fa,78,f6,9b,22,49,95,b6,a0,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,b5,79,66,e0,6f,55,43,9f,15,d2,\
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]
    "DisplayName"="???\17?\11\09"
    "DeviceDesc"="???\17?\11\09"
    "ProviderName"="???\11???\11??"
    "MFG"="???????"
    "ReinstallString"=".10.1000.8"
    "DeviceInstanceIds"=multi:"d:\\ati\\atidrv\\sbdrv\\smbus\\smbusati.inf\00"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(760)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2012-06-17 14:19:53
    ComboFix-quarantined-files.txt 2012-06-17 18:19
    ComboFix2.txt 2012-06-16 03:55
    .
    Pre-Run: 84,137,861,120 bytes free
    Post-Run: 84,129,132,544 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer
    .
    - - End Of File - - 66E558061BFDF9B4D215F0B2121B1F77
    Chuck
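
The log above records two settings that weaken the machine's posture: `AntiVirusOverride=1` under the Security Center key (Security Center's antivirus warning is switched off) and `EnableFirewall=0` for the standard firewall profile, alongside the usual firewall exceptions and open ports. The following script is an added example for this thread, not code from ComboFix or from the original poster. It parses ComboFix's `[key]` / `"name"=value` registry dump format and reports the weak settings; the sample input is the Security Center and firewall-policy block copied from the log above, trimmed to a few entries. The severity labels and the list of "user-writable" path fragments are this example's own choices.

```python
r"""Flag weak security settings in the registry sections of a ComboFix log.

Added example for this thread; not part of ComboFix or of the original post.
ComboFix prints registry keys in [brackets], values as "name"=value, and a
lone '.' as a spacer. SAMPLE_LOG is copied from the log in the thread.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info" (this example's own scale)
    key: str
    message: str


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')

# Security Center (XP SP2+) values that silence its warnings when set to 1.
SC_SUPPRESS = {"AntiVirusOverride": "antivirus", "AntiVirusDisableNotify": "antivirus",
               "FirewallOverride": "firewall", "FirewallDisableNotify": "firewall",
               "UpdatesDisableNotify": "Automatic Updates"}
# Folders a firewall exception should not normally point into (assumption).
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\",
                 "\\desktop\\", "\\my documents\\", "\\recycler\\")


def parse_reg_blocks(text):
    """Return {key_path: {value_name: raw_value}} from ComboFix registry lines."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            blocks[current][m.group(1)] = m.group(2).strip()
    return blocks


def reg_int(raw):
    """Decode 'dword:00000001' or '0 (0x0)' style values; None if not numeric."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)(?:\s*\(0x[0-9a-fA-F]+\))?$", raw)
    return int(m.group(1)) if m else None


def assess(blocks):
    findings = []
    for key, values in blocks.items():
        k = key.lower()
        if k.endswith("\\security center"):
            for name, raw in values.items():
                if name in SC_SUPPRESS and reg_int(raw) == 1:
                    findings.append(Finding("high", key,
                        f"{name}=1: Security Center {SC_SUPPRESS[name]} warnings are suppressed"))
        elif "\\firewallpolicy\\" in k:
            tail = k.split("\\firewallpolicy\\", 1)[1]
            profile = tail.split("\\")[0]
            if tail == profile and reg_int(values.get("EnableFirewall", "")) == 0:
                findings.append(Finding("high", key,
                    f"Windows Firewall is disabled for the {profile} profile"))
            elif tail.endswith("\\globallyopenports\\list"):
                for name, raw in values.items():
                    desc = raw.split(":", 2)[-1] if raw else "no description"
                    findings.append(Finding("info", key,
                        f"port {name} open to all remote hosts ({desc})"))
            elif tail.endswith("\\authorizedapplications\\list"):
                for name in values:
                    path = name.replace("\\\\", "\\").lower()   # undo reg-export doubling
                    if any(frag in path for frag in USER_WRITABLE):
                        findings.append(Finding("medium", key,
                            f"firewall exception for a program in a user-writable folder: {name}"))
    return findings


def triage(text):
    return assess(parse_reg_blocks(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.message}")
```

Run against a full ComboFix log the same way; the two "high" findings are the ones to ask the user about, since a firewall that is off and a Security Center that has been told not to warn about antivirus are exactly the conditions under which a machine like this one gets no warning that protection is missing. The open-port entries are informational: with the firewall disabled they make no difference, but they show what would be exposed once it is switched back on.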
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you see my note about this in my Reply #9?

    ==========================================
    The above is not correct. You restored back to BEFORE Avast did the scan, so there is nothing for it to remove! The program is on the system, but it has no scan results. Do you understand?
    ==---------------------> What you did-------------------->>
    1. I uninstalled AVG with AppRemover.
    2. I then put on Avast.
    3. Avast also did a restore point before it scanned.
    4. Next I went on to the ESET Online Scan and Avast went insane and would not let me go through it. Avast wanted to do a scan so I let it. It found Sirefef all over and I put the files in the Avast vault; also a ping.exe that I had to ignore. When the system rebooted I now have no connection to the internet (Local Area Connection).

    5. Remember, you restored back to the restore point BEFORE Avast scanned. So on your system, it hasn't found anything yet!
    ============================================
    Note: an antivirus program does not distinguish 'location.' The Avast scan is most likely finding these entries:
    C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP976\A0084527.sys Win32/Sirefef.DA trojan

    But in its 'dumbness', it can't distinguish that these entries are not active any longer. The System Volume folder is a protected system folder. These don't get 'quarantined' or 'deleted' in a security scan, even though you may see those words. As I told you, when the system is clean, I will have you set a new, clean restore point and remove the old one.

    As I mentioned, I made an exception and had you deliberately use the System Restore point made by Avast BEFORE it scanned.

    There were no new or active entries in the ESET scan.
    =======================================================

    This is curious >>>> These were entries in the first ComboFix log; they are all QuickTime plugins.
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
    2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll

    And deleted in the second scan:
    c:\program files\Mozilla Firefox\Plugins\npqtplugin2.dll
    c:\program files\Mozilla Firefox\Plugins\npqtplugin3.dll
    c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
    c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
    c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
    c:\program files\Mozilla Firefox\Plugins\npqtplugin7.dll

    along with the following

    c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    ------------------------------------
    c:\program files\QuickTime\Plugins\npqtplugin2.dll
    c:\program files\QuickTime\Plugins\npqtplugin3.dll
    c:\program files\QuickTime\Plugins\npqtplugin4.dll
    c:\program files\QuickTime\Plugins\npqtplugin5.dll
    c:\program files\QuickTime\Plugins\npqtplugin6.dll
    c:\program files\QuickTime\Plugins\npqtplugin7.dll
    .
    Where did you get these plugins? All 3 sets are the same.
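
The point made above about scanners not distinguishing 'location' is worth turning into a mechanical check. The following is an added example for this thread, not code from the helper or from any of the scanners used in it. It reads scanner output lines of the form `path threat-name`, and sorts each detection by where the file sits: a copy under `C:\System Volume Information\_restore{GUID}\RPnnn\` is an archived restore-point snapshot that cannot run and is dealt with by purging old restore points after the cleanup; a copy under ComboFix's quarantine folder (`C:\Qoobox\Quarantine`, a fact about ComboFix rather than something from this thread) is already disarmed; anything else is treated as live. The first sample line is the ESET hit quoted above; the remaining lines and their threat names are constructed for the example.

```python
r"""Sort antivirus detections by location: restore-point copy, quarantine, or live.

Added example for this thread; not code from the helper, ESET, Avast or ComboFix.
Only the first SAMPLE_DETECTIONS line comes from the thread; the rest are
constructed, and their threat names are placeholders.
"""
import re
from collections import defaultdict

SAMPLE_DETECTIONS = r"""
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP976\A0084527.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP976\A0084530.dll Win32/Sample.A trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\sample.dll.vir Win32/Sample.A trojan
C:\WINDOWS\system32\drivers\sample.sys Win32/Sample.B trojan
"""

# "<drive>:\...<ext>" followed by whitespace and the threat name; the path is
# matched lazily so directory names containing spaces do not break it.
_LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})\s+(?P<threat>\S.*)$")
# System Restore keeps per-point copies as _restore{GUID}\RPnnn\A00xxxxxx.<ext>.
_RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{(?P<guid>[0-9a-f-]+)\}\\rp(?P<rp>\d+)\\", re.I)

ADVICE = {
    "restore_point": "no running file to remove; after cleanup create a fresh restore "
                     "point and purge the old ones (Disk Cleanup > More Options)",
    "quarantine": "already disarmed by ComboFix; deleted when ComboFix is uninstalled",
    "live": "active file: remove it and find the autostart or driver entry that loads it",
    "unparsed": "line did not match '<path> <threat>'; inspect by hand",
}


def classify(path):
    """Return (kind, detail) for one detected file path."""
    m = _RESTORE_RE.search(path)
    if m:
        return "restore_point", f"RP{m.group('rp')} of _restore{{{m.group('guid')}}}"
    if "\\qoobox\\quarantine\\" in path.lower():   # ComboFix quarantine folder
        return "quarantine", "ComboFix quarantine copy"
    return "live", "file in a normal location; treat as active until proven otherwise"


def triage(text):
    """Group scanner lines into {kind: [(path, threat, detail), ...]}."""
    groups = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            groups["unparsed"].append((line, "", ""))
            continue
        kind, detail = classify(m.group("path"))
        groups[kind].append((m.group("path"), m.group("threat"), detail))
    return dict(groups)


def live_threats(text):
    """Distinct threat names that were found outside restore points and quarantine."""
    return sorted({threat for _, threat, _ in triage(text).get("live", [])})


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_DETECTIONS).items():
        print(f"== {kind}: {ADVICE[kind]}")
        for path, threat, detail in items:
            print(f"   {threat:28} {detail}\n      {path}")
```

Paste a scanner's findings in and read the `live` group first; an empty `live` group with a populated `restore_point` group is exactly the situation described above, where the scan is loud but there is nothing active left to remove.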
     
  14. CarolinaChuck

    CarolinaChuck TS Rookie Topic Starter

    Humm,

    Not sure, as I have not used the machine for anything other than this site and ESET... everything else has come in on the thumb drive when IE would not play; no thumb drive needed this go around. IE would not play with ESET, so I used Mozilla to run ESET this last time. I don't use Mozilla often, so I don't know if it brought it in or thought it needed it; either way I was not asked... All I have done is click on IE or Mozilla and closed them out. When I say IE would not play with ESET, it stopped responding when I tried to run ESET and required to be stopped using Ctrl/Alt/Del (Task Manager).

    As for the restore and the Avast: I am an ex-Marine and I am good with criticism and following directions; it just does not allow me to read between the lines well. Sorry, I am not the sharpest knife in the drawer when it comes to computers.

    HKEY_LOCAL_MACHINE refers to part of the registry; as such it is above my pay grade, so to speak. ATI: I have an ATI video card in this machine. As I recall, when I put this machine together I had an issue loading the driver from the supplied CD. This entry may date back to that time (2006/2007). I just chalked it up to a bad CD and used the motherboard's on-board video capabilities and went on with the program, pulling the driver off the web.

    I appreciate your patience,
    Chuck
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Chuck, for the ESET scan, did you realize the first set of instructions were in accordance with which browser you were using, or better said: "Do this if you use IE, or do this if you use a different browser." Once that distinction is made, the rest of the directions get picked up.

    As for the Avast restore, my explanation was meant to put your mind at ease, nothing else. No criticism> just a 'this is how it went.' I thought it was kind of cool to know that what the Avast scan found was no longer 'found' because we did a time travel to before the scan was run. I'm sorry if I failed to do a better job with the explanation.
    =================================================
    Maybe the flash drive you used had the infected plugins already on it. So when you loaded it onto the already infected system, the plugins also loaded. I think it would be a good idea to disinfect the flash drive:

    • Please download Panda USB Vaccine (you must provide a valid e-mail and they will send you a download link to this e-mail address) to your desktop.
    • Install and run it.
    • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
    ===============================================

    Sorry I can't help any more with the Registry entry: [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]

    Has there been any improvement in the system?
     
  16. CarolinaChuck

    CarolinaChuck TS Rookie Topic Starter

    Bobbye,

    You're good. I was trying to imply my shortcomings when it comes to such matters; my wife thinks I am smart on tech things, but I know I am over my head. The military analogy fell flat on its face, so let's try another: I played with race cars in my day and learned straight off that the car does all the work; I am just the ******* along for the ride...

    The computer seems back to the way it was. I find no issues. Let's go forward.

    Chuck
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Give yourself credit! You now have a clean, well running computer! Actually, about those cars: whether they were Matchbox cars or real race cars, you were the one who had to make them work!

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.
    • Empty the Recycle Bin
     
Topic Status:
Not open for further replies.
