TechSpot

Unable to install Adobe Update

By BillAllen55
Aug 25, 2010
  1. I'm thinking I may have a spyware/trojan issue.
    I have read through the 8-step removal process. I tried updating the Adobe reader.
    This was unsuccessful.
    This is the error I receive during the installation process:


    error:
    1402.Could not open key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\Imail.

    Verify That you have sufficient access to that key, or contact your support personnel.

    Can someone give me an idea why this is happening?
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Bill, that's a permission issue that we can work on. If this is the only problem you're having running the steps, please continue on with the rest of the thread and leave the logs for review.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    This is the first of my scans:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4473

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/24/2010 5:37:04 PM
    mbam-log-2010-08-24 (17-37-04).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 280750
    Time elapsed: 1 hour(s), 38 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\Anti Trojan Elite\MSVCRTD.DLL (Malware.Packer.Gen) -> Quarantined and deleted successfully.

    This is my second scan:

    Hijackthis!
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:16:20 AM, on 8/24/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\AOL\1279044589\ee\AOLSoftware.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\RocketDock\RocketDock.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ICQ6Toolbar\ICQ Service.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
    C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
    C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\AOL 9.1\waol.exe
    C:\Program Files\AOL 9.1\shellmon.exe
    C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
    C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
    O2 - BHO: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
    O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1279044589\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
    O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 8669 bytes

    I attempted to run a GMER scan which resulted in blue screening my system.

    I would appreciate whatever assistance one is able to provide.

    The issue is that the system seems a bit laggy from what it once was.
    I was on a website that was asking for survey questions.
    This was when I first noticed things starting to go wrong.

    I have done multiple virus/spyware scans but I'm not feeling as if it is all over.

    Please help.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Bill, I need for you to complete the steps here: http://www.techspot.com/vb/topic58138.html

    As I mentioned, skip the Adobe update for now, but please run DSS. It will generate 2 logs. Leave them both in your next reply. I don't have enough information from the HijackThis log; we'll run that later.
    For GMER, try one of the following:
    1. Uncheck 'Devices'
    2. Or run in Safe Mode.

    Mbam did find malware, but what do you mean by 'laggy'? If you mean the system is slow, part of the reason is because you have so much starting on boot, then running in the background.
     
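As an added illustration of the point above about how much starts on boot (this script is not part of the thread and is not a HijackThis tool), here is a small Python parser that pulls the Run-key autostarts (O4), AppInit_DLLs entries (O20) and services (O23) out of a HijackThis log and tallies them, so the persistence points a reviewer checks first can be listed without reading the whole log. The embedded sample log is constructed from a few lines of the log posted earlier in this thread; the section codes are HijackThis's own.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log posted in this
# thread, trimmed to one or two examples of each section the parser handles.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe

O2 - BHO: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
"""

# A HijackThis entry line: section code (O4, O23, R0, ...) followed by " - " and the detail.
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# Detail of an O4 line: "<hive>\..\<key>: [<entry name>] <command>"
O4_RE = re.compile(r"^(\S+?)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# Detail of an O23 line: "Service: <display name> - <owner> - <path>"
O23_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and a
    {section code: [detail, ...]} map (e.g. "O4" -> its Run-key entries)."""
    processes = []
    entries = defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].append(m.group(2))
    return processes, dict(entries)


def summarize(text):
    """Tally the load points a reviewer looks at first: Run-key autostarts (O4),
    AppInit_DLLs (O20), services (O23), plus the number of running processes
    and browser helper objects (O2)."""
    processes, entries = parse_hjt(text)
    autostart = []
    for detail in entries.get("O4", []):
        m = O4_RE.match(detail)
        if m:
            autostart.append({"hive": m.group(1), "key": m.group(2),
                              "name": m.group(3), "command": m.group(4)})
    services = []
    for detail in entries.get("O23", []):
        m = O23_RE.match(detail)
        if m:
            services.append({"name": m.group(1), "owner": m.group(2), "path": m.group(3)})
    # O20 also carries Winlogon Notify lines; keep only the AppInit_DLLs paths here.
    appinit = [d[len("AppInit_DLLs: "):] for d in entries.get("O20", [])
               if d.startswith("AppInit_DLLs: ")]
    return {
        "process_count": len(processes),
        "bho_count": len(entries.get("O2", [])),
        "autostart": autostart,
        "appinit_dlls": appinit,
        "services": services,
        # Services with no recorded publisher are the ones to verify by hand.
        "unknown_owner_services": [s for s in services if s["owner"] == "Unknown owner"],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("running processes:", report["process_count"])
    print("browser helper objects:", report["bho_count"])
    for a in report["autostart"]:
        print("autostart  %s\\%s  [%s]  %s" % (a["hive"], a["key"], a["name"], a["command"]))
    for dll in report["appinit_dlls"]:
        print("AppInit_DLLs:", dll)
    for s in report["unknown_owner_services"]:
        print("service with unknown owner:", s["name"], "->", s["path"])
```

Feed it the full log from the thread and the O4/O20/O23 lists come out grouped, which is the shortest way to see which entries belong to security tools you installed and which are toolbars or updaters you can remove.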
  5. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    Three of the four ain't too bad?

    View attachment Attach.txt

    View attachment DDS.txt

    View attachment SUPERAntiSpyware Scan Log - 08-26-2010 - 06-09-00.log

    When attempting to run the GMER scan it blue screened the system.
    I did not attempt to run it a second time.

    With this in mind, can you please look over the attached files?

    I'm not having significant issues with the system. Other than of course my concern for WHY it blue screened during the GMER scan. I would appreciate whatever assistance you can provide.

    I can see in my hijackthis scan that I 'do' have a lot of processes running.
    What can be done to correct this?


    Thanks
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Don't worry about the BSOD in GMER. A lot of users get it, for various reasons. It does not mean it's your problem. With what you are concerned about, I'd like you to do the following:

    Please run this Security Check. I think you may have some overlap in this area:
    Download Security Check and save it to your Desktop.
    • Double-click SecurityCheck.exe to run.
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
    ==================================================
    Regarding running unnecessary programs: Note: For uninstalls, see if the program has its own uninstaller. If it does, use that. If not, use Add/Remove Programs in the Control Panel:
    1. Ask Toolbar>> You will remove this program and all associated files. It is bundled with other downloads, rarely intentionally installed. Brings adware.
    2. Adobe Reader 9.3.3>> Uninstall. Don't need since you have FoxIt.
    3. Advertising Center>> Whatever this is, recommend uninstall.
    4. CCleaner>> Duplicate cleanup programs. Remove one.
       CleanUp!>> Same as above.
    5. Driver Detective>> Per the Restore points: you have been installing/uninstalling programs to check for driver updates. Driver Detective and Driver Whiz. Suggest you uninstall both and do your own driver update checks.
    6. FileHippo.com Update Checker>> Since speed is an issue, check for updates yourself. Uninstall.
    7. HiJackThis>> Duplicate. Old version. Remove both. Don't need to run in background. HJT is a diagnostic program that only needs to be run as needed.
       HijackThis 2.0.2>> Same as above.
    8. MSConfig CleanUp 1.2>> More cleanup. Do it yourself.
    9. Nero 8 Essentials>> Old version. Uninstall, keep v9.
       Nero 9 Essentials>> Keep this current version.
    10. Nero StartSmart>> Duplicate of same program. Remove oldest.
        Nero StartSmart OEM>> Same as above.
    11. PC Pitstop Exterminate2 2.0>> Checking to see if needed.
    12. Sophos Anti-Rootkit 1.5.0>> Uninstall. Use only if Rootkit suspected, with supervised cleaning help.
    13. Foxit Reader>> This replaces the Adobe Reader. If you only use it to read PDF files, don't run Creator and Editor. (Foxit Creator/Foxit PDF Editor)
    14. Removed COMODO Internet Security>> Did you replace the firewall?
    ==========================================


    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in your next reply.
    Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Do the uninstalls first. When through, reboot and run the Combofix scan. Paste the log in the next reply. You can split over 2 posts if needed.
     
  7. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    Requested Txt files

    View attachment checkup.txt

    ComboFix 10-08-25.01 - Philip Moore 08/26/2010 7:47.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1403 [GMT -7:00]
    Running from: c:\documents and settings\Philip Moore\My Documents\Downloads\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    Other Deletions

    c:\documents and settings\All Users\Application Data\page
    c:\documents and settings\All Users\Application Data\page\page.ico
    c:\documents and settings\All Users\Application Data\page\page.URL
    c:\program files\INSTALL.LOG
    c:\program files\PC Doc Pro v5
    c:\program files\PC Doc Pro v5\Log.txt
    c:\program files\PC Doc Pro v5\PC Doc Pro.ini
    c:\windows\a3kebook.ini
    c:\windows\akebook.ini
    c:\windows\ANS2000.INI
    c:\windows\system32\csftxctl.ocx

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-26 to 2010-08-26 )))))))))))))))))))))))))))))))
    .

    2010-08-26 14:40 . 2008-05-02 16:26 1414440 ----a-w- c:\windows\system32\ShellManager310E2D762.dll
    2010-08-26 00:52 . 2010-08-26 00:52 -------- d-----w- c:\documents and settings\Philip Moore\Application Data\Auslogics
    2010-08-22 12:22 . 2010-08-25 00:37 -------- d-----w- c:\program files\Anti Trojan Elite
    2010-08-21 23:07 . 2010-08-21 23:07 -------- d-----w- c:\documents and settings\Philip Moore\Local Settings\Application Data\Sunbelt Software
    2010-08-18 12:30 . 2010-08-22 14:29 -------- d-----w- c:\program files\NetworkView36
    2010-08-17 12:47 . 2010-08-17 15:23 -------- d-----w- c:\documents and settings\Philip Moore\Local Settings\Application Data\CutePDF Writer
    2010-08-17 12:44 . 2009-11-05 15:39 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
    2010-08-17 12:44 . 2010-08-17 12:44 -------- d-----w- c:\program files\Acro Software
    2010-08-17 12:22 . 2010-08-17 12:23 -------- d-----w- c:\program files\gs
    2010-08-12 18:29 . 2010-08-12 18:29 2772992 ----a-w- c:\windows\system32\GPhotos.scr
    2010-08-04 13:10 . 2010-07-27 05:30 705208 ----a-w- c:\documents and settings\Philip Moore\Application Data\Mozilla\Firefox\Profiles\yloszscu.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    2010-08-04 13:10 . 2010-07-27 05:30 978664 ----a-w- c:\documents and settings\Philip Moore\Application Data\Mozilla\Firefox\Profiles\yloszscu.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    2010-07-30 13:31 . 2010-07-29 01:27 1833576 ----a-w- c:\windows\SkyTel.exe
    2010-07-30 13:31 . 2010-07-29 01:27 1489512 ----a-w- c:\windows\RtlUpd.exe
    2010-07-30 13:31 . 2010-07-29 01:27 53864 ----a-w- c:\windows\system32\RtkCoInstXP.dll
    2010-07-30 13:31 . 2010-07-27 20:54 1251944 ----a-w- c:\windows\RtlExUpd.dll
    2010-07-30 13:18 . 2010-01-12 20:35 100896 ----a-w- c:\windows\system32\RTNUninst32.dll
    2010-07-30 13:05 . 2010-07-30 13:05 -------- d-----w- c:\program files\SmartTweak Software
    2010-07-30 12:55 . 2010-07-30 12:55 -------- d-----w- c:\documents and settings\Philip Moore\Application Data\NVIDIA
    2010-07-30 12:54 . 2010-08-24 22:56 -------- d-----w- c:\documents and settings\Philip Moore\Local Settings\Application Data\MotionDSP
    2010-07-30 12:54 . 2010-08-24 22:56 -------- d-----w- c:\documents and settings\Philip Moore\Application Data\MotionDSP
    2010-07-30 12:39 . 2010-07-30 12:42 -------- d-----w- c:\documents and settings\Philip Moore\Application Data\Smart PC Solutions

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-26 14:40 . 2009-02-15 17:56 -------- d-----w- c:\program files\Common Files\Nero
    2010-08-26 14:40 . 2009-02-15 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2010-08-26 14:38 . 2009-02-24 12:46 -------- d-----w- c:\program files\filehippo.com
    2010-08-26 14:25 . 2010-03-30 14:43 -------- d-----w- c:\program files\PCPitstop
    2010-08-26 14:24 . 2009-02-15 20:14 -------- d-----w- c:\program files\Google
    2010-08-26 14:22 . 2009-02-15 17:42 16608 ----a-w- c:\windows\gdrv.sys
    2010-08-26 14:21 . 2010-06-23 12:27 4167424 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-08-26 13:57 . 2009-03-26 13:32 -------- d-----w- c:\program files\Yahoo!
    2010-08-26 13:57 . 2009-08-06 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-08-26 13:00 . 2010-04-29 21:23 63488 ----a-w- c:\documents and settings\Philip Moore\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-08-26 13:00 . 2009-10-31 11:14 117760 ----a-w- c:\documents and settings\Philip Moore\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-08-25 22:29 . 2009-02-19 22:59 -------- d-----w- c:\program files\ICQ
    2010-08-25 14:20 . 2009-11-17 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-08-25 14:18 . 2009-03-05 14:39 -------- d-----w- c:\program files\Common Files\aol
    2010-08-24 22:58 . 2009-03-18 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-24 22:55 . 2009-11-15 14:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-08-24 16:23 . 2010-03-24 12:56 -------- d-----w- c:\documents and settings\Philip Moore\Application Data\QuickScan
    2010-08-21 23:06 . 2009-02-15 18:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-08-21 23:04 . 2009-02-15 19:00 -------- d-----w- c:\program files\CCleaner
    2010-08-16 12:48 . 2010-06-18 12:03 -------- d-----w- c:\program files\Auslogics
    2010-08-14 20:29 . 2009-02-15 20:02 -------- d-----w- c:\program files\nLite
    2010-08-14 20:21 . 2010-02-16 13:24 -------- d-----w- c:\program files\BSR Screen Recorder 4
    2010-08-11 13:16 . 2009-02-15 17:45 -------- d-----w- c:\program files\Realtek
    2010-08-08 23:48 . 2010-01-05 17:28 -------- d-----w- c:\program files\Last.fm
    2010-08-07 11:56 . 2010-07-09 13:09 -------- d-----w- c:\program files\MSN Toolbar Installer
    2010-08-02 12:20 . 2009-11-13 13:24 -------- d-----w- c:\documents and settings\Philip Moore\Application Data\CBS Interactive
    2010-08-01 19:04 . 2009-02-15 20:10 34744 ----a-w- c:\documents and settings\Philip Moore\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-01 12:12 . 2010-05-04 13:53 -------- d-----w- c:\program files\MSECACHE
    2010-07-31 12:47 . 2010-03-17 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania
    2010-07-31 11:43 . 2010-07-26 13:04 -------- d-----w- c:\program files\Free Window Registry Repair
    2010-07-30 12:58 . 2010-06-18 12:07 233696 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2010-07-30 12:58 . 2010-06-18 12:07 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2010-07-30 12:58 . 2010-06-18 12:07 233696 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2010-07-29 13:03 . 2010-05-31 13:36 -------- d-----w- c:\documents and settings\Philip Moore\Application Data\AVS4YOU
    2010-07-29 01:27 . 2009-05-12 13:57 359016 ----a-w- c:\windows\vncutil.exe
    2010-07-29 01:27 . 2009-02-15 17:46 84584 ----a-w- c:\windows\SOUNDMAN.EXE
    2010-07-29 01:27 . 2009-02-15 17:46 9721960 ----a-w- c:\windows\RTLCPL.EXE
    2010-07-29 01:27 . 2009-02-15 17:46 6108776 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
    2010-07-29 01:27 . 2009-05-12 13:57 129640 ----a-w- c:\windows\RtkAudioService.exe
    2010-07-29 01:27 . 2009-02-15 17:45 19557480 ----a-w- c:\windows\RTHDCPL.EXE
    2010-07-29 01:27 . 2009-02-15 17:45 2180712 ----a-w- c:\windows\MicCal.exe
    2010-07-29 01:27 . 2009-03-28 13:58 64104 ----a-w- c:\windows\ALCMTR.EXE
    2010-07-29 01:27 . 2009-02-15 17:45 2815592 ----a-w- c:\windows\ALCWZRD.EXE
    2010-07-26 13:27 . 2010-07-26 13:27 -------- d-----w- c:\program files\3B Software
    2010-07-26 12:47 . 2010-07-26 12:40 -------- d-----w- c:\documents and settings\Philip Moore\Application Data\Error Fix
    2010-07-26 12:43 . 2010-07-26 12:39 -------- d-----w- c:\program files\Error Fix
    2010-07-23 14:29 . 2009-02-24 13:06 -------- d-----w- c:\program files\Virtual Earth 3D
    2010-07-23 13:06 . 2009-02-15 18:27 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-23 13:05 . 2009-03-04 13:59 -------- d-----w- c:\program files\NVIDIA Corporation
    2010-07-17 12:42 . 2010-07-09 11:54 -------- d-----w- c:\program files\Ask.com
    2010-07-17 12:18 . 2010-07-09 12:27 -------- d-----w- c:\program files\Mozilla Firefox 4.0 Beta 1
    2010-07-16 18:34 . 2009-02-15 22:08 -------- d-----w- c:\documents and settings\Philip Moore\Application Data\LimeWire
    2010-07-16 18:34 . 2010-03-29 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-07-13 18:54 . 2010-07-13 18:09 -------- d-----w- c:\program files\AOL 9.1
    2010-07-13 18:11 . 2009-02-15 18:20 -------- d-----w- c:\documents and settings\Philip Moore\Application Data\AOL
    2010-07-13 18:11 . 2009-02-15 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
    2010-07-13 18:11 . 2010-07-13 18:09 -------- d-----w- c:\program files\Common Files\aolshare
    2010-07-13 18:09 . 2009-11-21 15:46 711392 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\sysinfo\SinfInst.exe
    2010-07-13 18:09 . 2009-02-15 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
    2010-07-13 18:08 . 2009-11-21 15:46 607392 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\tpspd\wbsetup.exe
    2010-07-13 18:08 . 2009-11-21 15:46 260040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\acs\ecuinst.exe
    2010-07-13 18:08 . 2009-11-21 15:46 15920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\ccu\ocpchk.dll
    2010-07-13 18:08 . 2009-11-21 15:46 6144 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\afix\ocfcheck.dll
    2010-07-13 18:04 . 2009-11-21 15:46 2439824 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\ccu\ocpinsti.exe
    2010-07-13 18:04 . 2009-11-21 15:46 11312 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\acs\ecuchk.dll
    2010-07-13 18:04 . 2009-11-21 15:46 1893728 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\waol-0.4334.34.7.exe
    2010-07-13 18:03 . 2009-11-21 15:45 1475416 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\ocp\ocpinst.exe
    2010-07-13 18:03 . 2009-11-21 15:45 45056 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\sysinfo\SiNdInst.dll
    2010-07-13 18:03 . 2009-11-21 15:45 67120 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\ccu\instSup.dll
    2010-07-13 18:03 . 2009-11-21 15:45 61440 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\vwpt\VPPrePop.exe
    2010-07-13 18:03 . 2009-11-21 15:45 54832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\parcon\AOLParconLink.exe
    2010-07-13 18:03 . 2009-11-21 15:44 8139800 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\acs\acssetup.exe
    2010-07-13 18:02 . 2009-11-21 15:44 99256 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\sm\sminstlp.exe
    2010-07-13 18:02 . 2009-11-21 15:44 62816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\ocp\ocpgc.exe
    2010-07-13 18:02 . 2009-11-21 15:44 1134216 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\flash\flash9ex.exe
    2010-07-13 18:02 . 2009-11-21 15:44 75104 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\ocp\instSup.dll
    2010-07-13 18:02 . 2009-11-21 15:44 10800 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\afix\wsfixchk.dll
    2010-07-13 18:02 . 2009-11-21 15:44 223152 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\afix\wsfinst.exe
    2010-07-13 18:02 . 2009-11-21 15:44 359184 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.7\comps\tb\tbsetup.exe
    2010-07-12 14:12 . 2010-07-12 14:12 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2010-07-12 14:07 . 2010-07-12 14:07 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
    2010-07-12 12:38 . 2010-07-12 12:38 -------- d-----w- c:\program files\Common Files\Java
    2010-07-12 12:37 . 2010-05-04 13:47 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-11 11:45 . 2010-07-11 11:45 2944904 ----a-w- c:\documents and settings\Philip Moore\Application Data\Mozilla\Firefox\Profiles\yloszscu.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
    2010-07-10 12:49 . 2010-01-01 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Wondershare
    2010-07-10 12:48 . 2009-11-30 19:12 -------- d-----w- c:\program files\Wondershare
    2010-07-09 23:24 . 2010-07-09 23:24 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2010-07-09 23:24 . 2010-07-09 23:24 277608 ----a-w- c:\windows\system32\nvmccs.dll
    2010-07-09 23:24 . 2010-07-09 23:24 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-07-09 23:24 . 2010-07-09 23:24 155752 ----a-w- c:\windows\system32\nvsvc32.exe
    2010-07-09 23:24 . 2010-07-09 23:24 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2010-07-09 23:24 . 2010-07-09 23:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
    2010-07-09 22:28 . 2009-03-01 16:29 32036 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-07-09 13:39 . 2009-11-20 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
    2010-07-09 13:39 . 2009-11-20 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
    2010-07-09 13:09 . 2010-07-09 13:09 -------- d-----w- c:\program files\MSN Toolbar
    2010-07-09 12:18 . 2010-07-09 12:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
    2010-07-09 12:18 . 2010-07-09 12:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
    2010-07-09 12:18 . 2010-07-09 12:18 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
    2010-07-07 20:46 . 2009-11-20 15:20 604776 ----a-w- c:\windows\system32\nvuninst.exe
    2010-08-22 14:58 . 2010-08-22 14:58 101768 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2008-06-03 50528]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2009-09-29 03:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^Philip Moore^Start Menu^Programs^Startup^Y'z Toolbar.lnk]
    backup=c:\windows\pss\Y'z Toolbar.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
    2006-03-23 08:13 1591808 ----a-w- c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBTUpd]
    2008-04-03 18:01 297480 ----a-w- c:\program files\GIGABYTE\GBTUpd\PreRun.exe

    PART ONE OF COMBO FIX. SEND SECOND PART DIRECTLY
     
  8. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    Part two of Combo fix

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-03-18 11:18 136176 ----atw- c:\documents and settings\Philip Moore\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\aol\1279044589\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2009-11-12 00:23 1468256 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2005-02-17 00:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
    2009-07-17 18:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
    2009-12-09 04:29 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-07-09 23:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-07-09 23:24 110696 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2010-07-08 06:52 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2010-07-29 01:27 19557480 ----a-w- c:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-07-19 17:50 2403568 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "IJPLMSVC"=2 (0x2)
    "GoogleDesktopManager-110408-113106"=3 (0x3)
    "ose"=3 (0x3)
    "Imapi Helper"=3 (0x3)
    "IDriverT"=3 (0x3)
    "gusvc"=3 (0x3)
    "gupdate1c9967e6b8fdeaa"=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" -b

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Winmx\\WinMX.exe"=
    "c:\\Program Files\\GIGABYTE\\EnergySaver\\run.exe"=
    "c:\\Program Files\\GIGABYTE\\GBTUpd\\RunUpd.exe"=
    "c:\\Program Files\\GIGABYTE\\GBTUpd\\GBTUpd.exe"=
    "c:\\Program Files\\ICQ\\Icq.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
    "c:\\Program Files\\Adobe Media Player\\Adobe Media Player.exe"=
    "c:\\Program Files\\GIGABYTE\\@BIOS\\UpdExe.exe"=
    "c:\\Program Files\\TmNationsForever\\TmForever.exe"=
    "c:\\Program Files\\AOL 9.1\\waol.exe"=
    "c:\\Program Files\\TmUnitedForever\\TmForever.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Documents and Settings\\Philip Moore\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Common Files\\aol\\1279044589\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/4/2010 7:31 AM 135336]
    R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2/19/2010 5:00 PM 148744]
    R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [2/15/2009 10:43 AM 80392]
    R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2/15/2009 11:30 AM 222456]
    S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/26/2009 6:43 AM 1691480]
    S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [7/12/2010 7:07 AM 23456]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [8/18/2005 1:00 AM 7168]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7E.tmp --> c:\windows\system32\7E.tmp [?]
    S4 gupdate1c9967e6b8fdeaa;Google Update Service (gupdate1c9967e6b8fdeaa);c:\program files\Google\Update\GoogleUpdate.exe [2/24/2009 5:50 AM 133104]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - ATWPKT2
    .
    Contents of the 'Scheduled Tasks' folder

    2009-12-16 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

    2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 12:50]

    2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 12:50]

    2010-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1303643608-725345543-1004Core.job
    - c:\documents and settings\Philip Moore\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:18]

    2010-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1303643608-725345543-1004UA.job
    - c:\documents and settings\Philip Moore\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:18]

    2009-11-14 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
    - c:\program files\Microsoft IntelliType Pro\itype.exe [2009-06-01 20:43]

    2009-11-14 c:\windows\Tasks\NSSstub.job
    - c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-05-08 12:36]

    2010-08-26 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-05-26 22:23]

    2010-01-17 c:\windows\Tasks\SmartDefrag.job
    - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-01-17 23:30]

    2010-08-26 c:\windows\Tasks\User_Feed_Synchronization-{4C7BC7CC-AEA4-4620-A730-E10550B9C4A5}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Trusted Zone: sitesell.com
    FF - ProfilePath - c:\documents and settings\Philip Moore\Application Data\Mozilla\Firefox\Profiles\yloszscu.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=BABTDF&PC=BBLN&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.cocc.edu/
    FF - prefs.js: keyword.URL - hxxp://inboxtoolbar.com/search/dispatcher.aspx?tp=sf&tbid=80105&language=en&qkw=
    FF - component: c:\documents and settings\Philip Moore\Application Data\Mozilla\Firefox\Profiles\yloszscu.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
    FF - component: c:\documents and settings\Philip Moore\Application Data\Mozilla\Firefox\Profiles\yloszscu.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    FF - component: c:\documents and settings\Philip Moore\Application Data\Mozilla\Firefox\Profiles\yloszscu.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
    FF - plugin: c:\documents and settings\Philip Moore\Application Data\Mozilla\Firefox\Profiles\yloszscu.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    FF - plugin: c:\documents and settings\Philip Moore\Application Data\Mozilla\plugins\npcoolirisplugin.dll
    FF - plugin: c:\documents and settings\Philip Moore\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox 4.0 Beta 1\plugins\npunagi2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    WebBrowser-{1E01C8AD-95BB-498A-8CAC-70FD1348936F} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    MSConfigStartUp-Anti Trojan Elite - c:\program files\Anti Trojan Elite\TJEnder.exe
    MSConfigStartUp-COMODO Internet Security - c:\program files\COMODO\COMODO Internet Security\cfp.exe
    MSConfigStartUp-FileHippo - c:\program files\filehippo.com\UpdateChecker.exe
    MSConfigStartUp-RebateInformer - c:\progra~1\REBATE~1\REBATE~1.EXE
    MSConfigStartUp-Windows Registry Repair Pro - c:\program files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EverestDriver]
    "ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt"

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\7E.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1547161642-1303643608-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    @Denied: (Full) (LocalSystem)

    [HKEY_USERS\S-1-5-21-1547161642-1303643608-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F679CE86-4DBE-74D7-4C73-9586DE8246D5}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10f_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10f_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    @=""
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    @=""
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    @=""
    "Installed"="1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(704)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2010-08-26 07:50:01
    ComboFix-quarantined-files.txt 2010-08-26 14:49

    Pre-Run: 357,893,189,632 bytes free
    Post-Run: 357,843,238,912 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - C3FF5749B6F5E9881ABB399DA5F42FC0
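    A triage pass over the service/driver lines of the ComboFix log above, added here as an example (it is not part of the thread and not a ComboFix component). It parses the `R1`/`S3`-style lines, resolves the `\??\x --> x` object paths, and flags entries whose image file is missing, lives in a temp location, or is a boot/auto-start kernel driver with no file behind it. The sample lines are copied from the log in this thread; the flag names and the list of "temp" directories are this example's own assumptions.

```python
"""Triage the service/driver section of a ComboFix log (added example).

ComboFix prints one line per registered service or driver:

    <R|S><start> name;display name;image path [date time size]

R/S = running/stopped, <start> is the Windows start type (0 boot, 1 system,
2 auto, 3 manual, 4 disabled), "\\??\\x --> x" means the registry holds an NT
object path, and "[?]" means ComboFix could not find the image on disk.
The sample lines below are copied from the log in this thread; the flag
names and the temp-directory list are this example's own choices.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
# Directories no legitimate service image should live in (assumption for this example).
TEMP_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")

SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2/19/2010 5:00 PM 148744]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7E.tmp --> c:\windows\system32\7E.tmp [?]
S4 gupdate1c9967e6b8fdeaa;Google Update Service (gupdate1c9967e6b8fdeaa);c:\program files\Google\Update\GoogleUpdate.exe [2/24/2009 5:50 AM 133104]
"""


@dataclass
class Entry:
    running: bool
    start: str
    name: str
    display: str
    image: str
    on_disk: bool
    flags: list = field(default_factory=list)


def parse_line(line: str):
    """Return an Entry for a service/driver line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, image, info = m.groups()
    if " --> " in image:  # keep the resolved Win32 path, drop the \??\ object path
        image = image.split(" --> ", 1)[1]
    return Entry(state == "R", START_TYPES[start], name.strip(), display.strip(),
                 image.strip(), info.strip() != "?")


def triage(entry: Entry) -> Entry:
    """Attach review flags; an empty list means nothing stood out."""
    low = entry.image.lower()
    if not entry.on_disk:
        entry.flags.append("image-missing")
    if low.endswith(".tmp") or any(d in low for d in TEMP_DIRS):
        entry.flags.append("temp-location")
    # A kernel driver registered to start at boot/system/auto whose file is gone
    # is a dangling entry: harmless today, live again if the file is recreated.
    if low.endswith(".sys") and entry.start in ("boot", "system", "auto") and not entry.on_disk:
        entry.flags.append("dangling-driver")
    return entry


def triage_log(text: str) -> dict:
    """Map service name -> flags for every service/driver line in the text."""
    entries = (parse_line(l) for l in text.splitlines())
    return {e.name: triage(e).flags for e in entries if e is not None}


if __name__ == "__main__":
    for name, flags in triage_log(SAMPLE_LOG).items():
        print(f"{name:28} {', '.join(flags) or 'ok'}")
```

    Run against the sample, MEMSWEEP2 comes out as both `image-missing` and `temp-location` (a service whose image is a `.tmp` file in system32), while the two LogMeIn / Anti Trojan Elite entries are `dangling-driver` leftovers of uninstalled products; the SUPERAntiSpyware and Google Update lines are clean. The flags are a reading aid for the helper, not a verdict: a missing file can equally mean a sloppy uninstaller.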
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let's try a different security check; some of the programs I see aren't showing on the one I had you run. For instance, Sunbelt Software (a leading provider of Windows security software, including antispyware software, endpoint security software and other) and AntiTrojan Elite:

    Download eSec-Info2.zip and save it to your Desktop.
    You will need to extract the file.
    • Right click on the zipped folder> click on Extract All...
    • Click on Next In the 'Extraction Wizard'window that opens
    • click on Next> and in the next window that appears
    • click on Finish in the final window
    • Double click on the folder Sec-info2.vbs to run
    • When completed, a text file named Sec-Info.txt is created in the same folder
    • Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

    I have to finish checking the Combofix log.
     
  10. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    Requested Txt File

    Bobbye:
    I wanted to tell you after the recommended scans the system seems to be much faster and more like how it once was.
    I think we are getting there.


    Script run: 8/27/2010 4:18:25 AM

    ~~~~~~~~~~~~~~~~~~~~~~~~

    Company Name: Avira GmbH
    AV Name: AntiVir Desktop
    Version Number: 10.0.1.44
    On-Access Scanning Enabled: Yes
    Product up-to-date: Yes

    ~~~~~~~~~~~~~~~~~~~~~~~~

    The Windows Firewall is enabled.

    ~~~~~~~~~~~~~~~~~~~~~~~~

    The Security Center Anti-Virus Alerts are enabled.
    The Security Center Firewall Alerts are enabled.

    ~~~~~~~~~~~~~~~~~~~~~~~~

    Number of Restore Points found: 108

    ~~~~~~~~~~~~~~~~~~~~~~~~


    Script run: 8/27/2010 4:19:58 AM

    ~~~~~~~~~~~~~~~~~~~~~~~~

    Company Name: Avira GmbH
    AV Name: AntiVir Desktop
    Version Number: 10.0.1.44
    On-Access Scanning Enabled: Yes
    Product up-to-date: Yes

    ~~~~~~~~~~~~~~~~~~~~~~~~

    The Windows Firewall is enabled.

    ~~~~~~~~~~~~~~~~~~~~~~~~

    The Security Center Anti-Virus Alerts are enabled.
    The Security Center Firewall Alerts are enabled.

    ~~~~~~~~~~~~~~~~~~~~~~~~

    Number of Restore Points found: 108

    ~~~~~~~~~~~~~~~~~~~~~~~~


    Script run: 8/27/2010 4:20:03 AM

    ~~~~~~~~~~~~~~~~~~~~~~~~

    Company Name: Avira GmbH
    AV Name: AntiVir Desktop
    Version Number: 10.0.1.44
    On-Access Scanning Enabled: Yes
    Product up-to-date: Yes

    ~~~~~~~~~~~~~~~~~~~~~~~~

    The Windows Firewall is enabled.

    ~~~~~~~~~~~~~~~~~~~~~~~~

    The Security Center Anti-Virus Alerts are enabled.
    The Security Center Firewall Alerts are enabled.

    ~~~~~~~~~~~~~~~~~~~~~~~~

    Number of Restore Points found: 108

    ~~~~~~~~~~~~~~~~~~~~~~~~
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't know why the security scans aren't picking up what I'm seeing! The scan should actually be listing what program you have by name: the only name I see is Avira. Looking at installed programs and running processes, I see these:
    Adobe Reader 9.3.3
    Avira AntiVir Personal
    COMODO Internet Security
    ESET Online Scanner v3
    Java(TM) 6 Update 21
    Malwarebytes' Anti-Malware
    Mozilla Firefox (3.6.8)
    PC Pitstop Exterminate2 2.0
    Sophos Anti-Rootkit 1.5.0
    Spybot - Search & Destroy
    Also see this: 2010-08-22 12:22:08 0 d-----w- c:\program files\Anti Trojan Elite

    These should be in the security check along with their versions to make sure they are up to date.

    And I found another driver program> 'Driver Cure'.

    Please run this Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\docume~1\philip~1\locals~1\temp\cpuz132\cpuz132_x32.sys
    c:\windows\system32\7e.tmp
    c:\program files\logmein\x86\rainfo.sys
    c:\documents and settings\All Users\Application Data\DriverCure
    c:\program files\anti trojan elite\atepmon.sys
    
    Folder::
    
    DDS::
    TB: {1E01C8AD-95BB-498A-8CAC-70FD1348936F} - No File
    TB: {C70E30C7-140A-4166-A2E8-43557E62B41A} - No File
    TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
    TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
    
    Registry::
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
    
    Driver::
    cpuz132
    MEMSWEEP2
    LMIInfo
    LMIRfsClientNP
    ATE_PROCMON
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    (screenshot: dragging CFScript.txt onto ComboFix.exe)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ===========================================
    Then run the Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
     
  12. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    Attempting to run Combofix

    Bobbye,
    After copying the data provided in your last reply,
    I then downloaded to my desktop a copy of the Combofix program.
    After this I shut down all browsers, and disabled my security protection. (Avira)
    I dragged the text file with info you provided to the Combofix program icon, from the desktop.
    I get through part of the installation process of the program and then receive this message:

    Errors encountered while performing the operation
    Look at the information window for more details.
    There is no 'information window' visible.

    I then restarted my system.

    As an additional piece of info, the link you provided did not allow me to download the combofix directly from your posting. I went to Bleeping computer and downloaded the combofix program from that website.
    I can't see how this would affect anything unless of course I didn't get the correct version that you had intended for me to have.


    I went through this process twice, (double checking the cut and paste) before responding to you.

    Your thoughts?
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Bill, you should already have Combofix on the desktop. The script does not require you to download it again, but runs from within the program you have on the desktop per the drag and drop.

    Instructions are:
    Save this as CFScript.txt, in the same location as ComboFix.exe
    (screenshot: dragging CFScript.txt onto ComboFix.exe)
    Referring to the picture above, drag CFScript into ComboFix.exe

    I had one other person do the same thing yesterday.
     
  14. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Bill, I'm a bit confused about the link that didn't work and the post I'm supposed to ignore. The link for Combofix works fine. As for the log, if you're referring to the security log post, yes, it wasn't what I gave you. This one is fine, although not all showing.

    But the Combofix still isn't right. You have given me the same log twice, without the script being run, so the deletions I set up haven't been done. This part, in the header: "Running from: c:\documents and settings\Philip Moore\My Documents\Downloads\ComboFix.exe" should be followed by this:
    "Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt"
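    A pre-flight check for the CFScript from post 11 and for the "Command switches used ::" header line described in post 15, added here as an example (it is not part of the thread and not a ComboFix component). It parses the `File::` / `Folder::` / `Driver::` sections, reports any path or driver name that does not appear in the ComboFix log the script was written from (a typo there means the deletion silently does nothing), and reads the next log's header to tell a scripted run from a plain rescan. The script and log fragments are built from the thread; the two header strings are constructed to match the format quoted in post 15, and the directive names are taken as ComboFix prints them, with no claim about what each does.

```python
"""Check a ComboFix CFScript against the log it was written from, and confirm
from the next log's header that ComboFix actually consumed the script (added
example; not a ComboFix component).

A CFScript is a series of sections, each a line ending in "::" (File::,
Folder::, Driver::, Registry::, RegLock::, ...) followed by one item per line;
blank lines are ignored.  ComboFix is the authority on what each directive
does; this only catches typos and copy/paste damage before anything is
deleted.  The script and log fragments below are built from the thread; the
header lines are constructed to match the format described in post 15.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);", re.MULTILINE)
SWITCHES_RE = re.compile(r"^Command switches used\s*::\s*(.+?)\s*$", re.MULTILINE | re.IGNORECASE)

SAMPLE_SCRIPT = r"""
File::
c:\windows\system32\7e.tmp
c:\program files\logmein\x86\rainfo.sys
c:\program files\anti trojan elite\atepmon.sys

Folder::
c:\documents and settings\All Users\Application Data\DriverCure

Driver::
MEMSWEEP2
LMIInfo
ATE_PROCMON
cpuz132
"""

SAMPLE_LOG = r"""
2010-07-09 13:39 . 2009-11-20 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7E.tmp --> c:\windows\system32\7E.tmp [?]
"""

# Constructed headers: the first is what a plain rescan prints, the second what
# a run with a dragged-on script prints (the path is the one quoted in post 15).
HEADER_PLAIN = "Running from: c:\\documents and settings\\Philip Moore\\My Documents\\Downloads\\ComboFix.exe\n"
HEADER_SCRIPTED = HEADER_PLAIN + "Command switches used :: c:\\documents and settings\\User\\Desktop\\CFScript.txt\n"


def parse_cfscript(text: str) -> dict:
    """Return {section: [items]} in file order; items keep their original case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def cross_check(script: dict, log: str) -> dict:
    """File::/Folder:: paths and Driver:: names the log never mentions.

    Matching is case-insensitive substring on paths and exact on service names.
    8.3 short paths (c:\\progra~1\\...) will not match the long paths ComboFix
    prints, so treat anything reported here as "look again", not "wrong".
    """
    log_low = log.lower()
    service_names = {n.strip().lower() for n in SERVICE_RE.findall(log)}
    missing = defaultdict(list)
    for section in ("File", "Folder"):
        for path in script.get(section, []):
            if path.lower() not in log_low:
                missing[section].append(path)
    for name in script.get("Driver", []):
        if name.lower() not in service_names:
            missing["Driver"].append(name)
    return dict(missing)


def script_switch(log: str):
    """Path from the 'Command switches used ::' header line, or None when
    ComboFix ran without a script (a plain rescan, so no deletions happened)."""
    m = SWITCHES_RE.search(log)
    return m.group(1) if m else None


if __name__ == "__main__":
    script = parse_cfscript(SAMPLE_SCRIPT)
    print("not found in log:", cross_check(script, SAMPLE_LOG))
    print("script used:", script_switch(HEADER_SCRIPTED))
    print("script used:", script_switch(HEADER_PLAIN))
```

    On the sample, every `File::` and `Folder::` path is accounted for and only the `cpuz132` driver name is unmatched, because no service line for it appears in the log excerpt used here. The header check is the quick answer to the mix-up in posts 12 to 15: if `script_switch()` returns `None`, the log came from a plain rescan and the script was never applied.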
     
  16. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    In your number 11 posting you put this sentence: Please run this Custom CFScript

    This link does not work. It does not give one an opportunity to click on it.

    I apologize for sending the incorrect combofix txt. I have searched my HDD and I don't have a combofix.txt dated from today.

    Would you recommend I run the combofix a second time?

    If so, can you include the txt that you want added to the combofix prior to starting it?
     
  17. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I went back and reread your post about Combofix- here's where the mixup was:
    1. Combofix must be downloaded and run first. There is a link for the download.
    2. After I view the log, if necessary, I write a 'custom' (just for you) script to move some files. I put this in the Code box (this is the custom script).
    3. You copy the text in the Code box, then paste it in the Notepad that you opened.
    4. The text (which is the script from the Code Box) is then dragged into the Combofix.txt.
    There is no link. I made the words Custom script in bold, purple text. It's not a link. Links are blue.
    5. When complete, we ask that the log generated after running the script be pasted into the next reply.

    CFScript to run: (see Code box)


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    
    Folder::
    c:\program files\Anti Trojan Elite
    c:\documents and settings\Philip Moore\Local Settings\Application Data\Sunbelt Software
    c:\documents and settings\All Users\Application Data\TEMP
    c:\program files\Free Window Registry Repair
    c:\program files\Error Fix
    c:\program files\Ask.com
    c:\documents and settings\Philip Moore\Application Data\LimeWire
    c:\documents and settings\All Users\Application Data\ParetoLogic
    c:\documents and settings\All Users\Application Data\DriverCure
    
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_USERS\S-1-5-21-1547161642-1303643608-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    
    RegNull::
    [HKEY_USERS\S-1-5-21-1547161642-1303643608-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F679CE86-4DBE-74D7-4C73-9586DE8246D5}*]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ===========================
    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
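    Before dragging a script you were handed into ComboFix, it is worth listing exactly what it will do: ComboFix runs with full privileges, and a Folder:: or RegLock:: entry cannot be undone. The following is an added example, not part of this thread and not ComboFix's own code. It is a small parser for the CFScript format used above that turns the script into a reviewable action list, warns about entries that look wrong (relative paths, a drive root under Folder::, unparsable registry lines, unknown directives) and points out registry keys under autostart or shell-extension locations. The meaning attributed to each directive is the commonly documented one and is an assumption here; the sample script is a subset of the one posted above.

```python
"""Turn a ComboFix CFScript into a reviewable action list (added example)."""
import re
from collections import defaultdict

# Assumed meaning of each directive (the ones used in the posted script).
DIRECTIVES = {
    "KillAll": "terminate running processes before any other action",
    "File": "delete the listed files",
    "Folder": "delete the listed folders",
    "RegLock": "remove registry keys that have been access-locked",
    "RegLockDel": "delete the listed values inside locked keys",
    "RegNull": "remove keys whose names contain embedded null characters",
}

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")
# A trailing '*' (used under RegNull::) marks the embedded-null key; drop it.
REG_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.*?)\*?\]$")
REG_VALUE_RE = re.compile(r'^("[^"]*"|@)=(.*)$')
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Autostart / shell-integration locations worth a second look (assumed list).
AUTOSTART_RE = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|Explorer|Winlogon|Policies)(\\|$)"
    r"|\\Shell Extensions\\Approved", re.I)


def parse_cfscript(text):
    """Return (actions, warnings). actions maps directive -> entries; a
    registry entry is (key, value_name, value_data), None where absent."""
    actions, warnings = defaultdict(list), []
    section = key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            section, key = m.group(1), None
            actions.setdefault(section, [])  # keep empty sections visible
            if section not in DIRECTIVES:
                warnings.append(f"line {lineno}: unknown directive {section}::")
        elif section is None:
            warnings.append(f"line {lineno}: entry before any directive: {line}")
        elif section in ("File", "Folder"):
            if not WIN_PATH_RE.match(line):
                warnings.append(f"line {lineno}: {section} entry is not an absolute path: {line}")
            elif line.rstrip("\\").count("\\") < 2:
                warnings.append(f"line {lineno}: {section} entry is a drive root or top-level folder: {line}")
            actions[section].append(line)
        elif section in ("RegLock", "RegLockDel", "RegNull"):
            km, vm = REG_KEY_RE.match(line), REG_VALUE_RE.match(line)
            if km:
                key = km.group(1)
                actions[section].append((key, None, None))
            elif vm and key:
                actions[section].append((key, vm.group(1).strip('"'), vm.group(2)))
            else:
                warnings.append(f"line {lineno}: unparsable registry entry: {line}")
        else:
            warnings.append(f"line {lineno}: {section}:: takes no entries: {line}")
    return dict(actions), warnings


def persistence_keys(actions):
    """Registry keys in the plan that sit under autostart or shell-extension paths."""
    hits = []
    for section in ("RegLock", "RegLockDel", "RegNull"):
        for key, _name, _data in actions.get(section, []):
            if AUTOSTART_RE.search(key) and key not in hits:
                hits.append(key)
    return hits


def summarize(actions):
    """Entry count per directive, for a one-line review."""
    return {d: len(entries) for d, entries in actions.items()}


# Constructed sample: a subset of the script posted in this thread.
SAMPLE = r"""
KillAll::
File::

Folder::
c:\program files\Ask.com
c:\documents and settings\All Users\Application Data\ParetoLogic

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_USERS\S-1-5-21-1547161642-1303643608-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

RegNull::
[HKEY_USERS\S-1-5-21-1547161642-1303643608-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F679CE86-4DBE-74D7-4C73-9586DE8246D5}*]
"""

if __name__ == "__main__":
    plan, problems = parse_cfscript(SAMPLE)
    for directive, entries in plan.items():
        print(f"{directive}:: ({DIRECTIVES.get(directive, 'UNKNOWN')})")
        for e in entries:
            print("   ", e if isinstance(e, str) else " -> ".join(str(x) for x in e if x))
    print("autostart-related keys:", *persistence_keys(plan), sep="\n  ")
    print("warnings:", problems)
```

    Run it on the full script from the Code box (saved as CFScript.txt) and read the Folder:: list and the autostart-related keys before you drag the file onto ComboFix.exe; anything you do not recognise is worth asking about first, since the tool will not ask again.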
  19. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    2 attachments

    Bobbye,

    Here are the two attachments.
    I wanted to stop and thank you very much for your assistance.
    I'm going back to school as a VERY old man and will be studying to become a
    Master Automotive Tech and NEED my computer in the best shape possible
    for study purposes.
    This is a tremendous help!

    View attachment log8.30.txt

    View attachment hijackthis.log
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You are very welcome. You will love going back to school- you'll be the best student in the class. When adults go back, their time is precious- each minute has to count. So they don't do the foolish things of youth that take time away from the learning process. The hardest thing you'll have to do is separate the information that has to stay in your brain from that which can be recalled later.

    I wish you the best! Been there, done that and it was one of the best experiences of my life!

    IF you want to keep the system in good shape, stay away from LimeWire and any other file sharing programs. Don't overload the browser with too many addons. Be careful in ICQ.

    Take this site out of the Trusted Zone. That zone has lower security and nothing needs to be in it:
    Use either the Control Panel or Tools in IE> Internet Options> Security tab> Trusted Sites> Sites:
    Paste in sitesell.com> Click on Remove> OK> Apply> OK
    Even if you participate there, it shouldn't be listed as a trusted site.

    I have removed significant content from your system. You can streamline it further by removing processes from Startup that you don't need to start on boot and run in the background. Additionally, check the Add/Remove Programs in the Control Panel. Uninstall anything you no longer use. If you don't know what it is, search.

    I don't see any remaining malware. How is the system running? Any problems? IF resolved, I'll have you remove the cleaning tools.
     
  21. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    Thanks to your fine direction, the computer is running much as it did when it was first assembled.
    The wife enjoys ICQ so, I am basically stuck with having this program on the system. She does not spend a lot of time there, she doesn't use it for transferring files. Which of the cleaning tools specifically are you suggesting that I remove? The Combofix and Eset? I have other maintenance tools that I use. Which should I remove?
     
  22. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    By the way, I believe early on in your direction, you said it was not a big deal to resolve the situation with the Adobe update. I use Firefox for my PDFs and the Firefox reader. Would you recommend that I get rid of Adobe Reader? Or is it better to correct the issue with getting it to update the files?

    The first part of my posting had to do, with not being able to update the Adobe program.
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you use the FoxIt Reader for PDF files, you do not need the Adobe Reader (sometimes shown as 'Acrobat') and it can be removed in Add/Remove Programs. The Adobe Reader has a lot of bloat that the FoxIt Reader doesn't have, but FoxIt does the same thing.

    The instructions I gave are for removal of the tools we used for cleaning: that would be Malwarebytes, GMER, DDS, Combofix, HijackThis and Eset. Some of these are free for one-time scanning only and not suitable to leave on the system.
     
  24. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    Bobbye,

    I believe issues relating to virus issues are resolved. I've been having connection issues with my Modem/router on and off for about 6 weeks. The service provider technician came out to the house and installed what he called an amplifier which from early service seems to have taken care of the problem. I believe you have corrected all issues and again I say thanks to you and feel all issues have been resolved.
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Glad to help. Check the following to help you stay clean:

    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
       This Tutorial will help guide you through Configuring Security Settings, Managing ActiveX Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
       • Antivirus Software (only one): Both of the following programs are free and known to be good:
         o Avira Free
         o Avast Home
       • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
         o Comodo
         o Zone Alarm
       • Antispyware: I recommend all of the following:
         o SpywareBlaster: protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
         o IE/Spyad: places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
         o MVPS Hosts file: replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
         o Google Toolbar: get the free Google toolbar to help stop pop-up windows.
    3. Stay current on updates:
       • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
       • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
       • Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
       • For Internet Explorer: Internet Options (through Tools or Control Panel)> Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
       • For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History'.)
       I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
         o AdBlock Plus
         o Easy List
    5. Do regular Maintenance
    6. Remove Temporary Internet Files regularly:
       • ATF Cleaner by Atribune
       OR
       • TFC
    7. Disable and Enable System Restore:
       • See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    8. Practice Safe Email Handling
       • Don't open email from anyone you don't know.
       • Don't open Attachments in the email. Save them to your desktop and scan for viruses using a right click.
       • Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.

    I'm going to close this thread now. Let me know if you have questions in the future.
     
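    The HOSTS-file technique in item 2 above cuts both ways: a blocklist like MVPS points ad and malware names at 127.0.0.1 or 0.0.0.0 so the connection dies on the local machine, and an infection uses the same file to send update or antivirus vendor names to an address it controls (the O1 lines in a HijackThis log). The following is an added example, not from this thread, MVPS or HijackThis, and it goes beyond the post by covering the hijack case: it parses a hosts file and separates the normal localhost lines, blocklist sinkholes, hijacks of sensitive names, and other redirects that need a look. The sensitive-name pattern and the sample file are constructed assumptions; 203.0.113.5 is a documentation address standing in for an attacker host.

```python
"""Audit a Windows HOSTS file: blocklist sinkholes versus hijacks (added example)."""
import ipaddress
import re

LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}
STANDARD_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumed: names an infection would redirect to block updates and vendor sites.
SENSITIVE_RE = re.compile(
    r"windowsupdate|update\.microsoft|microsoft\.com|avira|avast|malwarebytes|"
    r"kaspersky|symantec|mcafee|eset|trendmicro", re.I)


def parse_hosts(text):
    """Yield (lineno, ip, name) per mapping. Comments are stripped, one line
    may list several names, and a malformed line yields ip=None."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            ip = None
        if ip is None or len(parts) < 2:
            yield lineno, None, line
            continue
        for name in parts[1:]:
            yield lineno, ip, name.lower()


def audit_hosts(text):
    """Classify each mapping: 'standard' localhost lines, 'blocked' names
    sinkholed to the local machine (what a blocklist such as MVPS does),
    'hijacked' sensitive names sent to a real address, 'redirected' any other
    non-local mapping to review, 'malformed' lines that do not parse."""
    report = {k: [] for k in ("standard", "blocked", "hijacked", "redirected", "malformed")}
    for lineno, ip, name in parse_hosts(text):
        if ip is None:
            bucket = "malformed"
        elif ip in LOCAL_SINKS and name in STANDARD_NAMES:
            bucket = "standard"
        elif ip in LOCAL_SINKS:
            bucket = "blocked"
        elif SENSITIVE_RE.search(name):
            bucket = "hijacked"
        else:
            bucket = "redirected"
        report[bucket].append((lineno, ip, name))
    return report


# Constructed sample, not a real hosts file. 203.0.113.5 is a documentation
# address (RFC 5737) standing in for an attacker-controlled host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# [Start of MVPS-style block list]
0.0.0.0 ads.example.test
0.0.0.0 banners.example.test  cdn.banners.example.test  # two names, one line
127.0.0.1 www.tracking.example.test
# lines an infection would add
203.0.113.5 windowsupdate.microsoft.com
203.0.113.5 www.malwarebytes.org
203.0.113.5 www.example-bank.test
notanaddress www.example.test
"""

if __name__ == "__main__":
    for bucket, entries in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{bucket} ({len(entries)})")
        for lineno, ip, name in entries:
            print(f"  line {lineno}: {ip or '?'} -> {name}")
```

    On a real machine, feed it the contents of C:\WINDOWS\system32\drivers\etc\hosts; a clean MVPS install produces only 'standard' and 'blocked' entries, and anything in 'hijacked' or 'redirected' that you did not add yourself is the same kind of finding HijackThis reports under O1.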
Topic Status:
Not open for further replies.
