Unable to reach search engines

Solved
By pidjones
Jan 21, 2013
  1. This is for a friend's PC running XP (I'll get the version and post it later, but I believe it to be SP3), IE8, Firefox latest as of last week. None can reach the search engines, although they can reach other sites and do email. I have run Malwarebytes and SBS&D on it. Hijackthis reports a lot of 02 host redirects, and the host file was locked, but I was able to access it in safe mode and replace it with a plain vanilla, non-write-protected one. I have not looked for another (like in Windows/help). The box had AVG security, but it may be freshly installed. I plan to remove it and put him on MSSE when this is fixed. I plan to go over to his house this evening (in a couple of hours) and start with the suggested steps from the Preliminary Instructions sticky. Any other advice before then?
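The hosts-file redirects described in the post are the kind of thing worth triaging before replacing the file, so that you know what was being redirected and where. The following is an added example (not code from this thread or from any of the tools mentioned): it parses a constructed Windows hosts file and separates entries that redirect watched domains (search engines, AV update hosts) to a real IP from entries that merely null them to loopback. The watched-domain list and the 203.0.113.7 address are assumptions for illustration.

```python
"""Triage a Windows hosts file for suspicious redirects.

Added example for this thread; not code posted by anyone in it.
The sample hosts file and the flagged hostnames below are constructed.
"""
import ipaddress

# Addresses that "block" a name rather than send it somewhere else.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Assumption: domains an end-user machine should never pin in hosts.
# Search engines and AV update hosts are the ones this thread is about.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "malwarebytes.org", "avg.com", "microsoft.com",
)

# Entries shipped with a clean XP hosts file; these are never findings.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: a stock file with injected redirect/block lines.
# 203.0.113.7 is a documentation (TEST-NET-3) address used as a stand-in.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- constructed entries below, for illustration only ---
203.0.113.7     www.google.com google.com
203.0.113.7     www.bing.com
127.0.0.1       www.malwarebytes.org
0.0.0.0         update.avg.com
127.0.0.1       ads.example.net   # a benign ad-blocker style entry
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines.

    A line may map several hostnames to one address; each becomes a pair.
    Lines whose first field is not a valid IP are skipped, not fatal.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def triage_hosts(text):
    """Classify every non-default entry.

    kind == "redirect": watched host sent to a non-loopback address
    kind == "block":    watched host nulled to loopback (update blocking)
    kind == "other":    anything else that is not a stock entry
    """
    findings = []
    for ip, host in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        if is_watched(host):
            kind = "block" if ip in LOOPBACK else "redirect"
        else:
            kind = "other"
        findings.append({"ip": ip, "host": host, "kind": kind})
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {"redirect": 3, "block": 2, "other": 1}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_hosts(SAMPLE_HOSTS)
    for f in results:
        print(f"{f['kind']:8} {f['host']:24} -> {f['ip']}")
    print(summarize(results))
```

On a live machine, read `C:\WINDOWS\system32\drivers\etc\hosts` in place of `SAMPLE_HOSTS`; a file that has had its read-only attribute set, as in the post, still reads fine and only resists being overwritten.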
  2. pidjones


    I ran the AVG that is installed on it. It found and cleaned a Trojan horse BackDoor.Generic16.XFU

    [HJT log removed by Broni]

    Here is the MB log from today:

    Malwarebytes Anti-Malware 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.01.21.09

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Eddie :: BAILIFF-AB9682E [administrator]

    1/21/2013 5:35:19 PM
    mbam-log-2013-01-21 (17-35-19).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 194052
    Time elapsed: 4 minute(s), 39 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  3. pidjones


    Here is the DDS.txt log from today:


    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702
    Run by Eddie at 17:45:46 on 2013-01-21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.457 [GMT -5:00]
    .
    AV: AVG Internet Security 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: AVG Internet Security 2012 *Enabled*
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\AVG\AVG2013\avgui.exe
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
    C:\Program Files\AVG\AVG2013\avgwdsvc.exe
    C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
    TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\13.3.0.17\AVG Secure Search_toolbar.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\ahead\data\xtras\mssysmgr.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
    mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1358616790875
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\13.3.2\ViProtocol.dll
    Notify: igfxcui - igfxdev.dll
    Notify: SDWinLogon - SDWinLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\eddie\application data\mozilla\firefox\profiles\heqxw2b0.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\13.3.2\npsitesafety.dll
    FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
    FF - plugin: c:\program files\marineaquarium3free_57ei\installr\1.bin\NP57EISb.dll
    FF - ExtSQL: 2013-01-01 10:49; specialsavings@vshsolutions.com; c:\documents and settings\eddie\application data\mozilla\extensions\specialsavings@vshsolutions.com
    FF - ExtSQL: 2013-01-02 14:19; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 55776]
    R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 177376]
    R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 94048]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 35552]
    R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 179936]
    R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 19936]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 159712]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 164832]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-12-13 26984]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2012-10-22 196664]
    R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2013-1-19 439632]
    R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-1-19 1103392]
    R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-1-19 1369624]
    R2 vToolbarUpdater13.3.2;vToolbarUpdater13.3.2;c:\program files\common files\avg secure search\vtoolbarupdater\13.3.2\ToolbarUpdater.exe [2012-12-13 894920]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
    S2 5606;5606;\??\c:\docume~1\eddie\locals~1\temp\5606.sys --> c:\docume~1\eddie\locals~1\temp\5606.sys [?]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2012-11-15 5814904]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-1-19 168384]
    S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-1-19 35144]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2013-01-19 20:25:31 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2013-01-19 20:08:23 -------- d-----w- c:\documents and settings\eddie\application data\Malwarebytes
    2013-01-19 20:08:07 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2013-01-19 20:08:05 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-01-19 20:08:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-01-19 19:35:32 -------- d-----w- c:\documents and settings\all users\application data\Trend Micro
    2013-01-19 19:34:15 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2013-01-19 19:33:58 15224 ----a-w- c:\windows\system32\sdnclean.exe
    2013-01-19 19:33:52 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
    2013-01-19 19:02:09 -------- d-----w- c:\program files\WinPcap
    2013-01-19 19:01:52 -------- d-----w- c:\program files\Trend Micro
    2013-01-19 18:13:22 -------- d-----w- c:\windows\pss
    2013-01-19 18:00:35 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2013-01-07 21:40:44 -------- d-----w- c:\program files\CCleaner
    2013-01-07 20:42:33 -------- d-----w- c:\windows\system32\appmgmt
    2013-01-04 14:58:36 -------- d-----w- c:\documents and settings\eddie\application data\AVG
    2013-01-04 14:57:27 -------- d-----w- c:\documents and settings\all users\application data\AVG
    2013-01-04 14:57:12 -------- d-sh--w- c:\documents and settings\all users\application data\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
    2013-01-03 17:24:25 -------- d-----w- c:\documents and settings\eddie\application data\Systweak
    2013-01-01 15:49:47 -------- d-----w- c:\documents and settings\eddie\application data\SpecialSavings
    2013-01-01 15:47:24 -------- d-----w- c:\windows\system32\XPSViewer
    2013-01-01 15:46:46 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2013-01-01 15:44:55 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2013-01-01 15:44:55 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2013-01-01 15:44:55 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2013-01-01 15:44:55 117760 ------w- c:\windows\system32\prntvpt.dll
    2013-01-01 15:44:54 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2013-01-01 15:44:54 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2013-01-01 15:44:53 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2013-01-01 15:44:53 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2013-01-01 15:44:52 -------- d-----w- C:\2c2bd26be38239c57f4297a4c4
    2013-01-01 15:43:13 -------- d-----w- c:\documents and settings\eddie\application data\DriverCure
    2013-01-01 15:43:06 -------- d-----w- c:\documents and settings\eddie\application data\SparkTrust
    2013-01-01 15:41:57 -------- d-----w- c:\documents and settings\all users\application data\SparkTrust
    .
    ==================== Find3M ====================
    .
    2013-01-09 07:21:14 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-01-09 07:21:14 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-13 16:00:53 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2012-11-17 23:37:56 18360 ----a-w- c:\windows\system32\roboot.exe
    2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
    2012-11-06 02:01:39 1371648 ------w- c:\windows\system32\msxml6.dll
    2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
    2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec
    .
    ============= FINISH: 17:46:06.92 ===============
  4. pidjones


    And the Attach.txt from today:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/29/2011 6:42:40 PM
    System Uptime: 1/20/2013 8:14:19 PM (21 hours ago)
    .
    Motherboard: Dell Inc. | | 0ND237
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 74 GiB total, 57.691 GiB free.
    D: is CDROM ()
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP311: 10/23/2012 9:52:55 PM - System Checkpoint
    RP312: 10/24/2012 10:16:02 PM - System Checkpoint
    RP313: 10/25/2012 10:38:51 PM - System Checkpoint
    RP314: 10/26/2012 11:38:51 PM - System Checkpoint
    RP315: 10/28/2012 12:38:50 AM - System Checkpoint
    RP316: 10/29/2012 1:38:50 AM - System Checkpoint
    RP317: 10/30/2012 7:50:15 AM - System Checkpoint
    RP318: 10/31/2012 8:03:10 AM - System Checkpoint
    RP319: 11/1/2012 8:11:30 AM - System Checkpoint
    RP320: 11/2/2012 8:12:28 AM - System Checkpoint
    RP321: 11/3/2012 9:10:26 AM - System Checkpoint
    RP322: 11/4/2012 9:09:21 AM - System Checkpoint
    RP323: 11/5/2012 10:09:21 AM - System Checkpoint
    RP324: 11/6/2012 10:31:08 AM - System Checkpoint
    RP325: 11/7/2012 11:04:50 AM - System Checkpoint
    RP326: 11/8/2012 11:09:21 AM - System Checkpoint
    RP327: 11/9/2012 11:28:28 AM - System Checkpoint
    RP328: 11/9/2012 2:00:13 PM - Software Distribution Service 3.0
    RP329: 11/10/2012 2:37:22 PM - System Checkpoint
    RP330: 11/11/2012 2:53:00 PM - System Checkpoint
    RP331: 11/12/2012 4:52:33 PM - System Checkpoint
    RP332: 11/13/2012 5:18:59 PM - System Checkpoint
    RP333: 11/14/2012 6:18:59 PM - System Checkpoint
    RP334: 11/15/2012 6:29:33 PM - System Checkpoint
    RP335: 11/16/2012 2:00:14 PM - Software Distribution Service 3.0
    RP336: 11/17/2012 2:33:47 PM - System Checkpoint
    RP337: 11/18/2012 3:02:26 PM - System Checkpoint
    RP338: 11/19/2012 3:39:21 PM - System Checkpoint
    RP339: 11/20/2012 5:07:56 PM - System Checkpoint
    RP340: 11/21/2012 5:39:22 PM - System Checkpoint
    RP341: 11/22/2012 6:39:21 PM - System Checkpoint
    RP342: 11/23/2012 7:41:42 PM - System Checkpoint
    RP343: 11/24/2012 8:01:30 PM - System Checkpoint
    RP344: 11/25/2012 8:51:20 PM - System Checkpoint
    RP345: 11/26/2012 10:17:19 PM - System Checkpoint
    RP346: 11/27/2012 10:18:51 PM - System Checkpoint
    RP347: 11/28/2012 10:39:19 PM - System Checkpoint
    RP348: 11/29/2012 11:44:05 PM - System Checkpoint
    RP349: 11/30/2012 11:48:18 PM - System Checkpoint
    RP350: 12/2/2012 12:39:18 AM - System Checkpoint
    RP351: 12/3/2012 1:39:18 AM - System Checkpoint
    RP352: 12/4/2012 1:48:12 AM - System Checkpoint
    RP353: 12/5/2012 3:04:32 AM - System Checkpoint
    RP354: 12/6/2012 3:39:18 AM - System Checkpoint
    RP355: 12/7/2012 4:39:18 AM - System Checkpoint
    RP356: 12/8/2012 6:15:23 AM - System Checkpoint
    RP357: 12/9/2012 7:03:22 AM - System Checkpoint
    RP358: 12/10/2012 7:39:16 AM - System Checkpoint
    RP359: 12/11/2012 8:39:18 AM - System Checkpoint
    RP360: 12/12/2012 8:41:07 AM - System Checkpoint
    RP361: 12/12/2012 2:00:14 PM - Software Distribution Service 3.0
    RP362: 12/13/2012 10:58:50 AM - Installed AVG 2013
    RP363: 12/13/2012 10:59:02 AM - Removed AVG 2012
    RP364: 12/13/2012 10:59:33 AM - Installed AVG 2013
    RP365: 12/13/2012 11:02:29 AM - Removed AVG 2012
    RP366: 12/14/2012 11:28:42 AM - System Checkpoint
    RP367: 12/15/2012 3:14:25 PM - System Checkpoint
    RP368: 12/16/2012 3:28:41 PM - System Checkpoint
    RP369: 12/17/2012 4:42:43 PM - System Checkpoint
    RP370: 12/18/2012 5:09:10 PM - System Checkpoint
    RP371: 12/19/2012 5:12:24 PM - System Checkpoint
    RP372: 12/20/2012 5:17:25 PM - System Checkpoint
    RP373: 12/21/2012 2:00:15 PM - Software Distribution Service 3.0
    RP374: 12/22/2012 2:00:19 PM - System Checkpoint
    RP375: 12/23/2012 2:27:28 PM - System Checkpoint
    RP376: 12/24/2012 3:00:19 PM - System Checkpoint
    RP377: 12/25/2012 4:36:18 PM - System Checkpoint
    RP378: 12/26/2012 5:00:17 PM - System Checkpoint
    RP379: 12/27/2012 6:00:17 PM - System Checkpoint
    RP380: 12/28/2012 7:00:17 PM - System Checkpoint
    RP381: 12/29/2012 7:57:20 PM - System Checkpoint
    RP382: 12/30/2012 8:13:18 PM - System Checkpoint
    RP383: 12/31/2012 8:19:59 PM - System Checkpoint
    RP384: 1/1/2013 10:44:26 AM - PC Performer Tue, Jan 01, 13 10:43
    RP385: 1/1/2013 10:45:57 AM - Installed Windows KB954550-v5.
    RP386: 1/1/2013 10:46:28 AM - Printer Driver Microsoft XPS Document Writer Installed
    RP387: 1/2/2013 11:00:15 AM - System Checkpoint
    RP388: 1/2/2013 2:00:14 PM - Software Distribution Service 3.0
    RP389: 1/2/2013 2:54:41 PM - Printer Driver Microsoft XPS Document Writer Installed
    RP390: 1/3/2013 3:28:44 PM - System Checkpoint
    RP391: 1/4/2013 9:57:59 AM - Installed AVG PC TuneUp
    RP392: 1/4/2013 10:02:40 AM - Software Distribution Service 3.0
    RP393: 1/5/2013 12:19:34 PM - System Checkpoint
    RP394: 1/6/2013 1:25:10 PM - System Checkpoint
    RP395: 1/7/2013 1:32:38 PM - System Checkpoint
    RP396: 1/7/2013 3:42:30 PM - Removed ASPCA TriMini Reminder by We-Care.com v5.0.5.1
    RP397: 1/7/2013 3:43:16 PM - Removed AVG PC TuneUp
    RP398: 1/7/2013 3:43:36 PM - Removed AVG PC TuneUp Language Pack (en-US)
    RP399: 1/7/2013 3:47:35 PM - Removed Iminent Toolbar For Internet Explorer
    RP400: 1/7/2013 3:50:10 PM - Removed SpecialSavings
    RP401: 1/7/2013 3:51:07 PM - Configured Ulead Drop Spot
    RP402: 1/8/2013 4:16:21 PM - System Checkpoint
    RP403: 1/9/2013 4:17:26 PM - System Checkpoint
    RP404: 1/10/2013 2:00:13 PM - Software Distribution Service 3.0
    RP405: 1/11/2013 3:06:44 PM - System Checkpoint
    RP406: 1/12/2013 5:21:09 PM - System Checkpoint
    RP407: 1/13/2013 5:57:43 PM - System Checkpoint
    RP408: 1/14/2013 6:56:37 PM - System Checkpoint
    RP409: 1/15/2013 2:00:13 PM - Software Distribution Service 3.0
    RP410: 1/16/2013 2:20:41 PM - System Checkpoint
    RP411: 1/17/2013 3:41:10 PM - System Checkpoint
    RP412: 1/18/2013 4:32:41 PM - System Checkpoint
    RP413: 1/19/2013 12:10:18 PM - Installed Microsoft Fix it 50195
    RP414: 1/19/2013 12:38:11 PM - Software Distribution Service 3.0
    RP415: 1/19/2013 2:17:48 PM - Restore Operation
    RP416: 1/19/2013 2:22:36 PM - Restore Operation
    RP417: 1/19/2013 2:25:04 PM - Restore Operation
    RP418: 1/20/2013 2:36:18 PM - System Checkpoint
    RP419: 1/21/2013 3:18:57 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.5)
    AVG 2013
    CCleaner
    Compatibility Pack for the 2007 Office system
    File Type Assistant
    Final Media Player 2012
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB2756822)
    Hotfix for Windows XP (KB2779562)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB981793)
    HP Deskjet 3740
    HP Software Update
    Intel(R) Graphics Media Accelerator Driver
    Malwarebytes Anti-Malware version 1.70.0.1100
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Mozilla Firefox 18.0.1 (x86 en-US)
    Mozilla Maintenance Service
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero PhotoShow Express
    Nero Suite
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB2699988)
    Security Update for Windows Internet Explorer 8 (KB2722913)
    Security Update for Windows Internet Explorer 8 (KB2744842)
    Security Update for Windows Internet Explorer 8 (KB2761465)
    Security Update for Windows Internet Explorer 8 (KB2799329)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2655992)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2691442)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB2698365)
    Security Update for Windows XP (KB2705219)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB2712808)
    Security Update for Windows XP (KB2718523)
    Security Update for Windows XP (KB2719985)
    Security Update for Windows XP (KB2723135)
    Security Update for Windows XP (KB2724197)
    Security Update for Windows XP (KB2727528)
    Security Update for Windows XP (KB2731847)
    Security Update for Windows XP (KB2753842-v2)
    Security Update for Windows XP (KB2753842)
    Security Update for Windows XP (KB2757638)
    Security Update for Windows XP (KB2758857)
    Security Update for Windows XP (KB2761226)
    Security Update for Windows XP (KB2770660)
    Security Update for Windows XP (KB2779030)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    Spybot - Search & Destroy
    Trend Micro RUBotted 2.0 Beta
    Ulead PhotoImpact 8
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB2661254-v2)
    Update for Windows XP (KB2718704)
    Update for Windows XP (KB2736233)
    Update for Windows XP (KB2749655)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinPcap 4.1.1
    WordPerfect Office 12
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/19/2013 3:06:57 PM, error: Service Control Manager [7031] - The Spybot-S&D 2 Updating Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/19/2013 2:34:16 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Security Center Service service to connect.
    1/19/2013 2:34:16 PM, error: Service Control Manager [7000] - The Spybot-S&D 2 Security Center Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/19/2013 12:32:18 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    1/19/2013 12:27:54 PM, error: Service Control Manager [7034] - The vToolbarUpdater13.3.2 service terminated unexpectedly. It has done this 1 time(s).
    1/19/2013 1:38:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    1/19/2013 1:38:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AVGIDSDriver AVGIDSShim Avgldx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    1/19/2013 1:38:36 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    1/19/2013 1:38:36 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/19/2013 1:38:36 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/19/2013 1:38:36 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    1/19/2013 1:38:36 PM, error: Service Control Manager [7001] - The AVGIDSAgent service depends on the AVGIDSDriver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/19/2013 1:38:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/15/2013 2:17:15 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.
    1/15/2013 2:17:15 PM, error: Service Control Manager [7000] - The 5606 service failed to start due to the following error: The system cannot find the file specified.
    .
    ==== End Of File ===========================
  5. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    Searched for another Hosts file and found none. The box still cannot reach any search engines (google, etc.); it says "Connecting to www.google.com" but never connects, then gets a "Problem loading page" error.

    I need to head home now. I'll monitor the thread for the next action and take it when I can (probably tomorrow after work).

    Thanks for the service!
  6. Broni

    Broni Malware Annihilator Posts: 46,319   +252

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    ==========================

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt
  7. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    Thanks. I'll do these tomorrow after work and report/post logs.
  8. Broni

    Broni Malware Annihilator Posts: 46,319   +252

  9. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    The last MBAR said no malware! getting there!

    RK report 1:

    RogueKiller V8.4.3 [Jan 21 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Eddie [Admin rights]
    Mode : Scan -- Date : 01/22/2013 18:26:53

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 3 ¤¤¤
    [Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\5606 (C:\DOCUME~1\Eddie\LOCALS~1\Temp\5606.sys) -> FOUND
    [Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\5606 (C:\DOCUME~1\Eddie\LOCALS~1\Temp\5606.sys) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED ([INLINE] atapi.sys @ 0xF7427852)

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST380819AS +++++
    --- User ---
    [MBR] 38609dd6bb9e9dc8a55f097b525ed00a
    [BSP] cbb50d5200fd87549f83a5a797df3ad4 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76285 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1]_S_01222013_02d1826.txt >>
    RKreport[1]_S_01222013_02d1826.txt

    RK report 2:

    RogueKiller V8.4.3 [Jan 21 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Eddie [Admin rights]
    Mode : Remove -- Date : 01/22/2013 18:27:27

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 3 ¤¤¤
    [Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\5606 (C:\DOCUME~1\Eddie\LOCALS~1\Temp\5606.sys) -> DELETED
    [Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\5606 (C:\DOCUME~1\Eddie\LOCALS~1\Temp\5606.sys) -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED ([INLINE] atapi.sys @ 0xF7427852)

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST380819AS +++++
    --- User ---
    [MBR] 38609dd6bb9e9dc8a55f097b525ed00a
    [BSP] cbb50d5200fd87549f83a5a797df3ad4 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76285 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[2]_D_01222013_02d1827.txt >>
    RKreport[1]_S_01222013_02d1826.txt ; RKreport[2]_D_01222013_02d1827.txt
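As an added illustration of what the two RK reports above are saying (this is my example code, not part of the thread and not RogueKiller's own code), here is a small parser that turns a report into structured findings and applies the checks that matter in this case: a service whose image lives under a user's Temp directory (the 5606 service pointing at C:\DOCUME~1\Eddie\LOCALS~1\Temp\5606.sys) is kernel code being loaded from a user-writable path, an inline hook on the IRP_MJ_INTERNAL_DEVICE_CONTROL handler of atapi.sys means something sits between the OS and the disk, and any hosts entry other than localhost deserves a look. The report excerpt inside the block is a constructed subset of the log posted above, with one extra hosts line (www.google.com) added so the hosts check has something to flag; the severity labels and the "user-writable path" patterns are my own choices, not RogueKiller's.

```python
"""Structured triage of a RogueKiller report (added example, not RK code).
SAMPLE_REPORT is a constructed subset of the report in the thread plus one
hosts line added to exercise the hosts-file check."""
import re
from dataclasses import dataclass

SAMPLE_REPORT = r"""
RogueKiller V8.4.3 [Jan 21 2013] by Tigzy
Mode : Scan -- Date : 01/22/2013 18:26:53

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\5606 (C:\DOCUME~1\Eddie\LOCALS~1\Temp\5606.sys) -> FOUND
[Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\5606 (C:\DOCUME~1\Eddie\LOCALS~1\Temp\5606.sys) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED ([INLINE] atapi.sys @ 0xF7427852)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.google.com

¤¤¤ MBR Check: ¤¤¤
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) ¤¤¤$")
ENTRY_RE = re.compile(r"^\[(?P<cat>[^\]]+)\](?:\[(?P<sub>[^\]]+)\])? (?P<body>.+?) -> (?P<status>.+)$")
IMAGE_PATH_RE = re.compile(r"\((?P<path>[^()]*\.(?:sys|exe|dll))\)", re.IGNORECASE)
HOOK_RE = re.compile(r"^IRP\[(?P<irp>[^\]]+)\] : (?P<driver>\S+) -> HOOKED "
                     r"\(\[(?P<kind>\w+)\] (?P<target>\S+) @ (?P<addr>0x[0-9A-Fa-f]+)\)$")
# Heuristic (mine): locations a non-admin user can write to on XP.
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|LOCALS~1|DOCUME~1|Documents and Settings|Users)\\", re.IGNORECASE)
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


@dataclass
class Finding:
    section: str
    detail: str
    severity: str  # "suspicious" or "critical"


def split_sections(text):
    """Return [(section name, [lines])] using RK's '¤¤¤ name ¤¤¤' headers."""
    sections = [("header", [])]
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            sections.append((m["name"], []))
        else:
            sections[-1][1].append(line)
    return sections


def analyse(text):
    findings = []
    for name, lines in split_sections(text):
        if name.startswith("Registry"):
            for line in lines:
                m = ENTRY_RE.match(line)
                if not m:
                    continue
                sev = "suspicious"
                detail = f"{m['cat']}/{m['sub'] or '-'}: {m['body']} [{m['status']}]"
                pm = IMAGE_PATH_RE.search(m["body"])
                if pm and USER_WRITABLE_RE.search(pm["path"]):
                    sev = "critical"  # driver/service image in a user-writable path
                    detail += " (image in user-writable directory)"
                findings.append(Finding(name, detail, sev))
        elif name.startswith("Driver"):
            for line in lines:
                m = HOOK_RE.match(line)
                if m:  # inline IRP hook in a storage driver: disk I/O is being filtered
                    findings.append(Finding(name, f"{m['irp']} of {m['driver']} "
                                            f"{m['kind']}-hooked at {m['addr']}", "critical"))
        elif name.startswith("HOSTS"):
            for line in lines:
                if not line or line.startswith(("-->", "#")):
                    continue
                ip, *names = line.split()
                foreign = [n for n in names if n.lower() not in LOCAL_NAMES]
                if foreign:  # a stock XP hosts file maps nothing but localhost
                    findings.append(Finding(name, f"{ip} -> {', '.join(foreign)}", "suspicious"))
    return findings


def triage(text):
    """Severity counts, handy for deciding whether to move on to a rootkit scanner."""
    counts = {"critical": 0, "suspicious": 0}
    for f in analyse(text):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in analyse(SAMPLE_REPORT):
        print(f"[{f.severity:10}] {f.section}: {f.detail}")
    print(triage(SAMPLE_REPORT))
```

Both RK reports in the thread produce three critical findings with this logic: the two ControlSet copies of the 5606 service and the atapi.sys hook. The hook is the one RogueKiller did not remove, which is why the next step was a dedicated anti-rootkit scan.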
  10. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    MBAR report 1:

    Malwarebytes Anti-Rootkit BETA 1.01.0.1016
    www.malwarebytes.org

    Database version: v2013.01.22.09

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Eddie :: BAILIFF-AB9682E [administrator]

    1/22/2013 6:42:49 PM
    mbar-log-2013-01-22 (18-42-49).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 25050
    Time elapsed: 12 minute(s), 44 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\WINDOWS\system32\drivers\acpi.sys (Rootkit.RLoader) -> Delete on reboot.

    (end)

    MBAR report 2:

    Malwarebytes Anti-Rootkit BETA 1.01.0.1016
    www.malwarebytes.org

    Database version: v2013.01.22.09

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Eddie :: BAILIFF-AB9682E [administrator]

    1/22/2013 7:01:17 PM
    mbar-log-2013-01-22 (19-01-17).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 25039
    Time elapsed: 11 minute(s), 12 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  11. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    MBAR system-log.txt:

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1016

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 2.793000 GHz
    Memory total: 1063325696, free: 462282752

    ------------ Kernel report ------------
    01/22/2013 18:29:27
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    ACPI.sys
    \WINDOWS\system32\DRIVERS\WMILIB.SYS
    pci.sys
    isapnp.sys
    pciide.sys
    \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    MountMgr.sys
    ftdisk.sys
    dmload.sys
    dmio.sys
    PartMgr.sys
    VolSnap.sys
    atapi.sys
    cercsr6.sys
    \WINDOWS\System32\Drivers\SCSIPORT.SYS
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltmgr.sys
    sr.sys
    KSecDD.sys
    Ntfs.sys
    NDIS.sys
    Mup.sys
    avgrkx86.sys
    avglogx.sys
    avgmfx86.sys
    avgidshx.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\ialmnt5.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\b57xp32.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\drivers\smwdm.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\drivers\senfilt.sys
    \SystemRoot\system32\DRIVERS\fdc.sys
    \SystemRoot\system32\DRIVERS\parport.sys
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\system32\DRIVERS\imapi.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\redbook.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\psched.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\system32\DRIVERS\rdpdr.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\flpydisk.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \??\C:\WINDOWS\system32\drivers\avgtpx86.sys
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\DRIVERS\avgtdix.sys
    \SystemRoot\system32\DRIVERS\ipnat.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \SystemRoot\system32\DRIVERS\avgldx86.sys
    \SystemRoot\system32\DRIVERS\usbprint.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\avgidsshimx.sys
    \SystemRoot\system32\DRIVERS\avgidsdriverx.sys
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\Drivers\Fastfat.SYS
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\ialmdnt5.dll
    \SystemRoot\System32\ialmrnt5.dll
    \SystemRoot\System32\ialmdev5.DLL
    \SystemRoot\System32\ialmdd5.DLL
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\drivers\wdmaud.sys
    \SystemRoot\system32\drivers\sysaudio.sys
    \SystemRoot\system32\DRIVERS\mrxdav.sys
    \SystemRoot\System32\Drivers\ParVdm.SYS
    \SystemRoot\system32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\npf.sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \??\C:\DOCUME~1\Eddie\LOCALS~1\Temp\mbr.sys
    \SystemRoot\system32\drivers\kmixer.sys
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8656cab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
    Lower Device Object: 0xffffffff8656ed98
    Lower Device Driver Name: \Driver\atapi\
    Driver name found: atapi
    Initialization returned 0x0
    Load Function returned 0x0
    Downloaded database version: v2013.01.22.09
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8656cab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8658ab70, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8656cab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8656ed98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
    ------------ End ----------
    Upper DeviceData: 0xffffffffe1348a20, 0xffffffff8656cab8, 0xffffffff8547c040
    Lower DeviceData: 0xffffffffe2b69cd8, 0xffffffff8656ed98, 0xffffffff8605b310
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\WINDOWS\system32\drivers...
    Infected: C:\WINDOWS\system32\drivers\acpi.sys --> [Rootkit.RLoader]
    Replacement file found for a file C:\WINDOWS\system32\drivers\acpi.sys
    File C:\WINDOWS\system32\drivers\acpi.sys --> [Forged file]
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: A2D0A2C

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 156232062
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 80000000000 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-156230000-156250000)...
    Done!
    Performing system, memory and registry scan...
    Read File: File "c:\Documents and Settings\All Users\Application Data\AVG2013\chjw\d68c5dc28c5d9db5.dat" is sparse (flags = 32768)
    Read File: File "c:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Avg2013\log\avgcore.log.1" is compressed (flags = 1)
    Done!
    Scan finished
    Creating System Restore point...
    Scheduling clean up...
    <<<2>>>
    Device number: 0, partition: 1
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Removal scheduling successful. System shutdown needed.
    System shutdown occurred
    =======================================


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1016

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 2.793000 GHz
    Memory total: 1063325696, free: 658419712

    Removal queue found; removal started
    Removal finished
    =======================================
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1016

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 2.793000 GHz
    Memory total: 1063325696, free: 531345408

    ------------ Kernel report ------------
    01/22/2013 18:49:51
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    ACPI.sys
    \WINDOWS\system32\DRIVERS\WMILIB.SYS
    pci.sys
    isapnp.sys
    pciide.sys
    \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    MountMgr.sys
    ftdisk.sys
    dmload.sys
    dmio.sys
    PartMgr.sys
    VolSnap.sys
    atapi.sys
    cercsr6.sys
    \WINDOWS\System32\Drivers\SCSIPORT.SYS
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltmgr.sys
    sr.sys
    KSecDD.sys
    Ntfs.sys
    NDIS.sys
    Mup.sys
    avgrkx86.sys
    avglogx.sys
    avgmfx86.sys
    avgidshx.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\ialmnt5.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\b57xp32.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\drivers\smwdm.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\drivers\senfilt.sys
    \SystemRoot\system32\DRIVERS\fdc.sys
    \SystemRoot\system32\DRIVERS\parport.sys
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\system32\DRIVERS\imapi.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\redbook.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\psched.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\system32\DRIVERS\rdpdr.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\flpydisk.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \??\C:\WINDOWS\system32\drivers\avgtpx86.sys
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\DRIVERS\avgtdix.sys
    \SystemRoot\system32\DRIVERS\ipnat.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\usbprint.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\avgldx86.sys
    \SystemRoot\system32\DRIVERS\avgidsshimx.sys
    \SystemRoot\system32\DRIVERS\avgidsdriverx.sys
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\Drivers\Fastfat.SYS
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\ialmdnt5.dll
    \SystemRoot\System32\ialmrnt5.dll
    \SystemRoot\System32\ialmdev5.DLL
    \SystemRoot\System32\ialmdd5.DLL
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\drivers\wdmaud.sys
    \SystemRoot\system32\drivers\sysaudio.sys
    \SystemRoot\system32\DRIVERS\mrxdav.sys
    \SystemRoot\System32\Drivers\ParVdm.SYS
    \SystemRoot\system32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\npf.sys
    \SystemRoot\system32\drivers\kmixer.sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8653eab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
    Lower Device Object: 0xffffffff86541d98
    Lower Device Driver Name: \Driver\atapi\
    Driver name found: atapi
    Initialization returned 0x0
    Load Function returned 0x0
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8653eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff865a0e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8653eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff86541d98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
    ------------ End ----------
    Upper DeviceData: 0xffffffffe1291a98, 0xffffffff8653eab8, 0xffffffff857ce4e0
    Lower DeviceData: 0xffffffffe11c7ae8, 0xffffffff86541d98, 0xffffffff864f44c0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\WINDOWS\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: A2D0A2C

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 156232062
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 80000000000 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-156230000-156250000)...
    Done!
    Performing system, memory and registry scan...
    Read File: File "c:\Documents and Settings\All Users\Application Data\AVG2013\chjw\d68c5dc28c5d9db5.dat" is sparse (flags = 32768)
    Done!
    Scan finished
    =======================================
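The MBAR system log above flags acpi.sys as a forged file and repairs it because a "replacement file" was found. The same idea can be applied by hand on XP: hash every driver in system32\drivers, compare it with the protected copies Windows keeps in system32\dllcache (and ServicePackFiles\i386), and list whatever differs or has no reference copy at all. The block below is an added example of mine, not part of the thread and not Malwarebytes' code; it builds a small constructed directory tree instead of reading a real XP installation, and the two XP paths in XP_REFERENCE_DIRS are what you would pass on a real box.

```python
"""Driver integrity check against Windows File Protection reference copies.
Added example; the directory tree built by build_demo_tree() is constructed
for the demo and stands in for C:\WINDOWS\system32\drivers and dllcache."""
import hashlib
import tempfile
from pathlib import Path

# Where XP keeps pristine copies of protected system files (assumed defaults).
XP_REFERENCE_DIRS = [r"C:\WINDOWS\system32\dllcache", r"C:\WINDOWS\ServicePackFiles\i386"]


def sha256_of(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(drivers_dir, reference_dirs):
    """Map driver file name -> 'ok' | 'MISMATCH' | 'no-reference'.

    'ok' means the live file matches at least one reference copy; 'MISMATCH'
    means a reference exists and the live file differs (what MBAR reported for
    acpi.sys); 'no-reference' is typical for third-party drivers and needs a
    vendor/Authenticode check instead.
    """
    report = {}
    refs = [Path(d) for d in reference_dirs]
    for drv in sorted(Path(drivers_dir).glob("*.sys")):
        live = sha256_of(drv)
        ref_hashes = [sha256_of(r / drv.name) for r in refs if (r / drv.name).is_file()]
        if not ref_hashes:
            status = "no-reference"
        elif live in ref_hashes:
            status = "ok"
        else:
            status = "MISMATCH"
        report[drv.name.lower()] = status
    return report


def build_demo_tree(root):
    """Constructed sample: one untouched driver, one patched driver, one third-party driver."""
    root = Path(root)
    drivers, cache = root / "drivers", root / "dllcache"
    drivers.mkdir()
    cache.mkdir()
    clean_atapi = b"MZ\x90\x00 constructed stand-in for a clean atapi.sys"
    clean_acpi = b"MZ\x90\x00 constructed stand-in for a clean acpi.sys"
    (cache / "atapi.sys").write_bytes(clean_atapi)
    (cache / "acpi.sys").write_bytes(clean_acpi)
    (drivers / "atapi.sys").write_bytes(clean_atapi)
    # A loader stub appended to the live copy only: same name, different bytes.
    (drivers / "acpi.sys").write_bytes(clean_acpi + b"\x90\x90 injected loader stub")
    (drivers / "vendor.sys").write_bytes(b"MZ\x90\x00 third-party driver, no cached copy")
    return drivers, [cache]


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        drivers, refs = build_demo_tree(tmp)
        return compare_drivers(drivers, refs)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:13} {name}")
```

Two caveats a practitioner would want. First, the reference copies are ordinary files and can be replaced too, so a clean result only means "live file matches the cache", not "file is genuine"; a mismatch is the strong signal. Second, the RK reports above show atapi.sys with an inline hook on its I/O path, and a rootkit in that position can hand a scanner the original bytes while the disk holds the patched ones, so run a check like this from a boot CD or with the drive slaved to a clean machine before trusting a clean verdict from inside the infected OS.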
     
  12. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    They will be at church tomorrow, so it will be Thursday before I can do more. I hope to finish this week, as I start 16 hour work days on Monday.

    Thanks so much for your help! They now have Google back, but I have advised them to avoid browsing until we finish (and I remove the about-to-expire AVG and install MSSE).
  13. Broni

    Broni Malware Annihilator Posts: 46,319   +252

    Cool beans :)

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ===========================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there, use the restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
  14. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    Well, I may actually get to work on it tomorrow after all. I will try to get there before they leave for church and then lock up when I leave.
  15. Broni

    Broni Malware Annihilator Posts: 46,319   +252

  16. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    Well, I ran Combofix and it ran peacefully after it upgraded itself, but I had only disabled AVG 2013. It looks like I need to uninstall it and run Combofix again. Here is the Combofix log:

    ComboFix 13-01-23.01 - Eddie 01/23/2013 17:14:20.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.467 [GMT -5:00]
    Running from: c:\documents and settings\Eddie\Desktop\ComboFix.exe
    AV: AVG Internet Security 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: AVG Internet Security 2012 *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\data
    c:\data\default\us_sres.data
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Eddie\Application Data\Toolbar4
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-12-23 to 2013-01-23 )))))))))))))))))))))))))))))))
    .
    .
    2013-01-19 20:08 . 2013-01-19 20:08 -------- d-----w- c:\documents and settings\Eddie\Application Data\Malwarebytes
    2013-01-19 20:08 . 2013-01-19 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2013-01-19 20:08 . 2013-01-19 20:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-01-19 20:08 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-01-19 19:35 . 2013-01-19 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
    2013-01-19 19:34 . 2013-01-19 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2013-01-19 19:33 . 2009-01-25 17:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
    2013-01-19 19:33 . 2013-01-19 19:34 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
    2013-01-19 19:02 . 2013-01-19 19:16 -------- d-----w- c:\program files\WinPcap
    2013-01-19 19:01 . 2013-01-19 19:01 -------- d-----w- c:\program files\Trend Micro
    2013-01-19 18:00 . 2008-04-14 05:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2013-01-19 17:41 . 2013-01-19 17:41 -------- d-----w- c:\documents and settings\Eddie\Local Settings\Application Data\Mozilla
    2013-01-19 17:41 . 2013-01-19 17:41 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2013-01-01 15:49 . 2013-01-01 15:49 -------- d-----w- c:\documents and settings\Eddie\Application Data\SpecialSavings
    2013-01-01 15:47 . 2013-01-02 19:36 -------- d-----w- c:\windows\system32\XPSViewer
    2013-01-01 15:47 . 2013-01-01 15:47 -------- d-----w- c:\program files\MSBuild
    2013-01-01 15:47 . 2013-01-01 15:47 -------- d-----w- c:\program files\Reference Assemblies
    2013-01-01 15:46 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2013-01-01 15:44 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2013-01-01 15:44 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2013-01-01 15:44 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2013-01-01 15:44 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2013-01-01 15:44 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2013-01-01 15:44 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2013-01-01 15:44 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2013-01-01 15:44 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2013-01-01 15:44 . 2013-01-01 15:46 -------- d-----w- C:\2c2bd26be38239c57f4297a4c4
    2013-01-01 15:43 . 2013-01-01 15:43 -------- d-----w- c:\documents and settings\Eddie\Application Data\DriverCure
    2013-01-01 15:43 . 2013-01-01 15:43 -------- d-----w- c:\documents and settings\Eddie\Application Data\SparkTrust
    2013-01-01 15:41 . 2013-01-07 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SparkTrust
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-01-09 07:21 . 2012-07-27 16:10 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-01-09 07:21 . 2011-12-30 02:05 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-12-16 12:23 . 2004-08-04 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-13 16:00 . 2012-12-13 16:01 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2012-11-17 23:37 . 2012-12-18 12:49 18360 ----a-w- c:\windows\system32\roboot.exe
    2012-11-16 04:33 . 2011-08-08 11:08 94048 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2012-11-13 01:25 . 2004-08-04 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
    2012-11-06 02:01 . 2011-12-30 01:08 1371648 ------w- c:\windows\system32\msxml6.dll
    2012-11-02 02:02 . 2004-08-04 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
    2012-11-01 12:17 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-11-01 12:17 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-11-01 12:17 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-11-01 00:35 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2013-01-16 20:11 . 2013-01-19 17:41 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\13.3.0.17\AVG Secure Search_toolbar.dll" [2012-12-13 1828808]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2005-07-23 172032]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-07-23 49152]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
    "AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
    "vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-12-13 1046984]
    "Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
    "SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart\0\0sdnclean.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-06-16 11:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-06-16 11:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\FinalMediaPlayer\\FMPCheckForUpdates.exe"=
    "c:\\Program Files\\File Type Assistant\\tsassist.exe"=
    "c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
    "c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 3:50 AM 55776]
    R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 3:46 AM 177376]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 35552]
    R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 12:32 PM 179936]
    R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 12:32 PM 19936]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 159712]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 164832]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [12/13/2012 11:01 AM 26984]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [11/15/2012 11:34 PM 5814904]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [10/22/2012 1:05 PM 196664]
    R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [1/19/2013 2:01 PM 439632]
    R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [1/19/2013 2:33 PM 1103392]
    R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1/19/2013 2:34 PM 1369624]
    R2 vToolbarUpdater13.3.2;vToolbarUpdater13.3.2;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe [12/13/2012 11:01 AM 894920]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
    S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [1/19/2013 2:34 PM 168384]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-01-23 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-27 07:21]
    .
    2013-01-23 c:\windows\Tasks\Final Media Player Update Checker.job
    - c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2012-01-25 23:40]
    .
    2013-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-12-30 01:41]
    .
    2013-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-12-30 01:41]
    .
    2013-01-23 c:\windows\Tasks\ProgramUpdateCheck.job
    - c:\program files\File Type Assistant\tsassist.exe [2012-11-09 16:44]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\13.3.2\ViProtocol.dll
    FF - ProfilePath - c:\documents and settings\Eddie\Application Data\Mozilla\Firefox\Profiles\heqxw2b0.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - ExtSQL: 2013-01-01 10:49; specialsavings@vshsolutions.com; c:\documents and settings\Eddie\Application Data\Mozilla\Extensions\specialsavings@vshsolutions.com
    FF - ExtSQL: 2013-01-02 14:19; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Notify-SDWinLogon - SDWinLogon.dll
    MSConfigStartUp-SpeetItUpFree - c:\program files\SpeedItup Free\speeditupfree.exe
    MSConfigStartUp-StartNow Search Protect - c:\program files\StartNow Toolbar\search_protect.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-01-23 17:19
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2013-01-23 17:21:11
    ComboFix-quarantined-files.txt 2013-01-23 22:21
    .
    Pre-Run: 61,782,036,480 bytes free
    Post-Run: 61,973,716,992 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - D13135B9242AC69C96815A77ACDFE476
  17. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    Ran Combofix again after removing AVG 2013 free with add/remove programs and also a couple other malware blockers that I found on it.

    ComboFix 13-01-23.01 - Eddie 01/23/2013 17:33:35.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.622 [GMT -5:00]
    Running from: c:\documents and settings\Eddie\Desktop\ComboFix.exe
    FW: AVG Internet Security 2012 *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\drivers\etc\hosts.txt
    c:\windows\system32\roboot.exe
    c:\windows\wininit.ini
    .
    Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
    Restored copy from - c:\windows\erdnt\cache\ntfs.sys
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-12-23 to 2013-01-23 )))))))))))))))))))))))))))))))
    .
    .
    2013-01-19 20:08 . 2013-01-19 20:08 -------- d-----w- c:\documents and settings\Eddie\Application Data\Malwarebytes
    2013-01-19 20:08 . 2013-01-19 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2013-01-19 20:08 . 2013-01-19 20:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-01-19 20:08 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-01-19 19:34 . 2013-01-19 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2013-01-19 19:33 . 2009-01-25 17:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
    2013-01-19 19:33 . 2013-01-19 19:34 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
    2013-01-19 19:02 . 2013-01-19 19:16 -------- d-----w- c:\program files\WinPcap
    2013-01-19 18:00 . 2008-04-14 05:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2013-01-19 17:41 . 2013-01-19 17:41 -------- d-----w- c:\documents and settings\Eddie\Local Settings\Application Data\Mozilla
    2013-01-19 17:41 . 2013-01-19 17:41 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2013-01-01 15:49 . 2013-01-01 15:49 -------- d-----w- c:\documents and settings\Eddie\Application Data\SpecialSavings
    2013-01-01 15:47 . 2013-01-02 19:36 -------- d-----w- c:\windows\system32\XPSViewer
    2013-01-01 15:47 . 2013-01-01 15:47 -------- d-----w- c:\program files\MSBuild
    2013-01-01 15:47 . 2013-01-01 15:47 -------- d-----w- c:\program files\Reference Assemblies
    2013-01-01 15:46 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2013-01-01 15:44 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2013-01-01 15:44 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2013-01-01 15:44 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2013-01-01 15:44 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2013-01-01 15:44 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2013-01-01 15:44 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2013-01-01 15:44 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2013-01-01 15:44 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2013-01-01 15:44 . 2013-01-01 15:46 -------- d-----w- C:\2c2bd26be38239c57f4297a4c4
    2013-01-01 15:43 . 2013-01-01 15:43 -------- d-----w- c:\documents and settings\Eddie\Application Data\DriverCure
    2013-01-01 15:43 . 2013-01-01 15:43 -------- d-----w- c:\documents and settings\Eddie\Application Data\SparkTrust
    2013-01-01 15:41 . 2013-01-07 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SparkTrust
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-01-09 07:21 . 2012-07-27 16:10 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-01-09 07:21 . 2011-12-30 02:05 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-12-16 12:23 . 2004-08-04 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
    2012-11-13 01:25 . 2004-08-04 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
    2012-11-06 02:01 . 2011-12-30 01:08 1371648 ------w- c:\windows\system32\msxml6.dll
    2012-11-02 02:02 . 2004-08-04 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
    2012-11-01 12:17 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-11-01 12:17 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-11-01 12:17 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-11-01 00:35 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2013-01-16 20:11 . 2013-01-19 17:41 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2005-07-23 172032]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-07-23 49152]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
    "SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-06-16 11:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-06-16 11:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\FinalMediaPlayer\\FMPCheckForUpdates.exe"=
    "c:\\Program Files\\File Type Assistant\\tsassist.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
    .
    R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [1/19/2013 2:33 PM 1103392]
    R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1/19/2013 2:34 PM 1369624]
    S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe --> c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [?]
    S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [1/19/2013 2:34 PM 168384]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-01-23 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-27 07:21]
    .
    2013-01-23 c:\windows\Tasks\Final Media Player Update Checker.job
    - c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2012-01-25 23:40]
    .
    2013-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-12-30 01:41]
    .
    2013-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-12-30 01:41]
    .
    2013-01-23 c:\windows\Tasks\ProgramUpdateCheck.job
    - c:\program files\File Type Assistant\tsassist.exe [2012-11-09 16:44]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\documents and settings\Eddie\Application Data\Mozilla\Firefox\Profiles\heqxw2b0.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - ExtSQL: 2013-01-01 10:49; specialsavings@vshsolutions.com; c:\documents and settings\Eddie\Application Data\Mozilla\Extensions\specialsavings@vshsolutions.com
    FF - ExtSQL: 2013-01-02 14:19; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-01-23 17:38
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3568)
    c:\windows\system32\WININET.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2013-01-23 17:40:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-01-23 22:40
    ComboFix2.txt 2013-01-23 22:21
    .
    Pre-Run: 61,940,527,104 bytes free
    Post-Run: 61,933,604,864 bytes free
    .
    - - End Of File - - 82AC2E082D349F606B15716A4E6FFC50

    I will install MSSE on it before I leave it for the evening. They are going to a funeral tomorrow night so I may not get to it again until Friday (but, again I might).


    Thanks once again for the help!
  18. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    MSSE installed and set for weekly scan and update. Leaving it for the evening.
  19. Broni

    Broni Malware Annihilator Posts: 46,319   +252

    Looks good.

    How is computer doing?

    =========================

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    =========================

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    =======================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  20. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    It seemed to be running fine when I left. Google search was quick to hook up and respond in Firefox. I didn't try IE. I will call them this afternoon before I leave work and see if I can work on it for a while this evening.
  21. Broni

    Broni Malware Annihilator Posts: 46,319   +252

  22. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    AdwCleaner report:

    # AdwCleaner v2.108 - Logfile created 01/24/2013 at 17:51:22
    # Updated 24/01/2013 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : Eddie - BAILIFF-AB9682E
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\Eddie\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
    Folder Deleted : C:\Documents and Settings\All Users\Application Data\WeCareReminder
    Folder Deleted : C:\Documents and Settings\Eddie\Application Data\PerformerSoft
    Folder Deleted : C:\Documents and Settings\Eddie\Application Data\SpecialSavings
    Folder Deleted : C:\Program Files\file scout

    ***** [Registry] *****

    Key Deleted : HKCU\Software\Default Tab
    Key Deleted : HKCU\Software\Iminent
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{58124A0B-DC32-4180-9BFF-E0E21AE34026}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{84FF7BD6-B47F-46F8-9130-01B2696B36CB}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BB184E6D-26D1-461A-9226-B93CA8DA2AF9}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{58124A0B-DC32-4180-9BFF-E0E21AE34026}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{84FF7BD6-B47F-46F8-9130-01B2696B36CB}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BB184E6D-26D1-461A-9226-B93CA8DA2AF9}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
    Key Deleted : HKCU\Software\SpecialSavings
    Key Deleted : HKCU\Software\wecarereminder
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2BF2028E-3F3C-4C05-AB45-B2F1DCFE0759}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DB538320-D3C5-433C-BCA9-C4081A054FCF}
    Key Deleted : HKLM\Software\Default Tab
    Key Deleted : HKLM\Software\DefaultTab
    Key Deleted : HKLM\Software\Freeze.com
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\aidbbndgjnlaclnmhkdimcdjiebjpdel
    Key Deleted : HKLM\Software\Iminent
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68B81CCD-A80C-4060-8947-5AE69ED01199}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E6B969FB-6D33-48D2-9061-8BBD4899EB08}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Updater Service
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0238BBE24EA3A70408B81E4BB89C15E5
    Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29799DE249E7DBC459FC6C8F07EB8375
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP
    Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [specialsavings@vshsolutions.com]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.6001.18702

    [OK] Registry is clean.

    -\\ Mozilla Firefox v18.0.1 (en-US)

    File : C:\Documents and Settings\Eddie\Application Data\Mozilla\Firefox\Profiles\heqxw2b0.default\prefs.js

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [8839 octets] - [24/01/2013 17:51:22]

    ########## EOF - C:\AdwCleaner[S1].txt - [8899 octets] ##########
  23. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    JRT Report:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 4.5.0 (01.23.2013:2)
    OS: Microsoft Windows XP x86
    Ran by Eddie on Thu 01/24/2013 at 17:55:21.73
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values

    Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
    Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] hkey_current_user\software\filescout
    Successfully deleted: [Registry Key] hkey_current_user\software\sparktrust
    Successfully deleted: [Registry Key] hkey_local_machine\software\sparktrust
    Successfully deleted: [Registry Key] hkey_current_user\software\systweak
    Successfully deleted: [Registry Key] hkey_local_machine\software\systweak



    ~~~ Files



    ~~~ Folders

    Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\sparktrust"
    Successfully deleted: [Folder] "C:\Documents and Settings\Eddie\Application Data\drivercure"
    Successfully deleted: [Folder] "C:\Documents and Settings\Eddie\Application Data\sparktrust"
    Successfully deleted: [Folder] "C:\Documents and Settings\Eddie\Application Data\systweak"





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Thu 01/24/2013 at 18:02:00.96
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
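    The AdwCleaner and JRT logs above use two different line formats for the same kind of fact (a key, value or folder removed or repaired), and the entries that matter for a "cannot reach search engines" symptom are the browser-hijack ones: Browser Helper Objects, IE SearchScopes, IE Low Rights ElevationPolicy, and Firefox/Chrome extension registrations. The following Python script is an added example, not part of this thread or of either tool; it normalises both formats into one record shape and flags those categories. The sample log lines, GUIDs and extension names are constructed for the example.

```python
"""Triage helper for AdwCleaner- and JRT-style removal logs (added example).

Both formats are reduced to (tool, kind, action, path) records so that
entries tied to browser hijacking can be counted and listed in one pass.
"""
import re
from collections import Counter

# AdwCleaner:  "Key Deleted : HKCU\Software\Example"
#              "Value Deleted : HKCU\...\Firefox\Extensions [name]"
ADW_RE = re.compile(
    r"^(?P<kind>Key|Value|Folder|File|Service)\s+(?P<action>Deleted|Found)\s*:\s*(?P<path>.+)$"
)
# JRT:  "Successfully deleted: [Registry Key] hkey_current_user\software\example"
#       "Successfully repaired: [Registry Value] hkey_local_machine\...\searchscopes\{...}\\URL"
JRT_RE = re.compile(
    r"^Successfully\s+(?P<action>deleted|repaired)\s*:\s*\[(?P<kind>[^\]]+)\]\s*(?P<path>.+)$"
)
JRT_KINDS = {"Registry Key": "Key", "Registry Value": "Value",
             "Folder": "Folder", "File": "File", "Service": "Service"}

# Case-insensitive path fragments that tie a registry entry to browser hijacking.
HIJACK_MARKERS = {
    "bho": "browser helper objects",
    "ie_searchscope": "internet explorer\\searchscopes",
    "ie_elevation": "low rights\\elevationpolicy",
    "ff_extension": "mozilla\\firefox\\extensions",
    "chrome_extension": "google\\chrome\\extensions",
}

# Constructed sample mixing both formats plus header/section noise lines.
SAMPLE_LOG = r"""
# AdwCleaner v2.108 - Logfile created 01/24/2013 at 17:51:22
***** [Files / Folders] *****
Folder Deleted : C:\Documents and Settings\All Users\Application Data\ExampleToolbar
***** [Registry] *****
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000002}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [example@constructed.test]
~~~ Registry Values
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{00000000-0000-0000-0000-000000000003}\\URL
~~~ Registry Keys
Successfully deleted: [Registry Key] hkey_current_user\software\exampleadware
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\exampleadware"
"""


def parse_line(line):
    """Return a normalised record for a removal/repair line, or None for noise."""
    line = line.strip()
    m = ADW_RE.match(line)
    if m:
        return {"tool": "adwcleaner", "kind": m["kind"],
                "action": m["action"].lower(), "path": m["path"].strip().strip('"')}
    m = JRT_RE.match(line)
    if m:
        return {"tool": "jrt", "kind": JRT_KINDS.get(m["kind"], m["kind"]),
                "action": m["action"].lower(), "path": m["path"].strip().strip('"')}
    return None


def split_value(path):
    """JRT separates a value name from its key with a doubled backslash; split it off."""
    if "\\\\" in path:
        key, name = path.rsplit("\\\\", 1)
        return key, name
    return path, None


def hijack_categories(path):
    """Sorted list of hijack categories whose marker appears in the path."""
    p = path.lower()
    return sorted(tag for tag, marker in HIJACK_MARKERS.items() if marker in p)


def triage(lines):
    """Parse all lines; return (records, per-tool/kind/action counts, flagged entries)."""
    records = [r for r in map(parse_line, lines) if r]
    summary = Counter((r["tool"], r["kind"], r["action"]) for r in records)
    flagged = [(r["path"], hijack_categories(r["path"]))
               for r in records if hijack_categories(r["path"])]
    return records, summary, flagged


if __name__ == "__main__":
    recs, counts, hits = triage(SAMPLE_LOG.splitlines())
    for key, n in sorted(counts.items()):
        print(f"{key[0]:<10} {key[1]:<7} {key[2]:<9} {n}")
    for path, tags in hits:
        print(f"[{','.join(tags)}] {path}")
```

Feeding it the real logs from this thread would list the BHO, ElevationPolicy, Chrome and Firefox extension removals from AdwCleaner alongside the SearchScopes URL repair from JRT, which together account for the search-engine symptom the thread started with.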
  24. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    OTL.txt:

    OTL logfile created on: 1/24/2013 6:10:16 PM - Run 2
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Eddie\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1014.07 Mb Total Physical Memory | 511.49 Mb Available Physical Memory | 50.44% Memory free
    2.38 Gb Paging File | 2.01 Gb Available in Paging File | 84.39% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.50 Gb Total Space | 56.43 Gb Free Space | 75.75% Space Free | Partition Type: NTFS

    Computer Name: BAILIFF-AB9682E | User Name: Eddie | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/01/24 09:46:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eddie\Desktop\OTL.exe
    PRC - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
    PRC - [2012/09/12 17:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
    PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2005/07/22 22:25:06 | 000,172,032 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    PRC - [2005/07/22 22:25:04 | 000,049,152 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
    PRC - [2004/05/12 15:04:54 | 000,196,608 | ---- | M] () -- C:\Program Files\Ahead\Ahead\data\Xtras\mssysmgr.exe


    ========== Modules (No Company Name) ==========

    MOD - [2004/05/12 15:04:54 | 000,196,608 | ---- | M] () -- C:\Program Files\Ahead\Ahead\data\Xtras\mssysmgr.exe


    ========== Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe -- (RUBotSrv)
    SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
    SRV - [2013/01/16 15:10:51 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2013/01/09 02:21:16 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - [2005/04/01 10:52:46 | 000,132,608 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = Reg Error: Value error.
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = Reg Error: Value error.
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?ocid=OIE8HP&PC=B8MC
    IE - HKLM\..\SearchScopes,DefaultScope =
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search


    IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

    IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

    IE - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
    IE - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003\..\SearchScopes,DefaultScope =
    IE - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003\..\SearchScopes\{B8F72896-EAA8-4FE9-A03E-9410E2AB45CB}: "URL" = http://www.google.com/search?q={sea...rce}&ie={inputEncoding?}&oe={outputEncoding?}
    IE - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003\..\SearchScopes\{BF5A1BBC-AA55-450A-ADC2-C186BFD97428}: "URL" = http://www.bing.com/search?q={searchTerms}&form=B8MCDF&pc=B8MC&src=IE-SearchBox
    IE - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "about:blank"
    FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.1
    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@ei.MarineAquarium3Free_57.com/Plugin: C:\Program Files\MarineAquarium3Free_57EI\Installr\1.bin\NP57EISB.dll (Marine Aquarium Lite)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/01/19 12:41:24 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

    [2013/01/01 10:49:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eddie\Application Data\Mozilla\Extensions
    [2013/01/01 10:49:49 | 000,000,000 | ---D | M] (Special Savings) -- C:\Documents and Settings\Eddie\Application Data\Mozilla\Extensions\specialsavings@vshsolutions.com
    [2013/01/19 12:41:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2013/01/16 15:11:06 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2013/01/16 15:10:30 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2013/01/16 15:10:30 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2013/01/23 17:38:25 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O3 - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
    O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe (HP)
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
    O4 - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003..\Run: [PhotoShow Deluxe Media Manager] C:\Program Files\Ahead\Ahead\data\Xtras\mssysmgr.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1214440339-1060284298-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1358616790875 (WUWebControl Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4DB724E9-649D-4A5F-B1C5-BA0AF7FC0F6E}: DhcpNameServer = 75.75.75.75 75.75.76.76
    O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/12/29 18:40:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/01/24 17:55:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
    [2013/01/24 17:55:12 | 000,000,000 | ---D | C] -- C:\JRT
    [2013/01/24 17:47:34 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eddie\Desktop\OTL.exe
    [2013/01/24 17:47:27 | 000,499,147 | ---- | C] (Oleg N. Scherbakov) -- C:\Documents and Settings\Eddie\Desktop\JRT.exe
    [2013/01/24 14:04:47 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    [2013/01/23 18:17:58 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2013/01/23 17:45:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2013/01/23 17:40:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2013/01/23 17:13:10 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2013/01/23 17:11:54 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2013/01/23 17:11:54 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2013/01/23 17:11:54 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2013/01/23 17:11:54 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2013/01/23 17:11:42 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2013/01/23 17:11:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
    [2013/01/22 18:25:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eddie\Desktop\RK_Quarantine
    [2013/01/21 17:45:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eddie\My Documents\My Videos
    [2013/01/21 17:45:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eddie\Start Menu\Programs\Administrative Tools
    [2013/01/19 15:08:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eddie\Application Data\Malwarebytes
    [2013/01/19 15:08:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2013/01/19 14:34:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    [2013/01/19 13:13:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [2013/01/19 12:41:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eddie\Local Settings\Application Data\Mozilla
    [2013/01/19 12:41:27 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
    [2013/01/19 12:41:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
    [2013/01/19 12:41:21 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
    [2013/01/16 08:52:38 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eddie\Recent
    [2013/01/07 16:40:44 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
    [2013/01/07 15:42:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
    [2013/01/07 10:00:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\AVG
    [2013/01/04 09:58:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eddie\Application Data\AVG
    [2013/01/04 09:57:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG
    [2013/01/04 09:57:12 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
    [2013/01/01 10:49:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eddie\Application Data\Mozilla
    [2013/01/01 10:47:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
    [2013/01/01 10:47:17 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
    [2013/01/01 10:47:01 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
    [2013/01/01 10:44:52 | 000,000,000 | ---D | C] -- C:\2c2bd26be38239c57f4297a4c4
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2013/01/24 18:06:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2013/01/24 18:03:00 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
    [2013/01/24 17:55:45 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\Final Media Player Update Checker.job
    [2013/01/24 17:52:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2013/01/24 17:52:44 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2013/01/24 17:52:44 | 000,000,394 | ---- | M] () -- C:\WINDOWS\tasks\ProgramUpdateCheck.job
    [2013/01/24 17:52:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2013/01/24 17:50:53 | 000,578,255 | ---- | M] () -- C:\Documents and Settings\Eddie\Desktop\adwcleaner.exe
    [2013/01/24 17:21:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
    [2013/01/24 13:22:13 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Eddie\Desktop\EMAIL.lnk
    [2013/01/24 09:46:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eddie\Desktop\OTL.exe
    [2013/01/24 09:46:36 | 000,499,147 | ---- | M] (Oleg N. Scherbakov) -- C:\Documents and Settings\Eddie\Desktop\JRT.exe
    [2013/01/23 17:46:04 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
    [2013/01/23 17:38:25 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2013/01/23 17:13:15 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2013/01/22 08:05:42 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Eddie\Desktop\Microsoft Office Word 2003.lnk
    [2013/01/19 15:29:19 | 000,000,974 | ---- | M] () -- C:\Documents and Settings\Eddie\Desktop\Shortcut to iexplore.exe.lnk
    [2013/01/19 14:09:17 | 000,186,719 | ---- | M] () -- C:\Documents and Settings\Eddie\Local Settings\Application Data\census.cache
    [2013/01/19 14:09:10 | 000,166,190 | ---- | M] () -- C:\Documents and Settings\Eddie\Local Settings\Application Data\ars.cache
    [2013/01/19 14:02:49 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Eddie\Local Settings\Application Data\housecall.guid.cache
    [2013/01/19 13:14:31 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2013/01/19 12:41:28 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Eddie\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2013/01/19 12:41:28 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2013/01/19 12:23:59 | 000,004,566 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2013/01/19 12:23:58 | 000,475,594 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2013/01/19 12:23:58 | 000,076,628 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2013/01/08 21:45:22 | 000,000,249 | ---- | M] () -- C:\Documents and Settings\Eddie\Desktop\knoxville garage & moving sales classifieds - craigslist.url
    [2013/01/07 16:40:47 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
    [2013/01/07 15:41:03 | 000,000,830 | ---- | M] () -- C:\WINDOWS\System32\InstallUtil.InstallLog
    [2013/01/03 19:14:22 | 000,000,653 | ---- | M] () -- C:\Documents and Settings\Eddie\Desktop\Oak Ridge, TN Map MapQuest.url
    [2013/01/02 14:53:28 | 000,311,584 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2013/01/01 10:46:18 | 000,001,487 | ---- | M] () -- C:\Documents and Settings\Eddie\Desktop\Windows Explorer.lnk
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2013/01/24 17:50:34 | 000,578,255 | ---- | C] () -- C:\Documents and Settings\Eddie\Desktop\adwcleaner.exe
    [2013/01/23 17:55:58 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
    [2013/01/23 17:46:04 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
    [2013/01/23 17:45:58 | 000,001,698 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2013/01/23 17:13:15 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2013/01/23 17:13:12 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2013/01/23 17:11:54 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2013/01/23 17:11:54 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2013/01/23 17:11:54 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2013/01/23 17:11:54 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2013/01/23 17:11:54 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2013/01/19 15:29:19 | 000,000,974 | ---- | C] () -- C:\Documents and Settings\Eddie\Desktop\Shortcut to iexplore.exe.lnk
    [2013/01/19 15:21:33 | 000,001,487 | ---- | C] () -- C:\Documents and Settings\Eddie\Desktop\Windows Explorer.lnk
    [2013/01/19 14:09:17 | 000,186,719 | ---- | C] () -- C:\Documents and Settings\Eddie\Local Settings\Application Data\census.cache
    [2013/01/19 14:09:10 | 000,166,190 | ---- | C] () -- C:\Documents and Settings\Eddie\Local Settings\Application Data\ars.cache
    [2013/01/19 14:02:49 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Eddie\Local Settings\Application Data\housecall.guid.cache
    [2013/01/19 12:41:28 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Eddie\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2013/01/19 12:41:28 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
    [2013/01/19 12:41:28 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2013/01/19 12:04:11 | 000,004,566 | ---- | C] () -- C:\WINDOWS\imsins.BAK
    [2013/01/07 16:40:47 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
    [2012/11/09 14:32:28 | 001,531,954 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1214440339-1060284298-1417001333-1003-0.dat
    [2012/11/09 07:22:05 | 000,255,554 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
    [2012/05/01 21:11:01 | 000,034,814 | ---- | C] () -- C:\Documents and Settings\Eddie\Local Settings\Application Data\dt.dat
    [2012/02/15 03:29:44 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2011/12/31 17:58:09 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Eddie\Application Data\PFP120JPR.{PB
    [2011/12/31 17:58:09 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Eddie\Application Data\PFP120JCM.{PB
    [2011/12/31 11:54:56 | 000,000,030 | ---- | C] () -- C:\WINDOWS\Iedit.INI
    [2011/12/31 11:14:57 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/12/31 10:57:31 | 000,000,510 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
    [2011/12/31 10:53:41 | 000,007,268 | ---- | C] () -- C:\WINDOWS\hpdj3740.ini
    [2011/12/29 19:00:24 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2011/12/29 18:42:46 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2011/12/29 18:37:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2011/12/29 13:33:22 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2011/12/29 13:32:14 | 000,311,584 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

    ========== ZeroAccess Check ==========

    [2013/01/01 10:40:37 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 05:42:06 | 001,499,136 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 05:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== LOP Check ==========

    [2013/01/04 09:59:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG
    [2013/01/23 17:29:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2013
    [2011/12/29 20:29:41 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2013/01/23 17:29:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2012/11/11 21:27:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
    [2013/01/04 09:57:12 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
    [2013/01/11 08:08:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\TuneUp Software
    [2013/01/04 09:58:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eddie\Application Data\AVG
    [2012/12/13 11:23:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eddie\Application Data\AVG2013
    [2012/01/26 14:51:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eddie\Application Data\FinalMediaPlayer
    [2011/12/31 11:36:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eddie\Application Data\Snapfish
    [2012/12/13 11:01:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eddie\Application Data\TuneUp Software
    [2011/12/31 11:26:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eddie\Application Data\Ulead Systems
    [2013/01/07 10:00:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVG

    ========== Purity Check ==========



    < End of report >


    Extras.txt:

    OTL Extras logfile created on: 1/24/2013 6:04:53 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Eddie\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1014.07 Mb Total Physical Memory | 281.20 Mb Available Physical Memory | 27.73% Memory free
    2.38 Gb Paging File | 1.78 Gb Available in Paging File | 74.47% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.50 Gb Total Space | 56.46 Gb Free Space | 75.79% Space Free | Partition Type: NTFS

    Computer Name: BAILIFF-AB9682E | User Name: Eddie | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = htmlfile] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\Easy Media Player\emp.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\Easy Media Player\emp.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
    "C:\Program Files\FinalMediaPlayer\FMPCheckForUpdates.exe" = C:\Program Files\FinalMediaPlayer\FMPCheckForUpdates.exe:*:Enabled:Final Media Player Update Checker -- (Bitberry Software)
    "C:\Program Files\File Type Assistant\tsassist.exe" = C:\Program Files\File Type Assistant\tsassist.exe:*:Enabled:programUpdateCheck -- (Trusted Software ApS)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.5)
    "{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
    "{B81023A5-71ED-46EB-BE3B-9F974D1155F1}" = HP Software Update
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    "{F101C58C-15CC-42B3-83D1-536CFB960634}" = Ulead PhotoImpact 8
    "{F901CA6D-A074-42D3-A11D-33AAE6FFD0C1}" = HP Deskjet 3740
    "{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "CCleaner" = CCleaner
    "FinalMediaPlayer_is1" = Final Media Player 2012
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{F101C58C-15CC-42B3-83D1-536CFB960634}" = Ulead PhotoImpact 8
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Security Client" = Microsoft Security Essentials
    "Mozilla Firefox 18.0.1 (x86 en-US)" = Mozilla Firefox 18.0.1 (x86 en-US)
    "MozillaMaintenanceService" = Mozilla Maintenance Service
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "Nero PhotoShow Express" = Nero PhotoShow Express
    "NeroMultiInstaller!UninstallKey" = Nero Suite
    "Trusted Software Assistant_is1" = File Type Assistant
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 12/21/2012 10:23:54 PM | Computer Name = BAILIFF-AB9682E | Source = Application Hang | ID = 1002
    Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 12/26/2012 11:10:23 AM | Computer Name = BAILIFF-AB9682E | Source = Application Error | ID = 1000
    Description = Faulting application iedit.exe, version 8.0.0.0, faulting module msvcrt.dll,
    version 7.0.2600.5512, fault address 0x00037c89.

    Error - 1/2/2013 3:08:17 PM | Computer Name = BAILIFF-AB9682E | Source = .NET Runtime Optimization Service | ID = 1101
    Description = .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32)
    - Failed to compile: PresentationFramework, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
    . Error code = 0x80070020

    Error - 1/2/2013 3:54:39 PM | Computer Name = BAILIFF-AB9682E | Source = .NET Runtime Optimization Service | ID = 1103
    Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
    - Tried to start a service that wasn't the latest version of CLR Optimization service.
    Will shutdown

    Error - 1/3/2013 8:25:51 PM | Computer Name = BAILIFF-AB9682E | Source = Application Hang | ID = 1002
    Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 1/4/2013 11:05:42 AM | Computer Name = BAILIFF-AB9682E | Source = Application Hang | ID = 1002
    Description = Hanging application speeditupfree.exe, version 7.8.5.0, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 1/7/2013 2:16:10 PM | Computer Name = BAILIFF-AB9682E | Source = Microsoft Office 11 | ID = 1000
    Description = Faulting application outlook.exe, version 11.0.8169.0, stamp 465f28e3,
    faulting module outllib.dll, version 11.0.8169.0, stamp 465f2870, debug? 0, fault
    address 0x001b8f2c.

    Error - 1/11/2013 2:03:29 PM | Computer Name = BAILIFF-AB9682E | Source = .NET Runtime Optimization Service | ID = 1103
    Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
    - Tried to start a service that wasn't the latest version of CLR Optimization service.
    Will shutdown

    Error - 1/19/2013 4:06:12 PM | Computer Name = BAILIFF-AB9682E | Source = Application Error | ID = 1000
    Description = Faulting application sdcleaner.exe, version 2.0.12.110, faulting module
    , version 0.0.0.0, fault address 0x00000000.

    Error - 1/23/2013 6:45:56 PM | Computer Name = BAILIFF-AB9682E | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 4.1.522.0,
    P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

    [ System Events ]
    Error - 1/22/2013 7:48:52 PM | Computer Name = BAILIFF-AB9682E | Source = Service Control Manager | ID = 7006
    Description = The ScRegSetValueExW call failed for FailureActions with the following
    error: %%5

    Error - 1/22/2013 7:48:52 PM | Computer Name = BAILIFF-AB9682E | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Security
    Center Service service to connect.

    Error - 1/22/2013 7:48:52 PM | Computer Name = BAILIFF-AB9682E | Source = Service Control Manager | ID = 7000
    Description = The Spybot-S&D 2 Security Center Service service failed to start due
    to the following error: %%1053

    Error - 1/23/2013 6:30:41 PM | Computer Name = BAILIFF-AB9682E | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Security
    Center Service service to connect.

    Error - 1/23/2013 6:30:41 PM | Computer Name = BAILIFF-AB9682E | Source = Service Control Manager | ID = 7000
    Description = The Spybot-S&D 2 Security Center Service service failed to start due
    to the following error: %%1053

    Error - 1/23/2013 6:38:43 PM | Computer Name = BAILIFF-AB9682E | Source = Service Control Manager | ID = 7000
    Description = The Trend Micro RUBotted Service service failed to start due to the
    following error: %%2

    Error - 1/23/2013 6:38:43 PM | Computer Name = BAILIFF-AB9682E | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Security
    Center Service service to connect.

    Error - 1/23/2013 6:38:43 PM | Computer Name = BAILIFF-AB9682E | Source = Service Control Manager | ID = 7000
    Description = The Spybot-S&D 2 Security Center Service service failed to start due
    to the following error: %%1053

    Error - 1/23/2013 7:20:37 PM | Computer Name = BAILIFF-AB9682E | Source = Service Control Manager | ID = 7000
    Description = The Trend Micro RUBotted Service service failed to start due to the
    following error: %%2

    Error - 1/24/2013 6:52:49 PM | Computer Name = BAILIFF-AB9682E | Source = Service Control Manager | ID = 7000
    Description = The Trend Micro RUBotted Service service failed to start due to the
    following error: %%2


    < End of report >
  25. pidjones

    pidjones Newcomer, in training Topic Starter Posts: 31

    I had removed the Trend Micro RUBotted package and Spybot S&D when installing MSSE. When this is finished, I would like a recommendation of what spyware, malware, etc. software to leave on it running. I know that some of them don't play well together. Their primary use is reading email and light web surfing (no porn or risky sites). I suspect that the source of their infection was an infected email attachment. They use Outlook 2003. I don't know if MSSE scans email and attachments, and of course the newest can always leak through. They do receive a few emails from overseas and I will warn them to avoid opening attachments from there without forwarding them to me to read on my Android tablet (yes, I know they are vulnerable too) first. Is there a good email scanner that is free?

    I hope that I can wrap this up tomorrow or Saturday, as Sunday is very busy for them and me both, and beginning Monday I become a zombie for two weeks, teaching for 16 hours straight each weekday. I'm too old for that now.

    Thanks for your diligent help!

