Inactive AVG Antivirus problem. Please help!

J

jo122

Posts: 26   +0
I downloaded AVG free edition and if I click on a google link, it redirects me to some random page. Not only that but if I uninstall the spyware programs, a small balloon with an X keeps on popping up saying there is malicious hardware or corruption or something so I've had to resort to keeping the AVG installed.

If you know about this, please help! It's very annoying!
 
Welcome to TechSpot! I'll help with the problem.

Tell me about the AVG download:
1. Did you have an antivirus program on the system before you downloaded AVG?
2. What site did you download AVG from?
3. Are you saying that these "annoying" malware problems started after you downloaded AVG?
4. You have fake spyware on the system. It will give you popup 'alerts' saying the system is infected but to remove it, you have to click on their popup to remove? Do not click on anything!

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

Yes, malware can be "annoying"- but the only thing to do it find it and remove it!
 
Hi Bobbye. Thanks for the welcome.

I had downloaded Avast! and it always redirected me to another link as well. So, I deleted Avast! thinking AVG would be different, but it's doing the same thing. I downloaded the AVG 2011 free version from Downloads(dot)com.
 
When I deleted the Avast! I was able to go into any site I wanted. But this annoying red balloon with the X on it would make a popping sound every other second or so with "you have no more space in C drive" then a box would appear saying "if you want to clean up disk space, download...etcetc."

I will do the Preliminary Virus and Malware Removal and report back with the logs.
 
Bobbye, sorry for the late reply.

I had to remove the AGV so I will redo the logs and send. Even after having deleted it, whenever I click a link, it continues to redirect me to random sites.

Thanks for the patience.
 
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

11/8/2010 11:43:55 PM
mbam-log-2010-11-08 (23-43-55).txt

Scan type: Quick scan
Objects scanned: 122385
Time elapsed: 7 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-09 01:12:29
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1b WDC_WD1600BB-22FTA0 rev.15.05R15
Running: i1fsh055.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\pgddyuod.sys


---- System - GMER 1.0.15 ----

SSDT F7E3E7A6 ZwCreateKey
SSDT F7E3E79C ZwCreateThread
SSDT F7E3E7AB ZwDeleteKey
SSDT F7E3E7B5 ZwDeleteValueKey
SSDT F7E3E7BA ZwLoadKey
SSDT F7E3E788 ZwOpenProcess
SSDT F7E3E78D ZwOpenThread
SSDT F7E3E7C4 ZwReplaceKey
SSDT F7E3E7BF ZwRestoreKey
SSDT F7E3E7B0 ZwSetValueKey

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wdfmgr.exe[172] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0093B48B
.text C:\WINDOWS\system32\wdfmgr.exe[172] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0093B028
.text C:\WINDOWS\system32\wdfmgr.exe[172] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0093B33D
.text C:\WINDOWS\system32\wdfmgr.exe[172] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0093B109
.text C:\WINDOWS\system32\wdfmgr.exe[172] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0093B1DC
.text C:\WINDOWS\system32\winlogon.exe[668] Secur32.dll!LsaLogonUser 77FE33F1 5 Bytes JMP 015B2946
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1484] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 018AB48B
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1484] WS2_32.dll!send 71AB4C27 5 Bytes JMP 018AB028
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1484] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 018AB33D
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1484] WS2_32.dll!recv 71AB676F 5 Bytes JMP 018AB109
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1484] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 018AB1DC
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1852] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0229B48B
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1852] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0229B028
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1852] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0229B33D
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1852] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0229B109
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1852] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0229B1DC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D3B48B
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D3B028
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D3B33D
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D3B109
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D3B1DC
.text C:\Program Files\Bonjour\mDNSResponder.exe[1884] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0080B48B
.text C:\Program Files\Bonjour\mDNSResponder.exe[1884] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0080B028
.text C:\Program Files\Bonjour\mDNSResponder.exe[1884] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0080B33D
.text C:\Program Files\Bonjour\mDNSResponder.exe[1884] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0080B109
.text C:\Program Files\Bonjour\mDNSResponder.exe[1884] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0080B1DC
.text C:\WINDOWS\System32\alg.exe[2664] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00AFB48B
.text C:\WINDOWS\System32\alg.exe[2664] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00AFB028
.text C:\WINDOWS\System32\alg.exe[2664] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00AFB33D
.text C:\WINDOWS\System32\alg.exe[2664] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00AFB109
.text C:\WINDOWS\System32\alg.exe[2664] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00AFB1DC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3324] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Avira\AntiVir Desktop\avcenter.exe[3576] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01AFB48B
.text C:\Program Files\Avira\AntiVir Desktop\avcenter.exe[3576] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01AFB028
.text C:\Program Files\Avira\AntiVir Desktop\avcenter.exe[3576] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01AFB33D
.text C:\Program Files\Avira\AntiVir Desktop\avcenter.exe[3576] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01AFB109
.text C:\Program Files\Avira\AntiVir Desktop\avcenter.exe[3576] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01AFB1DC

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----
 
DDS (Ver_10-11-09.01) - NTFSx86
Run by user at 1:18:54.25 on Tue 11/09/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.105 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Documents and Settings\user\My Documents\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\about.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Spyware Doctor] "c:\program files\spyware doctor\swdoctor.exe" /Q
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [15946828] c:\docume~1\user\locals~1\temp\15946828.exe
uRun: [990eb1] c:\docume~1\user\locals~1\temp\990eb1.exe
uRun: [98f630] c:\docume~1\user\locals~1\temp\98f630.exe
uRun: [98b30b] c:\docume~1\user\locals~1\temp\98b30b.exe
uRun: [98d51b] c:\docume~1\user\locals~1\temp\98d51b.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [VTTimer] VTTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Motive SmartBridge] c:\progra~1\verizo~1\smartb~1\MotiveSB.exe
mRun: [t`~y?:MBVhfk?{)c:\program files\istsvc\istsvc.exe] c:\windows\ltumps.exe
mRun: [" ??DnR???OV?c:\program files\istsvc\istsvc.exe] c:\windows\ltumps.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: ShaPlus Google Translator - c:\program files\shaplus google translator\GoogleTranslator.dll/HTML/IE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1102057589921
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231385990072&h=a893fcc300960c50eda68b9f36afd1b9/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.3.1/jinstall-1_3_1_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup152.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\9218o7z1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:eek:fficial
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\9218o7z1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\user\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\user\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-11-8 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-8 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-8 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-8 60936]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-1 135664]
S3 Mnmnuxxg;Mnmnuxxg; [x]

=============== Created Last 30 ================

2010-11-09 07:27:31 -------- d-----w- c:\docume~1\user\applic~1\Avira
2010-11-09 07:00:46 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-09 07:00:45 -------- d-----w- c:\program files\Avira
2010-11-09 07:00:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-11-05 06:38:28 -------- d--h--w- C:\$AVG
2010-11-05 05:56:52 -------- d-----w- c:\docume~1\user\applic~1\AVG10
2010-11-05 05:52:48 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-11-05 05:47:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-11-05 05:46:31 -------- d-----w- c:\program files\AVG
2010-11-05 05:37:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-30 17:52:33 -------- d-----w- c:\program files\iPod
2010-10-30 17:52:10 -------- d-----w- c:\program files\iTunes
2010-10-30 17:39:03 -------- d-----w- c:\program files\Bonjour
2010-10-20 23:26:28 -------- d-----w- C:\ComboFix
2010-10-13 08:09:24 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 08:09:24 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 08:08:58 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-13 06:57:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

==================== Find3M ====================

2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 18:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 1:19:49.07 ===============
 
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-09.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/9/2004 6:58:11 PM
System Uptime: 11/8/2010 11:30:10 PM (2 hours ago)

Motherboard: ASUSTek Computer INC. | | Kelut
Processor: AMD Athlon(tm) XP 3000+ | Socket A | 2166/167mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 79.293 GiB free.
D: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 10/4/2010 8:08:59 AM - System Checkpoint
RP2: 10/5/2010 3:00:31 AM - Software Distribution Service 3.0
RP3: 10/6/2010 4:23:21 AM - System Checkpoint
RP4: 10/7/2010 7:06:06 AM - System Checkpoint
RP5: 10/8/2010 7:23:36 AM - System Checkpoint
RP6: 10/9/2010 7:58:47 AM - System Checkpoint
RP7: 10/10/2010 8:12:44 AM - System Checkpoint
RP8: 10/11/2010 8:13:50 AM - System Checkpoint
RP9: 10/12/2010 11:07:53 AM - System Checkpoint
RP10: 10/12/2010 11:57:32 PM - avast! Free Antivirus Setup
RP11: 10/13/2010 3:03:14 AM - Software Distribution Service 3.0
RP12: 10/14/2010 3:52:10 AM - System Checkpoint
RP13: 10/15/2010 4:14:33 AM - System Checkpoint
RP14: 10/16/2010 6:55:34 AM - System Checkpoint
RP15: 10/17/2010 10:42:54 AM - System Checkpoint
RP16: 10/18/2010 10:53:20 AM - System Checkpoint
RP17: 10/19/2010 1:19:59 PM - System Checkpoint
RP18: 10/20/2010 2:52:20 PM - System Checkpoint
RP19: 10/23/2010 12:11:46 AM - System Checkpoint
RP20: 10/24/2010 12:15:25 AM - System Checkpoint
RP21: 10/25/2010 3:04:26 AM - System Checkpoint
RP22: 10/26/2010 10:53:56 AM - System Checkpoint
RP23: 10/27/2010 12:08:29 PM - System Checkpoint
RP24: 10/28/2010 7:02:29 PM - System Checkpoint
RP25: 10/29/2010 10:51:42 PM - System Checkpoint
RP26: 10/31/2010 1:17:28 PM - System Checkpoint
RP27: 11/1/2010 8:03:58 PM - System Checkpoint
RP28: 11/4/2010 6:40:32 PM - System Checkpoint
RP29: 11/4/2010 10:11:39 PM - avast! Free Antivirus Setup
RP30: 11/4/2010 10:46:30 PM - Installed AVG 2011
RP31: 11/4/2010 10:47:20 PM - Installed AVG 2011
RP32: 11/6/2010 1:30:49 AM - System Checkpoint
RP33: 11/7/2010 5:50:01 AM - System Checkpoint
RP34: 11/8/2010 6:00:10 AM - System Checkpoint
RP35: 11/8/2010 10:31:36 PM - Removed AVG 2011
RP36: 11/8/2010 10:38:38 PM - Removed AVG 2011
RP37: 11/8/2010 10:42:24 PM - Removed AVG 2011

==== Installed Programs ======================

µTorrent
32 Bit HP CIO Components Installer
Adobe Acrobat Reader 3.0
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.1.0
Adobe Reader Korean Fonts
Adobe Shockwave Player
Agere Systems PCI Soft Modem
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Bonjour
BufferChm
C4700
Corel Applications
Counter-Strike: Source
Coupon Printer for Windows
Destinations
DeviceDiscovery
DivX Web Player
DVD Shrink 3.1.7
FLAC 1.2.1b (remove only)
FretPro V.2.00
Functional Ear Trainer - Advanced 1.0
Functional Ear Trainer - Basic 1.2
GOM Player
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService2
GuitarTab.co.uk Simulator
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Imaging Device Functions 14.0
HP Memories Disc
HP Photo Creations
HP Photosmart C4700 All-in-One Driver Software 14.0 Rel. 6
HP Smart Web Printing 4.60
HP Solution Center 14.0
HP Update
HPProductAssistant
Interval Trainer
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1_13
Java(TM) 6 Update 11
LimeWire 5.1.2
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Move Media Player
Mozilla Firefox (3.6.3)
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Network
NoteCard
PS_AIO_06_C4700_SW_Min
QuickTime
QuickTransfer
Rhapsody Player Engine
RoboGuru Guitar Tools 1.4
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Scan
Search Toolbar
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
ShaPlus Google Translator 2.0
Shockwave
SmartWebPrinting
SolutionCenter
Status
STDU Viewer version 1.5.221.0
Steam(TM)
Toolbox
TrayApp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
Verizon High Speed Internet
Verizon Online
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WavePad Sound Editor
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinZip

==== Event Viewer Messages From Past Week ========

11/9/2010 12:09:02 AM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort2.
11/8/2010 11:14:26 PM, information: Windows File Protection [64004] - The protected system file winlogon.exe could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5512 The specific error code is 0x00000000 [The operation completed successfully. ].
11/8/2010 11:14:26 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file winlogon.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.5512, the version of the system file is 5.1.2600.5512.
11/8/2010 11:14:20 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file winlogon.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
11/8/2010 11:12:34 PM, information: Windows File Protection [64021] - The system file c:\windows\explorer.exe could not be copied into the DLL cache. The specific error code is 0x800b0100 [No signature was present in the subject. ]. This file is necessary to maintain system stability.
11/8/2010 11:12:07 PM, information: Windows File Protection [64004] - The protected system file explorer.exe could not be restored to its original, valid version. The file version of the bad file is 6.0.2900.5512 The specific error code is 0x00000000 [The operation completed successfully. ].
11/8/2010 11:12:07 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file explorer.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.5512.
11/8/2010 11:12:01 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file explorer.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
11/8/2010 11:11:17 PM, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.
11/7/2010 9:02:39 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer SCOTT that believes that it is the master browser for the domain on transport NetBT_Tcpip_{2F4D8685-2F01-4B4A-9A0. The master browser is stopping or an election is being forced.
11/6/2010 3:33:12 AM, error: atapi [9] - The device, \Device\Ide\IdePort2, did not respond within the timeout period.
11/6/2010 3:13:47 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
11/6/2010 3:13:47 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/6/2010 3:11:37 AM, error: Service Control Manager [7000] - The Mnmnuxxg service failed to start due to the following error: The system cannot find the path specified.
11/6/2010 2:40:18 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
11/6/2010 2:40:18 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2010 2:40:18 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2010 2:40:18 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/2/2010 2:28:26 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avast! Mail Scanner service.
11/2/2010 2:28:26 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avast! Antivirus service.

==== End Of File ===========================
 
Also, btw, when I deleted AVG, I downloaded Avira instead and my desktop disappeared. Any idea as to how to fix this glitch?

Thanks for the assistance Bobbye.
 
Here's what happened> Restore points show:
RP29: 11/4/2010 10:11:39 PM - avast! Free Antivirus Setup>> it appears that you didn't run the program, just downloaded the setup.
Home site: http://www.avast.com/free-antivirus-download
When you click on Download for the free version, you get a promo to get the Security Center at a discount. When you click on the X to close that window, you get the download page:
http://download.cnet.com/Avast-Free...0019223.html?part=dl-85737&subj=dl&tag=button.
When you click on 'Download Now', depending on your browser, you may have to click on 'Allow' at top right to load the page. This is normal- it's not what we call the redirect in searching- I use Firefox and get this frequently- it's just security against being directed to a page you don't want.

Now you downloaded and installed AVG twice>
RP30: 11/4/2010 10:46:30 PM - Installed AVG 2011
RP31: 11/4/2010 10:47:20 PM - Installed AVG 2011

And 4 days later, you uninstalled AVG 3 times!
RP35: 11/8/2010 10:31:36 PM - Removed AVG 2011
RP36: 11/8/2010 10:38:38 PM - Removed AVG 2011
RP37: 11/8/2010 10:42:24 PM - Removed AVG 2011

Then you decided to download Avira and lost the desktop! This isn't a glitch- You most likely have entries from 3 antivirus programs at this point because Avast and AVG most likely didn't get correctly uninstalled- not deleted- uninstalled.

Not only that but if I uninstall the spyware programs, a small balloon with an X keeps on popping up saying there is malicious hardware or corruption or something
Click to expand...

Unless you're downloading these AV programs from a bad site, they didn't have anything to do with the X and the balloon alerting you to an infection. You got adware or spyware and doing what you did with 3 AV programs left the system unprotected and with left over entries.

So now you have Avira protecting the system, but there are malware entries that are causing these problems.
=====================================
Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
==========================================
I have a lot of entries to remove for you and I'd like you to do the following while I set up the script for that: I see that you installed Combofix:
2010-10-20 23:26:28 > C:\ComboFix
Please uninstall it as follows: Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Now follow this with the new download and install:>>
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..

    Please do not make any changes while I'm helping you. I will see and can remove the 'left overs' for you but I need the system to stay stable.
 
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=49153
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=9c1adffbe8fd264788372cc2b493a850
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-10 01:56:20
# local_time=2010-11-10 05:56:20 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 1518393 1518393 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 93 0 25807194 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=67487
# found=5
# cleaned=0
# scan_time=4345
C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.EQ trojan 00000000000000000000000000000000 I
C:\Documents and Settings\user\My Documents\XvidSetup.exe a variant of Win32/Adware.HotBar.H application 00000000000000000000000000000000 I
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EQ trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\dllcache\winlogon.exe Win32/Bamital.EQ trojan 00000000000000000000000000000000 I
${Memory} Win32/Bamital.EQ trojan 00000000000000000000000000000000 I
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=9c1adffbe8fd264788372cc2b493a850
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-11 07:50:19
# local_time=2010-11-10 11:50:19 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 1580419 1580419 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 93 0 25869220 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=67220
# found=5
# cleaned=0
# scan_time=6751
C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.EQ trojan 00000000000000000000000000000000 I
C:\Documents and Settings\user\My Documents\XvidSetup.exe a variant of Win32/Adware.HotBar.H application 00000000000000000000000000000000 I
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EQ trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\dllcache\winlogon.exe Win32/Bamital.EQ trojan 00000000000000000000000000000000 I
${Memory} Win32/Bamital.EQ trojan 00000000000000000000000000000000 I
 
I can't seem to find the log to ComboFix even though I ran the scan and since my desktop disappeared, I can't go to search and look for it since I don't see Start either.

Is there a way I can find it through the Ctrl/Alt+Delete option?
 
Right click on [combofix.exe[/b] on the desktop> Rename> type in jotoday.exe then run Combofix again:
B] [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.[/B]
===================================
Please download OTMovit by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code: 
    :Processes	

:Files 
C:\Documents and Settings\All Users\Documents\Server\hlp.dat 
C:\Documents and Settings\user\My Documents\XvidSetup.exe 
C:\WINDOWS\system32\winlogon.exe 
C:\WINDOWS\system32\dllcache\winlogon.exe 

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
ComboFix 10-11-10.02 - user 11/11/2010 11:24:26.3.1 - x86
Running from: c:\documents and settings\user\My Documents\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Documents\Server\admin.txt
c:\documents and settings\All Users\Documents\Server\server.dat
c:\documents and settings\user\Recent\hpothb07.dat
c:\documents and settings\user\Recent\hpothb07.tif
c:\documents and settings\user\Recent\Scan0001.tif
c:\documents and settings\user\Recent\Scan0002.tif
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe

-- Previous Run --

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe

--------

.
((((((((((((((((((((((((( Files Created from 2010-10-11 to 2010-11-11 )))))))))))))))))))))))))))))))
.

2010-11-10 12:35 . 2010-11-10 12:35 -------- d-----w- c:\program files\ESET
2010-11-09 07:27 . 2010-11-09 07:27 -------- d-----w- c:\documents and settings\user\Application Data\Avira
2010-11-09 07:00 . 2010-08-03 00:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-09 07:00 . 2010-08-03 00:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-09 07:00 . 2010-06-17 23:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-11-09 07:00 . 2010-06-17 23:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-11-09 07:00 . 2010-11-09 07:00 -------- d-----w- c:\program files\Avira
2010-11-09 07:00 . 2010-11-09 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-11-05 06:38 . 2010-11-05 06:38 -------- d-----w- C:\$AVG
2010-11-05 05:56 . 2010-11-05 05:56 -------- d-----w- c:\documents and settings\user\Application Data\AVG10
2010-11-05 05:52 . 2010-11-05 05:52 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-05 05:47 . 2010-11-09 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-11-05 05:46 . 2010-11-05 05:46 -------- d-----w- c:\program files\AVG
2010-11-05 05:37 . 2010-11-05 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-30 17:52 . 2010-10-30 17:52 -------- d-----w- c:\program files\iPod
2010-10-30 17:52 . 2010-10-30 17:53 -------- d-----w- c:\program files\iTunes
2010-10-30 17:39 . 2010-10-30 17:39 -------- d-----w- c:\program files\Bonjour
2010-10-16 17:09 . 2010-10-23 09:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-10-13 08:09 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 08:09 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 08:08 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-13 06:57 . 2010-10-13 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-10-13 06:57 . 2010-10-13 06:57 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2003-03-31 12:00 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2003-03-31 12:00 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2004-08-24 03:32 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2003-03-31 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 15:57 . 2004-08-04 05:59 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2003-03-31 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2003-03-31 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2003-03-31 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2003-03-31 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 20:36 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2003-03-31 12:00 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-12-04 00:35 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

c:\windows\explorer.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 68856]
"Steam"="c:\program files\Steam\Steam.exe" [2010-09-11 1242448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"t`~y?:MBVhfk?{)c:\program files\ISTsvc\istsvc.exe"="c:\windows\ltumps.exe" [?]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"Motive SmartBridge"="c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2004-12-08 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-08 136600]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-03 281768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\ymditd\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5869:TCP"= 5869:TCP:Services
"5870:TCP"= 5870:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"9212:TCP"= 9212:TCP:Services
"9211:TCP"= 9211:TCP:Services
"6820:TCP"= 6820:TCP:Services
"6821:TCP"= 6821:TCP:Services
"4210:TCP"= 4210:TCP:Services
"6920:TCP"= 6920:TCP:Services
"8831:TCP"= 8831:TCP:Services
"8832:TCP"= 8832:TCP:Services

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/8/2010 11:00 PM 135336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/1/2010 3:48 AM 135664]
S3 Mnmnuxxg;Mnmnuxxg; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 11:48]

2010-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 11:48]

2010-11-11 c:\windows\Tasks\System Restore.job
- c:\windows\system32\Restore\rstrui.exe [2004-10-10 00:12]

2010-11-11 c:\windows\Tasks\Volume Control.job
- c:\windows\system32\sndvol32.exe [2004-10-10 12:00]

2010-11-11 c:\windows\Tasks\Windows Update.job
- c:\windows\system32\wupdmgr.exe [2003-03-31 12:00]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\about.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: ShaPlus Google Translator - c:\program files\ShaPlus Google Translator\GoogleTranslator.dll/HTML/IE
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\9218o7z1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:eek:fficial
FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\9218o7z1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\user\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\user\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Spyware Doctor - c:\program files\Spyware Doctor\swdoctor.exe
HKLM-Run-c:\windows\ltumps.exe - (no file)
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-11 11:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\" ??DnR???OV?c:\\Program Files\\ISTsvc\\istsvc.exe"="c:\\WINDOWS\\ltumps.exe"
.
Completion time: 2010-11-11 11:37:42
ComboFix-quarantined-files.txt 2010-11-11 19:37
ComboFix2.txt 2010-04-05 22:56

Pre-Run: 87,623,970,816 bytes free
Post-Run: 87,594,696,704 bytes free

- - End Of File - - 7DE12CDFBE5ED076EFD44DB61DC1B5E3
 
All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\Documents and Settings\All Users\Documents\Server\hlp.dat moved successfully.
C:\Documents and Settings\user\My Documents\XvidSetup.exe moved successfully.
Item C:\WINDOWS\system32\winlogon.exe is whitelisted and cannot be moved.
File/Folder C:\WINDOWS\system32\dllcache\winlogon.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: user
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 61280898 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 13540 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 928200 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 59.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 11112010_114214

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\$$$dq3e scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\$67we.$ scheduled to be moved on reboot.
File C:\WINDOWS\temp\HPSLPSVC0001.log not found!

Registry entries deleted on Reboot...
 
You have adware named ISTbar which modifies the browser.

Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code: 
File::
c:\windows\ltumps.exe
Folder::
C:\$AVG
c:\docume~1\user\applic~1\AVG10
c:\docume~1\alluse~1\applic~1\Common Files
c:\docume~1\alluse~1\applic~1\AVG10
c:\program files\AVG

DDS::
uLocal Page = c:\windows\about.htm
uURLSearchHooks: H - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [15946828] c:\docume~1\user\locals~1\temp\15946828.exe
uRun: [990eb1] c:\docume~1\user\locals~1\temp\990eb1.exe
uRun: [98f630] c:\docume~1\user\locals~1\temp\98f630.exe
uRun: [98b30b] c:\docume~1\user\locals~1\temp\98b30b.exe
uRun: [98d51b] c:\docume~1\user\locals~1\temp\98d51b.exe
mRun: [t`~y?:MBVhfk?{)c:\program files\istsvc\istsvc.exe] c:\windows\ltumps.exe
mRun: [" ??DnR???OV?c:\program files\istsvc\istsvc.exe] c:\windows\ltumps.exe
mRun: [<NO NAME>] 
DPF: {CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.3.1/jinstall-1_3_1_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

Extra::
File::
c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
Firefox::
Firefox-: - Profile- c:\docume~1\user\applic~1\mozilla\firefox\profiles\9218o7z1.default\

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"t`~y?:MBVhfk?{)c:\program files\ISTsvc\istsvc.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Driver::
Mnmnuxxg
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Follow with
Download the HijackThis Installer and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

When we have finished with cleaning, you will need to update both Java and the Adobe Reader.
 
ComboFix 10-11-10.02 - user 11/11/2010 17:18:18.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.274 [GMT -8:00]
Running from: c:\documents and settings\user\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}"
"c:\program files\viewpoint\viewpoint media player\npViewpoint.dll"
"c:\windows\ltumps.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\$AVG
c:\$avg\$VAULT\V_00000001.fil
c:\$avg\$VAULT\V_00000002.fil
c:\$avg\$VAULT\vvfolder.idx
c:\docume~1\alluse~1\applic~1\AVG10
c:\docume~1\alluse~1\applic~1\AVG10\Chjw\be4cddeb4cdd9f09\avgcchff.dat
c:\docume~1\alluse~1\applic~1\AVG10\Chjw\be4cddeb4cdd9f09\avgcchfi.dat
c:\docume~1\alluse~1\applic~1\AVG10\Chjw\be4cddeb4cdd9f09\avgcchmf.dat
c:\docume~1\alluse~1\applic~1\AVG10\Chjw\be4cddeb4cdd9f09\avgcchmi.dat
c:\docume~1\alluse~1\applic~1\AVG10\Chjw\be4cddeb4cdd9f09\f0f34b4b-0deb-4e34-8467-d853ef48293c
c:\docume~1\alluse~1\applic~1\AVG10\Chjw\be4cddeb4cdd9f09\f6511b71-4c04-4322-a377-0749eec8584e
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcfg.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcfg.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcfgex.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcfgex.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgchjw.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgchjw.log.1
c:\docume~1\alluse~1\applic~1\AVG10\log\avgchjw.log.2
c:\docume~1\alluse~1\applic~1\AVG10\log\avgchjw.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgchjwsrv.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgchjwsrv.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcore.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcore.log.1
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcore.log.2
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcore.log.3
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcore.log.4
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcore.log.5
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcore.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcsl.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcsl.log.1
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcsl.log.2
c:\docume~1\alluse~1\applic~1\AVG10\log\avgcsl.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgemc.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgemc.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgexc.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgexc.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgldr.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgldr.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avglng.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avglng.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgns.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgns.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgpostinst.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgpostinst.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgrs.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgrs.log.1
c:\docume~1\alluse~1\applic~1\AVG10\log\avgrs.log.10
c:\docume~1\alluse~1\applic~1\AVG10\log\avgrs.log.2
c:\docume~1\alluse~1\applic~1\AVG10\log\avgrs.log.3
c:\docume~1\alluse~1\applic~1\AVG10\log\avgrs.log.4
c:\docume~1\alluse~1\applic~1\AVG10\log\avgrs.log.5
c:\docume~1\alluse~1\applic~1\AVG10\log\avgrs.log.6
c:\docume~1\alluse~1\applic~1\AVG10\log\avgrs.log.7
c:\docume~1\alluse~1\applic~1\AVG10\log\avgrs.log.8
c:\docume~1\alluse~1\applic~1\AVG10\log\avgrs.log.9
c:\docume~1\alluse~1\applic~1\AVG10\log\avgrs.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgscan.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgscan.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsched.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsched.log.1
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsched.log.2
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsched.log.3
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsched.log.4
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsched.log.5
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsched.log.6
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsched.log.7
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsched.log.8
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsched.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsrm.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsrm.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsrmac.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgsrmac.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgtdi.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgtdi.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgual.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgual.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgui.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgui.log.1
c:\docume~1\alluse~1\applic~1\AVG10\log\avgui.log.10
c:\docume~1\alluse~1\applic~1\AVG10\log\avgui.log.2
c:\docume~1\alluse~1\applic~1\AVG10\log\avgui.log.3
c:\docume~1\alluse~1\applic~1\AVG10\log\avgui.log.4
c:\docume~1\alluse~1\applic~1\AVG10\log\avgui.log.5
c:\docume~1\alluse~1\applic~1\AVG10\log\avgui.log.6
c:\docume~1\alluse~1\applic~1\AVG10\log\avgui.log.7
c:\docume~1\alluse~1\applic~1\AVG10\log\avgui.log.8
c:\docume~1\alluse~1\applic~1\AVG10\log\avgui.log.9
c:\docume~1\alluse~1\applic~1\AVG10\log\avgui.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgupd.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgupd.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwd.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwd.log.1
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwd.log.10
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwd.log.2
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwd.log.3
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwd.log.4
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwd.log.5
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwd.log.6
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwd.log.7
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwd.log.8
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwd.log.9
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwd.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwdsvc.log
c:\docume~1\alluse~1\applic~1\AVG10\log\avgwdsvc.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\avgxobniinstaller.log
c:\docume~1\alluse~1\applic~1\AVG10\log\commonpriv.log
c:\docume~1\alluse~1\applic~1\AVG10\log\commonpriv.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\fixcfg.log
c:\docume~1\alluse~1\applic~1\AVG10\log\fixcfg.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\log\history.xml
c:\docume~1\alluse~1\applic~1\AVG10\log\vault.log
c:\docume~1\alluse~1\applic~1\AVG10\log\vault.log.lock
c:\docume~1\alluse~1\applic~1\AVG10\lsdb\prev\prvcache.dat
c:\docume~1\alluse~1\applic~1\AVG10\lsdb\prev\prvglbl.dat
c:\docume~1\alluse~1\applic~1\AVG10\scanlogs\I_00000001.log
c:\docume~1\alluse~1\applic~1\AVG10\scanlogs\I_00000004.log
c:\docume~1\alluse~1\applic~1\AVG10\scanlogs\I_00000008.log
c:\docume~1\alluse~1\applic~1\AVG10\scanlogs\I_00000009.log
c:\docume~1\alluse~1\applic~1\AVG10\scanlogs\I_00000010.log
c:\docume~1\alluse~1\applic~1\AVG10\scanlogs\I_00000011.log
c:\docume~1\alluse~1\applic~1\AVG10\scanlogs\srm.idx
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\AntiRkx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\Antivirx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\Avgx86.msi
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\AVIsx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\basex.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\COREx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\COREx86.msi
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\Emailsx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\GUIx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\idatx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\IDPx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\lng_usx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\OnlnScx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\ResShldx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\SrchSrfx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\SSHttpBx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\TDIDrvx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\TuneUpx.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\Update2x.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\Updatex.cab
c:\docume~1\alluse~1\applic~1\AVG10\SetupBackup\xplx.cab
c:\docume~1\alluse~1\applic~1\Common Files
c:\docume~1\alluse~1\applic~1\Common Files\B00E8F0D-DF1B-30AE-E08F-1A98DCE6CE0F.dat
c:\docume~1\user\applic~1\AVG10
c:\docume~1\user\applic~1\AVG10\cfgall\usergui.cfg
c:\program files\AVG
c:\program files\AVG\AVG10\avgfree_zh.mht
c:\program files\AVG\AVG10\avgfree_zt.mht
c:\program files\AVG\AVG10\Notification\avgxobni_installerxTE.exe
c:\program files\AVG\AVG10\Notification\XobniMiniAVGSetup.exe
c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MNMNUXXG
-------\Service_Mnmnuxxg


((((((((((((((((((((((((( Files Created from 2010-10-12 to 2010-11-12 )))))))))))))))))))))))))))))))
.

2010-11-11 19:42 . 2010-11-11 19:42 -------- d-----w- C:\_OTM
2010-11-10 12:35 . 2010-11-10 12:35 -------- d-----w- c:\program files\ESET
2010-11-09 07:27 . 2010-11-09 07:27 -------- d-----w- c:\documents and settings\user\Application Data\Avira
2010-11-09 07:00 . 2010-08-03 00:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-09 07:00 . 2010-08-03 00:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-09 07:00 . 2010-06-17 23:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-11-09 07:00 . 2010-06-17 23:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-11-09 07:00 . 2010-11-09 07:00 -------- d-----w- c:\program files\Avira
2010-11-09 07:00 . 2010-11-09 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-11-05 05:37 . 2010-11-05 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-30 17:52 . 2010-10-30 17:52 -------- d-----w- c:\program files\iPod
2010-10-30 17:52 . 2010-10-30 17:53 -------- d-----w- c:\program files\iTunes
2010-10-30 17:39 . 2010-10-30 17:39 -------- d-----w- c:\program files\Bonjour
2010-10-16 17:09 . 2010-10-23 09:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-10-13 08:09 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 08:09 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 08:08 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-13 06:57 . 2010-10-13 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-10-13 06:57 . 2010-10-13 06:57 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2003-03-31 12:00 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2003-03-31 12:00 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2004-08-24 03:32 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2003-03-31 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 15:57 . 2004-08-04 05:59 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2003-03-31 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2003-03-31 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2003-03-31 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2003-03-31 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 20:36 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2003-03-31 12:00 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-12-04 00:35 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

c:\windows\explorer.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-11-11_19.33.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-12 01:02 . 2010-11-12 01:02 16384 c:\windows\Temp\Perflib_Perfdata_210.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 68856]
"Steam"="c:\program files\Steam\Steam.exe" [2010-09-11 1242448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"t`~y?:MBVhfk?{)c:\program files\ISTsvc\istsvc.exe"="c:\windows\ltumps.exe" [?]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"Motive SmartBridge"="c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2004-12-08 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-08 136600]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-03 281768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\ymditd\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5869:TCP"= 5869:TCP:Services
"5870:TCP"= 5870:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"9212:TCP"= 9212:TCP:Services
"9211:TCP"= 9211:TCP:Services
"6820:TCP"= 6820:TCP:Services
"6821:TCP"= 6821:TCP:Services
"4210:TCP"= 4210:TCP:Services
"6920:TCP"= 6920:TCP:Services
"8831:TCP"= 8831:TCP:Services
"8832:TCP"= 8832:TCP:Services
"3345:TCP"= 3345:TCP:Services
"5190:TCP"= 5190:TCP:Services
"6515:TCP"= 6515:TCP:Services
"6516:TCP"= 6516:TCP:Services

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/8/2010 11:00 PM 135336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/1/2010 3:48 AM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 11:48]

2010-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 11:48]

2010-11-12 c:\windows\Tasks\System Restore.job
- c:\windows\system32\Restore\rstrui.exe [2004-10-10 00:12]

2010-11-12 c:\windows\Tasks\Volume Control.job
- c:\windows\system32\sndvol32.exe [2004-10-10 12:00]

2010-11-12 c:\windows\Tasks\Windows Update.job
- c:\windows\system32\wupdmgr.exe [2003-03-31 12:00]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: ShaPlus Google Translator - c:\program files\ShaPlus Google Translator\GoogleTranslator.dll/HTML/IE
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\9218o7z1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:eek:fficial
FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\9218o7z1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\user\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\user\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-c:\windows\ltumps.exe - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-11 17:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\" ??DnR???OV?c:\\Program Files\\ISTsvc\\istsvc.exe"="c:\\WINDOWS\\ltumps.exe"
.
Completion time: 2010-11-11 17:31:06
ComboFix-quarantined-files.txt 2010-11-12 01:31
ComboFix2.txt 2010-11-11 19:37
ComboFix3.txt 2010-04-05 22:56

Pre-Run: 87,588,888,576 bytes free
Post-Run: 87,571,976,192 bytes free

- - End Of File - - 0682113A31ACE08F0CE91FEA06784389
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:36:20 PM, on 11/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [t`~y?:MBVhfk?{)C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ltumps.exe
O4 - HKLM\..\Run: [" ??DnR???OV?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ltumps.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O8 - Extra context menu item: ShaPlus Google Translator - res://C:\Program Files\ShaPlus Google Translator\GoogleTranslator.dll/HTML/IE
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon High Speed Internet Installer.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JS...9/&filename=jinstall-6u11-windows-i586-jc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: (no name) - http://www.cheesecake-recipes.com/images/bg.gif

--
End of file - 8469 bytes
 
Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O4 - HKLM\..\Run: [t`~y?:MBVhfk?{)C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ltumps.exe
O4 - HKLM\..\Run: [" ??DnR???OV?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ltumps.exe
O24 - Desktop Component 0: (no name) - http://www.cheesecake-recipes.com/images/bg.gif

Close all Windows except HijackThis and click on "FixChecked."

Start> Control Panel> Display> Desktop> Customize Desktop> Web tab> uncheck and delete everything you find in there (except for "My current home page")> Also remove the check mark from the the Lock Desktop Items box if it is checked> Apply> OK> Close.
==========================================
Please run this Custom CFScrip

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code: 
File::
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"65533:TCP"=- 
"52344:TCP"=- 
"5869:TCP"=-
"5870:TCP"=-
"3389:TCP"=-
"9212:TCP"=-
"9211:TCP"=-
"6820:TCP"=-
"6821:TCP"=-
"4210:TCP"=-
"6920:TCP"=-
"8831:TCP"=-
"8832:TCP"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
Suggest you remove these items from Sheduled Tasks: What kind of task do you do for volume control?
2010-11-11 c:\windows\Tasks\Volume Control.job
- c:\windows\system32\sndvol32.exe [2004-10-10 12:00]

2010-11-11 c:\windows\Tasks\Windows Update.job: You can set this in the Security Center in the Control Panel
- c:\windows\system32\wupdmgr.exe [2003-03-31 12:00]

Do you have the CD for the operating system? You may have to replace explorer.exe

Please rescan with HijackThis and the Eset Online scanner.
 
ComboFix 10-11-10.02 - user 11/12/2010 17:47:28.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.250 [GMT -8:00]
Running from: c:\documents and settings\user\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-10-13 to 2010-11-13 )))))))))))))))))))))))))))))))
.

2010-11-12 01:35 . 2010-11-12 01:35 388096 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-12 01:35 . 2010-11-12 01:35 -------- d-----w- c:\program files\Trend Micro
2010-11-11 19:42 . 2010-11-11 19:42 -------- d-----w- C:\_OTM
2010-11-10 12:35 . 2010-11-10 12:35 -------- d-----w- c:\program files\ESET
2010-11-09 07:27 . 2010-11-09 07:27 -------- d-----w- c:\documents and settings\user\Application Data\Avira
2010-11-09 07:00 . 2010-08-03 00:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-09 07:00 . 2010-08-03 00:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-09 07:00 . 2010-06-17 23:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-11-09 07:00 . 2010-06-17 23:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-11-09 07:00 . 2010-11-09 07:00 -------- d-----w- c:\program files\Avira
2010-11-09 07:00 . 2010-11-09 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-11-05 05:37 . 2010-11-05 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-30 17:52 . 2010-10-30 17:52 -------- d-----w- c:\program files\iPod
2010-10-30 17:52 . 2010-10-30 17:53 -------- d-----w- c:\program files\iTunes
2010-10-30 17:39 . 2010-10-30 17:39 -------- d-----w- c:\program files\Bonjour
2010-10-16 17:09 . 2010-10-23 09:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2003-03-31 12:00 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2003-03-31 12:00 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2004-08-24 03:32 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2003-03-31 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 15:57 . 2004-08-04 05:59 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2003-03-31 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2003-03-31 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2003-03-31 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2003-03-31 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 20:36 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2003-03-31 12:00 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-12-04 00:35 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

c:\windows\explorer.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-11-11_19.33.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-12 01:02 . 2010-11-12 01:02 16384 c:\windows\Temp\Perflib_Perfdata_210.dat
+ 2010-11-12 01:35 . 2010-11-12 01:35 1094656 c:\windows\Installer\1fc7c1.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 68856]
"Steam"="c:\program files\Steam\Steam.exe" [2010-09-11 1242448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"t`~y?:MBVhfk?{)c:\program files\ISTsvc\istsvc.exe"="c:\windows\ltumps.exe" [?]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"Motive SmartBridge"="c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2004-12-08 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-08 136600]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-03 281768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\ymditd\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5869:TCP"= 5869:TCP:Services
"5870:TCP"= 5870:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"9212:TCP"= 9212:TCP:Services
"9211:TCP"= 9211:TCP:Services
"6820:TCP"= 6820:TCP:Services
"6821:TCP"= 6821:TCP:Services
"4210:TCP"= 4210:TCP:Services
"6920:TCP"= 6920:TCP:Services
"8831:TCP"= 8831:TCP:Services
"8832:TCP"= 8832:TCP:Services
"3345:TCP"= 3345:TCP:Services
"5190:TCP"= 5190:TCP:Services
"6515:TCP"= 6515:TCP:Services
"6516:TCP"= 6516:TCP:Services

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/8/2010 11:00 PM 135336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/1/2010 3:48 AM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 11:48]

2010-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 11:48]

2010-11-12 c:\windows\Tasks\System Restore.job
- c:\windows\system32\Restore\rstrui.exe [2004-10-10 00:12]

2010-11-12 c:\windows\Tasks\Volume Control.job
- c:\windows\system32\sndvol32.exe [2004-10-10 12:00]

2010-11-12 c:\windows\Tasks\Windows Update.job
- c:\windows\system32\wupdmgr.exe [2003-03-31 12:00]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: ShaPlus Google Translator - c:\program files\ShaPlus Google Translator\GoogleTranslator.dll/HTML/IE
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\9218o7z1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:eek:fficial
FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\9218o7z1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\user\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\user\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-c:\windows\ltumps.exe - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-12 17:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\" ??DnR???OV?c:\\Program Files\\ISTsvc\\istsvc.exe"="c:\\WINDOWS\\ltumps.exe"
.
Completion time: 2010-11-12 18:02:00
ComboFix-quarantined-files.txt 2010-11-13 02:01
ComboFix2.txt 2010-11-12 01:31
ComboFix3.txt 2010-11-11 19:37
ComboFix4.txt 2010-04-05 22:56

Pre-Run: 87,467,077,632 bytes free
Post-Run: 87,452,696,576 bytes free

- - End Of File - - F6B1A832D49539D66CDBFFB8193CEEB3
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:22:00 PM, on 11/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [t`~y?:MBVhfk?{)C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ltumps.exe
O4 - HKLM\..\Run: [" ??DnR???OV?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ltumps.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O8 - Extra context menu item: ShaPlus Google Translator - res://C:\Program Files\ShaPlus Google Translator\GoogleTranslator.dll/HTML/IE
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon High Speed Internet Installer.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JS...9/&filename=jinstall-6u11-windows-i586-jc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 8263 bytes
 
It's not deleting:
O4 - HKLM\..\Run: [t`~y?:MBVhfk?{)C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ltumps.exe
O4 - HKLM\..\Run: [" ??DnR???OV?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ltumps.exe

Do I have to provide you with the 2nd ESET scan log too? and where do I find scheduled tasks? My desktop is still currently non-existant.
 

Similar threads

Shawn Knight
This YouTube video can help flush water out of your smartphone
Replies
1
Views
274
p51d007
p51d007
midian182
Avast Free Antivirus: Testing its features and learning about the six layers of protection
Replies
0
Views
744
midian182
midian182
grvalderrama
Keyboard and mouse don't work after POST
Replies
2
Views
3K
grvalderrama
grvalderrama

Latest posts

Back