Solved Computer shutting down when trying to run Avast!, MWB, and SAS


Autumgurl

Okay, I've scanned your posts and see similar problems, but with one difference.
2 years ago I got an email that I thought was from my daughter, on a friend's computer, who happened to have the same name as the virus, Stephanie Adams. I saved the email because it said, "I love you mom" or "I miss you mom".
Recently my son told my other daughter she had sent him spam. Assuming it must have gone to my email as well, I checked and there was this same email again. My youngest daughter then informed me this was one of her email accounts that her older sister did not have access to. I deleted both, but have been having real issues with this computer.
I inserted the disc and restored the computer to its original state, then downloaded Avast!, MWB, and SAS. I followed the instructions and ran the scans in the order suggested. One took out 88 threats, the other 53, and the other 3. I still had problems, so I tried to do it in safe mode (which I'm not comfortable with), but every time I try to run the scan the computer shuts down.
I ran them again in normal mode and Avast! took out 3 threats, SAS 33. Tried running Avast! in safe mode and got a warning. It shows a large red X and says "Warning Unsecured, your system is not protected. Please use the fix button to start protecting your system." The one below says, "Urgent Avast! Service stopped. AV program has been stopped or is in an inconsistent state, please restart the program to resume protecting your system." I tried hitting the fix button and it wouldn't do anything, and the same happened when I hit the restart program button. So I tried scanning, and this time this particular program got 3/4 of the way through and shut down.
I saw one of your posts that had a program to download, but you had to disable the other three first.
In comes the big problem... I do not have administrator rights on this computer, therefore I cannot disable the programs in order to download the program you recommended. I have tried contacting tech support, but it's been two weeks, 4 phone calls and no reply.
I'm not a computer guru but can get around okay. Is there anything I can do to get this annoying virus out of my computer? I had thought about using the disc again and starting over, but am afraid of making a mistake.
Oh, and when I used the disc and restored the computer, Spyware Blaster was still installed on the computer? My previous programs were SB, Spybot and AVG.
Oh and where do I find my system specs? I always forget this.
Thank you in advance.
 
Welcome aboard


I do not have administrator rights on this computer
Why?
 
Administrator rights

I'm sorry, I meant to put that in there. My daughter uses this for online school. The last time we actually managed to talk to their tech support we were told to insert the disc they sent us to restore the computer. We've tried 4 times or so in the last two weeks to get a hold of someone but all I get is an answering machine and no return phone calls.
We've run into this before with their tech support, but we never had a problem like this and were able to figure the other stuff out on our own. They were usually simple, such as where to find things she needed to submit work, or that the mail they had set up to send the work in wasn't working and they didn't want the work sent through email. I was able to get most things from her teachers. But this is a tough one and I just can't seem to get a hold of a person.
My daughter is still able to do her work on our desktop, it just conflicts with work we need to get done. If it can't be done I may just mail the thing back to them with a letter, that might get a response.
Anyway, thanks for your response, even if there is nothing you can do. It was worth a try. Tired of beating my head against the wall.
 
Administrator rights

The computer belongs to the school. That's why I've been trying to contact them. Posting this is just a last ditch effort. I've decided that if I don't hear from them by the end of the week, I am just sending a letter with the computer back to them. I don't know what else to do.
I was feeling bad about sending it back with a virus, but if they would just call me I know we could fix this.
The first year she was with this school, we had a similar problem, but not as bad. It took them a week to get back to us and we didn't have a second computer at that time, but at least they finally replied. So we'll see. I really didn't think you could do much since I don't actually own the computer, but I thought I'd at least give it a shot.
I did run SAS in safe mode this morning and it ran all the way through, but found nothing. The minute I clicked on MWB, the computer shut down.
I've made an effort, it's on them now.
 
Please complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
A few questions before I start

Okay, before I get started: I'm thinking the anti-virus I downloaded was disabled at some point, as it will run like normal in normal mode, but when I try to run it in safe mode it tells me something is wrong with it and nothing happens when I click the buttons it tells me to. This computer also has OfficeScan from Trend Micro; could that be causing conflicts?
I had already downloaded MWB, but am not sure if I checked the two boxes for update and launch.
Would it be better to put in the disc to restore the computer to its original state or not?
Thank you.
 
Logs

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Student at 18:17:05 on 2011-09-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2813.2250 [GMT -4:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {19369770-8059-4EC3-8084-1A3F64128496}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\TEMP\GY499A.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://schools.connectionsacademy.com/
uDefault_Page_URL = hxxp://schools.connectionsacademy.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Name] c:\windows\system32\cas\msname.vbs
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [CARPService] carpserv.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoNetConnectDisconnect = 1 (0x1)
uPolicies-explorer: NoManageMyComputerVerb = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoStartMenuNetworkPlaces = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoCloseDragDropBands = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoLogoff = 1 (0x1)
uPolicies-explorer: NoThemesTab = 1 (0x1)
uPolicies-explorer: NoPropertiesMyDocuments = 1 (0x1)
uPolicies-explorer: NoSetTaskbar = 1 (0x1)
uPolicies-explorer: NoPropertiesRecycleBin = 1 (0x1)
uPolicies-explorer: RestrictCpl = 1 (0x1)
uPolicies-system: DisableChangePassword = 1 (0x1)
uPolicies-system: DisableLockWorkstation = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: aim.com\www
Trusted Zone: aol.com\iknowthat.school
Trusted Zone: aolatschool.com\www
Trusted Zone: atwola.com\ar
Trusted Zone: atwola.com\www.ar
Trusted Zone: brainpop.com\www
Trusted Zone: connectionsacademy.com
Trusted Zone: connectionsacademy.com\schools
Trusted Zone: D
Trusted Zone: edgate.com\www
Trusted Zone: letsgolearn.com\www
Trusted Zone: msnbc.com
Trusted Zone: passport.net\login
Trusted Zone: schoolnotes.com
Trusted Zone: teacherweb.com
Trusted Zone: worldbookonline.com\www
Trusted Zone: connectionsacademy.com\schools
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxp://10.1.0.17:8180/officescan/ClientInstall/WinNTChk.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxp://10.1.0.65:8080/officescan/console/html/ClientInstall/setup.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxp://10.1.0.65:8080/officescan/console/html/root/AtxEnc.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxp://10.1.0.17:8180/officescan/clientinstall/RemoveCtrl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226096417281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1 204.186.110.76 216.144.187.37 216.144.187.199
TCP: Interfaces\{6D304090-4CEA-4F39-9825-61439B592402} : DhcpNameServer = 10.1.5.101 10.1.5.102
TCP: Interfaces\{B3093FAB-0A84-4C76-849D-C6CC479D0E3D} : DhcpNameServer = 192.168.2.1 204.186.110.76 216.144.187.37 216.144.187.199
TCP: Interfaces\{B4AB9F22-46C9-4326-B049-87C9B783EB56} : DhcpNameServer = 192.168.254.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 69.7.71.11 www.limewire.com
Hosts: 69.7.71.11 www.zango.com
Hosts: 69.7.71.11 www.myspace.com
.
============= SERVICES / DRIVERS =.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/7/2007 10:01:23 PM
System Uptime: 9/7/2011 6:05:13 PM (0 hours ago)
.
Motherboard: Hewlett-Packard | | 30E3
Processor: AMD Turion(tm)X2 Ultra DualCore Mobile ZM-82 | Unknown | 2200/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 39 GiB total, 24.184 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP94: 9/7/2011 4:43:46 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
.
Acrobat.com
Adobe Acrobat Connect Add-in
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Presenter 6.2
Adobe Reader 9.1
Adobe Shockwave Player 11
Agere Systems HDA Modem
AMD Driver Support for HP 3D DriverGuard
Application Installer 4.00.B6
ATI Catalyst Control Center
ATI Display Driver
Broadcom 802.11 Wireless LAN Adapter
Broadcom NetXtreme Ethernet Controller
BufferChm
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
CYBERsitter 10
DeviceManagementQFolder
Embedded Security for HP ProtectTools Driver
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Help and Support
HP Imaging Device Functions 7.0
HP Integrated Module with Bluetooth wireless technology
HP Notebook Accessories Product Tour
HP PCMCIA Smart Card Reader
HP Photosmart and Deskjet 7.0 Software
HP Quick Launch Buttons 6.00 G2
HP Update
HP User Guides 0022
HP Wireless Assistant 2.00 F1
hph_software_req
HpSdpAppCoreApp
InterVideo DVD Check
InterVideo Register Manager
InterVideo WinDVD
Java(TM) 6 Update 14
Java(TM) 6 Update 5
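As an added example (not code from this thread, from DDS or from the helper), here is a small Python triage script for the "Pseudo HJT Report" format in the DDS log above; it groups the kinds of lines a reviewer looks at first: an executable running from a TEMP folder, an autorun entry that launches a script or has no path, user-restriction policies, and hosts-file redirects. The sample lines are constructed from the posted log, and the grouping heuristics are this example's own assumptions rather than DDS rules; a hit means "explain this entry", not "this is malware".

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines in the DDS format from the log above,
# plus two clean lines for contrast. Not a full log.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TEMP\GY499A.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [Name] c:\windows\system32\cas\msname.vbs
mRun: [CARPService] carpserv.exe
uPolicies-explorer: NoLogoff = 1 (0x1)
uPolicies-system: DisableChangePassword = 1 (0x1)
Hosts: 69.7.71.11 www.limewire.com
Hosts: 69.7.71.11 www.zango.com
Hosts: 69.7.71.11 www.myspace.com
Hosts: 127.0.0.1 localhost
"""

# Line shapes used by the DDS "Running Processes" and "Pseudo HJT Report" sections.
PROCESS_RE = re.compile(r"^([A-Za-z]:\\.*?\.[A-Za-z0-9]{2,4})(?:\s|$)")
AUTORUN_RE = re.compile(r"^([um]Run(?:Once)?): \[(.+?)\] (.*)$")
TARGET_RE = re.compile(r'^"?(.*?\.[A-Za-z0-9]{2,4})"?(?:\s|$)')   # path before any arguments
POLICY_RE = re.compile(r"^([um]Policies)-(\w+): (\w+) = (\S+)")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)")

# Heuristic tables (assumptions of this example).
SCRIPT_EXTS = {"vbs", "js", "jse", "wsf", "bat", "cmd", "hta", "ps1"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_dds(text):
    """Turn DDS log lines into (kind, fields) tuples; lines of other kinds are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := AUTORUN_RE.match(line):
            t = TARGET_RE.match(m.group(3))
            entries.append(("autorun", {"hive": m.group(1), "name": m.group(2),
                                        "target": t.group(1) if t else m.group(3)}))
        elif m := POLICY_RE.match(line):
            entries.append(("policy", {"hive": m.group(1), "area": m.group(2),
                                       "name": m.group(3), "value": m.group(4)}))
        elif m := HOSTS_RE.match(line):
            entries.append(("hosts", {"ip": m.group(1), "host": m.group(2)}))
        elif m := PROCESS_RE.match(line):
            entries.append(("process", {"path": m.group(1)}))
    return entries


def is_temp_path(path):
    """True when the path sits under a TEMP/TMP directory (case-insensitive)."""
    p = path.lower().replace("/", "\\")
    return "\\temp\\" in p or "\\tmp\\" in p


def triage(entries):
    """Group entries a reviewer would ask about first. Returns {category: [items]}."""
    findings = defaultdict(list)
    hosts_by_ip = defaultdict(list)
    for kind, e in entries:
        if kind == "process" and is_temp_path(e["path"]):
            findings["temp_executable"].append(e["path"])
        elif kind == "autorun":
            target = e["target"]
            ext = target.rsplit(".", 1)[-1].lower()
            if is_temp_path(target):
                findings["temp_executable"].append(target)
            if ext in SCRIPT_EXTS:                       # autorun launching a script
                findings["script_autorun"].append(f"{e['name']} -> {target}")
            if "\\" not in target and "%" not in target: # bare name, resolved via PATH
                findings["unqualified_autorun"].append(f"{e['name']} -> {target}")
        elif kind == "policy" and e["value"] != "0":     # Explorer/System lockdowns
            findings["user_restrictions"].append(f"{e['area']}\\{e['name']}")
        elif kind == "hosts" and e["ip"] not in LOOPBACK:
            hosts_by_ip[e["ip"]].append(e["host"])       # non-loopback hosts override
    for ip, hosts in hosts_by_ip.items():
        findings["hosts_redirect"].append(f"{ip} <- {', '.join(sorted(hosts))}")
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(parse_dds(SAMPLE_LOG)).items():
        print(category)
        for item in items:
            print("   ", item)
```

The policy and hosts groups are there to be cross-checked, not acted on: on a school-managed machine the Explorer restrictions and the hosts entries may be deliberate, which is why the MBAM log's PUM.* hits and the hosts redirects both deserve a question to the owner before removal.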
 
Logs

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7673

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/7/2011 6:04:08 PM
mbam-log-2011-09-07 (18-04-08).txt

Scan type: Quick scan
Objects scanned: 187795
Time elapsed: 5 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Value: NoFolderOptions -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer (PUM.Disable.MCProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-09-07 18:13:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9160411AS rev.HP15
Running: kmp4cn56.exe; Driver: C:\DOCUME~1\Student\LOCALS~1\Temp\kflyakoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

---- EOF - GMER 1.0.15 ----
 
log

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/7/2007 10:01:23 PM
System Uptime: 9/7/2011 7:13:39 PM (3 hours ago)
.
Motherboard: Hewlett-Packard | | 30E3
Processor: AMD Turion(tm)X2 Ultra DualCore Mobile ZM-82 | Unknown | 2200/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 39 GiB total, 23.885 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP94: 9/7/2011 4:43:46 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
.
Acrobat.com
Adobe Acrobat Connect Add-in
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Presenter 6.2
Adobe Reader 9.1
Adobe Shockwave Player 11
Agere Systems HDA Modem
AMD Driver Support for HP 3D DriverGuard
Application Installer 4.00.B6
ATI Catalyst Control Center
ATI Display Driver
Broadcom 802.11 Wireless LAN Adapter
Broadcom NetXtreme Ethernet Controller
BufferChm
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
CYBERsitter 10
DeviceManagementQFolder
Embedded Security for HP ProtectTools Driver
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Help and Support
HP Imaging Device Functions 7.0
HP Integrated Module with Bluetooth wireless technology
HP Notebook Accessories Product Tour
HP PCMCIA Smart Card Reader
HP Photosmart and Deskjet 7.0 Software
HP Quick Launch Buttons 6.00 G2
HP Update
HP User Guides 0022
HP Wireless Assistant 2.00 F1
hph_software_req
HpSdpAppCoreApp
InterVideo DVD Check
InterVideo Register Manager
InterVideo WinDVD
Java(TM) 6 Update 14
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
LightScribe 1.4.84.1
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB925673)
SCR3xxx Smart Card Reader
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic DLA
Sonic Express Labeler
Sonic Update Manager
SoundMAX
Spelling Dictionaries Support For Adobe Reader 8
SpywareBlaster 4.2
Swiff Player 1.1
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Toolbox
Trend Micro OfficeScan Client
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb970012)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WebFldrs XP
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
9/7/2011 4:45:56 PM, error: Service Control Manager [7000] - The Communication Services service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start the scan:


On completion of the scan click "Save log", save it to your desktop and post it in your next reply:


NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=============================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install the Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
slight problem

I couldn't get anything done yesterday as I was under the weather. I completed the first step with no problem, but am trying to disable Micro. Not easy since I don't know the password, and again could not get anyone by phone. Just wanted to let you know I am working on it.
 
Trend

Looks like my only option is to run Combofix with Trend open. I don't want to delete a password, I only wanted to temporarily disable it but cannot safely figure that out.
 
aswMBR log

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-08 16:32:33
-----------------------------
16:32:33.656 OS Version: Windows 5.1.2600 Service Pack 3
16:32:33.656 Number of processors: 2 586 0x301
16:32:33.656 ComputerName: CA-CNU9193LH1 UserName: Student
16:32:34.140 Initialize success
16:38:50.250 AVAST engine defs: 11090802
16:39:31.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:39:31.062 Disk 0 Vendor: ST9160411AS HP15 Size: 152627MB BusType: 3
16:39:33.187 Disk 0 MBR read successfully
16:39:33.250 Disk 0 MBR scan
16:39:33.328 Disk 0 unknown MBR code
16:39:33.484 Disk 0 scanning sectors +117917100
16:39:33.609 Disk 0 scanning C:\WINDOWS\system32\drivers
16:40:10.218 Service scanning
16:40:11.921 Modules scanning
16:40:31.218 Disk 0 trace - called modules:
16:40:31.515 KERNL1.EXE CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll Amddfltr.sys ACPI.sys atapi.sys pciide.sys PCIIDEX.SYS
16:40:31.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8acb6ab8]
16:40:31.750 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> [0x8ad23d58]
16:40:31.890 5 hpdskflt.sys[f7508fe1] -> nt!IofCallDriver -> [0x8acb7a48]
16:40:32.031 7 Amddfltr.sys[f77200b6] -> nt!IofCallDriver -> \Device\00000094[0x8acbd3b8]
16:40:32.203 9 ACPI.sys[f743e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ad29940]
16:40:35.937 AVAST engine scan C:\WINDOWS
16:41:03.906 AVAST engine scan C:\WINDOWS\system32
16:41:16.437 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Student\Desktop\MBR.dat"
16:41:16.609 The log file has been saved successfully to "C:\Documents and Settings\Student\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-08 16:32:33
-----------------------------
16:32:33.656 OS Version: Windows 5.1.2600 Service Pack 3
16:32:33.656 Number of processors: 2 586 0x301
16:32:33.656 ComputerName: CA-CNU9193LH1 UserName: Student
16:32:34.140 Initialize success
16:38:50.250 AVAST engine defs: 11090802
16:39:31.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:39:31.062 Disk 0 Vendor: ST9160411AS HP15 Size: 152627MB BusType: 3
16:39:33.187 Disk 0 MBR read successfully
16:39:33.250 Disk 0 MBR scan
16:39:33.328 Disk 0 unknown MBR code
16:39:33.484 Disk 0 scanning sectors +117917100
16:39:33.609 Disk 0 scanning C:\WINDOWS\system32\drivers
16:40:10.218 Service scanning
16:40:11.921 Modules scanning
16:40:31.218 Disk 0 trace - called modules:
16:40:31.515 KERNL1.EXE CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll Amddfltr.sys ACPI.sys atapi.sys pciide.sys PCIIDEX.SYS
16:40:31.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8acb6ab8]
16:40:31.750 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> [0x8ad23d58]
16:40:31.890 5 hpdskflt.sys[f7508fe1] -> nt!IofCallDriver -> [0x8acb7a48]
16:40:32.031 7 Amddfltr.sys[f77200b6] -> nt!IofCallDriver -> \Device\00000094[0x8acbd3b8]
16:40:32.203 9 ACPI.sys[f743e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ad29940]
16:40:35.937 AVAST engine scan C:\WINDOWS
16:41:03.906 AVAST engine scan C:\WINDOWS\system32
16:41:16.437 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Student\Desktop\MBR.dat"
16:46:27.437 AVAST engine scan C:\WINDOWS\system32\drivers
16:47:23.906 AVAST engine scan C:\Documents and Settings\Student
16:50:19.093 AVAST engine scan C:\Documents and Settings\All Users
16:50:27.437 Scan finished successfully
16:51:01.656 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Student\Desktop\MBR.dat"
16:51:01.828 The log file has been saved successfully to "C:\Documents and Settings\Student\Desktop\aswMBR.txt"
 
ComboFix

When I tried to run ComboFix the computer shut down part way through just as MWB did before I contacted you. Question...when I download a fresh one and rename it, still run it in safe mode after Rkill?
 
ComboFix Log

This is the best I could get...


ComboFix 11-09-09.04 - Student 09/10/2011 9:11.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2813.2550 [GMT -4:00]
Running from: c:\documents and settings\Student\Desktop\Judy.exe
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {19369770-8059-4EC3-8084-1A3F64128496}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini
c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse
c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory\SL200.tmp.fea0b243.ini
c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory\SLCD.tmp.985c2cc2.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL200.tmp.fea0b243.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SLCD.tmp.985c2cc2.ini
c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse
c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory\SL200.tmp.fea0b243.ini
c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory\SLCD.tmp.985c2cc2.ini
c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini
c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse
c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory\SL200.tmp.fea0b243.ini
c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory\SLCD.tmp.985c2cc2.ini
c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory\uccc.exe.8ab524e5.ini
c:\windows\IMAGE.EXE.LOG
.
.
((((((((((((((((((((((((( Files Created from 2011-08-10 to 2011-09-10 )))))))))))))))))))))))))))))))
.
.
2011-09-10 03:28 . 2011-09-10 03:31 -------- d-----w- C:\Judy
2011-09-08 12:36 . 2011-09-08 12:36 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2011-09-07 22:26 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-09-07 22:25 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-09-07 22:25 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-09-07 22:24 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-09-07 22:24 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-09-07 22:23 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-09-07 22:23 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-09-07 22:22 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2011-09-07 22:18 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-07 22:18 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-09-07 22:09 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2011-09-07 21:58 . 2011-06-23 18:36 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-09-07 21:56 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-07 21:55 . 2011-09-07 21:55 -------- d-----w- c:\documents and settings\Student\Application Data\Malwarebytes
2011-09-07 21:55 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-09-07 21:55 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-07 21:55 . 2011-09-07 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-07 21:55 . 2011-09-07 21:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-07 21:55 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-03 10:17 . 2011-09-03 10:17 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 10:17 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-02-28 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2004-08-04 08:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-03-28 454656]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-04-21 40960]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"Name"="c:\windows\system32\cas\msname.vbs" [2003-03-24 603]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-12-11 710000]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-12-11 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
"DisableLockWorkstation"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"NoNetConnectDisconnect"= 1 (0x1)
"NoManageMyComputerVerb"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoCloseDragDropBands"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoLogoff"= 1 (0x1)
"NoPropertiesMyDocuments"= 1 (0x1)
"NoSetTaskbar"= 1 (0x1)
"NoPropertiesRecycleBin"= 1 (0x1)
"RestrictCpl"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
.
R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [3/19/2009 7:27 PM 15416]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/28/2008 10:14 AM 24064]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/21/2005 7:19 AM 44800]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\caschools\Software\VCD\VCdRom.sys --> c:\caschools\Software\VCD\VCdRom.sys [?]
S2 CCOMSVC;Communication Services;c:\windows\CComSvc.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc --> c:\windows\CComSvc.exe [?]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [8/16/2008 3:00 AM 249424]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [8/16/2008 3:00 AM 36432]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [5/22/2008 2:33 PM 33024]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [4/27/2007 9:35 PM 575064]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://schools.connectionsacademy.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: aim.com\www
Trusted Zone: aol.com\iknowthat.school
Trusted Zone: aolatschool.com\www
Trusted Zone: atwola.com\ar
Trusted Zone: atwola.com\www.ar
Trusted Zone: brainpop.com\www
Trusted Zone: connectionsacademy.com
Trusted Zone: connectionsacademy.com\schools
Trusted Zone: D
Trusted Zone: edgate.com\www
Trusted Zone: letsgolearn.com\www
Trusted Zone: msnbc.com
Trusted Zone: passport.net\login
Trusted Zone: schoolnotes.com
Trusted Zone: teacherweb.com
Trusted Zone: worldbookonline.com\www
Trusted Zone: connectionsacademy.com\schools
TCP: DhcpNameServer = 192.168.2.1 204.186.110.76 216.144.187.37 216.144.187.199
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-DrvLsnr - c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe
HKLM-Run-IgfxTray - c:\windows\System32\igfxtray.exe
HKLM-Run-HotKeysCmds - c:\windows\System32\hkcmd.exe
HKLM-Run-HPDJ Taskbar Utility - c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
HKLM-Run-CARPService - carpserv.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-10 09:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????,?@? ????\??????R?@?????,?@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CCOMSVC]
"ImagePath"="c:\windows\CComSvc.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(260)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-09-10 09:30:50
ComboFix-quarantined-files.txt 2011-09-10 13:30
.
Pre-Run: 26,409,934,848 bytes free
Post-Run: 26,999,697,408 bytes free
.
- - End Of File - - 10F2B048DAFE201265FDD1D0AEEB2294
 
Looks good :)

How is the computer doing?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 