Solved Get to step 4 start scan, blue screen, and shut down


blairman

hello, and thanks to anybody willing to help, i have a gateway vtx400 running xp.
have successfully installed avira and scanned. successfully run temp file cleaner.
updated java, adobe and link to microsoft did not work, so pushed on.
downloaded malwarebyte anti malware, select quick scan, push start,
25 or so seconds in, i get blue screen of death, only stays for a second not long enough to read, and the laptop reboots.
any ideas?????
blairman
 
Try running this first:

Please download randmbam.exe

It will try to create random names and shortcuts for Malwarebytes Anti Malware(MBAM) if you have it installed already.

Once done, try running a scan again

Then continue with the other scans.
 
i got my camera out and took a picture of the blue screen of death.
it says
"a problem has been detected and windows has been shut down to protect your computer
PAGE_FAULT_IN_NONPAGED_AREA
then the rest of the blah blah blah blue screen stuff.
i hope this helps
 
Did you run the program I asked you to? Did you still get the BSOD when trying to run Mbam?

BTW, there's a nifty way to 'take a picture' of what's on the screen. Press the 'Print Screen' key and paste it into Notepad.
 
Did you run the program I asked you to? Did you still get the BSOD when trying to run Mbam?

BTW, there's a nifty way to 'take a picture' of what's on the screen. Press the 'Print Screen' key and paste it into Notepad.

PrintScreen is nifty but it only works when Windows is running (so it can't be used to capture a blue screen when Windows has crashed) :)

And i think you meant to say "paste it into Paint" ;)
 
Bobbye, thanks so much for your help. i will try your suggestion, hopefully this afternoon. i ran out of time for messing with this yesterday. i will try it and report back. also thanks for the print screen key idea, i will remember that. i do not know if it would have worked here, i got the BSOD for literally less than one second, and then the power shut off and rebooting started. maybe it would have delayed that.
anyhow, will report back later today after some appt's get handled.
blair
 
blair, of course Lookin Around is right- you can't do a Print Screen if the system is down. Excuse me for that. But I don't use Paint- I should have said Wordpad instead of Notepad. Messed that one up didn't I!:eek:
 
blair, of course Lookin Around is right- you can't do a Print Screen if the system is down. Excuse me for that. But I don't use Paint- I should have said Wordpad instead of Notepad. Messed that one up didn't I!:eek:

No worries.... I have a long list of my own personal bloopers :p
 
Bobbye and Lookinaround,
downloaded and ran randmbam. that appears to just be a sneaky way to open malwarebyte anti malware program. i was always able to open malwarebyte. i would select quick scan and select run scan. the process window tells me that it is enumerating registry items. this time i got a minute and 20 seconds into it before the BSOD ended my forward progress.
some notes.... the 'security essentials 2010' pop ups have stopped, and i was able to delete the shortcut from the desk, and the file from program files. which i was not able to do at the height of my infestation.
i am able to start system restore now, however i can only go back 5 days, not back to january or february before all this crap started.
when i try to go to windowsupdate.microsoft.com, i get a 'internet explorer cannot display the webpage' with a button to diagnose connection problems, however, if i open another internet explorer page, my connection to msn.com is just fine.
i try to backdoor the update by going to microsoft's home page, and selecting updates, then i get a red x saying the website has encountered a problem and cannot display the page you are trying to view'
then tried firefox browser and safari browser to get to microsoft update. all get blocked, yet can go any other place on the net.
i hate to be putting this kind of effort into a laptop that would fetch $60 max on ebay, but i am letting my brother in law use it because he has limited mobility and it helps him retrieve email, and surf net without changing floors at his house.
i really appreciate your help but lets not kill ourselves over this either.
thanks again
blairman
 
i am able to start system restore now, however i can only go back 5 days

Once the restore points have been removed, they're gone. Think about it: how could you restore to the way your system was 3 months ago? It's like tearing a page out of a book- it's gone!

Had you stuck with us, I could have removed any remains of Security Essentials for you. Users don't understand that malware cleaning has to be an orderly process.

You must use IE to get the updates. People frequently complain about not being able to access the update page. I just tell them to try at another time.

I have no intention of 'killing myself' over this. We help clean malware off systems here- it's not our job to troubleshoot system problems unless they are directly related to the malware.

It's a nice thing you want to do for your brother. Why not get over your impatience and do it right? Identify the problem, determine if it's fixable and if it is, fix it!

Please download VEW and save it to your Desktop:

Setting up the program

Double-click VEW.exe to run.

  • Select log to query, select
  • Application
  • System

    Under Select type to list, select:
  • Critical (Vista only)
  • Error

    Click the radio button for Number of events
  • Type 20 in the 1 to 20 box
  • Then click the Run button.
  • Notepad will open with the output log.

    Load the log
  • In Notepad, click Edit> Select all
  • Then press Edit > Copy
  • Press Ctrl+V on your keyboard to paste the log to your next reply.

(Courtesy rev-Olie)

After checking this, if I can't offer a solution, I will refer you to the correct forum.
 
Bobbye, thanks for your help, i have not quite given up on this, i just sometimes question the time-money factor, and right now i have more time than money, at least for the next couple of weeks.
i did not mean to sound like i was giving up, i just feel bad about saints like you that spend time helping those of us with limited skills.
so, having said that, i gather that you think it is just an issue with microsoft's update page not being able to handle the traffic, rather than my thoughts, that something, part of a virus or malware is keeping the computer from accessing that page.
recap, i run malwarebyte and select quick scan, and after 25 to 75 seconds i get the BSOD.

i will move forward and download vew, follow the instruction you left and post the log on my next reply.
thanks again
blairman
 
If you can find the Error that corresponds to the time of the BSOD, there may be something to work on. Here is a shorter, more direct version of the Event Viewer. Errors are time-coded, so if you check the time on the computer clock when it happens, then do the following, you should be able to find the corresponding error event:


Start> Run> type in eventvwr

Do this on each of the System and the Applications logs:
[1]. Click to open the log>
[2]. Look for the Error>
[3]. Right click on the Error> Properties>
[4]. Click on Copy button, top right, below the down arrow >
[5]. Paste here (Ctrl V)
[6]. NOTES
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.

This is the same procedure as what I gave you previously, but this path allows you to look for errors at specific times. See if that works better for you.
 
bobbye, i fired up the laptop today, decided to run malwarebytes one more time for grins, and it worked. below is the log, i am rebooting.
do you still want me to run vew and eventvwr, i will wait to hear from you
thanks
blairman
log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4132

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/26/2010 10:47:02 AM
mbam-log-2010-05-26 (10-47-02).txt

Scan type: Quick scan
Objects scanned: 125530
Time elapsed: 12 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 14
Folders Infected: 0
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SE2010 (Rogue.Securityessentials2010) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-software-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\drivers\4DW4R3PrNJaTBasp.sys (Malware.Packer) -> Delete on reboot.
C:\WINNT\system32\drivers\4DW4R3.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3gHyXVxxPcF.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3ilCduxtHFR.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3InTFXMlEPw.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3ISpUVoQaHx.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3jjyluCbrTr.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3msnBJyccQO.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3PwEYPOtWFU.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3rEppbYTsDu.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3ryNHVoPTHi.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3spBvwRpwsR.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3tDEYQrnHsb.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3tImBKgwmHL.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3tqxQSQabKD.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3vOtavkSgxX.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3vyjofaRIDW.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3whAWmEODvx.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Security essentials 2010.lnk (Rogue.SecurityEssentials2010) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3BeGrUWCCFm.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3beISbctLBl.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3buhOWxWwIy.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3BvhXislwwQ.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3c.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3FElMrrkOlm.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3ICSrydMdTP.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3igWAYEbERm.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3KEXBHlisuY.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3ktPpjRMOME.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3NbiGarwbat.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3pxlDYrXkSf.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3pxNXgKqAsM.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3sBRLKXunJs.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3sSoDixRlql.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3TSmOLnLnnj.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3VkGKLIYxjM.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3WvSMyqVHNW.dll (Rootkit.Agent) -> Delete on reboot.
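The log above carries the substance of the thread: rogue-AV registry residue, domains the malware added to Internet Explorer's Trusted Sites zone, Security Center notifications switched off, and a cluster of randomly named drivers and DLLs sharing the 4DW4R3 prefix. As an added example (not part of the thread and not Malwarebytes' tooling), the Python below parses MBAM 1.x detection lines of this format and pulls those points out; the sample input is an excerpt of the posted log, and the zone names follow Internet Explorer's ZoneMap numbering (2 = Trusted Sites, 4 = Restricted Sites).

```python
import re
from collections import Counter

# Internet Explorer URL security zone numbers stored under ZoneMap\Domains.
IE_ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
            3: "Internet", 4: "Restricted Sites"}

# One MBAM 1.x detection line: <item> (<family>) [-> Bad: (n) Good: (m)] -> <action>.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\)"
    r"(?: -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\))?"
    r" -> (?P<action>.+?)\.?$"
)
ZONEMAP_RE = re.compile(r"\\ZoneMap\\Domains\\(?P<domain>[^\\]+)\\(?P<scheme>\w+)$", re.I)

# Sample input: an excerpt of the log posted in the thread, not a complete log.
SAMPLE_LOG = r"""
Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SE2010 (Rogue.Securityessentials2010) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINNT\system32\drivers\4DW4R3PrNJaTBasp.sys (Malware.Packer) -> Delete on reboot.
C:\WINNT\system32\drivers\4DW4R3.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3gHyXVxxPcF.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3c.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3WvSMyqVHNW.dll (Rootkit.Agent) -> Delete on reboot.
"""


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section header above it."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):   # blank, or "(No malicious items detected)"
            continue
        if line.endswith("Infected:"):         # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m is None or section is None:
            continue
        d = m.groupdict()
        d["section"] = section
        d["bad"] = int(d["bad"]) if d["bad"] is not None else None
        d["good"] = int(d["good"]) if d["good"] is not None else None
        detections.append(d)
    return detections


def summarize(detections):
    """The points a reviewer of this log would want to check after cleanup."""
    trusted = []
    for d in detections:
        z = ZONEMAP_RE.search(d["item"])
        if z and d["bad"] is not None:
            # Bad = zone the malware set, Good = zone MBAM wrote back.
            trusted.append((z["domain"], IE_ZONES.get(d["bad"], str(d["bad"])),
                            IE_ZONES.get(d["good"], str(d["good"]))))
    return {
        "families": Counter(d["family"] for d in detections),
        "trusted_zone_domains": trusted,
        # Only scheduled for deletion: confirm with a rescan after the reboot.
        "pending_reboot": [d["item"] for d in detections
                           if d["action"].lower().startswith("delete on reboot")],
        # Security Center notifications the malware had switched off.
        "security_center_notifications": [d["item"].rpartition("\\")[2] for d in detections
                                          if d["family"] == "Disabled.SecurityCenter"],
    }


def randomized_name_clusters(detections, prefix_len=6, min_members=2):
    """Group infected files by directory and filename prefix: many files sharing one
    prefix with random suffixes (here 4DW4R3...) belong to a single dropper."""
    groups = Counter()
    for d in detections:
        if d["section"] == "Files Infected":
            directory, _, name = d["item"].rpartition("\\")
            groups[(directory, name[:prefix_len])] += 1
    return {k: n for k, n in groups.items() if n >= min_members}


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    report = summarize(dets)
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
    print("randomized-name clusters:", randomized_name_clusters(dets))
```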
 
well i push on with gmer. kind of interesting when i started the program it would scan automatically. i then brought all of the tabs and selected rootkit\malware and selected scan.
did this 3 times, it would only go so far and lock up on .....drivers/atapi.
so i went back to TFC, ran malwarebyte again and ran gmer. it did its auto scan, and below is the log. what next please????
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-27 07:28:13
Windows 5.1.2600 Service Pack 3
Running: vll7j8my.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwrcrkod.sys


---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 81A55A9A

---- Files - GMER 1.0.15 ----

File C:\WINNT\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
 
thru step 7

i pushed on and ran dds so all the logs are now posted. thanks again.
dds notepad

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 7:39:05.13 on Thu 05/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.246.40 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINNT\System32\svchost.exe -k imgsvc
C:\WINNT\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\winnt\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
mRun: [GWMDMMSG] GWMDMMSG.exe
mRun: [GWMDMpi] c:\winnt\GWMDMpi.exe
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [POINTER] point32.exe
mRun: [ViewMgr] c:\program files\viewpoint\viewpoint manager\ViewMgr.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [OOBEDDDemise] cmd /x /c erase c:\winnt\system32\oobe\msoobe.exe
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ma521c~1.lnk - c:\program files\netgear\ma521 configuration utility\wlancfg5.exe
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\winnt\system32\Shdocvw.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://c:\program files\gateway\do more\DoMoreRunExe.CAB
DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\n6lflqy7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-22 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-22 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-22 267432]
R2 avgntflt;avgntflt;c:\winnt\system32\drivers\avgntflt.sys [2010-5-22 60936]
R3 FLASHREADER;USB Reader;c:\winnt\system32\drivers\camusb.sys [1980-1-1 24192]
S3 BWNDIS5;BWNDIS5 NDIS Protocol Driver;\??\c:\winnt\system32\bwndis5.sys --> c:\winnt\system32\BWNDIS5.SYS [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\qctest\pcdoc\pcdrdrv.sys --> c:\atf\qctest\pcdoc\PCDRDRV.sys [?]
S3 rtl8180;NETGEAR MA521 802.11b Wireless PC Card;c:\winnt\system32\drivers\MA521nd5.sys [2006-7-17 158848]

=============== Created Last 30 ================

2010-05-27 11:44:53 1602 ----a-w- c:\winnt\OEM.tmp
2010-05-23 11:59:23 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-05-23 11:58:59 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-05-23 11:58:55 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-05-23 11:58:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-23 11:58:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 11:39:25 73728 ----a-w- c:\winnt\system32\javacpl.cpl
2010-05-23 11:39:24 411368 ----a-w- c:\winnt\system32\deployJava1.dll
2010-05-23 07:56:09 0 ----a-w- c:\winnt\system32\14604.exe
2010-05-23 07:35:46 0 ----a-w- c:\winnt\system32\32391.exe
2010-05-23 07:15:18 0 ----a-w- c:\winnt\system32\5436.exe
2010-05-23 06:13:08 0 ----a-w- c:\winnt\system32\2995.exe
2010-05-23 02:05:27 0 d-----w- c:\winnt\system32\NtmsData
2010-05-23 01:58:08 0 d-----w- c:\docume~1\owner\applic~1\Avira
2010-05-23 01:30:57 60936 ----a-w- c:\winnt\system32\drivers\avgntflt.sys
2010-05-23 01:30:48 0 d-----w- c:\program files\Avira
2010-05-23 01:30:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-05-22 17:23:21 21504 ----a-w- c:\winnt\system32\hidserv.dll
2010-05-22 17:23:21 21504 ----a-w- c:\winnt\system32\dllcache\hidserv.dll

==================== Find3M ====================

2010-05-27 12:19:38 96512 ----a-w- c:\winnt\system32\drivers\atapi.sys
2010-05-27 12:19:38 96512 ----a-w- c:\winnt\system32\dllcache\atapi.sys
2006-08-21 14:35:42 34164437 ----a-w- c:\program files\NAV061220.exe
2006-03-15 19:47:14 780 ----a-w- c:\program files\Spyware Doctor.lnk
2009-11-20 02:15:04 32768 --sha-w- c:\winnt\system32\config\systemprofile\local settings\history\history.ie5\mshist012009111920091120\index.dat

============= FINISH: 7:41:37.27 ===============

dds attach notes

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 6/22/2003 4:38:44 PM
System Uptime: 5/27/2010 7:22:38 AM (0 hours ago)

Motherboard: Gateway | | Gateway 400VTX
Processor: Mobile Intel(R) Celeron(R) CPU 2.20GHz | uFCPGA2 | 2191/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 28 GiB total, 20.301 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Communications Port
Device ID: ROOT\PORTS\0000
Manufacturer: (Standard port types)
Name: Communications Port (COM4)
PNP Device ID: ROOT\PORTS\0000
Service: Serial

==== System Restore Points ===================

RP499: 5/22/2010 12:28:56 PM - Removed Microsoft Silverlight
RP500: 5/22/2010 12:30:43 PM - Removed Microsoft .NET Framework (English)
RP501: 5/22/2010 12:32:27 PM - Configured iTunes
RP502: 5/22/2010 12:59:42 PM - Software Distribution Service 3.0
RP503: 5/23/2010 6:38:07 AM - Installed Java(TM) 6 Update 20
RP504: 5/25/2010 7:48:28 AM - Installed Safari
RP505: 5/26/2010 5:40:55 PM - System Checkpoint

==== Installed Programs ======================

Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Apple Application Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Do More 7.0
DVD
Easy CD Creator 5 Basic
FreeCEO(www.freeceo.com) 802.11 Wireless LAN Adapter
Gateway Rhapsody
GTW V.92 Voicemodem
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hoyle Casino 2004
Intel(R) Extreme Graphics Driver
Intel(R) PRO Ethernet Adapter and Software
Java Auto Updater
Java(TM) 6 Update 20
Junk Mail filter update
Lexmark Z25-Z35
MA521 Configuration Utility
Malwarebytes' Anti-Malware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft IntelliPoint 4.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Learning and Research Plus Support Files
Microsoft National Language Support Downlevel APIs
Microsoft Picture It! Photo 7.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Mozilla Firefox (1.5)
MSN Internet Software
MSVCRT
PC-Doctor for Windows
pressplay
QuickTime
RealPlayer Basic
Safari
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Segoe UI
Shockwave
upapp
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows XP Service Pack 3
WinPhlash
Works Suite OS Pack

==== Event Viewer Messages From Past Week ========

5/27/2010 6:41:44 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
5/26/2010 11:01:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: adpu160m agp440 iaStor IntelIde ultra ViaIde
5/26/2010 10:58:11 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
5/25/2010 6:16:22 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
5/25/2010 6:16:22 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/23/2010 8:31:40 AM, error: Service Control Manager [7022] - The Avira AntiVir Guard service hung on starting.
5/23/2010 7:21:34 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.101 with the system having network hardware address 00:24:2C:24:1E:56. Network operations on this system may be disrupted as a result.
5/23/2010 5:54:33 AM, error: Service Control Manager [7031] - The Avira AntiVir Guard service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
5/23/2010 5:54:32 AM, error: Service Control Manager [7031] - The Avira AntiVir Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
5/23/2010 5:54:20 AM, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
5/22/2010 9:33:36 PM, error: VolSnap [25] - The shadow copy of volume C: was aborted because the diff area file could not grow in time. Consider reducing the IO load on this system to avoid this problem in the future.
5/22/2010 9:13:04 PM, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.
5/22/2010 8:27:30 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
5/22/2010 8:27:30 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
5/22/2010 8:27:30 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
5/22/2010 7:40:35 PM, error: Microsoft Antimalware [2001] -
5/22/2010 7:37:35 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
5/22/2010 7:37:35 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
5/22/2010 12:29:19 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
5/22/2010 12:18:27 PM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 0014A5C493A9 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================
 
It's easy to see why you're having the problems! Mbam found and removed a significant number of malware entries. But I suspect there will be more. Skip the Event Viewer for now and follow with this:

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
=====================================
After you've installed and run Combofix, follow with:

Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
File::

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe

Folder::
Registry::
Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Then Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Leave these logs in your next reply.
 
combofix results, more coming

ComboFix 10-05-27.01 - Owner 05/27/2010 17:30:02.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.246.47 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\14604.exe
c:\winnt\system32\2995.exe
c:\winnt\system32\32391.exe
c:\winnt\system32\5436.exe

Infected copy of c:\winnt\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-27 to 2010-05-27 )))))))))))))))))))))))))))))))
.

2010-05-25 12:48 . 2010-05-25 12:49 -------- d-----w- c:\program files\Safari
2010-05-25 12:47 . 2010-05-25 12:47 -------- d-----w- c:\program files\Common Files\Apple
2010-05-25 12:46 . 2010-05-25 12:46 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2010-05-25 12:46 . 2010-05-25 12:46 -------- d-----w- c:\program files\Apple Software Update
2010-05-25 12:46 . 2010-05-25 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-23 11:59 . 2010-05-23 11:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-05-23 11:58 . 2010-04-29 20:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-05-23 11:58 . 2010-05-23 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-23 11:58 . 2010-04-29 20:39 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-05-23 11:58 . 2010-05-25 11:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 11:42 . 2010-05-23 11:42 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f224b7b-n\msvcp71.dll
2010-05-23 11:42 . 2010-05-23 11:42 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f224b7b-n\jmc.dll
2010-05-23 11:42 . 2010-05-23 11:42 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f224b7b-n\msvcr71.dll
2010-05-23 11:41 . 2010-05-23 11:41 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73b12b92-n\decora-sse.dll
2010-05-23 11:41 . 2010-05-23 11:41 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73b12b92-n\decora-d3d.dll
2010-05-23 11:41 . 2010-05-23 11:41 -------- d-----w- c:\program files\Common Files\Java
2010-05-23 11:39 . 2010-05-23 11:38 411368 ----a-w- c:\winnt\system32\deployJava1.dll
2010-05-23 11:38 . 2010-05-23 11:38 -------- d-----w- c:\program files\Java
2010-05-23 11:04 . 2010-05-23 11:04 78 ---ha-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows\Network\mspdb80.dll
2010-05-23 02:05 . 2010-05-27 12:11 -------- d-----w- c:\winnt\system32\NtmsData
2010-05-23 01:58 . 2010-05-23 01:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
2010-05-23 01:30 . 2010-03-01 15:05 124784 ----a-w- c:\winnt\system32\drivers\avipbb.sys
2010-05-23 01:30 . 2010-02-16 19:24 60936 ----a-w- c:\winnt\system32\drivers\avgntflt.sys
2010-05-23 01:30 . 2009-05-11 17:49 45416 ----a-w- c:\winnt\system32\drivers\avgntdd.sys
2010-05-23 01:30 . 2009-05-11 17:49 22360 ----a-w- c:\winnt\system32\drivers\avgntmgr.sys
2010-05-23 01:30 . 2010-05-23 01:30 -------- d-----w- c:\program files\Avira
2010-05-23 01:30 . 2010-05-23 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-05-22 17:23 . 2008-04-14 00:11 21504 ----a-w- c:\winnt\system32\hidserv.dll
2010-05-22 17:23 . 2008-04-14 00:11 21504 ----a-w- c:\winnt\system32\dllcache\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-27 12:19 . 2003-06-06 08:37 96512 ----a-w- c:\winnt\system32\drivers\atapi.sys
2010-05-27 11:44 . 2010-05-27 11:44 1602 ----a-w- c:\winnt\OEM.tmp
2010-05-25 12:49 . 2006-10-29 22:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-05-25 12:48 . 2006-10-29 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-05-22 17:34 . 2003-06-06 08:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-04 09:00 . 2010-03-04 09:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2006-08-21 14:35 . 2006-08-21 14:35 34164437 ----a-w- c:\program files\NAV061220.exe
2006-03-15 19:47 . 2006-07-21 22:47 780 ----a-w- c:\program files\Spyware Doctor.lnk
2006-07-21 22:15 . 2006-07-21 22:15 60526 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-07-21 22:15 . 2006-07-21 22:15 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-07-21 22:15 . 2006-07-21 22:15 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 90112]
"GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-01-24 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-01-24 114688]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 684032]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-11 111816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-29 98304]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"="erase" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MA521 Configuration Utility.lnk - c:\program files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe [2006-7-17 380928]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/22/2010 8:31 PM 135336]
R3 FLASHREADER;USB Reader;c:\winnt\system32\drivers\camusb.sys [1/1/1980 24192]
S3 BWNDIS5;BWNDIS5 NDIS Protocol Driver;\??\c:\winnt\System32\BWNDIS5.SYS --> c:\winnt\System32\BWNDIS5.SYS [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S3 rtl8180;NETGEAR MA521 802.11b Wireless PC Card;c:\winnt\system32\drivers\MA521nd5.sys [7/17/2006 8:02 PM 158848]
.
Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = 127.0.0.1
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://c:\program files\gateway\Do More\DoMoreRunExe.CAB
DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n6lflqy7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
HKLM-Run-POINTER - point32.exe
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-27 17:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OOBEDDDemise = cmd /x /c erase c:\winnt\System32\oobe\msoobe.exe????????????c?t?1f???d??????????? ??????????E?v?i??????????????????????????????????????????????????????P/??????????|??? ??????w???w|????????????i??|??????p?????????i???????1f??1f??????????????????????????????[?w???????????w???w?[?w????????????C

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-27 17:47:48
ComboFix-quarantined-files.txt 2010-05-27 22:47

Pre-Run: 21,719,203,840 bytes free
Post-Run: 21,697,175,552 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 9E1882456769399BB6153A1D5C042320
 
combofix results with custom script, eset coming

ComboFix 10-05-27.01 - Owner 05/27/2010 18:04:44.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.246.120 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-04-27 to 2010-05-27 )))))))))))))))))))))))))))))))
.

2010-05-25 12:48 . 2010-05-25 12:49 -------- d-----w- c:\program files\Safari
2010-05-25 12:47 . 2010-05-25 12:47 -------- d-----w- c:\program files\Common Files\Apple
2010-05-25 12:46 . 2010-05-25 12:46 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2010-05-25 12:46 . 2010-05-25 12:46 -------- d-----w- c:\program files\Apple Software Update
2010-05-25 12:46 . 2010-05-25 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-23 11:59 . 2010-05-23 11:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-05-23 11:58 . 2010-04-29 20:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-05-23 11:58 . 2010-05-23 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-23 11:58 . 2010-04-29 20:39 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-05-23 11:58 . 2010-05-25 11:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 11:42 . 2010-05-23 11:42 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f224b7b-n\msvcp71.dll
2010-05-23 11:42 . 2010-05-23 11:42 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f224b7b-n\jmc.dll
2010-05-23 11:42 . 2010-05-23 11:42 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f224b7b-n\msvcr71.dll
2010-05-23 11:41 . 2010-05-23 11:41 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73b12b92-n\decora-sse.dll
2010-05-23 11:41 . 2010-05-23 11:41 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73b12b92-n\decora-d3d.dll
2010-05-23 11:41 . 2010-05-23 11:41 -------- d-----w- c:\program files\Common Files\Java
2010-05-23 11:39 . 2010-05-23 11:38 411368 ----a-w- c:\winnt\system32\deployJava1.dll
2010-05-23 11:38 . 2010-05-23 11:38 -------- d-----w- c:\program files\Java
2010-05-23 11:04 . 2010-05-23 11:04 78 ---ha-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows\Network\mspdb80.dll
2010-05-23 02:05 . 2010-05-27 12:11 -------- d-----w- c:\winnt\system32\NtmsData
2010-05-23 01:58 . 2010-05-23 01:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
2010-05-23 01:30 . 2010-03-01 15:05 124784 ----a-w- c:\winnt\system32\drivers\avipbb.sys
2010-05-23 01:30 . 2010-02-16 19:24 60936 ----a-w- c:\winnt\system32\drivers\avgntflt.sys
2010-05-23 01:30 . 2009-05-11 17:49 45416 ----a-w- c:\winnt\system32\drivers\avgntdd.sys
2010-05-23 01:30 . 2009-05-11 17:49 22360 ----a-w- c:\winnt\system32\drivers\avgntmgr.sys
2010-05-23 01:30 . 2010-05-23 01:30 -------- d-----w- c:\program files\Avira
2010-05-23 01:30 . 2010-05-23 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-05-22 17:23 . 2008-04-14 00:11 21504 ----a-w- c:\winnt\system32\hidserv.dll
2010-05-22 17:23 . 2008-04-14 00:11 21504 ----a-w- c:\winnt\system32\dllcache\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-27 12:19 . 2003-06-06 08:37 96512 ----a-w- c:\winnt\system32\drivers\atapi.sys
2010-05-27 11:44 . 2010-05-27 11:44 1602 ----a-w- c:\winnt\OEM.tmp
2010-05-25 12:49 . 2006-10-29 22:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-05-25 12:48 . 2006-10-29 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-05-22 17:34 . 2003-06-06 08:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-04 09:00 . 2010-03-04 09:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2006-08-21 14:35 . 2006-08-21 14:35 34164437 ----a-w- c:\program files\NAV061220.exe
2006-03-15 19:47 . 2006-07-21 22:47 780 ----a-w- c:\program files\Spyware Doctor.lnk
2006-07-21 22:15 . 2006-07-21 22:15 60526 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-07-21 22:15 . 2006-07-21 22:15 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-07-21 22:15 . 2006-07-21 22:15 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 90112]
"GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-01-24 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-01-24 114688]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 684032]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-11 111816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-29 98304]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"="erase" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MA521 Configuration Utility.lnk - c:\program files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe [2006-7-17 380928]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/22/2010 8:31 PM 135336]
R3 FLASHREADER;USB Reader;c:\winnt\system32\drivers\camusb.sys [1/1/1980 24192]
S3 BWNDIS5;BWNDIS5 NDIS Protocol Driver;\??\c:\winnt\System32\BWNDIS5.SYS --> c:\winnt\System32\BWNDIS5.SYS [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S3 rtl8180;NETGEAR MA521 802.11b Wireless PC Card;c:\winnt\system32\drivers\MA521nd5.sys [7/17/2006 8:02 PM 158848]
.
Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = 127.0.0.1
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://c:\program files\gateway\Do More\DoMoreRunExe.CAB
DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n6lflqy7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-27 18:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OOBEDDDemise = cmd /x /c erase c:\winnt\System32\oobe\msoobe.exe????????????c?t?1f???d??????????? ??????????E?v?i??????????????????????????????????????????????????????P/??????????|??? ??????w???w|????????????i??|??????p?????????i???????1f??1f??????????????????????????????[?w???????????w???w?[?w????????????C

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3648)
c:\winnt\system32\WININET.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\webcheck.dll
.
Completion time: 2010-05-27 18:19:12
ComboFix-quarantined-files.txt 2010-05-27 23:19
ComboFix2.txt 2010-05-27 22:47

Pre-Run: 21,699,637,248 bytes free
Post-Run: 21,690,773,504 bytes free

- - End Of File - - DC7EA49808CCD00B534A046C59CEFF1D
 
eset scan results

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d8a0a3c43fa70649bdd573f3902bc44a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-28 12:54:52
# local_time=2010-05-27 07:54:52 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775141 100 93 0 33150616 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=42039
# found=2
# cleaned=0
# scan_time=3777
C:\Qoobox\Quarantine\C\WINNT\system32\Drivers\atapi.sys.vir Win32/Olmarik.UI trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{14BCBB80-A370-4CAB-AD2A-E58B6914B467}\RP505\A0087214.sys Win32/Olmarik.UI trojan 00000000000000000000000000000000 I
 
Okay, you need to clear this up for me!
1. It says Windows XP, but it doesn't look like Windows XP.
2. There are processes from 2006 for Apple Computer.
3. You have something named "AMBIT WinDis32 Protocol Driver for Windows" running, which comes from the AMBIT Microsystems Corporation, which mainly develops & distributes OEM/ODM intelligent power & connectivity solutions to the computer & communications industries out of Taiwan.
4. You're running the OOBE Patch which removes the 'Activate Windows' link from the start menu and makes the Activating Windows Dialog say 'Already Activated'.

So- I'm not sure what we're looking at or why you did multiple Combofix scans. I'd like you to run HijackThis and see what entries are found:

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

I'll check this log then decide what to do. There is nothing in GMER and the 2 entries in Eset are not active in the system.
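As an added example (not code from this thread, ESET or ComboFix), here is a small Python triage script for the ESET Online Scanner log format posted above: it reads the `# key=value` header, parses each detection line, and separates copies sitting in ComboFix's Qoobox quarantine (`.vir` files) or in System Restore points from files still in a live location, which is the distinction behind the remark that the two Olmarik entries are not active. The quarantine and restore-point path conventions are taken from the log above; the third detection line and the header counts in the sample are constructed so that the live-file branch is exercised.

```python
"""
Triage an ESET Online Scanner log: separate detections that sit in a
quarantine folder or a System Restore point (dormant copies) from files
that are still in their live location, and cross-check the header counts.
Added example; not ESET's or ComboFix's code.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample, modelled on the ESET log posted in the thread.
# The first two detection lines are the ones from the thread; the third
# is a constructed placeholder so the "active" branch has something to find.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
# version=7
# end=finished
# remove_checked=false
# unwanted_checked=true
# scanned=42039
# found=3
# cleaned=0
C:\Qoobox\Quarantine\C\WINNT\system32\Drivers\atapi.sys.vir Win32/Olmarik.UI trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{14BCBB80-A370-4CAB-AD2A-E58B6914B467}\RP505\A0087214.sys Win32/Olmarik.UI trojan 00000000000000000000000000000000 I
C:\WINNT\system32\drivers\EXAMPLE-live-driver.sys Win32/Olmarik.UI trojan 00000000000000000000000000000000 I
"""

# One detection line as the scanner writes it: path (may contain spaces),
# threat name (always contains a "/"), threat kind, a 32-hex-digit hash
# field and a flag column. ESET sometimes prefixes "a variant of".
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:probably a variant of |a variant of )?\S*/\S+)\s+"
    r"(?P<kind>.+?)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+"
    r"(?P<flags>\S+)\s*$"
)

# Locations where a detected file is a stored copy, not a running one:
# ComboFix's quarantine folder and Windows XP restore points (both seen in
# the thread's log). ComboFix also renames quarantined files to *.vir.
DORMANT_MARKERS = (
    "\\qoobox\\quarantine\\",
    "\\system volume information\\_restore",
)


class Detection(NamedTuple):
    path: str
    threat: str
    kind: str
    dormant: bool


def is_dormant(path: str) -> bool:
    """True when the path points at a quarantined or restore-point copy."""
    p = path.lower()
    return p.endswith(".vir") or any(marker in p for marker in DORMANT_MARKERS)


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Split the log into its '# key=value' header and its detection lines."""
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:  # keep the first "=" split; values may contain spaces
                header[key.strip()] = value.strip()
            continue
        match = DETECTION_RE.match(line)
        if match:  # anything else (installer chatter) is ignored
            detections.append(
                Detection(match["path"], match["threat"], match["kind"],
                          is_dormant(match["path"]))
            )
    return header, detections


def triage(text: str) -> Dict[str, object]:
    """Summarise the log: counts, whether removal was on, live vs dormant hits."""
    header, detections = parse_eset_log(text)
    found = int(header.get("found", "0"))
    return {
        "scanned": int(header.get("scanned", "0")),
        "found": found,
        "cleaned": int(header.get("cleaned", "0")),
        "remove_checked": header.get("remove_checked") == "true",
        # A mismatch here means lines were truncated or the log was edited.
        "count_matches_header": found == len(detections),
        "active": [d for d in detections if not d.dormant],
        "dormant": [d for d in detections if d.dormant],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"scanned={report['scanned']} found={report['found']} "
          f"cleaned={report['cleaned']} remove_checked={report['remove_checked']}")
    for det in report["dormant"]:
        print("dormant:", det.threat, "->", det.path)
    for det in report["active"]:
        print("ACTIVE :", det.threat, "->", det.path)
```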
 
i'll try to answer bobbye

i got this laptop from a coworker that upgraded. he was having trouble with the power switch. that i handled. i pulled the circuit board with the on off switch and cleaned the sludge out of the switch, works great now.
runs on win xp. the safari (apple) i put on to try to get to microsoft update. if i do not need ambit, or oobe patch tell me how to send them packing.
i ran combo fix twice, which is what i thought your instructions told me to do. run it, then run it again with the custom script. maybe i misread your instructions.

i will run hijack and post the results first thing sat am. thanks for hanging in there with me on this. there is no love for any programs on this thing. i just want an operating system, and the ability for my brother in law to get his email, which is msn, and he checks nhra drag race results. big race fan. so something that is not paying rent, gets evicted!!!
hijack with morning coffee sat morning.
blairman
 
If you open the DDS log that has the Attach.txt, you will see a list of the installed programs. There will also be a listing in the HijackThis log but it might not show as complete. Look up any you don't know. Let me know what you want to keep and what you want to send packing and I'll help you get them off.

Do you know what all those Apple entries are from 2006?
 
saturday morning

bobbye, i ran hijack before i saw your last post,
i have no idea what the apple stuff was from 2006, i could only guess the prev owner was into music, or tried to sync with a cell phone or something. so not important.

i will post hijack log below, then go into dds and see if anything makes sense to me.;)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:53:35 AM, on 5/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: MA521 Configuration Utility.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

--
End of file - 5710 bytes
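
The decision the thread is working toward is which of the O2/O4/O16/O23 entries in a log like the one above need a closer look before anything is fixed. The script below is an added example, not part of the original post and not HijackThis or any tool from this thread: it parses the line formats HijackThis uses for BHOs, Run keys, downloaded ActiveX controls (DPF) and services, and flags the entries a reviewer would check first. The triage rules (orphaned BHO with "(no file)", a Run entry given only a bare executable name, a RunOnce that launches cmd, any DPF control fetched from the web, a service with no vendor) are the author's own heuristics, not a verdict that anything flagged is malicious; the sample lines are copied from the log above and do not form a complete log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above. Not a full log; just enough to exercise each rule.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
"""

# Line formats as HijackThis 2.x prints them (name - CLSID - path, etc.).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<short>[^)]*)\) - (?P<vendor>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    name: str      # entry name or CLSID, so it can be matched back to the log
    reason: str    # why a reviewer should look at it


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> list[Finding]:
    """Scan HijackThis log lines and return the entries worth checking first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            # CLSID still registered but the DLL is gone: leftover, safe to remove.
            if m["path"].lower() == "(no file)":
                findings.append(Finding("O2", m["clsid"],
                                        "BHO registered but its DLL is missing (orphan)"))
        elif m := O4_RE.match(line):
            exe = executable_of(m["cmd"])
            if m["key"].lower() == "runonce" and exe.lower() in ("cmd", "cmd.exe"):
                # A one-shot shell command at logon: confirm it is expected.
                findings.append(Finding("O4", m["name"],
                                        f"{m['hive']} RunOnce launches a shell command: {m['cmd']}"))
            elif "\\" not in exe:
                # No directory given: Windows resolves it through the search
                # path, so the file that actually runs must be verified.
                findings.append(Finding("O4", m["name"],
                                        f"bare executable name '{exe}' resolved via search path; verify the real file"))
        elif m := O16_RE.match(line):
            host = urlparse(m["url"]).netloc
            if host:
                # Any ActiveX control pulled from the web; drop unless recognised.
                findings.append(Finding("O16", m["clsid"],
                                        f"ActiveX control installed from {host}"))
        elif m := O23_RE.match(line):
            vendor = m["vendor"].strip()
            if not vendor or vendor.lower() == "unknown owner":
                findings.append(Finding("O23", m["short"],
                                        f"service with no vendor information: {m['path']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name}: {f.reason}")
```

Run against the sample, it reports the orphaned BHO, the bare-name `GWMDMMSG` Run entry, the `OOBEDDDemise` RunOnce (on this machine a Gateway OOBE cleanup, which is why the rule only flags rather than condemns) and the ESET DPF control, and stays quiet about the fully-pathed Avira entry and the Lexmark service. To use it on a whole log, read the saved `hijackthis.log` into `triage()` instead of `SAMPLE_LOG`; the O4 "Global Startup" shortcut lines use a different format and are deliberately left unparsed.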
 
Bobbye, I looked at the DDS running programs. Now, I do not know what actually needs to be running. I think it would be smart to retain the antivirus, and Java is important, I think, but some things like Roxio and QuickTime can be started when needed and don't need to run all of the time. svchost? LEXPPS? Common Files? NETGEAR? And the rest? Like I said, "if they don't pay rent, kick 'em out!"
blairman
 