Solved Sick puter


CarolinaChuck

Hello,

First problem started with a random ding dong sound like I plugged in a USB device. I tried to figure it out on my own by removing unused applications in Add/Remove Programs and msconfig startup; I may have done more harm than good. After a week, Internet Explorer 8 started to redirect me when opening links and then started to open new windows and go to sell/medical/BS type sites on its own. Also, AVG threats while offline: WINDOWS\system32\ping.exe

To keep it short, here are the logs:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.14.07
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: SUPER-CHUCKIE [administrator]
6/14/2012 11:50:51 AM
mbam-log-2012-06-14 (11-50-51).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 224426
Time elapsed: 11 minute(s), 20 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 4
C:\Win.Msi (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AntispywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AntispywareBot\Log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AntispywareBot\Settings (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
Files Detected: 5
C:\Win.Msi\3proxy.cfg (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Win.Msi\alg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AntispywareBot\rs.dat (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AntispywareBot\Log\2009 Jan 20 - 01_29_47 AM_453.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AntispywareBot\Settings\ScanResults.pie (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
(end)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-06-14 12:45:06
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5 WDC_WD2500YD-01NVB1 rev.10.02E01
Running: 6ncm6eom.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\agtorfod.sys

---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Ntfs \Ntfs InCDRec.sys (InCD File System Recognizer/Nero AG)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat InCDRec.sys (InCD File System Recognizer/Nero AG)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- Processes - GMER 1.0.15 ----
Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 3892
---- EOF - GMER 1.0.15 ----
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Administrator at 12:57:24 on 2012-06-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2773 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\dKEYUSBCradle\SyncService.exe
C:\dKEYUSBCradle\ProxyDaemon.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\dKEYUSBCradle\stunnel-4.10.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\dKEYUSBCradle\SyncInfoApp.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Start WingMan Profiler] "c:\program files\logitech\profiler\lwemon.exe" /noui
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [PowerArchiver Tray] c:\program files\powerarchiver\PASTARTER.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [WheelMouse] c:\program files\ocz technology\mouse\Amoumain.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Bing Bar] "c:\program files\msn toolbar\platform\5.0.1449.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [Nikon Message Center 2] c:\program files\nikon\nikon message center 2\NkMC2.exe -s
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\displa~1.lnk - c:\dkeyusbcradle\SyncInfoApp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.3\IExifMap.htm
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.3\IExifCom.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
LSP: mswsock.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227396431828
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\0l4hw7l5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6d1b5&v=6.010.006.004&I=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_32.dll
FF - plugin: c:\program files\java\jre6\bin\npoji610.dll
FF - plugin: c:\windows\system32\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R1 AvgLdx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
R1 AvgMfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 AvgTdiX;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 silabenm;GE Supra DisplayKey USB Cradle Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2011-7-6 24584]
R3 silabser;GE Supra DisplayKey USB Cradle Driver;c:\windows\system32\drivers\silabser.sys [2011-7-6 69256]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-11 136176]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 7\incd\nbhregincdsrv.exe --> c:\program files\nero\nero 7\incd\NBHRegInCDSrv.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 257224]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-11 136176]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
=============== Created Last 30 ================
.
2012-06-14 15:46:02 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-06-14 15:38:19 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-06-14 15:38:18 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-14 15:38:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-13 13:34:01 1409 ----a-w- c:\windows\QTFont.for
2012-06-12 16:30:30 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-06-12 16:30:30 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-08 15:30:35 -------- d-----w- c:\documents and settings\administrator\local settings\application data\PCHealth
2012-06-08 15:28:26 -------- dc-h--w- c:\windows\ie8
2012-06-08 14:52:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-08 14:52:47 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-06 16:39:18 -------- d-----w- c:\documents and settings\administrator\application data\AVG
2012-06-06 16:31:25 -------- d-----w- c:\documents and settings\administrator\application data\AVG2012
2012-06-06 16:29:51 -------- d-----w- c:\windows\system32\drivers\AVG
2012-06-06 16:29:51 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2012-06-06 15:31:02 131072 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2012-05-31 17:48:56 -------- d-----w- c:\program files\EZ Fonts
.
==================== Find3M ====================
.
2012-06-13 17:44:44 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 17:44:44 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-08 14:52:35 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-19 08:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-03-19 09:17:28 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
.
============= FINISH: 12:57:49.76 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/22/2008 4:55:26 PM
System Uptime: 6/14/2012 12:17:45 PM (0 hours ago)
.
Motherboard: MICRO-STAR INTERNATIONAL CO.,LTD | | MS-7550
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5400+ | CPU1 | 2800/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 66.875 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP881: 3/17/2012 2:09:56 AM - System Checkpoint
RP882: 3/18/2012 2:37:54 AM - System Checkpoint
RP883: 3/19/2012 3:35:03 AM - System Checkpoint
RP884: 3/20/2012 3:37:54 AM - System Checkpoint
RP885: 3/21/2012 4:37:54 AM - System Checkpoint
RP886: 3/22/2012 5:37:57 AM - System Checkpoint
RP887: 3/23/2012 6:37:54 AM - System Checkpoint
RP888: 3/24/2012 7:57:43 AM - System Checkpoint
RP889: 3/25/2012 8:38:59 AM - System Checkpoint
RP890: 3/26/2012 9:37:54 AM - System Checkpoint
RP891: 3/27/2012 6:39:42 PM - System Checkpoint
RP892: 3/28/2012 8:34:13 PM - System Checkpoint
RP893: 3/29/2012 8:37:51 PM - System Checkpoint
RP894: 3/30/2012 9:44:43 PM - System Checkpoint
RP895: 3/31/2012 10:27:14 PM - System Checkpoint
RP896: 4/1/2012 11:27:14 PM - System Checkpoint
RP897: 4/2/2012 11:28:36 PM - System Checkpoint
RP898: 4/4/2012 12:36:10 AM - System Checkpoint
RP899: 4/5/2012 2:36:41 AM - System Checkpoint
RP900: 4/6/2012 3:11:30 AM - System Checkpoint
RP901: 4/7/2012 4:11:30 AM - System Checkpoint
RP902: 4/8/2012 5:11:09 AM - System Checkpoint
RP903: 4/9/2012 5:11:30 AM - System Checkpoint
RP904: 4/10/2012 6:11:25 AM - System Checkpoint
RP905: 4/11/2012 7:11:25 AM - System Checkpoint
RP906: 4/12/2012 8:11:25 AM - System Checkpoint
RP907: 4/13/2012 8:21:16 AM - System Checkpoint
RP908: 4/14/2012 9:11:25 AM - System Checkpoint
RP909: 4/15/2012 10:56:03 AM - System Checkpoint
RP910: 4/16/2012 4:22:30 PM - System Checkpoint
RP911: 4/16/2012 6:50:17 PM - Removed HP Software Update
RP912: 4/16/2012 7:23:44 PM - Printer Driver HP Officejet 4500 G510n-z fax Installed
RP913: 4/17/2012 7:44:45 PM - System Checkpoint
RP914: 4/18/2012 8:51:19 PM - System Checkpoint
RP915: 4/19/2012 10:27:09 PM - System Checkpoint
RP916: 4/20/2012 11:51:29 PM - System Checkpoint
RP917: 4/22/2012 12:44:45 AM - System Checkpoint
RP918: 4/23/2012 12:46:09 AM - System Checkpoint
RP919: 4/24/2012 2:00:36 AM - System Checkpoint
RP920: 4/25/2012 2:57:11 AM - System Checkpoint
RP921: 4/26/2012 3:44:41 AM - System Checkpoint
RP922: 4/27/2012 4:44:41 AM - System Checkpoint
RP923: 4/28/2012 5:44:41 AM - System Checkpoint
RP924: 4/29/2012 6:44:43 AM - System Checkpoint
RP925: 4/30/2012 7:44:41 AM - System Checkpoint
RP926: 5/1/2012 2:30:31 PM - System Checkpoint
RP927: 5/2/2012 6:58:18 PM - System Checkpoint
RP928: 5/3/2012 7:45:22 PM - System Checkpoint
RP929: 5/4/2012 8:44:22 PM - System Checkpoint
RP930: 5/5/2012 9:57:52 PM - System Checkpoint
RP931: 5/6/2012 10:44:22 PM - System Checkpoint
RP932: 5/8/2012 12:36:53 AM - System Checkpoint
RP933: 5/9/2012 12:56:25 AM - System Checkpoint
RP934: 5/10/2012 1:44:25 AM - System Checkpoint
RP935: 5/11/2012 2:44:25 AM - System Checkpoint
RP936: 5/12/2012 3:44:25 AM - System Checkpoint
RP937: 5/13/2012 4:44:25 AM - System Checkpoint
RP938: 5/14/2012 5:44:25 AM - System Checkpoint
RP939: 5/15/2012 5:45:30 AM - System Checkpoint
RP940: 5/16/2012 6:44:24 AM - System Checkpoint
RP941: 5/17/2012 7:44:25 AM - System Checkpoint
RP942: 5/18/2012 8:57:25 AM - System Checkpoint
RP943: 5/19/2012 9:44:25 AM - System Checkpoint
RP944: 5/28/2012 11:49:42 AM - System Checkpoint
RP945: 5/29/2012 3:24:08 PM - System Checkpoint
RP946: 5/30/2012 8:18:44 PM - System Checkpoint
RP947: 5/31/2012 9:17:29 PM - System Checkpoint
RP948: 6/1/2012 10:17:29 PM - System Checkpoint
RP949: 6/2/2012 11:17:30 PM - System Checkpoint
RP950: 6/4/2012 12:17:30 AM - System Checkpoint
RP951: 6/5/2012 1:17:30 AM - System Checkpoint
RP952: 6/6/2012 1:40:38 AM - System Checkpoint
RP953: 6/6/2012 12:19:30 PM - Removed Ask Toolbar.
RP954: 6/6/2012 12:29:17 PM - Installed AVG 2012
RP955: 6/6/2012 12:29:34 PM - Installed AVG 2012
RP956: 6/7/2012 2:05:31 PM - System Checkpoint
RP957: 6/8/2012 10:35:17 AM - Restore Operation
RP958: 6/8/2012 10:52:09 AM - Removed Java(TM) 6 Update 23
RP959: 6/8/2012 10:52:30 AM - Installed Java(TM) 6 Update 32
RP960: 6/8/2012 11:24:36 AM - Software Distribution Service 3.0
RP961: 6/8/2012 11:29:54 AM - Installed Windows Internet Explorer 8.
RP962: 6/8/2012 11:30:46 AM - Software Distribution Service 3.0
RP963: 6/8/2012 4:07:07 PM - Restore Operation
RP964: 6/8/2012 4:14:48 PM - Installed AVG 2012
RP965: 6/8/2012 4:14:59 PM - Removed AVG 2012
RP966: 6/8/2012 4:19:17 PM - Installed AVG 2012
RP967: 6/8/2012 4:19:27 PM - Removed AVG 2012
RP968: 6/12/2012 12:29:44 PM - Restore Operation
RP969: 6/12/2012 1:19:01 PM - Installed AVG 2012
RP970: 6/12/2012 1:19:12 PM - Removed AVG 2012
RP971: 6/12/2012 6:29:16 PM - Installed AVG 2012
RP972: 6/12/2012 6:29:29 PM - Removed AVG 2012
RP973: 6/13/2012 7:38:22 AM - Installed AVG 2012
RP974: 6/13/2012 7:38:38 AM - Installed AVG 2012
.
==== Installed Programs ======================
.
7200
7200_Help
7200Trb
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe Acrobat 8.1.4 Professional
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Codecs
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 11 ActiveX
Adobe Flash Player 9 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Setup
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server {ko_KR}
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AGEIA PhysX v2.3.3
AHV content for Acrobat and Flash
AiO_Scan
AiOSoftware
AMD Processor Driver
Ask Toolbar
ATI - Software Uninstall Utility
ATI Display Driver
AVG 2012
Bing Bar Platform
BufferChm
Call of Duty(R) 2
Call of Duty(TM) Game of the Year Edition
Chinese Traditional Fonts Support For Adobe Reader 9
Compatibility Pack for the 2007 Office system
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
CutePDF Writer 2.8
DD Tournament Poker 1.2
Destinations
Director
DisplayKEY USB Cradle
dKeyUSBCradleDriver_x86
DocProc
DocumentViewer
DVD Suite
Fax
File Uploader
Ghost Recon Advanced Warfighter
Google Chrome
Google Earth Plug-in
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Image Zone 4.7
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HPSystemDiagnostics
InstantShare
Java Auto Updater
Java(TM) 6 Update 29
Just Learn Morse Code
LightScribe System Software 1.12.29.2
LightScribe Template Designs - 9 to 5 Pack 1
LightScribe Template Designs - Bonus Pack 1
LightScribe Template Designs - Fantasy Pack 1
LightScribe Template Designs - Kids Korner Pack 1
LightScribe Template Designs - Mythology Pack 1
LightScribe Template Designs - Tattoo Pack 1
LightScribeTemplateLabeler
Logitech Gaming Software
Malwarebytes Anti-Malware version 1.61.0.1400
Marine Aquarium 2, Sharks & Carousel Bundle
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox (3.5.5)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NASCAR® Racing 2003 Season
Nero 7 Essentials
neroxml
Nikon Message Center
Nikon Message Center 2
Nikon Movie Editor
Nikon Transfer
Notepad++
OCZ Technology Laser Gaming Mouse
PanoStandAlone
PC Wizard 2008.1.87
PDF Settings
PhotoGallery
Picture Control Utility
PowerArchiver 2009
PowerDVD
PowerProducer
ProductContext
QFolder
QuickTime
Readme
RealFlight G2 Simulator
Realtek High Definition Audio Driver
Scan
ScannerCopy
SecurDisc Viewer
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SkinsHP1
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
ViewNX
ViewNX 2
WebFldrs XP
WebReg
Windows Driver Package - GE Security (silabenm) Ports (12/10/2008 5.4.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
6/14/2012 2:38:49 AM, error: Service Control Manager [7034] - The AVGIDSAgent service terminated unexpectedly. It has done this 1 time(s).
6/13/2012 8:41:37 AM, error: DCOM [10000] - Unable to start a DCOM Server: {ABC01078-F197-4B0B-ADBC-CFE684B39C82}. The error: "%3" Happened while starting this command: "C:\Program Files\Google\Update\1.3.21.65\GoogleUpdateOnDemand.exe" -Embedding
6/13/2012 3:03:54 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
6/13/2012 12:05:49 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 002185995894 has been denied by the DHCP server 192.168.254.254 (The DHCP Server sent a DHCPNACK message).
6/13/2012 1:30:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
6/13/2012 1:30:32 PM, error: Service Control Manager [7001] - The AVG Free8 E-mail Scanner service depends on the AVG Free8 WatchDog service which failed to start because of the following error: The system cannot find the path specified.
6/13/2012 1:30:32 PM, error: Service Control Manager [7000] - The SeaPort service failed to start due to the following error: The system cannot find the path specified.
6/13/2012 1:30:32 PM, error: Service Control Manager [7000] - The Pml Driver HPZ12 service failed to start due to the following error: The system cannot find the file specified.
6/13/2012 1:30:32 PM, error: Service Control Manager [7000] - The Nero Registry InCD Service service failed to start due to the following error: The system cannot find the file specified.
6/13/2012 1:30:32 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/13/2012 1:30:32 PM, error: Service Control Manager [7000] - The AVG Free8 WatchDog service failed to start due to the following error: The system cannot find the path specified.
6/12/2012 12:32:05 PM, error: Service Control Manager [7001] - The AVG Free8 E-mail Scanner service depends on the AVG Free8 WatchDog service which failed to start because of the following error: The system cannot find the file specified.
6/12/2012 12:32:05 PM, error: Service Control Manager [7000] - The AVG Free8 WatchDog service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================

I hope you can help
 
Welcome to TechSpot! I'll help with the malware.

Does any of this sound familiar?
  1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random name consisting of three characters
  2. Clicking on any executable loads the malware
  3. Display fake security alerts on the infected computer.
  4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
  5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.
To fix #5, you start here: Download a Registry file that will fix these changes.
Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
  • Insert the removable device into the infected computer and open the folder for the drive letter associated with it. (Usually C)
  • Double click the FixNCR.reg file
  • You should now be able to run the .exe files.
-------------------------------------
To end the processes that belong to the rogue program:
Please click on RKill
  • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
  • Double click on the iExplore.exe icon
  • Please be patient- it may take a bit.
  • The black Window will close when through and you can continue.
Note: If you get a message that RKill is malware, ignore it> it's from the malware.
=======================================
Do not reboot your computer after running RKill as the malware programs will start again.
================================
Update and rescan with Malwarebytes:
  • Select Perform Full Scan on the Scanner tab
  • Click on the Scan button.
  • When scan has finished, you will see this image:
    scan-finished.jpg
  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
==============================
This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
    esetonlinescannersettings_thumb.jpg
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
====================================================
There are also some toolbars (TB) and browser helper objects (BHO) that we will need to remove as they will give you ads and possibly spyware:
======================================================
I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
    image_preview
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.
Temporary AV: Use one:
Microsoft Security Essentials
Comodo AV
Avast! Free Antivirus
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------

  • Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe
      cf-icon.jpg
      & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close any open browsers.
  • Before you run the Combofix scan, please disable any security software you have running.
    (If you need help with this, please see HERE)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=====================================================
Please leave any logs generated in your next reply.
====================================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
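Symptom #5 above (the malware hooking itself in front of every .exe launch) is done by rewriting the executable file-association keys in the registry, which is what the FixNCR.reg file restores. The read-only audit below is an added example written for this thread; it is not FixNCR.reg and not a tool from the helper's kit. It assumes the stock Windows values for the two keys it checks (`.exe` mapping to `exefile`, and the `open` command being `"%1" %*`), and it reports the per-user `HKCU\Software\Classes` overrides because those take precedence over the machine-wide entries and are where a per-user hijack would live. It changes nothing; it only tells you whether the association looks default before and after running the fix.

```powershell
# Added audit (not FixNCR.reg, not part of the thread): report whether the
# .exe file association still matches the Windows defaults. Read-only.
function Test-ExeAssociation {
    # Assumed stock values; these are the well-known Windows defaults,
    # not values taken from the thread.
    $expected = @{
        'HKCR:\.exe'                       = 'exefile'
        'HKCR:\exefile\shell\open\command' = '"%1" %*'
    }

    # HKCR is not mapped as a drive by default in PowerShell; map it once.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }

    $findings = @()

    foreach ($key in $expected.Keys) {
        if (-not (Test-Path $key)) {
            $findings += "MISSING  $key"
            continue
        }
        # The unnamed (Default) value is exposed as the '(default)' property.
        $actual = (Get-ItemProperty -Path $key).'(default)'
        if ($actual -ne $expected[$key]) {
            $findings += "CHANGED  $key : '$actual' (expected '$($expected[$key])')"
        }
    }

    # HKCR is a merged view; per-user class registrations win over HKLM.
    # A rogue that hijacks .exe for one account typically writes here,
    # so their mere presence is worth a look (they are absent on a stock install).
    foreach ($key in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile') {
        if (Test-Path $key) {
            $findings += "PRESENT  $key (per-user override of .exe handling)"
        }
    }

    return $findings
}

$result = Test-ExeAssociation
if ($result.Count -eq 0) {
    Write-Output 'OK: .exe association matches the Windows defaults.'
} else {
    Write-Output 'Deviations from the default .exe association:'
    $result | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt; a `CHANGED` line for the `open` command whose value points at a random three-character executable instead of `"%1" %*` is exactly the hijack described in symptom #5, and the script should print `OK` after FixNCR.reg has been applied.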
 
I ran the first two, Fix and Kill, but the full scan on Malwarebytes has stopped twice with a message box stating it encountered a problem and needed to stop. The following is the rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Rkill was run on 06/15/2012 at 4:46:39.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 06/15/2012 at 4:46:52.


AVG has asked me twice to either move to vault or heal detected threats-which I did. My other option would have been to close out of the notice...

Chuck
 
Okay, stop where you are. Instead of going on to the Malwarebytes Full Scan, do the following:

I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. Click on Next after choice has been made
  5. Check the AVG program you want to uninstall
  6. After uninstall shows complete, follow online prompts to Exit the program.
Temporary AV: Use one:
Microsoft Security Essentials
Comodo AV
Avast! Free Antivirus
=============================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
    esetonlinescannersettings_thumb.jpg
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=================================================
We will pick up as needed after I review Combofix.
 
Ok,

I have done something wrong. First, let me thank you for your time; it is nice to have a place to go.

I uninstalled AVG with AppRemover.

I then put on Avast.

Next I went on to the ESETOnlineScan and Avast went insane and would not let me go through it. Avast wanted to do a scan so I let it. It found Sirefef all over and I put the files in Avast vault; also a ping.exe that I had to ignore. When the system rebooted I now have no connection to the internet (Local Area Connection).

I would send the log from Avast, but I do not know where to find it. Only the internet connection is not working at this time. Avast also did a restore point before it scanned???

I imagine I can do ComboFix via a USB thumb drive, but wanted to tell you what has transpired. I am now on the laptop to post. Sorry, I screwed the pooch.

I am real sorry for messing this up

Chuck
 
You're supposed to disable the resident AV when you run the online Eset scan. I don't need the log from Avast.

We'll break a rule here and see if we can get the connection back. Use the restore point that Avast set before the scan. After the system restores, see if the connection is back- okay?

There is a variant of the malware that seems to either cause a constant rebooting or loss of the internet connection. I'd like to see how much of it we can remove> after the restore, go ahead and run Combofix. Use either direct download if connection is back or the flash drive to download Combofix then run on problem system.

Hold on the Eset scan until I check Combofix.

I noticed this in your first logs- I think it is contributing to the instability:

RP963: 6/8/2012 4:07:07 PM - Restore Operation
RP964: 6/8/2012 4:14:48 PM - Installed AVG 2012
RP965: 6/8/2012 4:14:59 PM - Removed AVG 2012
RP966: 6/8/2012 4:19:17 PM - Installed AVG 2012
RP967: 6/8/2012 4:19:27 PM - Removed AVG 2012
RP968: 6/12/2012 12:29:44 PM - Restore Operation
RP969: 6/12/2012 1:19:01 PM - Installed AVG 2012
RP970: 6/12/2012 1:19:12 PM - Removed AVG 2012
RP971: 6/12/2012 6:29:16 PM - Installed AVG 2012
RP972: 6/12/2012 6:29:29 PM - Removed AVG 2012
RP973: 6/13/2012 7:38:22 AM - Installed AVG 2012
RP974: 6/13/2012 7:38:38 AM - Installed AVG 2012

If you actually did what the restore point was set for, in 4 days the system was restored twice, AVG was installed 6 times and AVG was uninstalled 4 times and again today. This is tough on any system and more so in one that has malware.
 
Ok, it came back online...
Da log:

ComboFix 12-06-15.06 - Administrator 06/15/2012 23:42:12.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2929 [GMT -4:00]
Running from: e:\tech_ware\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\$NtUninstallKB60926$
c:\windows\$NtUninstallKB60926$\1377903237
c:\windows\$NtUninstallKB60926$\3856140326\@
c:\windows\$NtUninstallKB60926$\3856140326\Desktop.ini
c:\windows\$NtUninstallKB60926$\3856140326\L\00000004.@
c:\windows\$NtUninstallKB60926$\3856140326\L\1afb2d56
c:\windows\$NtUninstallKB60926$\3856140326\L\201d3dde
c:\windows\$NtUninstallKB60926$\3856140326\L\pepjmhmo
c:\windows\$NtUninstallKB60926$\3856140326\U\00000004.@
c:\windows\$NtUninstallKB60926$\3856140326\U\00000008.@
c:\windows\$NtUninstallKB60926$\3856140326\U\000000cb.@
c:\windows\$NtUninstallKB60926$\3856140326\U\80000000.@
c:\windows\$NtUninstallKB60926$\3856140326\U\80000032.@
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\SET14A.tmp
c:\windows\system32\SET14B.tmp
c:\windows\system32\SET1A4.tmp
c:\windows\system32\SET1A6.tmp
c:\windows\system32\SET1B4.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-05-16 to 2012-06-16 )))))))))))))))))))))))))))))))
.
.
2012-06-16 02:48 . 2012-06-16 02:48 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-15 17:37 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-06-15 17:37 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-06-15 17:37 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-06-15 17:37 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-06-15 17:37 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-06-15 17:37 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-06-15 17:37 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-06-15 17:37 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-06-15 17:33 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-06-15 17:33 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-06-15 17:33 . 2012-06-15 17:33 -------- d-----w- c:\program files\AVAST Software
2012-06-15 17:33 . 2012-06-15 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-06-15 08:48 . 2012-06-15 09:26 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-14 15:46 . 2012-06-14 15:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-06-14 15:38 . 2012-06-14 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-06-14 15:38 . 2012-06-14 15:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-14 15:38 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:34 . 2012-06-13 13:34 1409 ----a-w- c:\windows\QTFont.for
2012-06-08 15:30 . 2012-06-08 15:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2012-06-08 15:28 . 2012-06-08 15:29 -------- dc-h--w- c:\windows\ie8
2012-06-08 14:53 . 2012-06-08 14:53 -------- d-----w- c:\program files\Common Files\Java
2012-06-08 14:52 . 2012-06-08 14:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-08 14:52 . 2012-06-08 14:52 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-08 14:52 . 2012-06-08 14:52 -------- d-----w- c:\program files\Java
2012-06-07 09:51 . 2012-06-07 09:51 664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\d3d9caps.tmp
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
2012-06-04 20:56 . 2012-06-04 20:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2012-05-31 17:48 . 2012-05-31 17:49 -------- d-----w- c:\program files\EZ Fonts
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-13 17:44 . 2012-04-05 06:12 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-13 17:44 . 2011-06-19 02:15 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-08 14:52 . 2010-12-16 03:16 472864 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-01 68856]
"Start WingMan Profiler"="c:\program files\Logitech\Profiler\lwemon.exe" [2004-04-23 77824]
"PowerArchiver Tray"="c:\program files\PowerArchiver\PASTARTER.EXE" [2008-11-30 148288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"WheelMouse"="c:\program files\OCZ Technology\Mouse\Amoumain.exe" [2006-12-28 196608]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-15 479232]
"Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-26 619008]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2009-9-15 479232]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
DisplayKEY eSYNC Info.lnk - c:\dkeyusbcradle\SyncInfoApp.exe [2010-4-2 297472]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^DiskDoctor.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\DiskDoctor.lnk
backup=c:\windows\pss\DiskDoctor.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2008-02-18 19:36 1057064 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-02-27 18:03 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"=
"c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}\\setup\\hpznui01.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R3 silabenm;GE Supra DisplayKey USB Cradle Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [7/6/2011 4:19 PM 24584]
R3 silabser;GE Supra DisplayKey USB Cradle Driver;c:\windows\system32\drivers\silabser.sys [7/6/2011 4:19 PM 69256]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 11:26 AM 136176]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 2:12 AM 257224]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 11:26 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/15/2012 4:48 AM 40776]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.SYS [3/27/2005 11:26 PM 21696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-01-24 17:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 17:44]
.
2012-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 15:26]
.
2012-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 15:26]
.
2012-06-16 c:\windows\Tasks\User_Feed_Synchronization-{9C8C3BE7-D894-4540-AD52-1C1BE3AE0504}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
TCP: DhcpNameServer = 192.168.254.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0l4hw7l5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6d1b5&v=6.010.006.004&I=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
HKLM-Run-Bing Bar - c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
HKLM-Run-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
HKLM-Run-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
Notify-avgrsstarter - avgrsstx.dll
AddRemove-HP Photo & Imaging - c:\program files\HP\Digital Imaging\uninstall\hpzscr01.exe
AddRemove-Marine Aquarium 2, Sharks & Carousel Bundle - c:\program files\Prolific Publishing
AddRemove-Google Chrome - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\17.0.963.79\Installer\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-15 23:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1177238915-602162358-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4b,a9,fa,78,f6,9b,22,49,95,b6,a0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4b,a9,fa,78,f6,9b,22,49,95,b6,a0,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,b5,79,66,e0,6f,55,43,9f,15,d2,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11???\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.8"
"DeviceInstanceIds"=multi:"d:\\ati\\atidrv\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2312)
c:\windows\system32\WININET.dll
c:\program files\Logitech\Profiler\LWEHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\dkeyusbcradle\SyncService.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\dkeyusbcradle\ProxyDaemon.exe
c:\dkeyusbcradle\stunnel-4.10.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2012-06-15 23:55:57 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-16 03:55
.
Pre-Run: 73,559,621,632 bytes free
Post-Run: 74,725,367,808 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer
.
- - End Of File - - 50FB22110EB5FD453AC11ABACEC59C81
Chuck
 
Some things to keep in mind:

1. Your hard drive has only about 50% free> C: is FIXED (NTFS) - 112 GiB total, 66.875 GiB free.
It is best to run with as close to 80% free as possible. Take a look in Add/Remove Programs and uninstall any programs you don't use or need.
2. Always check download screens for pre-checked items. These will be for toolbars and browser helper objects, usually unrelated to what you're downloading. These should always be unchecked before the download.
3. If you are given a choice of Custom or Standard install, always choose Custom. That will help you prevent some useless bundled programs from being installed with the download.
=============================================

The scanners cannot read this. This appears to be the driver for the ATI SMBUS Controller but the source is questionable. It may be a part of your problem.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11???\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.8"
"DeviceInstanceIds"=multi:"d:\\ati\\atidrv\\sbdrv\\smbus\\smbusati.inf\00"
====================================================
Please see if you can pick up at the Full Scan with Malwarebytes.
Follow with the Eset scan> Disable the resident antivirus before running the scan.
=====================================================
The directions for Combofix say to do this:
Download Combofix from HERE or HERE and save to the desktop

But the Combofix header shows Running from: e:\tech_ware\ComboFix.exe
What or where is this? I have a script to run through Combofix, but it is saved to the desktop. If Combofix isn't on the desktop, you will not be able to drag the script into it.
===================================================
If able to run, leave new Mbam log and Eset log if there is one in your next reply. Please detail what problems remain.
 
OK,

ComboFix is now on the desktop; the E: drive was my USB thumb drive. I'll ask about that when we finish this clean up.

Here are the logs from full scan and ESet:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.15.02
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: SUPER-CHUCKIE [administrator]
6/16/2012 9:53:57 PM
mbam-log-2012-06-16 (21-53-57).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 380944
Time elapsed: 38 minute(s), 19 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

ESet log:

C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP951\A0080557.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP956\A0082031.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP957\A0082212.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP962\A0082538.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP962\A0082629.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP962\A0082655.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP962\A0082758.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP963\A0082782.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP967\A0082816.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP967\A0082826.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP967\A0082839.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP967\A0082851.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP967\A0082863.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP967\A0082875.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP968\A0082897.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP970\A0083897.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP970\A0083915.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP975\A0084495.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP976\A0084527.sys Win32/Sirefef.DA trojan

As far as what is not working: Avast is in an unsecured state and not responding to the Fix All button or the individual Start Now buttons.

Chuck
 
Good! Mbam is clean. Eset has no new entries. 'System Volume' is where the restore points are. Those entries are no longer active. When we have finished, I'll have you set a new, clean restore point and remove all of the old ones.

I asked about how much RAM is installed??
And about what problems you are now having??

Please run Combofix again and I'll write the script from that log.

Did you want to disinfect the flash drive??
  • Please download Panda USB Vaccine (you must provide a valid e-mail address and they will send the download link to it) to your desktop.
  • Install and run it.
  • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
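The distinction the helper draws above, between ESET hits inside System Restore snapshots (`System Volume Information\_restore{GUID}\RPnnn\`) and hits on live files, as an added Python example; this is not code from the thread, from ESET or from ComboFix. The log lines inside it are constructed placeholders laid out like the quoted ESET log, and the rule used to split the path from the detection text (first file extension followed by whitespace) is an assumption about that layout.

```python
import re

# Constructed sample in the layout of the ESET Online Scanner log quoted in the
# thread ("<path> <threat name> <type>"). The GUID, restore-point numbers and the
# third line are placeholders, not the user's real detections.
SAMPLE_ESET_LOG = """\
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP951\\A0080557.sys Win32/Sirefef.DA trojan
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP962\\A0082538.sys Win32/Sirefef.DA trojan
C:\\Documents and Settings\\User\\Local Settings\\Temp\\example.tmp Win32/Example.A trojan
"""

# Windows paths contain spaces, so the boundary between path and detection text
# is taken to be the first file extension that is followed by whitespace
# (assumption: no directory name in the path ends in ".ext" followed by a space).
LINE_RE = re.compile(r"^([A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})\s+(.+?)\s*$")

# System Restore keeps copies of replaced files under
# System Volume Information\_restore{GUID}\RPnnn\ ; a detection there is a
# snapshot of an old file, not a component that is currently loaded.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one ESET log line; return None for lines that are not detections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, threat = m.group(1), m.group(2)
    rp = RESTORE_POINT_RE.search(path)
    return {
        "path": path,
        "threat": threat,
        "restore_point": rp.group(1) if rp else None,  # e.g. "RP951"
        "active": rp is None,  # outside a snapshot => still needs attention
    }


def triage(log_text):
    """Parse every detection line of a log into a list of records."""
    return [r for r in (parse_line(l) for l in log_text.splitlines()) if r]


def summarize(records):
    """Count live vs snapshot hits and list which restore points are contaminated."""
    live = [r for r in records if r["active"]]
    snaps = [r for r in records if not r["active"]]
    return {
        "live": len(live),
        "restore_point": len(snaps),
        "contaminated_rps": sorted({r["restore_point"] for r in snaps}),
        "live_threats": sorted({r["threat"] for r in live}),
    }


if __name__ == "__main__":
    for rec in triage(SAMPLE_ESET_LOG):
        where = rec["restore_point"] or "live file"
        print(f"{where:10} {rec['threat']:28} {rec['path']}")
    print(summarize(triage(SAMPLE_ESET_LOG)))
```

Records with `active` set are the ones worth chasing; the snapshot hits only tell you which restore points must not be used for a rollback, which is why the next step in a cleanup is to create a fresh restore point and purge the old ones.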
 
Ok,

I have 4 GB of RAM in this machine.

As for the problems I see: Avast is unresponsive; the browser seems to work fine, with no redirects or random windows opening. Right now this machine has no working AV.

New log:

ComboFix 12-06-16.02 - Administrator 06/17/2012 14:11:52.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2597 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
c:\program files\Mozilla Firefox\Plugins\npqtplugin2.dll
c:\program files\Mozilla Firefox\Plugins\npqtplugin3.dll
c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
c:\program files\Mozilla Firefox\Plugins\npqtplugin7.dll
c:\program files\QuickTime\Plugins\npqtplugin2.dll
c:\program files\QuickTime\Plugins\npqtplugin3.dll
c:\program files\QuickTime\Plugins\npqtplugin4.dll
c:\program files\QuickTime\Plugins\npqtplugin5.dll
c:\program files\QuickTime\Plugins\npqtplugin6.dll
c:\program files\QuickTime\Plugins\npqtplugin7.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-17 to 2012-06-17 )))))))))))))))))))))))))))))))
.
.
2012-06-17 03:07 . 2012-06-17 03:07 -------- d-----w- c:\program files\ESET
2012-06-16 02:48 . 2012-06-16 02:48 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-15 17:37 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-06-15 17:37 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-06-15 17:37 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-06-15 17:37 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-06-15 17:37 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-06-15 17:37 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-06-15 17:37 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-06-15 17:37 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-06-15 17:33 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-06-15 17:33 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-06-15 17:33 . 2012-06-15 17:33 -------- d-----w- c:\program files\AVAST Software
2012-06-15 17:33 . 2012-06-15 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-06-14 15:46 . 2012-06-14 15:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-06-14 15:38 . 2012-06-14 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-06-14 15:38 . 2012-06-14 15:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-14 15:38 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:34 . 2012-06-13 13:34 1409 ----a-w- c:\windows\QTFont.for
2012-06-08 15:30 . 2012-06-08 15:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2012-06-08 15:28 . 2012-06-08 15:29 -------- dc-h--w- c:\windows\ie8
2012-06-08 14:53 . 2012-06-08 14:53 -------- d-----w- c:\program files\Common Files\Java
2012-06-08 14:52 . 2012-06-08 14:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-08 14:52 . 2012-06-08 14:52 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-08 14:52 . 2012-06-08 14:52 -------- d-----w- c:\program files\Java
2012-06-07 09:51 . 2012-06-07 09:51 664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\d3d9caps.tmp
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
2012-06-04 20:56 . 2012-06-04 20:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2012-05-31 17:48 . 2012-05-31 17:49 -------- d-----w- c:\program files\EZ Fonts
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-13 17:44 . 2012-04-05 06:12 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-13 17:44 . 2011-06-19 02:15 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-08 14:52 . 2010-12-16 03:16 472864 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-16_03.52.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2002-09-03 19:51 . 2012-06-16 03:53 540594 c:\windows\system32\perfh009.dat
+ 2002-09-03 19:51 . 2012-06-16 03:56 540594 c:\windows\system32\perfh009.dat
+ 2002-09-03 19:51 . 2012-06-16 03:56 109994 c:\windows\system32\perfc009.dat
- 2002-09-03 19:51 . 2012-06-16 03:53 109994 c:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-01 68856]
"Start WingMan Profiler"="c:\program files\Logitech\Profiler\lwemon.exe" [2004-04-23 77824]
"PowerArchiver Tray"="c:\program files\PowerArchiver\PASTARTER.EXE" [2008-11-30 148288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"WheelMouse"="c:\program files\OCZ Technology\Mouse\Amoumain.exe" [2006-12-28 196608]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-15 479232]
"Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-26 619008]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2009-9-15 479232]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
DisplayKEY eSYNC Info.lnk - c:\dkeyusbcradle\SyncInfoApp.exe [2010-4-2 297472]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^DiskDoctor.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\DiskDoctor.lnk
backup=c:\windows\pss\DiskDoctor.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2008-02-18 19:36 1057064 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-02-27 18:03 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}\\setup\\hpznui01.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R3 silabenm;GE Supra DisplayKey USB Cradle Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [7/6/2011 4:19 PM 24584]
R3 silabser;GE Supra DisplayKey USB Cradle Driver;c:\windows\system32\drivers\silabser.sys [7/6/2011 4:19 PM 69256]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 11:26 AM 136176]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 2:12 AM 257224]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 11:26 AM 136176]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.SYS [3/27/2005 11:26 PM 21696]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - MBAMSwissArmy
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-01-24 17:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 17:44]
.
2012-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 15:26]
.
2012-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 15:26]
.
2012-06-17 c:\windows\Tasks\User_Feed_Synchronization-{9C8C3BE7-D894-4540-AD52-1C1BE3AE0504}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
TCP: DhcpNameServer = 192.168.254.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0l4hw7l5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6d1b5&v=6.010.006.004&I=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-17 14:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1177238915-602162358-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11???\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.8"
"DeviceInstanceIds"=multi:"d:\\ati\\atidrv\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-06-17 14:19:53
ComboFix-quarantined-files.txt 2012-06-17 18:19
ComboFix2.txt 2012-06-16 03:55
.
Pre-Run: 84,137,861,120 bytes free
Post-Run: 84,129,132,544 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer
.
- - End Of File - - 66E558061BFDF9B4D215F0B2121B1F77
Chuck
 
Did you see my note about this in my Reply #9?

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11???\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.8"
"DeviceInstanceIds"=multi:"d:\\ati\\atidrv\\sbdrv\\smbus\\smbusati.inf\00"
.
==========================================
AVast is unresponsive
Right now this machine has no working AV

The above is not correct. You restored back to BEFORE Avast did the scan so there is nothing for it to remove! The program is on the system, but it has no scan results. Do you understand?
==---------------------> What you did-------------------->>
1. I uninstalled AVG with AppRemover.
2. I then put on Avast.
3. Avast also did a restore point before it scanned.
4. Next I went on to the ESETOnlineScan and Avast went insane and would not let me go through it. Avast wanted to do a scan so I let it. It found Sirefef all over and I put the files in Avast vault; also a ping.exe that I had to ignore. When the system rebooted I now have no connection to the internet (Local Area Connection).

5. Remember, you restored back to the restore point BEFORE Avast scanned. So on your system, it hasn't found anything yet!
============================================
Note an antivirus program does not distinguish 'location.' The Avast scan is most likely finding these entries:
C:\System Volume Information\_restore{1DD2A6AA-1B0B-4DDE-9895-5F72B4A3EFD2}\RP976\A0084527.sys Win32/Sirefef.DA trojan

But in its 'dumbness', it can't distinguish that these entries are not active any longer. The System Volume folder is a protected system folder. These don't get 'quarantined' or 'deleted' in a security scan, even though you may see those words. As I told you, when the system is clean, I will have you set a new, clean restore point and remove the old one.

As I Mentioned, I made an exception and had you deliberately use the System Restore point made by Avast BEFORE it scanned.

There were no new or active entries in the Eset scan.
=======================================================

This is curious >>>> These were entries in first Combofix log: They are all QuickTime plugins.
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
2012-06-06 15:31 . 2012-06-06 15:31 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll

And deleted in the second scan:
c:\program files\Mozilla Firefox\Plugins\npqtplugin2.dll
c:\program files\Mozilla Firefox\Plugins\npqtplugin3.dll
c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
c:\program files\Mozilla Firefox\Plugins\npqtplugin7.dll

along with the following

c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
------------------------------------
c:\program files\QuickTime\Plugins\npqtplugin2.dll
c:\program files\QuickTime\Plugins\npqtplugin3.dll
c:\program files\QuickTime\Plugins\npqtplugin4.dll
c:\program files\QuickTime\Plugins\npqtplugin5.dll
c:\program files\QuickTime\Plugins\npqtplugin6.dll
c:\program files\QuickTime\Plugins\npqtplugin7.dll
.
Where did you get these plugins? All 3 sets are the same.
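A defender's check for the three duplicated plugin sets above, added here as an example and not part of the thread: hash every npqtplugin*.dll under the three directories named in the log and report, per file name, how many copies exist, how many distinct digests they have, and whether the Authenticode signature verifies. The directory paths are taken from the log; everything else (function name, output layout) is this example's own.

```powershell
# Added example (not from the thread): compare the QuickTime plugin DLLs
# listed in the ComboFix log by content hash and signature, not just by name.
# Directories come from the log; adjust them if your install path differs.
$dirs = @(
    'C:\Program Files\Mozilla Firefox\plugins',
    'C:\Program Files\Internet Explorer\Plugins',
    'C:\Program Files\QuickTime\Plugins'
)

function Get-Sha256Hex([string]$Path) {
    # Uses .NET directly so it also runs on PowerShell 2.0, which has no Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Clear()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# One record per DLL found: where it is, how big it is, its digest, its signature state.
$records = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter 'npqtplugin*.dll' | ForEach-Object {
        New-Object PSObject -Property @{
            Name   = $_.Name
            Dir    = $dir
            Size   = $_.Length
            Signed = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            Sha256 = Get-Sha256Hex $_.FullName
        }
    }
}

# Collapse to one row per file name. Copies placed by the same installer should
# hash identically (DistinctHashes = 1); a copy that differs, or one whose
# signature is not 'Valid', is the one to look at more closely.
$records | Group-Object Name | ForEach-Object {
    $hashes = @($_.Group | Select-Object -ExpandProperty Sha256 | Sort-Object -Unique)
    $states = @($_.Group | Select-Object -ExpandProperty Signed | Sort-Object -Unique)
    New-Object PSObject -Property @{
        Name           = $_.Name
        Copies         = $_.Count
        DistinctHashes = $hashes.Count
        Signatures     = ($states -join ',')
    }
} | Sort-Object Name | Format-Table Name, Copies, DistinctHashes, Signatures -AutoSize
```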
 
Humm,

Not sure as I have not used the machine for anything other than this site and Eset....everything else has come in on the thumb drive when IE would not play; no thumb drive needed this go around. IE would not play with Eset so I used Mozilla to run Eset this last time-I don't use Mozilla often so I don't know if it brought it in or thought it needed it, either way I was not asked...All I have done is click on IE or Mozilla and closed them out. When I say IE would not play with ESet, it stopped responding when I tried to run ESet and required to be stopped using Ctl/Alt/Del (task manager).

As per the restore and the Avast; I am an ex-Marine and I am good with criticism and following directions, it just does not allow me to read between the lines well. Sorry, I am not the sharpest knife in the drawer when it comes to computers.

HKEY_LOCAL_MACHINE refers to part of the registry, as such it is above my paygrade so to speak. ATI, I have an ATI video card in this machine. As I recall, when I put this machine together I had an issue loading the driver from the supplied CD. This entry may date back to that time (2006/2007). I just chalked it up to a bad CD and used the motherboard's on-board video capabilities and went on with the program pulling the driver off the web.

I appreciate your patience,
Chuck
 
IE would not play with Eset so I used Mozilla to run Eset this last time-
Chuck, for the Eset scan, did you realize the first set of instructions were in accordance with which browser you were using- or better said> "Do this if you use IE or do this if you use a different browser." Once that distinction is made, the rest of the directions get picked up.

As for the Avast restore, my explanation was meant to put your mind at ease, nothing else. No criticism> just a 'this is how it went.' I thought it was kind of cool to know that what the Avast scan found was no longer 'found' because we did a time travel to before the scan was run. I'm sorry if I failed to do a better job with the explanation.
=================================================
Maybe the flash drive you used had the infected plugins already on it. So when you loaded it onto the already infected system, the plugins also loaded. I think it would be a good idea to disinfect the flash drive:

  • Please download Panda USB Vaccine(you must provide valid e-mail and they will send you download link to this e-mail address) to your desktop.
  • Install and run it.
  • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
===============================================

Sorry I can't help anymore with the Registry entry: [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]

Has there been any improvement in the system?
 
Bobbye,

You're good, I was trying to imply my shortcomings when it comes to such matters; my wife thinks I am smart on tech things, but I know I am over my head. The military analogy fell flat on its face-let's try another; I played with race cars in my days and learned straight off-the car does all the work, I am just the ******* along for the ride...

The computer seems back to the way it was. I find no issues. Let's go forward.

Chuck
 
Give yourself credit! You now have a clean, well running computer! Actually, about those cars: whether they were match book cars or real race cars, you were the one who had to make them work!

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.
Empty the Recycle Bin
 