[Solved] Problem laptop


Biolund

This forum helped me out tremendously recently (Broni helped me with another computer of mine). I am hoping you can take a crack at this one.

My wife's laptop has been acting up for a long time and it recently refused to install Corel Draw. Today I tried to update Windows without luck and I can see that most updates in the last year have failed. I ran Malwarebytes', which was installed, and it did not find anything, but I noticed that there was a file in quarantine with the name "Hijack.StartMenu".

I began doing the 8-step preliminary removal instructions, but did not get very far. I was unable to unstall an antivirus program. I did the temporary file cleaner successfully. GMER froze my computer after 1 hour and on the next try I got "the blue screen of death". Please help me with this one!
 
It's going to be more helpful to both of us if you can finish running steps in the Preliminary Virus and Malware Removal thread HERE.

For GMER, try either of these:
1. Uncheck Devices and see if it will scan.
2. If not, boot into Safe Mode and try the GMER scan.

I was unable to unstall an antivirus program.
I'm not sure whether you meant 'install' or 'uninstall' an antivirus program. You do not need to uninstall or disable an antivirus program for these scans, but you should have an AV program running.

When you have finished, please paste the logs into your next reply. It's okay if you need to split a log to include all of the content.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Thanks Bobbye

I will attempt to do the scans and get back to you.

In my first post I meant I was unable to install an anti virus program. I tried to install Avira Free, but was unable to, so I could not do the anti virus scan.
 
Here are some logs.

Malwarebytes'

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4375

Windows 6.0.6000
Internet Explorer 7.0.6000.16512

7/31/2010 11:22:01 PM
mbam-log-2010-07-31 (23-22-01).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 280190
Time elapsed: 1 hour(s), 4 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-01 22:51:06
Windows 6.0.6000
Running: un2zjr3b.exe; Driver: C:\Users\wner\AppData\Local\Temp\kgroapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by wner at 22:55:43.30 on Sun 08/01/2010
Internet Explorer: 7.0.6000.16512
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.1332 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\wner\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=ML6714
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=ML6714
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=ML6714
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [Sidebar] "c:\program files\windows sidebar\Sidebar.exe" /autorun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [BigFix] c:\program files\bigfix\bigfix.exe /atstartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\wner\appdata\roaming\mozilla\firefox\profiles\v7e9mvy0.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\users\wner\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\wner\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\wner\appdata\roaming\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\users\wner\appdata\roaming\move networks\plugins\npqmp071701000002.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2007-10-15 251904]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-10-15 30192]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================


==================== Find3M ====================

2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2008-10-03 20:59:12 51200 ----a-w- c:\windows\inf\infpub.dat
2008-10-03 20:59:08 86016 ----a-w- c:\windows\inf\infstrng.dat
2008-10-03 20:59:08 86016 ----a-w- c:\windows\inf\infstor.dat
2008-10-02 18:21:00 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:50:50 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-17 01:52:54 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-10-17 01:52:54 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-10-17 01:52:54 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 22:56:25.53 ===============

Attach.txt is attached
 

In my first post I meant I was unable to install an anti virus program. I tried to install Avira Free, but was unable to, so I could not do the anti virus scan.

There is an entry for LiveUpdate 3.3 (Symantec Corporation) which means at some point Norton was on the system. But I don't see anything for it running. You need to get an antivirus program on the system- now.

There are no System Restore Points. Is it turned on? Were restore points removed?
The logs show nothing under "= Created Last 30 =".

So the logs aren't showing malware entries, but are showing system problems. But unless you can get a working antivirus program on the system, there is no point in cleaning it. Do you understand that the AV program doesn't have to be changed if it's current and working? We suggest the following to be used if there is no AV at all. Please try again- I don't need a scan but the system needs protection if I send you to download programs to run!
Both of the following programs are free and known to be good:
Avira Free
Avast Home

Please reboot the system when done.
===============================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I will have you update the Java and remove the old versions later.
 
I am not sure about the restore points since I did not set up the computer and my wife has used it since we got it.

I was able to install Avast AV, but it would not start. I got the message "the application has failed to start because of its side-by-side configuration is incorrect. Please see application event log for more detail"

I did run Eset NOD32 Online AntiVirus scan. Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=3f39a13077c67844b6a602ca52997e87
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-05 02:42:35
# local_time=2010-08-04 10:42:35 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=6.0.6000 NT
# compatibility_mode=5892 16776573 100 100 0 117578197 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=157472
# found=0
# cleaned=0
# scan_time=5507
 
Message from Bobbye:

Due to family matters that require my time and efforts, I am unable to continue helping with malware cleaning at this time. If and when these matters are resolved, I will return to the board.

Since the only other helper in the Virus and Malware forum is Broni, I will ask him to pick up the open threads I have going, if and when he can.

========================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Bobbye - Thank you for helping me and countless others on this forum - your work is greatly appreciated!! I hope everything works out for the best for you.

Broni - thank you for taking over where Bobbye left off. I ran the ComboFix. Here is the log:

ComboFix 10-08-06.01 - wner 08/06/2010 19:46:29.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.989 [GMT -4:00]
Running from: c:\users\wner\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\setup.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-07-06 to 2010-08-06 )))))))))))))))))))))))))))))))
.

2010-08-05 01:02 . 2010-08-05 01:02 -------- d-----w- c:\program files\ESET
2010-08-05 00:49 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-05 00:49 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-05 00:49 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-05 00:49 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-05 00:49 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-08-05 00:47 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-05 00:47 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-05 00:46 . 2010-08-05 00:46 -------- d-----w- c:\programdata\Alwil Software
2010-08-05 00:46 . 2010-08-05 00:46 -------- d-----w- c:\program files\Alwil Software
2010-08-03 12:59 . 2010-08-03 12:59 -------- d-----w- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 00:50 . 2007-10-16 00:24 -------- d-----w- c:\program files\Google
2010-06-22 17:31 . 2010-06-22 17:31 50354 ----a-w- c:\users\wner\AppData\Roaming\Facebook\uninstall.exe
2010-06-22 17:31 . 2010-06-22 17:31 -------- d-----w- c:\users\wner\AppData\Roaming\Facebook
2010-06-19 01:45 . 2010-06-19 01:45 -------- d-----w- c:\users\wner\AppData\Roaming\Malwarebytes
2010-06-19 01:45 . 2010-06-19 01:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-19 01:45 . 2010-06-19 01:45 -------- d-----w- c:\programdata\Malwarebytes
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\users\wner\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-06-06 16:21 . 2007-12-21 21:28 103832 ----a-w- c:\users\wner\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-21 18:14 . 2009-10-18 06:39 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-12-04 17:50 . 2010-01-03 12:28 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2008-01-10 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-10-16 1006264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-01 129560]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-01 141848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-01 154136]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-04 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-05 136176]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-04 30192]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-05-24 251904]

.
Contents of the 'Scheduled Tasks' folder

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-05 00:49]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-05 00:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=ML6714
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\wner\AppData\Roaming\Mozilla\Firefox\Profiles\v7e9mvy0.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\wner\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\wner\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\users\wner\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe
HKLM-Run-BigFix - c:\program files\Bigfix\bigfix.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 19:51
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-08-06 19:53:21
ComboFix-quarantined-files.txt 2010-08-06 23:53

Pre-Run: 52,113,498,112 bytes free
Post-Run: 52,095,594,496 bytes free

- - End Of File - - A9820896521DF3517826DF099CE09914
 
You're very welcome


Combofix log looks good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
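Broni's verdict above comes from reading the "Reg Loading Points" block of the ComboFix log posted earlier in this thread. The script below is an added example, not part of the thread and not ComboFix's own code: a small Python triage helper that parses that REGEDIT4-style block and flags the settings an analyst checks first, namely UAC turned off (EnableLUA=0, which the posted log does show), Security Center override flags, a product whose monitoring has been disabled, and a populated AppInit_DLLs. The SAMPLE_LOG text inside the script is constructed to match the format of the posted log; the severity labels and the helper names (parse_value, parse_loading_points, triage, run_sample) are assumptions of this example.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example; it is not part of the thread and not ComboFix's own code.  It
parses the REGEDIT4-style blocks ComboFix prints (key in [brackets], then
"name"=value lines) and flags settings that weaken Windows' built-in
protections.  SAMPLE_LOG below is constructed to match the format of the log
posted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the ComboFix "Reg Loading Points" format.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-10-16 1006264]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)\s*=\s*(.*)$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{1,8})$")
DECIMAL_HEX_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")
FILE_STAMP_RE = re.compile(r"\s*\[[^\]]*\]$")


def parse_value(raw: str):
    """Turn the textual value into an int (dword / 'N (0xN)') or a clean string."""
    raw = raw.strip()
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = DECIMAL_HEX_RE.match(raw)
    if m:
        return int(m.group(1))
    # ComboFix appends "[date size]" to file entries; drop it, then unquote.
    raw = FILE_STAMP_RE.sub("", raw)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return raw


def parse_loading_points(text: str) -> Dict[str, Dict[str, object]]:
    """Map each registry key (original spelling) to its {name: value} entries."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = parse_value(m.group(2))
    return keys


def triage(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs for settings that weaken protection."""
    findings: List[Tuple[str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\policies\\system") and values.get("EnableLUA") == 0:
            findings.append(("high", "UAC is disabled (EnableLUA=0); admin sessions run every process with full rights"))
        if k.endswith("\\security center\\svc"):
            for name in ("AntiVirusOverride", "AntiSpywareOverride", "FirewallOverride"):
                if values.get(name) == 1:
                    findings.append(("high", f"Security Center is told not to report on this component ({name}=1)"))
        if "\\security center\\monitoring\\" in k and values.get("DisableMonitoring") == 1:
            product = key.rsplit("\\", 1)[-1]
            findings.append(("medium", f"Security Center monitoring disabled for {product} (DisableMonitoring=1)"))
        if k.endswith("\\windows nt\\currentversion\\windows") and values.get("AppInit_DLLs"):
            findings.append(("medium", f"AppInit_DLLs={values['AppInit_DLLs']}: loaded into every process that loads user32.dll, confirm the publisher"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    """Parse and triage the constructed sample; returns the list of findings."""
    return triage(parse_loading_points(SAMPLE_LOG))


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```

The script only raises these entries for review; it does not call them malicious. In the posted log the override and monitoring values are consistent with a security product that was once installed and later removed, and the AppInit_DLLs entry points at Google Desktop, which is why the helper's reading of the log was "looks good" even though an analyst still wants UAC back on.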
 
...and here is the Extras.txt (the OTL.txt was too long for copy/paste):

OTL Extras logfile created on: 8/6/2010 8:16:39 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\wner\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.69 Gb Total Space | 48.54 Gb Free Space | 35.00% Space Free | Partition Type: NTFS
Drive D: | 10.36 Gb Total Space | 3.87 Gb Free Space | 37.39% Space Free | Partition Type: NTFS
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-PC
Current User Name: wner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1B2B62A9-E380-444A-B565-E176979ACC02}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{1C5B07A9-ACB6-4896-B551-91BB2436666D}" = rport=138 | protocol=17 | dir=out | app=system |
"{2DB233E9-60DD-4415-AADE-5C293BDB4AA9}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{31E509EA-2DAF-43D7-BFFD-1ECCA2214E12}" = rport=137 | protocol=17 | dir=out | app=system |
"{5818B398-7379-47A2-9C01-E9A57AA3A897}" = lport=137 | protocol=17 | dir=in | app=system |
"{5B1E8EB3-551B-4F6D-A1D2-9A665000BDE1}" = rport=445 | protocol=6 | dir=out | app=system |
"{65D031F3-4A79-4BF8-AA62-79E4E317B484}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{7B474FA3-919E-4132-BD5E-896350EF1A8C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{875F73F2-C96A-47F3-BEA6-6241B6EFBC3C}" = lport=445 | protocol=6 | dir=in | app=system |
"{917DD9AC-1DC2-44B0-B808-829C82D62B81}" = lport=67 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{944BF2D0-B75A-42F4-ABA7-04BB2B9C6DFA}" = lport=53 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{A9B787B7-DA84-48E4-A54B-FDCC6409FF00}" = rport=139 | protocol=6 | dir=out | app=system |
"{B1817131-D209-46E4-B58D-08E53C3EE720}" = lport=2869 | protocol=6 | dir=in | app=system |
"{BB31A7DE-8A5C-4368-A3BB-0AEFAA8BCC53}" = rport=2869 | protocol=6 | dir=out | app=system |
"{BDCB8FE4-9B49-4FAD-9593-C85C260EFB1A}" = lport=547 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{C22CB836-490A-4813-9FC6-2A6679B44A58}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{CA2B5D01-3214-44BF-8831-C5D594F00E4C}" = lport=139 | protocol=6 | dir=in | app=system |
"{DD78E8FB-90C8-4009-ABDE-7B64C7CF0B82}" = lport=68 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{E493C4F1-9AAF-41A2-838F-E2BE0EA8F252}" = lport=138 | protocol=17 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0316F610-20C2-49AB-B068-4783074D944C}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{1EF025C8-B810-41FF-8A18-48667C6EF790}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{58478FDE-765C-4DC7-8461-6BEC81B6BCE6}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{616D8960-E156-42E8-A46F-0A011B369242}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 |
"{639719B0-3B93-4938-8F05-15BBFF4735CA}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{68443134-71B8-4FF4-AE8F-66A3EBCBC1F6}" = dir=out | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{71718F87-A8F1-4B6C-A47A-38088E22EBC5}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{80E87CAF-DC94-4480-9E25-824EBAF443CE}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{97B53A52-E079-4E14-920E-44C9F90E55E1}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{A49BF55E-2D90-465E-9D38-CF5E29884314}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{B348E9A4-6436-4819-998C-7A99130AB9D7}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{B7B7B470-36CC-4F64-BCFE-FF654C1C9DB4}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{DE4BF297-AF41-497F-A52C-381F180065EE}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"TCP Query User{576B2BE6-DBDF-4497-8A85-2A18D75308E2}C:\program files\java\jre1.6.0_01\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre1.6.0_01\bin\javaw.exe |
"UDP Query User{FF2969DA-10D4-4B66-A307-D8C1259B9E49}C:\program files\java\jre1.6.0_01\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre1.6.0_01\bin\javaw.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06FE1146-4FF8-45DF-B0D9-CBA8E38C708C}" = REALTEK USB Wireless LAN Driver
"{0E0479F8-180F-4054-B4F7-17EE657F90BF}" = TIPCI
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}" = QuickTime
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 5.0
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{5B35C417-2649-11D6-83D1-0050FC01225C}" = FirstClass® Client
"{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}" = Microsoft Money Shared Libraries
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6ABA3523-4F11-4787-8839-C249BBF0B8D1}" = Rosetta Stone 2.2.0.0A
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7F3BCF8A-8E02-4659-AF25-F9AB66BD6718}" = Gateway Recovery Center Installer
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{EE5EEDAF-F932-462B-A2CB-EEBDF819D5F5}" = Gateway Connect
"{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}" = Microsoft WSE 2.0 SP3 Runtime
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast5" = avast! Free Antivirus
"ENTERPRISER" = Microsoft Office Enterprise 2007
"ESET Online Scanner" = ESET Online Scanner v3
"FAA Test Prep" = FAA Test Prep
"FAA Test Prep 2006 Edition" = Gleim's FAA Test Prep 2006 Edition
"Gateway Game Console" = Gateway Game Console
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{0E0479F8-180F-4054-B4F7-17EE657F90BF}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{6ABA3523-4F11-4787-8839-C249BBF0B8D1}" = Rosetta Stone 2.2.0.0A
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Money2007b" = Microsoft Money Essentials
"Mozilla Firefox (3.5.11)" = Mozilla Firefox (3.5.11)
"SMSERIAL" = Motorola SM56 Data Fax Modem
"SynTPDeinstKey" = Synaptics Pointing Device Driver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/6/2010 7:53:26 PM | Computer Name = Owner-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Alwil Software\Avast5\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 8/6/2010 7:53:26 PM | Computer Name = Owner-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Alwil Software\Avast5\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 8/6/2010 7:53:27 PM | Computer Name = Owner-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Alwil Software\Avast5\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 8/6/2010 8:09:49 PM | Computer Name = Owner-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Alwil Software\Avast5\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 8/6/2010 8:11:21 PM | Computer Name = Owner-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe".
Dependent
Assembly Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 8/6/2010 8:11:59 PM | Computer Name = Owner-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Alwil Software\Avast5\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 8/6/2010 8:12:01 PM | Computer Name = Owner-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Alwil Software\Avast5\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 8/6/2010 8:12:01 PM | Computer Name = Owner-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Alwil Software\Avast5\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 8/6/2010 8:12:06 PM | Computer Name = Owner-PC | Source = Application Error | ID = 1000
Description = Faulting application sidebar.exe, version 6.0.6000.16615, time stamp
0x4764fba1, faulting module ole32.dll, version 6.0.6000.16386, time stamp 0x4549bd92,
exception code 0xc0000005, fault offset 0x0005882c, process id 0xe30, application
start time 0x01cb35c5278e7897.

Error - 8/6/2010 8:16:18 PM | Computer Name = Owner-PC | Source = WerSvc | ID = 5007
Description =

[ System Events ]
Error - 3/15/2008 10:32:29 AM | Computer Name = Owner-PC | Source = Microsoft-Windows-Servicing | ID = 4385
Description =

Error - 3/15/2008 10:32:34 AM | Computer Name = Owner-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 3/15/2008 10:33:06 AM | Computer Name = Owner-PC | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 3/15/2008 10:33:06 AM | Computer Name = Owner-PC | Source = Microsoft-Windows-Servicing | ID = 4385
Description =

Error - 3/15/2008 10:33:11 AM | Computer Name = Owner-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 3/15/2008 10:35:29 AM | Computer Name = Owner-PC | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 3/15/2008 10:35:29 AM | Computer Name = Owner-PC | Source = Microsoft-Windows-Servicing | ID = 4385
Description =

Error - 3/15/2008 10:35:29 AM | Computer Name = Owner-PC | Source = Microsoft-Windows-Servicing | ID = 4385
Description =

Error - 3/15/2008 10:35:29 AM | Computer Name = Owner-PC | Source = Microsoft-Windows-Servicing | ID = 4385
Description =

Error - 3/15/2008 10:35:34 AM | Computer Name = Owner-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =


< End of report >
 
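The OTL sections above are the parts a responder actually reads for posture: "Security Center Settings" shows `AntiVirusOverride = 1` (Security Center will stay quiet about a missing or disabled AV) and `EnableFirewall = 0` on the PublicProfile, and the exception lists show which inbound firewall rules exist and for what. The following Python is an added example, not OTL's code and not posted by anyone in this thread; it parses those three sections from a constructed sample made of lines excerpted from the log above and flags the same items a helper would. The rule-name convention `TCP Query User{GUID}path` is what Windows uses for rules created when the user clicks Unblock on a firewall prompt.

```python
# Added example (not OTL's code, not from the thread): triage the Security Center
# and firewall-rule sections of an OTL log.
import re
from dataclasses import dataclass

# Constructed sample: lines excerpted from the OTL log above, trimmed to a few rules.
SAMPLE_LOG = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2DB233E9-60DD-4415-AADE-5C293BDB4AA9}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{875F73F2-C96A-47F3-BEA6-6241B6EFBC3C}" = lport=445 | protocol=6 | dir=in | app=system |
"{58478FDE-765C-4DC7-8461-6BEC81B6BCE6}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{97B53A52-E079-4E14-920E-44C9F90E55E1}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"TCP Query User{576B2BE6-DBDF-4497-8A85-2A18D75308E2}C:\program files\java\jre1.6.0_01\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre1.6.0_01\bin\javaw.exe |
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)\s*$')
PROFILES = ("DomainProfile", "StandardProfile", "PublicProfile")


@dataclass
class Finding:
    severity: str   # "high" = protection switched off, "review" = exception to eyeball
    key: str
    name: str
    detail: str


def parse_rule(value: str) -> dict:
    """Turn 'lport=6004 | protocol=17 | dir=in | app=...' into a dict of lowercase fields."""
    fields = {}
    for part in value.split("|"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip().lower()] = v.strip().lower()
    return fields


def is_windows_component(app: str) -> bool:
    """Rules for the kernel ('system') or binaries under %systemroot% are stock Windows rules."""
    return app == "system" or app.startswith("%systemroot%\\") or app.startswith("c:\\windows\\")


def triage(log_text: str) -> list:
    """Walk the log line by line, tracking the current registry key, and collect findings."""
    findings, key = [], ""
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        tail = key.rsplit("\\", 1)[-1]
        if key.endswith("\\Security Center\\Svc") and name.endswith("Override") and value == "1":
            findings.append(Finding("high", key, name,
                                    "Security Center monitoring suppressed; no warning if this protection is off"))
        elif tail in PROFILES and name == "EnableFirewall" and value == "0":
            findings.append(Finding("high", key, name, f"Windows Firewall disabled for {tail}"))
        elif tail == "FirewallRules":
            rule = parse_rule(value)
            app = rule.get("app", "")
            if rule.get("dir") == "in" and app and not is_windows_component(app):
                origin = "created from an Unblock prompt" if "Query User" in name else "installed rule"
                findings.append(Finding("review", key, name,
                                        f"inbound exception for {app} ({origin}, "
                                        f"proto {rule.get('protocol', 'any')}, port {rule.get('lport', 'any')})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.name}: {f.detail}")
```

On the sample this reports the two "high" items (the AV override and the disabled public-profile firewall, exactly what the OTL fix later in the thread corrects) and three inbound exceptions to review (Outlook, Bonjour and the user-approved Java rule); the stock rules for `system` on 445 and for svchost outbound are filtered out.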
Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

=====================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    SRV - [2009/07/13 12:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
    DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" =dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" =-
    
    :Files
    C:\Program Files\Symantec
    C:\Program Files\Common Files\Symantec Shared
    
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Results of the fix log:

All processes killed
========== OTL ==========
Service LiveUpdate stopped successfully!
Service LiveUpdate deleted successfully!
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE moved successfully.
Service SYMREDRV stopped successfully!
Service SYMREDRV deleted successfully!
File C:\Windows\System32\Drivers\SYMREDRV.SYS not found.
Service SPBBCDrv stopped successfully!
Service SPBBCDrv deleted successfully!
File C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\\"EnableFirewall" |dword:00000001 /E : value set successfully!
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\\AntiVirusOverride scheduled to be deleted on reboot.
========== FILES ==========
C:\Program Files\Symantec\Symantec Endpoint Protection folder moved successfully.
C:\Program Files\Symantec\LiveUpdate folder moved successfully.
C:\Program Files\Symantec folder moved successfully.
C:\Program Files\Common Files\Symantec Shared\SRTSP folder moved successfully.
C:\Program Files\Common Files\Symantec Shared\SPManifests folder moved successfully.
C:\Program Files\Common Files\Symantec Shared\Help folder moved successfully.
C:\Program Files\Common Files\Symantec Shared\COH folder moved successfully.
C:\Program Files\Common Files\Symantec Shared folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: wner
->Temp folder emptied: 117704 bytes
->Temporary Internet Files folder emptied: 3303569 bytes
->Java cache emptied: 23305 bytes
->FireFox cache emptied: 37179972 bytes
->Flash cache emptied: 3506 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 12972 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 39.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: wner
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08062010_205442

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\\AntiVirusOverride scheduled to be deleted on reboot.
 
Good :)

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Here is the checkup.txt. I will follow steps 2 & 3 now.

Results of screen317's Security Check version 0.99.5
Windows Vista (UAC is disabled!)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
avast! Free Antivirus
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 21
Adobe Flash Player 10.0.42.34
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
Mozilla Firefox (3.5.11) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

````````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

``````````End of Log````````````
 
You don't have any service pack installed.
It's dangerous.
As soon as Kaspersky shows a clean computer, please install SP2.

==========================================================================

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
 
Broni

Part of my problem with this computer is that Windows Update fails to install most updates. I tried to install SP2 recently and was unable to do so. I suspected that perhaps malware was at play.
 
Here is the Kaspersky log. It looks like it is clean:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, August 7, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, August 06, 2010 18:25:52
Records in database: 4135745
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 157654
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 03:28:20

No threats found. Scanned area is clean.

Selected area has been scanned.
 
Windows update is still not cooperating. Also found out that the computer does not even have service pack 1. I downloaded SP1 and attempted to manually install it without any luck. The install was stopped almost immediately with the message:

An internal error occurred while installing the service pack
Error code 0x80073712. See
http://go.microsoft.com/fwlink/?LinkId=101139 for details
 
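Windows Update and service pack installers report HRESULTs, and the one in the post above decodes to something specific: 0x80073712 has the failure bit set, facility 7 (FACILITY_WIN32) and low 16 bits 0x3712 = 14098, which is ERROR_SXS_COMPONENT_STORE_CORRUPT in winerror.h. That is a corrupted component store (WinSxS), consistent with the repeated Microsoft-Windows-Servicing errors (IDs 4375 and 4385) in the system event log section of the OTL report, and it is a servicing problem rather than evidence of malware by itself. The following Python is an added example, not from the thread and not Microsoft's code; the small error-name table is constructed for illustration and is deliberately not exhaustive.

```python
# Added example (not from the thread, not Microsoft's code): decode a Windows
# Update / servicing HRESULT such as 0x80073712.
FACILITY_WIN32 = 7

# Win32 error codes from winerror.h that matter for servicing failures.
# Constructed for this example; deliberately not an exhaustive table.
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    14001: "ERROR_SXS_CANT_GEN_ACTCTX",
    14098: "ERROR_SXS_COMPONENT_STORE_CORRUPT",
}


def decode_hresult(hr: int) -> dict:
    """Split an HRESULT into its severity bit, 11-bit facility and 16-bit code."""
    hr &= 0xFFFFFFFF
    return {
        "failed": bool(hr >> 31),        # S bit: 1 = failure
        "facility": (hr >> 16) & 0x7FF,  # bits 16-26
        "code": hr & 0xFFFF,             # low 16 bits
    }


def hresult_from_win32(err: int) -> int:
    """Python mirror of the HRESULT_FROM_WIN32 macro from winerror.h."""
    if err <= 0:
        return err & 0xFFFFFFFF          # already an HRESULT, or S_OK
    return 0x80000000 | (FACILITY_WIN32 << 16) | (err & 0xFFFF)


def explain(hr: int) -> str:
    """One readable line for a servicing or Windows Update error code."""
    d = decode_hresult(hr)
    if not d["failed"]:
        return f"0x{hr:08X}: success code"
    if d["facility"] == FACILITY_WIN32:
        name = WIN32_ERRORS.get(d["code"], "unlisted Win32 error")
        return f"0x{hr:08X}: Win32 error {d['code']} ({name})"
    return f"0x{hr:08X}: facility {d['facility']}, code {d['code']}"


if __name__ == "__main__":
    print(explain(0x80073712))
```

Round-tripping `hresult_from_win32(14098)` back to `0x80073712` is the quick sanity check that the decode is right; any other facility value (Windows Update's own 0x8024xxxx codes, for example) falls through to the generic line rather than being mislabelled as a Win32 error.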
Let's run the last steps first...

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=========================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current (skip this one).

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.

=================================================================

Now...

Try here: http://support.microsoft.com/kb/971058
If the above doesn't work, try this: http://support.microsoft.com/kb/931712/
Do NOT use Method 2: Perform a system restore under any circumstances.
 
Broni - THANK YOU for cleaning my computer!!! I am still working on the update issue. Have tried step 1 without success. Will try step 2 and report back.
 