Unable to access Control Panel for Add/Remove Programs

MrEd
Hello- I was trying to remove a program, so I went to Control Panel from the Start menu in XP, and nothing happens when I click on it. Same issue with many desktop icons, with no response, so I usually right-click Start and open Windows Explorer, which incidentally crashes, and my desktop will clear of icons and reload them. Ran HijackThis after renaming it, per a post on here, but that seemed old (2007), and I see it is not being used in your malware procedure.

Downloaded the Step 2: Malwarebytes Anti-Malware and tried to install it, but Windows Installer asks for a "scan.msi" file which I cannot locate, so it won't install. I have an old Sony Vaio desktop from around 2002, BTW. Have had this scan.msi issue trying to run a scanner also.

Anyway, sorry to be so long-winded, but I wondered if you might have any suggestions on how to proceed. I just ran updated Spybot Search & Destroy and AVG Free Antivirus.

Thank you very much!
 
Welcome to TechSpot! You're right, we don't use HijackThis to 'screen' for malware.

Are you connected to the internet when you attempt any of these?
1. Control Panel doesn't populate.
2. Shortcuts (icons) on the desktop don't open programs.
3. Windows Explorer causes the system to crash.


And if you're in Safe Mode, Malwarebytes isn't going to install.
============================================
If you have an HP system, you can find the missing scan.msi file HERE.
So while you're working on the steps, clarify this for me. If this is something that just began, what did you do before it started? Install new programs? Get updates? Change Registry entries?
================================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Thanks for the Reply!

Are you connected to the internet when you attempt any of these? Yes, but it has been happening for months, even when I would disconnect. After I posted, Malwarebytes installed after I kept cancelling when Windows Installer asked for the scan.msi file. BTW, I wasn't in Safe Mode. Running Malwarebytes now. Thanks for the HP msi. I don't have my original install disks for this PC. I see your procedure. No known file sharing on my PC. Please advise what you suggest. Thank you so much!
1. Control Panel doesn't populate.
2. Shortcuts (icons) on the desktop don't open programs.
3. Windows Explorer causes the system to crash.
 
Posted Logs

Hello- Posting logs as instructed. Thank you for your analysis! Blessings!


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7312

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/28/2011 8:28:24 PM
mbam-log-2011-07-28 (20-28-09).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 509540
Time elapsed: 3 hour(s), 44 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> No action taken.
HKEY_CLASSES_ROOT\Eeshellx.ShellExt (Rogue.EvidenceEliminator) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Evidence Eliminator Quick Mode (Rogue.EvidenceEliminator) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Evidence Eliminator Safe Restart (Rogue.EvidenceEliminator) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Evidence Eliminator Safe Shutdown (Rogue.EvidenceEliminator) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Evidence Eliminator Safe Recycle (Rogue.EvidenceEliminator) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Evidence Eliminator (Rogue.EvidenceEliminator) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Evidence Eliminator (Rogue.EvidenceEliminator) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> Value: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> Value: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\Homepage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
c:\documents and settings\User\start menu\Programs\evidence eliminator (Rogue.EvidenceEliminator) -> No action taken.

Files Infected:
c:\program files\iobit toolbar\IE\4.5\iobittoolbarie.dll (PUP.Dealio.TB) -> No action taken.
d:\program files\EE Crack\Patch.exe (RiskWare.Tool.CK) -> No action taken.
d:\program files\evidence eliminator\Patch.exe (RiskWare.Tool.CK) -> No action taken.
c:\documents and settings\User\start menu\Programs\evidence eliminator\evidence eliminator help.lnk (Rogue.EvidenceEliminator) -> No action taken.
c:\documents and settings\User\start menu\Programs\evidence eliminator\evidence eliminator license agreement.lnk (Rogue.EvidenceEliminator) -> No action taken.
c:\documents and settings\User\start menu\Programs\evidence eliminator\evidence eliminator read me.lnk (Rogue.EvidenceEliminator) -> No action taken.
c:\documents and settings\User\start menu\Programs\evidence eliminator\evidence eliminator.lnk (Rogue.EvidenceEliminator) -> No action taken.
------------------------------------------------------------------------

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-07-29 12:44:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST380013A rev.3.54
Running: 38c1njzz.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\pxtdqpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip socketlock.sys
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \Driver\Tcpip \Device\Tcp socketlock.sys
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \Driver\Tcpip \Device\Udp socketlock.sys
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \Driver\Tcpip \Device\RawIp socketlock.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp UrlFilter.sys (URL Filter/IObit.com)

---- EOF - GMER 1.0.15 ----


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by User at 13:07:08 on 2011-07-29
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.245 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
svchost.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\Program Files\Backup SOS for Kingtston Thumb Drive 5-16-11\OverlayCache.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyServer = 127.0.0.1:8080
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mCustomizeSearch = hxxp://www.google.com
mURLSearchHooks: H - No File
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~2\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
TB: Powermarks: {e166b4a2-83e7-11d3-b4fd-004005a47aaa} - c:\progra~1\powerm~1.5\iec.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Samsung Common SM] "c:\windows\samsung\comsmmgr\ssmmgr.exe" /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [IObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart
mRun: [<NO NAME>]
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WWllGOC1DSzdRRy05VUJVUi03U1VMUy00NEtSMi1GS1NV"&"inst=NzctNjU2MDA4ODY3LUJBKzEtVDEtVUNBTEwrMS1VQ0FMTDIrMi1UQjgrMi1GTCs4LUY4TTExQysxLVVQRysyMDExLUY4TTExRSsxLUZMMTArMS1MSUMrOTktU1AxUzIrMS1TUDFTMysxLVNVRCsxLVMxSSsxLVNVMysxLUREVCsw"&"prod=90"&"ver=10.0.1382
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\user\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\yankee~1.lnk - d:\program files\yankee clipper\YankClip.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\autorunsdisabled\quicken online backup taskbar icon.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - d:\program files\logitech mx 1000 mouseware\setpoint\KEM.exe
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: + Offline &Explorer: Download the link
IE: + Offline E&xplorer: Download the current page
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Customize Menu &4
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Logoff &5
IE: Open Link Target in Firefox
IE: Reset Fields &-
IE: Rf Options &O
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Set Fields &=
IE: Stop popups from this web page
IE: Translate this page
IE: View This Page in Firefox
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~2\spybot~1\SDHelper.dll
LSP: c:\program files\google\google desktop search\GoogleDesktopNetwork1.dll
Trusted Zone: linkshare.com
Trusted Zone: linksynergy.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: ppctlcab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {17492023-C23A-453E-A040-C7C580BBF700}
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - d:\program files\yahoo im 7.0\common\yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
DPF: {62789780-B744-11D0-986B-00609731A21D}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134210557440
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yuplapp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38486.9494212963
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999}
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/Typography/Utility/1/WXP/EN-US/clearadj.CAB
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} - hxxp://216.249.24.60/code/iPIX-ImageWell-ipix.cab
DPF: {FF054BED-D972-4215-897E-726C3488DDBB} - hxxp://supportcentral4.sel.sony.com/sdccommon/download/sonyctl.CAB
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\pjv41h00.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=642886&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=642886&p=
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - 127.0.0.1
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 1088
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 1
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-6-23 13496]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-6-24 393112]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-6-23 821080]
R2 KDATA;KDATA;c:\windows\system32\drivers\Kdata.sys [2004-1-15 44504]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2006-2-23 45312]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2010-9-16 80896]
R2 SocketLock;Raw Socket Lock Driver;c:\windows\system32\socketlock.sys [2004-3-9 3712]
R2 SonyFKC;FAN and Keyboard Control Service;c:\windows\system32\drivers\SonyFKC.sys [2001-12-14 12032]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [2005-8-2 7196]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2006-2-23 55936]
R3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-6-23 30368]
R3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-6-23 16080]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [2001-12-14 54271]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2011-5-5 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
S3 Quicken Online BackupLauncher;Quicken Online Backup Launcher;d:\program files\quicken backup\OLLaunch.exe [2004-7-3 73794]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-6-11 27064]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [2001-12-14 593000]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2004-2-23 15576]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [2006-4-26 899884]
S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-6-23 239472]
.
=============== Created Last 30 ================
.
2011-07-28 19:03:56 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2011-07-28 19:02:34 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-28 19:02:32 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-28 19:02:21 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-28 18:46:04 -------- d-----w- c:\program files\Trend Micro
2011-07-18 22:39:47 -------- d-----w- c:\program files\IObit Toolbar
2011-07-17 00:55:29 -------- d-----w- c:\documents and settings\user\application data\Search Settings
2011-07-17 00:54:59 -------- d-----w- c:\program files\common files\Spigot
2011-07-17 00:54:59 -------- d-----w- c:\program files\Application Updater
.
==================== Find3M ====================
.
2011-06-19 16:15:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-19 15:04:50 4702 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-04 08:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 13:08:37.50 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/12/2003 9:22:48 PM
System Uptime: 7/29/2011 1:43:13 AM (12 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P4B266LM
Processor: Intel(R) Pentium(R) 4 CPU 1.60GHz | mPGA 478 | 1614/100mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 15 GiB total, 0.357 GiB free.
D: is FIXED (NTFS) - 60 GiB total, 22.078 GiB free.
E: is Removable
F: is CDROM ()
G: is CDROM ()
H: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_80EA104D&REV_10\4&1351887D&0&68F0
Manufacturer: Realtek
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_80EA104D&REV_10\4&1351887D&0&68F0
Service: rtl8139
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\10190728004603
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\10190728004603
Service: NIC1394
.
Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&268D196D&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&268D196D&0
Service: i8042prt
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WAN Miniport (ATW)
Device ID: ROOT\NET\0000
Manufacturer: America Online, Inc.
Name: WAN Miniport (ATW)
PNP Device ID: ROOT\NET\0000
Service: wanatw
.
==== System Restore Points ===================
.
RP361: 7/28/2011 6:42:40 AM - System Checkpoint
RP362: 7/29/2011 7:02:54 AM - System Checkpoint
.
==== Installed Programs ======================
.
1400
1400_Help
1400Trb
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0.9
AI RoboForm (All Users)
AiO_Scan
AiOSoftware
AuctionSieve
AVG 2011
AVG PC Tuneup 2011
BufferChm
CleanUp!
Clear Cache feature for Internet Explorer
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
CueTour
CustomerResearchQFolder
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
Doc Scrubber v1.0
DocProc
DocumentViewer
DocumentViewerQFolder
Dropbox
DVDExpress
DVgate
eBible2
EBookPaper
eSupportQFolder
Excel Utilities 2.0
Express Burn
Express Scribe
Fax
File Scavenger 2.1v
Flash Movie Extract Pilot
FullDPAppQFolder
Google Chrome
Google Earth
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Document Viewer 5.3
HP Extended Capabilities 5.3
HP Image Zone 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
HTC BMP USB Driver
HTC Driver Installer
HTC Sync
HyperSnap-DX 5
ImageStation
ImageStation Demo
Index.DAT File Viewer
InstantShareDevices
IObit Malware Fighter
IObit Toolbar v4.5
IrfanView (remove only)
iRider
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java Auto Updater
Java(TM) 6 Update 26
Java(TM) 6 Update 3
Keyword Pad v1.0.112706
Listpics v2.0
Logitech MouseWare 9.79.1
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech SetPoint
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Shockwave Player
Malwarebytes' Anti-Malware version 1.51.1.1800
MarketResearch
Media Bar 3.2.12
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Convert Number Smart Tag
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Outlook Personal Folders Backup
Microsoft Picture It! Express 7.0
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft XML Spreadsheet Add-In for Access 2002
Microsoft® Measurement Smart Tag Converter
MixPad
Motion JPEG Software Decoder
Move Media Player
MovieShaker 3.3
Mozilla Firefox (1.5.0.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
NetAlyzer 0.3
NewCopy
NVIDIA Windows 2000/XP Display Drivers
Nvu 1.0
PanoStandAlone
PC-Linq
PDF Manual NW-S600/S700F Series
PhotoGallery
PicoPlayer
Powermarks 3.5
ProductContext
Quicken 2006
Quicken Online Backup (remove only)
QuickTime
RandMap
Read in Microsoft Reader Add-in for Microsoft Word
Readme
RegAlyzer 1.1
Remove Hidden Data Tool
Revo Uninstaller 1.80
Revo Uninstaller Pro 2.5.3
Samsung ML-2010 Series
SAPI 5.1 Text-to-Speech engine - English
Scan
ScannerCopy
Secure Tunnel
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
SetupPPUpdater
Sheer Notes v1.1
Simple Search-Replace
SkinsHP1
Smart Defrag 2
SocksCap V2
SolutionCenter
Sonic Foundry ACID 3.0g
Sonic_PrimoSDK
SonicStage 1.1.00
SonicStage CD-R Writing Module
Sony Certificate PCH
Sony Download Taxi 1.5.0.0
Sony DV Shared Library
Sony Sound Forge 7.0
SOS Online Backup
SoundTap Uninstall
Speed Typing
SpeedStream 2604 DSL/Cable Router
SpywareBlaster 4.1
Status
Super Mp3 Recorder Professional
Support Actions Win2K,WinXP
Text Workbench 4.5
Total Uninstall 2.34
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2541763)
Update for Windows XP (KB971029)
VAIO Brezza Wallpaper
VAIO Grid Wallpaper
VAIO Help & Support
VAIO Serenus Wallpaper
VAIO Support
VisualFlow 2.1
WebFldrs XP
WebReg
Window Washer 5
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Support Tools
Windows XP Service Pack 3
Word 2002 Support Template
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yankee Clipper III
.
==== Event Viewer Messages From Past Week ========
.
7/29/2011 1:45:25 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
.
==== End Of File ===========================
 
Please go back and update and rescan with Malwarebytes>> taking care to do this:
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.

All those many malware entries show: No Action Taken.
Nothing was removed- all still on the system. Please do ASAP.


Edit: I was looking for information for the Evidence Eliminator. I found it, but I also note in your log that you pirated the program:
d:\program files\EE Crack\Patch.exe (RiskWare.Tool.CK) -> No action taken.

You can always expect to get malware when you use cracks and keygens. Remove it please.
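The helper's point turns on the action column of the Malwarebytes log: an entry that still reads "No action taken" was detected but never removed. The following is an added Python example (written for this page, not code from the thread or from Malwarebytes) that parses a Malwarebytes' Anti-Malware 1.x text log of the shape posted in this thread, lists detections whose action is not a removal, and cross-checks the per-section counts in the summary against the entries actually listed. The sample logs are constructed; only the EE Crack line is taken from the post above, and the action strings ("No action taken.", "Quarantined and deleted successfully.", "Delete on reboot.") are the ones Malwarebytes 1.x writes.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log: were the detections
actually removed, or do they still read "No action taken"?"""
import re

# Constructed sample in the MBAM 1.x layout: summary counts first, then one
# section per category with "<object> (<threat name>) -> <action>." lines.
# Only the EE Crack line is taken from the thread; the rest is made up.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Scan type: Quick scan
Objects scanned: 123456

Registry Keys Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Example\BadToolbar (Adware.Example) -> No action taken.

Files Infected:
d:\program files\EE Crack\Patch.exe (RiskWare.Tool.CK) -> No action taken.
c:\documents and settings\User\example.tmp (Trojan.Example) -> Quarantined and deleted successfully.
"""

# Constructed clean log, mirroring the all-zero log posted later in the thread.
CLEAN_LOG = r"""
Files Infected: 0

Files Infected:
(No malicious items detected)
"""

# Actions that mean the object is gone (or will be on the next reboot).
REMOVED_ACTIONS = {"Quarantined and deleted successfully", "Delete on reboot"}

# "Files Infected:" with nothing after the colon opens a detail section.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "Files Infected: 2" in the summary block declares how many were found.
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# Object paths may themselves contain parentheses, e.g. "program files (x86)",
# so the object part is non-greedy and the threat name may not contain ( or ).
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_detections(log_text):
    """Return every listed detection as a dict with section, object, name, action."""
    results = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            results.append({"section": section, "object": m.group("obj"),
                            "name": m.group("name"), "action": m.group("action")})
    return results


def declared_counts(log_text):
    """Per-section counts from the summary block, e.g. {'Files Infected': 2}."""
    counts = {}
    for raw in log_text.splitlines():
        m = COUNT_RE.match(raw.strip())
        if m:
            counts[m.group("section")] = int(m.group("n"))
    return counts


def count_mismatches(log_text):
    """Sections whose declared count differs from the entries actually listed."""
    listed = {}
    for d in parse_detections(log_text):
        listed[d["section"]] = listed.get(d["section"], 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in declared_counts(log_text).items()
            if n != listed.get(s, 0)}


def unresolved(log_text):
    """Detections that were not quarantined or scheduled for deletion."""
    return [d for d in parse_detections(log_text) if d["action"] not in REMOVED_ACTIONS]


def needs_rescan(log_text):
    """True when anything detected is still on the system per this log."""
    return bool(unresolved(log_text))


if __name__ == "__main__":
    for d in unresolved(SAMPLE_LOG):
        print(f"STILL PRESENT [{d['section']}] {d['object']} ({d['name']}) -> {d['action']}")
    print("rescan needed:", needs_rescan(SAMPLE_LOG), "| mismatches:", count_mismatches(SAMPLE_LOG))
```

Run it against a saved mbam-log-*.txt and anything it prints as STILL PRESENT is what the helper is asking to be removed; a log where `unresolved()` is empty and `count_mismatches()` is empty is the kind of result that should be posted back.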
 
Malwarebytes

Hi- I checked all the boxes and clicked to remove them so it is odd it says no action taken. I even ran it again to make sure it didn't miss anything and it came up clean. Didn't save that log though so I will run again and resubmit the log. Thank you!
 
Malwarebytes' Anti-Malware

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7323

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/30/2011 6:55:46 AM
mbam-log-2011-07-30 (06-55-44).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 509534
Time elapsed: 1 hour(s), 38 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
You have got numerous processes that need to be removed. Several are from either pre-checked items on a download screen or toolbars and browser helper objects that were bundled with download you did.

To clarify:
1. You have an HP PSC & OfficeJet 5.3.B. When you try to use the scan feature, you get the "scan.msi is missing" message. The HP link that I left has 2 methods to replace the missing file. The second method is:
If you do not have the software CD that shipped with your product, follow these steps to download the file from the HP Web site, and then install it.
Method 2: Download the file from the HP website HERE.

2. When you tried to install Mbam you said you also got the scan.msi error. I don't know why, but the Windows Installer appears to have some dependency on scan.msi. Once you install it, I think both of these will be resolved.
========================================
You have multiple old versions of Java. All of the outdated versions are vulnerabilities to the system. The best way to handle that is to run the following. Note: I do not want this log!

Please download JavaRa and unzip it to your desktop.

Important!***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that
    a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
===========================================
The system is badly set up. There are lines and lines in the addons section including the Active X objects that only have partial entries. I will remove them after you run Combofix. As they are now, there is information missing saying what the entry is.
=========================================
You will need to temporarily uninstall AVG to run Combofix. Please note that there are 2 options for an AV to use. Choose 1 of them so the system will be protected. Although the security should be disabled to run Combofix, you will be protected in between.
Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
    (screenshot)
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    (screenshot)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe
    (ComboFix icon)
    & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
================================================
Please slow down and take time to read all of the instructions. For instance, only a Quick Scan was directed for Malwarebytes. If I think any change is needed in scan directions, I will tell you.
 
Combo Fix

Hello- Sorry about not being attentive enough to details. Had to use last faster USB port to check out the scan.msi on scanner and ran combofix the first time without plugging back in an external drive so I did that and ran it again thus two logs. Thx.

First Run

ComboFix 11-07-31.04 - User 07/31/2011 14:52:56.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.329 [GMT -4:00]
Running from: d:\program files\Combofix 7-31-11\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.VALUED-7B9600FA\WINDOWS
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Bubba.VALUED-7B9600FA\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner\WINDOWS
c:\documents and settings\User\jaudio16k.tar
c:\documents and settings\User\Recent\Thumbs.db
c:\documents and settings\User\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\UNWISE.EXE
D:\install.exe
d:\mydocu~1\CDRIVE~1\PLANET~1\AUCTIO~1\AUCTIO~1\AUCTIO~2\AUCTio~1.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-31 )))))))))))))))))))))))))))))))
.
.
2011-07-31 18:28 . 2011-07-31 18:28 -------- d-----w- c:\documents and settings\User\Application Data\Avira
2011-07-31 17:08 . 2011-06-17 16:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-31 17:08 . 2011-06-17 16:37 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-07-31 17:08 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-07-31 17:08 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-07-31 17:08 . 2011-07-31 17:08 -------- d-----w- c:\program files\Avira
2011-07-31 17:08 . 2011-07-31 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-07-30 09:09 . 2011-07-30 09:09 -------- d-----w- c:\documents and settings\User\Application Data\Yahoo!
2011-07-28 19:03 . 2011-07-28 19:03 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-07-28 19:02 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-28 19:02 . 2011-07-28 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-28 19:02 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-28 18:46 . 2011-07-28 18:46 -------- d-----w- c:\program files\Trend Micro
2011-07-18 22:39 . 2011-07-18 22:39 -------- d-----w- c:\program files\IObit Toolbar
2011-07-17 00:55 . 2011-07-17 00:55 -------- d-----w- c:\documents and settings\User\Application Data\Search Settings
2011-07-17 00:54 . 2011-07-17 00:55 -------- d-----w- c:\program files\Application Updater
2011-07-17 00:54 . 2011-07-17 00:54 -------- d-----w- c:\program files\Common Files\Spigot
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-19 16:15 . 2011-06-11 19:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-19 15:04 . 2009-08-19 00:10 4702 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-06-02 14:02 . 2001-12-14 19:26 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-04 08:52 . 2010-05-05 22:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2008-01-26 02:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!1BackedupFileOverlay]
@="{3F1FB271-8290-4330-8069-310F32C030EF}"
[HKEY_CLASSES_ROOT\CLSID\{3F1FB271-8290-4330-8069-310F32C030EF}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!2LiveProtectedFileOverlay]
@="{C26F9E4A-0BA6-4005-90FE-8665DBC229C8}"
[HKEY_CLASSES_ROOT\CLSID\{C26F9E4A-0BA6-4005-90FE-8665DBC229C8}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!3ProtectedFileOverlay]
@="{A94C4834-6F18-491F-A205-3AFF24B16BC0}"
[HKEY_CLASSES_ROOT\CLSID\{A94C4834-6F18-491F-A205-3AFF24B16BC0}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!4SharedFileOverlay]
@="{C85F4084-C3E3-453c-B242-4BDABA8F58FB}"
[HKEY_CLASSES_ROOT\CLSID\{C85F4084-C3E3-453c-B242-4BDABA8F58FB}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!5SyncedFileOverlay]
@="{58605E40-AE20-45d7-887B-08F3D9FF3651}"
[HKEY_CLASSES_ROOT\CLSID\{58605E40-AE20-45d7-887B-08F3D9FF3651}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!6SyncingFileOverlay]
@="{06DF45CB-D312-4306-B97D-6CDA50A10B30}"
[HKEY_CLASSES_ROOT\CLSID\{06DF45CB-D312-4306-B97D-6CDA50A10B30}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!7ConflictedFileOverlay]
@="{D1542785-76CA-4d0c-9688-F290B1E77E01}"
[HKEY_CLASSES_ROOT\CLSID\{D1542785-76CA-4d0c-9688-F290B1E77E01}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-30 160328]
"Messenger (Yahoo!)"="d:\progra~2\YAHOOI~1.0\MESSEN~1\YahooMessenger.exe" [2011-06-16 6276408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 372736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-27 98304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-04-26 29696]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-01-27 585728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-06-01 4385112]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-06-24 534880]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\User\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
Yankee Clipper III.lnk - d:\program files\Yankee Clipper\YankClip.exe [2005-7-11 1368064]
.
c:\documents and settings\User\Start Menu\Programs\Startup\AutorunsDisabled
quicken online backup taskbar icon.lnk.disabled [2004-7-3 679]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Logitech SetPoint.lnk - d:\program files\Logitech MX 1000 Mouseware\SetPoint\KEM.exe [2006-10-12 573440]
openURL.vbs [2011-7-31 131]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk.disabled
backup=c:\windows\pss\America Online 7.0 Tray Icon.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
2004-04-29 14:08 896002 ----a-w- d:\progra~2\Evidence Eliminator\Ee.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2004-04-26 11:06 29696 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-02-27 09:32 98304 -c--a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlueSoleil Hid Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PestPatrolCL"=c:\progra~1\PESTPA~1\PestPatrolCL.exe c:\
"PestPatrol Control Center"=c:\progra~1\PESTPA~1\PPControl.exe
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_04\bin\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Yahoo IM 7.0\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpfccopy.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpoews01.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpofxm08.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hposfx08.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hposid01.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqCopy.exe"=
"d:\\Program Files\\Digital Imaging\\Unload\\HpqDIA.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqkygrp.exe"=
"d:\\Program Files\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqscnvw.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqste08.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqtra08.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [6/23/2011 8:39 PM 13496]
R2 KDATA;KDATA;c:\windows\system32\drivers\Kdata.sys [1/15/2004 10:29 AM 44504]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2/23/2006 8:19 PM 45312]
R2 SocketLock;Raw Socket Lock Driver;c:\windows\system32\socketlock.sys [3/9/2004 7:20 AM 3712]
R2 SonyFKC;FAN and Keyboard Control Service;c:\windows\system32\drivers\SonyFKC.sys [12/14/2001 4:53 PM 12032]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [8/2/2005 8:27 PM 7196]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2/23/2006 8:19 PM 55936]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [6/23/2011 8:43 PM 30368]
R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [6/23/2011 8:43 PM 16080]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [12/14/2001 8:55 PM 54271]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [5/5/2011 12:26 AM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 6:01 PM 21248]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [6/11/2011 10:58 PM 27064]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [12/14/2001 3:26 PM 593000]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2/23/2004 3:25 PM 15576]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [4/26/2006 7:59 PM 899884]
S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [6/23/2011 8:43 PM 239472]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ANTIVIRSCHEDULERSERVICE
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004Core1cc27e486266d16.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-04 22:32]
.
2011-07-31 c:\windows\Tasks\SmartDefrag_Startup.job
- d:\program downloads\Smart Defrag 2\SmartDefrag.exe [2011-06-24 00:19]
.
2011-07-25 c:\windows\Tasks\SOS Online Backup - Prompter.job
- c:\program files\Common Files\SOS Online Backup\Prompter\Prompter.exe [2010-04-20 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uSearchAssistant = hxxp://www.google.com
IE: + Offline &Explorer: Download the link
IE: + Offline E&xplorer: Download the current page
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Customize Menu &4
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Logoff &5
IE: Open Link Target in Firefox
IE: Reset Fields &-
IE: Rf Options &O
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Set Fields &=
IE: Stop popups from this web page
IE: Translate this page
IE: View This Page in Firefox
LSP: c:\program files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
Trusted Zone: linkshare.com
Trusted Zone: linksynergy.com
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: ppctlcab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\pjv41h00.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=642886&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=642886&p=
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - 127.0.0.1
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 1088
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 1
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-LyraWirelessRemote - d:\program files\Lyra Remote\Lyraw.exe
AddRemove-Adobe Photoshop 7.0 - d:\program files\Adobe Photoshop\Uninst.isu
AddRemove-EBookPaper - c:\program files\EBookPaper.com\EBookPaper\Uninst.isu
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
AddRemove-IrfanView - d:\program files\Irfanview 3.97\iv_uninstall.exe
AddRemove-SetupPPUpdater - c:\progra~1\PESTPA~1\UNWISE.EXE
AddRemove-Total Uninstall_is1 - d:\program files\Total Uninstall\unins000.exe
AddRemove-{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1 - d:\program files\AVG PC Tuneup 2011\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-31 15:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-602162358-308236825-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2011-07-31 15:56:45
ComboFix-quarantined-files.txt 2011-07-31 19:56
.
Pre-Run: 680,407,040 bytes free
Post-Run: 1,243,287,552 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut
.
Current=5 Default=5 Failed=2 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 68314DA55CB9E74A60B5536706A8B3FA
---------------------------------------------------------------------------
Second Run

ComboFix 11-07-31.04 - User 07/31/2011 16:17:52.2.1 - x86
Running from: d:\program files\Combofix 7-31-11\ComboFix.exe
Command switches used :: /Uninstal
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-31 )))))))))))))))))))))))))))))))
.
.
2011-07-31 18:28 . 2011-07-31 18:28 -------- d-----w- c:\documents and settings\User\Application Data\Avira
2011-07-31 17:08 . 2011-06-17 16:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-31 17:08 . 2011-06-17 16:37 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-07-31 17:08 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-07-31 17:08 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-07-31 17:08 . 2011-07-31 17:08 -------- d-----w- c:\program files\Avira
2011-07-31 17:08 . 2011-07-31 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-07-30 09:09 . 2011-07-30 09:09 -------- d-----w- c:\documents and settings\User\Application Data\Yahoo!
2011-07-28 19:03 . 2011-07-28 19:03 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-07-28 19:02 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-28 19:02 . 2011-07-28 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-28 19:02 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-28 18:46 . 2011-07-28 18:46 -------- d-----w- c:\program files\Trend Micro
2011-07-18 22:39 . 2011-07-18 22:39 -------- d-----w- c:\program files\IObit Toolbar
2011-07-17 00:55 . 2011-07-17 00:55 -------- d-----w- c:\documents and settings\User\Application Data\Search Settings
2011-07-17 00:54 . 2011-07-17 00:55 -------- d-----w- c:\program files\Application Updater
2011-07-17 00:54 . 2011-07-17 00:54 -------- d-----w- c:\program files\Common Files\Spigot
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-19 16:15 . 2011-06-11 19:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-19 15:04 . 2009-08-19 00:10 4702 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-06-02 14:02 . 2001-12-14 19:26 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-04 08:52 . 2010-05-05 22:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2008-01-26 02:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!1BackedupFileOverlay]
@="{3F1FB271-8290-4330-8069-310F32C030EF}"
[HKEY_CLASSES_ROOT\CLSID\{3F1FB271-8290-4330-8069-310F32C030EF}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!2LiveProtectedFileOverlay]
@="{C26F9E4A-0BA6-4005-90FE-8665DBC229C8}"
[HKEY_CLASSES_ROOT\CLSID\{C26F9E4A-0BA6-4005-90FE-8665DBC229C8}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!3ProtectedFileOverlay]
@="{A94C4834-6F18-491F-A205-3AFF24B16BC0}"
[HKEY_CLASSES_ROOT\CLSID\{A94C4834-6F18-491F-A205-3AFF24B16BC0}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!4SharedFileOverlay]
@="{C85F4084-C3E3-453c-B242-4BDABA8F58FB}"
[HKEY_CLASSES_ROOT\CLSID\{C85F4084-C3E3-453c-B242-4BDABA8F58FB}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!5SyncedFileOverlay]
@="{58605E40-AE20-45d7-887B-08F3D9FF3651}"
[HKEY_CLASSES_ROOT\CLSID\{58605E40-AE20-45d7-887B-08F3D9FF3651}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!6SyncingFileOverlay]
@="{06DF45CB-D312-4306-B97D-6CDA50A10B30}"
[HKEY_CLASSES_ROOT\CLSID\{06DF45CB-D312-4306-B97D-6CDA50A10B30}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!7ConflictedFileOverlay]
@="{D1542785-76CA-4d0c-9688-F290B1E77E01}"
[HKEY_CLASSES_ROOT\CLSID\{D1542785-76CA-4d0c-9688-F290B1E77E01}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-30 160328]
"Messenger (Yahoo!)"="d:\progra~2\YAHOOI~1.0\MESSEN~1\YahooMessenger.exe" [2011-06-16 6276408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 372736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-27 98304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-04-26 29696]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-01-27 585728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-06-01 4385112]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-06-24 534880]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\User\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
Yankee Clipper III.lnk - d:\program files\Yankee Clipper\YankClip.exe [2005-7-11 1368064]
.
c:\documents and settings\User\Start Menu\Programs\Startup\AutorunsDisabled
quicken online backup taskbar icon.lnk.disabled [2004-7-3 679]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Logitech SetPoint.lnk - d:\program files\Logitech MX 1000 Mouseware\SetPoint\KEM.exe [2006-10-12 573440]
openURL.vbs [2011-7-31 131]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk.disabled
backup=c:\windows\pss\America Online 7.0 Tray Icon.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
2004-04-29 14:08 896002 ----a-w- d:\progra~2\Evidence Eliminator\Ee.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2004-04-26 11:06 29696 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-02-27 09:32 98304 -c--a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlueSoleil Hid Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PestPatrolCL"=c:\progra~1\PESTPA~1\PestPatrolCL.exe c:\
"PestPatrol Control Center"=c:\progra~1\PESTPA~1\PPControl.exe
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_04\bin\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Yahoo IM 7.0\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpfccopy.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpoews01.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpofxm08.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hposfx08.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hposid01.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqCopy.exe"=
"d:\\Program Files\\Digital Imaging\\Unload\\HpqDIA.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqkygrp.exe"=
"d:\\Program Files\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqscnvw.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqste08.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqtra08.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [6/23/2011 8:39 PM 13496]
R2 KDATA;KDATA;c:\windows\system32\drivers\Kdata.sys [1/15/2004 10:29 AM 44504]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2/23/2006 8:19 PM 45312]
R2 SocketLock;Raw Socket Lock Driver;c:\windows\system32\socketlock.sys [3/9/2004 7:20 AM 3712]
R2 SonyFKC;FAN and Keyboard Control Service;c:\windows\system32\drivers\SonyFKC.sys [12/14/2001 4:53 PM 12032]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [8/2/2005 8:27 PM 7196]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2/23/2006 8:19 PM 55936]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [6/23/2011 8:43 PM 30368]
R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [6/23/2011 8:43 PM 16080]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [12/14/2001 8:55 PM 54271]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [5/5/2011 12:26 AM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 6:01 PM 21248]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [6/11/2011 10:58 PM 27064]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [12/14/2001 3:26 PM 593000]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2/23/2004 3:25 PM 15576]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [4/26/2006 7:59 PM 899884]
S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [6/23/2011 8:43 PM 239472]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ANTIVIRSCHEDULERSERVICE
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004Core1cc27e486266d16.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-04 22:32]
.
2011-07-31 c:\windows\Tasks\SmartDefrag_Startup.job
- d:\program downloads\Smart Defrag 2\SmartDefrag.exe [2011-06-24 00:19]
.
2011-07-25 c:\windows\Tasks\SOS Online Backup - Prompter.job
- c:\program files\Common Files\SOS Online Backup\Prompter\Prompter.exe [2010-04-20 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uSearchAssistant = hxxp://www.google.com
IE: + Offline &Explorer: Download the link
IE: + Offline E&xplorer: Download the current page
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Customize Menu &4
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Logoff &5
IE: Open Link Target in Firefox
IE: Reset Fields &-
IE: Rf Options &O
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Set Fields &=
IE: Stop popups from this web page
IE: Translate this page
IE: View This Page in Firefox
LSP: c:\program files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
Trusted Zone: linkshare.com
Trusted Zone: linksynergy.com
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: ppctlcab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\pjv41h00.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=642886&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=642886&p=
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - 127.0.0.1
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 1088
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-31 17:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-602162358-308236825-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3812)
c:\windows\system32\WININET.dll
d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-31 18:34:23
ComboFix-quarantined-files.txt 2011-07-31 22:34
ComboFix2.txt 2011-07-31 19:56
.
Pre-Run: 1,313,935,360 bytes free
Post-Run: 1,288,474,624 bytes free
.
Current=5 Default=5 Failed=2 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - E03E64CA1E7189030FDDFFC716CD5183
 
Perhaps I'm missing something, but these entries aren't complete:
------- Supplementary Scan -------
uInternet Settings,ProxyServer = 127.0.0.1:8080
IE: + Offline &Explorer: Download the link
IE: + Offline E&xplorer: Download the current page
IE: Customize Menu &4
IE: Logoff &5
IE: Open Link Target in Firefox
IE: Reset Fields &-
IE: Rf Options &O
IE: Set Fields &=
IE: Stop popups from this web page
IE: Translate this page
IE: View This Page in Firefox
DPF: ppctlcab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\pjv41h00.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.search.selectedEngine - Yahoo
---------------------------------
Are you using FoxyProxy?
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - 127.0.0.1
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 1088
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 1
.
 
I uninstalled ComboFix and ran it again. When I click on my desktop icons, Windows Explorer still crashes and the desktop goes blank and the icons repopulate. Log enclosed. Thx.


ComboFix 11-08-02.03 - User 08/02/2011 19:44:46.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.245 [GMT -4:00]
Running from: d:\my documents\C Drive\Downloads\Combofix 8-2-11\Combo-Fix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-03 to 2011-08-03 )))))))))))))))))))))))))))))))
.
.
2011-07-31 18:28 . 2011-07-31 18:28 -------- d-----w- c:\documents and settings\User\Application Data\Avira
2011-07-31 17:08 . 2011-08-01 17:12 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-31 17:08 . 2011-08-01 17:12 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-07-31 17:08 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-07-31 17:08 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-07-31 17:08 . 2011-07-31 17:08 -------- d-----w- c:\program files\Avira
2011-07-31 17:08 . 2011-07-31 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-07-30 09:09 . 2011-07-30 09:09 -------- d-----w- c:\documents and settings\User\Application Data\Yahoo!
2011-07-28 19:03 . 2011-07-28 19:03 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-07-28 19:02 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-28 19:02 . 2011-07-28 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-28 19:02 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-28 18:46 . 2011-07-28 18:46 -------- d-----w- c:\program files\Trend Micro
2011-07-18 22:39 . 2011-07-18 22:39 -------- d-----w- c:\program files\IObit Toolbar
2011-07-17 00:55 . 2011-07-17 00:55 -------- d-----w- c:\documents and settings\User\Application Data\Search Settings
2011-07-17 00:54 . 2011-07-17 00:55 -------- d-----w- c:\program files\Application Updater
2011-07-17 00:54 . 2011-07-17 00:54 -------- d-----w- c:\program files\Common Files\Spigot
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-19 16:15 . 2011-06-11 19:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-19 15:04 . 2009-08-19 00:10 4702 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-06-02 14:02 . 2001-12-14 19:26 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!1BackedupFileOverlay]
@="{3F1FB271-8290-4330-8069-310F32C030EF}"
[HKEY_CLASSES_ROOT\CLSID\{3F1FB271-8290-4330-8069-310F32C030EF}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!2LiveProtectedFileOverlay]
@="{C26F9E4A-0BA6-4005-90FE-8665DBC229C8}"
[HKEY_CLASSES_ROOT\CLSID\{C26F9E4A-0BA6-4005-90FE-8665DBC229C8}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!3ProtectedFileOverlay]
@="{A94C4834-6F18-491F-A205-3AFF24B16BC0}"
[HKEY_CLASSES_ROOT\CLSID\{A94C4834-6F18-491F-A205-3AFF24B16BC0}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!4SharedFileOverlay]
@="{C85F4084-C3E3-453c-B242-4BDABA8F58FB}"
[HKEY_CLASSES_ROOT\CLSID\{C85F4084-C3E3-453c-B242-4BDABA8F58FB}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!5SyncedFileOverlay]
@="{58605E40-AE20-45d7-887B-08F3D9FF3651}"
[HKEY_CLASSES_ROOT\CLSID\{58605E40-AE20-45d7-887B-08F3D9FF3651}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!6SyncingFileOverlay]
@="{06DF45CB-D312-4306-B97D-6CDA50A10B30}"
[HKEY_CLASSES_ROOT\CLSID\{06DF45CB-D312-4306-B97D-6CDA50A10B30}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!7ConflictedFileOverlay]
@="{D1542785-76CA-4d0c-9688-F290B1E77E01}"
[HKEY_CLASSES_ROOT\CLSID\{D1542785-76CA-4d0c-9688-F290B1E77E01}]
2010-04-20 20:22 596480 ------w- d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-30 160328]
"Messenger (Yahoo!)"="d:\progra~2\YAHOOI~1.0\MESSEN~1\YahooMessenger.exe" [2011-06-16 6276408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 372736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-27 98304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-04-26 29696]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-01-27 585728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-06-01 4385112]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-06-24 534880]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\User\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
Yankee Clipper III.lnk - d:\program files\Yankee Clipper\YankClip.exe [2005-7-11 1368064]
.
c:\documents and settings\User\Start Menu\Programs\Startup\AutorunsDisabled
quicken online backup taskbar icon.lnk.disabled [2004-7-3 679]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Logitech SetPoint.lnk - d:\program files\Logitech MX 1000 Mouseware\SetPoint\KEM.exe [2006-10-12 573440]
openURL.vbs [2011-7-31 131]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk.disabled
backup=c:\windows\pss\America Online 7.0 Tray Icon.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
2004-04-29 14:08 896002 ----a-w- d:\progra~2\Evidence Eliminator\Ee.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2004-04-26 11:06 29696 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-02-27 09:32 98304 -c--a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlueSoleil Hid Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PestPatrolCL"=c:\progra~1\PESTPA~1\PestPatrolCL.exe c:\
"PestPatrol Control Center"=c:\progra~1\PESTPA~1\PPControl.exe
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_04\bin\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Yahoo IM 7.0\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpfccopy.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpoews01.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpofxm08.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hposfx08.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hposid01.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqCopy.exe"=
"d:\\Program Files\\Digital Imaging\\Unload\\HpqDIA.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqkygrp.exe"=
"d:\\Program Files\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqscnvw.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqste08.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpqtra08.exe"=
"d:\\Program Files\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [6/23/2011 8:39 PM 13496]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [6/24/2011 5:30 PM 393112]
R2 KDATA;KDATA;c:\windows\system32\drivers\Kdata.sys [1/15/2004 10:29 AM 44504]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2/23/2006 8:19 PM 45312]
R2 SocketLock;Raw Socket Lock Driver;c:\windows\system32\socketlock.sys [3/9/2004 7:20 AM 3712]
R2 SonyFKC;FAN and Keyboard Control Service;c:\windows\system32\drivers\SonyFKC.sys [12/14/2001 4:53 PM 12032]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [8/2/2005 8:27 PM 7196]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2/23/2006 8:19 PM 55936]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [6/23/2011 8:43 PM 30368]
R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [6/23/2011 8:43 PM 16080]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [12/14/2001 8:55 PM 54271]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [5/5/2011 12:26 AM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 6:01 PM 21248]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [6/11/2011 10:58 PM 27064]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [12/14/2001 3:26 PM 593000]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2/23/2004 3:25 PM 15576]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [4/26/2006 7:59 PM 899884]
S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [6/23/2011 8:43 PM 239472]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ANTIVIRSCHEDULERSERVICE
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004Core1cc27e486266d16.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-04 22:32]
.
2011-08-02 c:\windows\Tasks\SmartDefrag_Startup.job
- d:\program downloads\Smart Defrag 2\SmartDefrag.exe [2011-06-24 00:19]
.
2011-08-01 c:\windows\Tasks\SOS Online Backup - Prompter.job
- c:\program files\Common Files\SOS Online Backup\Prompter\Prompter.exe [2010-04-20 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uSearchAssistant = hxxp://www.google.com
IE: + Offline &Explorer: Download the link
IE: + Offline E&xplorer: Download the current page
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Customize Menu &4
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Logoff &5
IE: Open Link Target in Firefox
IE: Reset Fields &-
IE: Rf Options &O
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Set Fields &=
IE: Stop popups from this web page
IE: Translate this page
IE: View This Page in Firefox
LSP: c:\program files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
Trusted Zone: linkshare.com
Trusted Zone: linksynergy.com
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: ppctlcab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\pjv41h00.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=642886&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=642886&p=
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - 127.0.0.1
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 1088
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-02 21:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-602162358-308236825-1801674531-1004\Software\Microsoft\ActiveMovie\devenum\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\ÿÿÿÿ]*‘|ÞÂÂw]
"FriendlyName"=""
"CLSID"="{1B544C22-FD0B-11CE-8C63-00AA0044B51E}"
"FilterData"=hex:02,00,00,00,00,00,20,00,00,00,00,00,00,00,00,00
.
[HKEY_USERS\S-1-5-21-602162358-308236825-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1348)
c:\windows\system32\WININET.dll
d:\program files\Backup SOS for Kingtston Thumb Drive 5-16-11\ShlOverlays.dll
c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-02 21:52:31
ComboFix-quarantined-files.txt 2011-08-03 01:52
.
Pre-Run: 1,253,326,848 bytes free
Post-Run: 1,227,165,696 bytes free
.
Current=5 Default=5 Failed=2 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - E98B3E29E96035F060AFC3A80C7FF9C1
 
Please address the incomplete entries and proxy addon I questioned in my Reply #10.
 
Not Using A Proxy to My Knowledge....

Bobbye Please address the incomplete entries and proxy addon I questioned in my Reply #10.
---------------------------------------------------------------------------------
Sorry....Not using a "foxyproxy" or any other to my knowledge. I used to use "Secure Tunnel" years ago...used their software. As far as incomplete entries, I have no clue about the incomplete entries you asked about, which was why I ran Combofix again and submitted the log again. Thx.
 
Reviewing the logs again, I think the incomplete entries are from Roboform:
IE: + Offline &Explorer: Download the link
IE: + Offline E&xplorer: Download the current page
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Customize Menu &4
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Logoff &5
IE: Open Link Target in Firefox
IE: Reset Fields &-
IE: Rf Options &O
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Set Fields &=
IE: Stop popups from this web page
IE: Translate this page
IE: View This Page in Firefox
I left the RoboForm entry out previously, but checking again, it appears that the settings have been done in the program.
Are you still using RoboForm? IF so, open the program and see if these entries above with only info like 'Reset Fields &-' and 'Translate this page', etc. are from that program. I have never seen entries listed like this with RoboForm on the system. I can remove them with a script.
--------------------> Leaving the following in case you need it:
Q: How can I uninstall RoboForm?
A: Select "Start -> Programs -> AI RoboForm -> Uninstall".
If the embedded RoboForm uninstaller does not work, click this link: RoboForm Uninstaller. It will download and run a file that will uninstall RoboForm.
If you did not close all browser windows when uninstalling RoboForm then the file RoboForm.dll will remain locked. However, you can reboot and remove the file manually.
http://www.roboform.com/support/faq/roboform
========================================
Something has set these proxy ports in Firefox. Did I have you reset the proxies? If not, do this:
Reset your browser proxies
  • For Firefox:
    o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
    o Click on the "Network" tab, and then on the "Settings" button.
    o Please make sure that the "No Proxy" option is selected.
  • For Internet Explorer:
    o Open Internet Explorer.
    o Click on "Tools" and then select "Internet Options".
    o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
    o Uncheck "Use a Proxy server for your LAN".
    o Click Ok to close the Local Area Network (LAN) Settings window.
    o Click Ok to close the Internet Options window.

When you go in to do this, let me know if you found these proxy ports set.
 
Hello

Hello- Yes, I use RoboForm (older version) and have for years. Sorry, as I tried to find those files in RoboForm but could not locate them. I really would rather not uninstall this program as I use it constantly. RoboForm is set to work with IE, but I use Chrome unless I need RoboForm to fill in IE 7. BTW, I used to run a browser-type program which is still installed called D:\Program Files\iRider2.48\iRider.exe. I think that ties into IE somehow.

I never use Firefox (had version 1.5 from 2006), so I uninstalled it with Revo Uninstaller Pro. Checked IE 7 LAN connections, where "Automatically Detect Settings" was checked. Down below in the proxy server box, which was unchecked, "grayed out" were 127.0.0.1, port 8080.

Don't mean to ask you more things, but this came up after you had me update my Java, which I did to 7, but I can't remove version 6.26 with JavaRa or Revo as it installs it instead. Also, tried to uninstall it in "Add/Remove Programs" but I get "Internal Error 2753.regutils.dll". The Java Auto Updater is there with no remove button. In Revo, I tried doing a "forced uninstall", but the uninstall program is Microsoft Picture It Version 7 (very old) and it pulls up a ton of entries, so something is amiss there. Tried to uninstall it in Add/Remove Programs and it asks for the original disk, which I don't have. Any suggestions? Thanks!
 
I'm very sorry- I got no notice that you had replied. Every once in a while feedback gets lost in cyberspace.

See if you can access the Control Panel that will populate like this:
Click on Start> Run> type in appwiz.cpl> enter> wait a few seconds and see if it populates.



About your uninstalling: When uninstalling anything you should follow this order:
1. See if the program has its own uninstaller. If it does, use that.
2. If there is no uninstaller in a program or app, look for it in Add/Remove Programs and uninstall from there.
3. Revo and the Windows Installer Cleanup Utility should not be used for the initial uninstall. Their purpose is to remove any 'left over entries' from a program or app that has been uninstalled.

An example of a failed uninstall using Revo: All of the following remain on the system:
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\pjv41h00.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=642886&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=642886&p=
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - 127.0.0.1
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 1088
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 1
If Firefox had been uninstalled correctly, these entries would no longer be present. Since this Firefox is a version that is several years out of date, I suggest you check the Mozilla forum for a way to do a correct and complete uninstall. As long as these entries remain on the system, they present a vulnerability.
=========================================
About Java: Java 7 is not the correct version for you. Java v6u26 is.
The Java Development Kit (JDK) is a Sun Microsystems product aimed at Java developers. It is now in Version 7.

This URL that is included at the end of Java Ra> https://www.techspot.com/downloads/6463-java-se.html
This will bring you to the current version of Java v6u26
=================================================
I used to run a browser-type program which is still installed called D:\Program Files\iRider2.48\iRider.exe. I think that ties into IE somehow.
If you are no longer using iRider, please uninstall it and then delete the Program folder.
--------------------------
You should maintain as close to 80% of the hard drive free as possible. You have less than 30% free. You should uninstall everything you no longer use to recover some of the hard drive.
===========================================
Please update and/or reinstall RoboForm. The following entries are not correct:
IE: + Offline &Explorer: Download the link
IE: + Offline E&xplorer: Download the current page
IE: Customize Menu &4
IE: Logoff &5
IE: Open Link Target in Firefox
IE: Reset Fields &-
IE: Rf Options &O
IE: Set Fields &=
IE: Stop popups from this web page
IE: Translate this page
IE: View This Page in Firefox
DPF: ppctlcab

For instance, your log shows DPF: ppctlcab
The correct entry would be DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
You have Pest Patrol loading but the entry isn't indicating that.
===============================================
About the Proxy port 8080: It looks like this is a Proxy auto-configuration (PAC) port.
Browsers such as Firefox and Internet Explorer only support PAC files in the system default encoding. I think when Firefox is fully and correctly uninstalled, this proxy entry will be removed.
=============================================
Much of the malware found in Malwarebytes was on Evidence Eliminator. Some have used this with no problem. But the home site for Evidence Eliminator Quick Mode is rated in Red by the Site Advisor I use, WOT. It fails all 4 rating categories: Vendor reliability, Trustworthiness, Privacy, Family. And it gives the following:
Warning! This site has a poor reputation.
This program is still loading from the Registry:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
2004-04-29 14:08 896002 ----a-w- d:\progra~2\Evidence Eliminator\Ee.exe
I can remove this entry with script you'll run through Combofix.
=============================================
If we are to get anywhere you need to clean up the system:
1. To uninstall, look for uninstaller in program first, use Add/Remove Programs if none.
2. Complete the uninstall properly for Firefox.
3. Uninstall iRider, Evidence Eliminator
4. Install Java v6u26, uninstall JDK 7
5. Update or reinstall RoboForm
6. Uninstall all programs and apps you no longer use.
7. For all uninstalled programs use Windows Explorer (Right click on Start> Explore) to go to My Computer> Double click Local Drive (C)> Programs> find folder for each uninstall and do Right click> Delete on folder.
Reboot the computer when through.
==============================================
If you were able to get into the Control Panel for Add/Remove Programs, and if you have updated Java correctly, and if you have updated or reinstalled RoboForm, please do the following:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the ESET Smart Installer image to download it. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
============================================
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
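A small triage check, added here as an example and not part of this thread or of any tool mentioned in it, for the two proxy passages above (the Firefox/IE proxy reset steps and the note about port 8080): it reads ComboFix/HijackThis-style log lines, collects the IE ProxyServer value and the Firefox network.proxy.* prefs, and flags a configuration that points the browser at a proxy on the machine itself (127.0.0.1), which is what a traffic-intercepting program leaves behind. The sample lines are constructed in the thread's log format, and the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the ComboFix / HijackThis line formats seen in this thread.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 127.0.0.1:8080
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 1088
FF - prefs.js: network.proxy.type - 1
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride =
TCP: DhcpNameServer = 192.168.1.1
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Firefox network.proxy.type values (only 1 makes the host/port prefs take effect).
FF_PROXY_MODES = {0: "direct", 1: "manual", 2: "pac", 4: "auto-detect (WPAD)", 5: "system"}

# IE: "...Internet Settings,ProxyServer = host:port" (ComboFix "u" lines and HijackThis R1 lines)
IE_PROXY_RE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(\S+)")
# Firefox prefs as ComboFix prints them: "FF - prefs.js: network.proxy.<scheme> - <host>"
FF_HOST_RE = re.compile(r"prefs\.js:\s*network\.proxy\.(ftp|gopher|http|socks|ssl)\s*-\s*(\S+)")
FF_PORT_RE = re.compile(r"prefs\.js:\s*network\.proxy\.(ftp|gopher|http|socks|ssl)_port\s*-\s*(\d+)")
FF_TYPE_RE = re.compile(r"prefs\.js:\s*network\.proxy\.type\s*-\s*(\d+)")


@dataclass(frozen=True)
class ProxyFinding:
    browser: str          # "IE" or "Firefox"
    scheme: str           # "all" for a single IE value, otherwise ftp/http/socks/...
    host: str
    port: Optional[int]
    loopback: bool        # proxy lives on this machine


def parse_proxy_findings(log_text: str) -> List[ProxyFinding]:
    """Collect every explicit proxy host configured for IE or Firefox in the log."""
    findings: List[ProxyFinding] = []
    ff_hosts, ff_ports = {}, {}
    for line in log_text.splitlines():
        m = IE_PROXY_RE.search(line)
        if m:
            # IE stores either "host:port" or "http=host:port;https=host:port;..."
            for entry in m.group(1).split(";"):
                scheme, _, hostport = entry.rpartition("=")
                host, _, port = hostport.partition(":")
                findings.append(ProxyFinding("IE", scheme or "all", host,
                                             int(port) if port.isdigit() else None,
                                             host.lower() in LOOPBACK))
            continue
        m = FF_HOST_RE.search(line)
        if m:
            ff_hosts[m.group(1)] = m.group(2)
            continue
        m = FF_PORT_RE.search(line)
        if m:
            ff_ports[m.group(1)] = int(m.group(2))
    for scheme, host in sorted(ff_hosts.items()):
        findings.append(ProxyFinding("Firefox", scheme, host, ff_ports.get(scheme),
                                     host.lower() in LOOPBACK))
    return findings


def firefox_proxy_mode(log_text: str) -> Optional[int]:
    """network.proxy.type as recorded in prefs.js, or None if the log has no such line."""
    m = FF_TYPE_RE.search(log_text)
    return int(m.group(1)) if m else None


def assess(log_text: str) -> dict:
    """Summarise the proxy picture: a loopback proxy that a browser would actually use is suspicious."""
    findings = parse_proxy_findings(log_text)
    mode = firefox_proxy_mode(log_text)
    ie_loopback = any(f.loopback and f.browser == "IE" for f in findings)
    ff_loopback = any(f.loopback and f.browser == "Firefox" for f in findings)
    return {
        "findings": findings,
        "firefox_mode": "unset" if mode is None else FF_PROXY_MODES.get(mode, f"unknown ({mode})"),
        # Firefox honours the host/port prefs only in manual mode (type 1).
        "suspicious": ie_loopback or (ff_loopback and mode == 1),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f.browser:8} {f.scheme:6} {f.host}:{f.port}  loopback={f.loopback}")
    print("Firefox proxy mode:", result["firefox_mode"])
    print("Suspicious local proxy:", result["suspicious"])
```

One caveat the log lines cannot settle: IE keeps the ProxyServer value in the registry even after "Use a proxy server for your LAN" is unchecked (the separate ProxyEnable value under the same Internet Settings key decides whether it is used), which is why the grayed-out 127.0.0.1:8080 can still show up in a scan after the box is cleared; for Firefox, the prefs.js entries disappear only when the profile folder itself is removed.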
 
Can't Uninstall Some Programs

Hello- I had to do a system restore because my Quicken launcher was gone. Anyway, I can't uninstall some programs from "Add/Remove Programs" because of an error msg. which usually reads "Wise Uninstall-Could not open log file" or "Can't Uninstall-C:\Programs.....unins000.dat does not exist...cannot uninstall" or "Uninstall data could not be found at the specified location-Cannot uninstall". How do I get rid of these programs? Edit the registry?

What is the best way to clean up the "garbage" and unneeded files on my PC without nuking system files and rendering programs unusable? Any recommendations?


Also...you mentioned this about removing the entry thru combofix...pls advise.
"Warning! This site has a poor reputation.
This program is still loading from the Registry:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
2004-04-29 14:08 896002 ----a-w- d:\progra~2\Evidence Eliminator\Ee.exe
I can remove this entry with script you'll run through Combofix."

I will rerun the hijack this log since I am having to redo this last step. Thank you!
 
Doing a System Restore undoes anything done between the Restore Point and now.

I'm not understanding some of what you're asking.

1. About the bad site: I use the WOT Site Advisor, so I have 3-way protection against accessing a bad site:
WOT, my Firefox settings and Eset Nod32.
2. When I looked for information about 'Evidence Eliminator,' the home site was listed in red. Trying to access another site that was marked as safe and gave a link for the Evidence Eliminator site, clicking on the link displayed the message for a bad site. I do not go to those sites.

My thoughts are that if the home site of a program is not trustworthy, or has a questionable privacy policy or shows vendor not trustworthy, I have to think that the program they sponsor is not safe.

I just went through this with another member: he used Revo to uninstall everything, but ended up with parts of programs all over the system. When a program isn't uninstalled correctly, the install/uninstall in the program will be damaged but the program will remain. I mentioned this order:
1. Check to see if the program has its own uninstaller. If it does, use that.
2. If it does not, then use Add/Remove Programs for the uninstaller. Revo and the Windows Installer Cleanup Utility should only be used if a stray file from an uninstalled program remains, or if the program shows in Add/Remove Programs but doesn't have uninstall capability.

Some programs also can't be uninstalled in Safe Mode.

About “Could not open uninstall.log file”: this happens when the file is missing or damaged. Most programs create an install.log when you install them. These are nice as a reference for what files were added and what changes were made in various parts of Windows.
Some programs also use these files as a guide for the uninstall routine.

Bottom line? If the installer/uninstaller is damaged, if you can't do a proper uninstall, and if a cleanup utility still won't remove the files, then the only recourse you have is to reinstall the program, then uninstall it correctly.
 
Thanks for the note! What if it is an old program and there is no disc available? Case in point... Enter Microsoft Picture It 7.0, which calls for the disc, but I do not have it since it is several years old, therefore I can't reinstall it. Also, can find the original program to install it first as you suggested.

Also...you mentioned this about removing the entry thru combofix...pls advise.
"Warning! This site has a poor reputation.
This program is still loading from the Registry:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
2004-04-29 14:08 896002 ----a-w- d:\progra~2\Evidence Eliminator\Ee.exe
I can remove this entry with script you'll run through Combofix."

What about Spybot Search and Destroy? Do you like that program?

Had to keep restoring because my Quicken launcher was getting corrupted uninstalling some program, so I did the uninstalls I could, but some programs like "NetMeeting" and iRider won't uninstall either. Won't uninstall, so if you can't download and install it to uninstall, then how do you get rid of these old programs? I ran HijackThis again as I said earlier. Could you check it please? Thanks!
--------------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:17:15 PM, on 8/20/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17099)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Backup SOS for Kingtston Thumb Drive 5-16-11\OverlayCache.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Program Files\Yankee Clipper\YankClip.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Yankee Clipper III.lnk = D:\Program Files\Yankee Clipper\YankClip.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ppctlcab -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo IM 7.0\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134210557440
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} - http://supportcentral4.sel.sony.com/sdccommon/download/sonyctl.CAB
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Quicken Online Backup RegCap (OLRegCap) - Intuit, Inc. - d:\Program Files\Quicken Backup\OLRegCap.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Quicken Online Backup Launcher (Quicken Online BackupLauncher) - Intuit, Inc. - d:\Program Files\Quicken Backup\OLlaunch.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
--
End of file - 10777 bytes
 
Sorry ...forgot to take off word wrap so here is the Hijack log again. Thx.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:24:21 PM, on 8/20/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17099)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Backup SOS for Kingtston Thumb Drive 5-16-11\OverlayCache.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Program Files\Yankee Clipper\YankClip.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Yankee Clipper III.lnk = D:\Program Files\Yankee Clipper\YankClip.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ppctlcab -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo IM 7.0\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134210557440
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} - http://supportcentral4.sel.sony.com/sdccommon/download/sonyctl.CAB
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Quicken Online Backup RegCap (OLRegCap) - Intuit, Inc. - d:\Program Files\Quicken Backup\OLRegCap.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Quicken Online Backup Launcher (Quicken Online BackupLauncher) - Intuit, Inc. - d:\Program Files\Quicken Backup\OLlaunch.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 10744 bytes
 
What if it is an old program and there is no disc available? Case in point... Enter Microsoft Picture It 7.0, which calls for the disc, but I do not have it since it is several years old, therefore I can't reinstall it.

Then you've lost it! Backup, Backup, Backup before there is a problem!

Mr. Ed, you've had your Windows XP ole guy for 8 years- I've had a desktop with XP for even longer! But time goes on, programs get updates or new versions. I'm sorry you can't get everything back on the system. I am not a magician.

However, the repeated restores are undoing everything I instruct you to do. And I think the original problem- and even up to now, is part system related.

It sounds like you don't even have a CD so you can reformat and reinstall.
===================================
I don't know if this is good any more with all the restores:
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
svchost.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe

DDS::
uInternet Settings,ProxyServer = 127.0.0.1:8080
DPF: ppctlcab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {17492023-C23A-453E-A040-C7C580BBF700}
DPF: {62789780-B744-11D0-986B-00609731A21D}
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999}
Folders::
c:\program files\IObit Toolbar
c:\documents and settings\User\Application Data\Search Settings
c:\program files\Application Updater
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IObit Malware Fighter"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=-c:\program files\Java\jre1.5.0_04\bin\jusched.exe
RegLock::
[HKEY_USERS\S-1-5-21-602162358-308236825-1801674531-1004\Software\Microsoft\ActiveMovie\devenum\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\ÿÿÿÿ]*‘|ÞÂÂw]
"FriendlyName"=""
"CLSID"="{1B544C22-FD0B-11CE-8C63-00AA0044B51E}"
"FilterData"=hex:02,00,00,00,00,00,20,00,00,00,00,00,00,00,00,00
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Java is out of date: Update now: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
Adobe Reader is out of date: Update now: Adobe Reader site. Uninstall any earlier versions, as they are vulnerabilities.
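As an added example, not part of the original thread and not code from HijackThis or ComboFix: a small Python parser for lines in HijackThis log format that flags the entries a helper looks at first in the log above (the R1 ProxyServer pointing at 127.0.0.1:8080, O16 DPF entries with no download source left after the dash, entries marked "(file missing)" or "(no file)", and the O10 Winsock LSP line), and then cross-checks a CFScript's DDS:: section against those findings so that a DPF target that is not actually orphaned in the log is reported before anything is deleted. The sample log lines are copied from the log above; the sample CFScript is constructed for the example and deliberately lists one DPF CLSID (the Flash control, which still has a download URL) that should fail the check. The function names are the example's own.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Constructed sample CFScript: the last DPF line is intentionally wrong
# (that CLSID still has a live download URL in the log, so it is not orphaned).
SAMPLE_CFSCRIPT = r"""
DDS::
uInternet Settings,ProxyServer = 127.0.0.1:8080
DPF: ppctlcab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
Folders::
c:\program files\IObit Toolbar
"""

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A proxy on the loopback interface: traffic is being routed through something on the box.
LOOPBACK_PROXY = re.compile(r"ProxyServer = (127\.\d+\.\d+\.\d+|localhost)(:\d+)?\s*$", re.I)
# First token after "DPF: " is either a CLSID in braces or a bare name (e.g. ppctlcab).
DPF_ID = re.compile(r"^DPF: (\S+)")


def parse_hjt(text):
    """Return (kind, body) tuples for every HijackThis entry line, e.g. ('O16', 'DPF: ...')."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def flag_entries(entries):
    """Tag the entries a malware helper reviews first; returns (tag, body) tuples."""
    findings = []
    for kind, body in entries:
        if kind == "R1" and LOOPBACK_PROXY.search(body):
            findings.append(("local_proxy", body))
        elif kind == "O16" and body.rstrip().endswith("-"):
            # Nothing after the dash: the download source is gone, the object is orphaned.
            findings.append(("orphan_dpf", body))
        elif "(file missing)" in body or "(no file)" in body:
            findings.append(("missing_file", body))
        elif kind == "O10":
            # Winsock LSP entries need a manual look; HijackThis does not know this DLL.
            findings.append(("lsp_review", body))
    return findings


def orphan_dpf_ids(findings):
    """Set of upper-cased DPF identifiers (CLSID or name) that have no download source."""
    ids = set()
    for tag, body in findings:
        if tag == "orphan_dpf":
            m = DPF_ID.match(body)
            if m:
                ids.add(m.group(1).upper())
    return ids


def parse_dds_section(cfscript):
    """Return the lines under DDS:: up to the next 'Xxx::' directive."""
    lines, in_dds = [], False
    for line in cfscript.splitlines():
        s = line.strip()
        if re.match(r"^\w+::$", s):
            in_dds = (s == "DDS::")
            continue
        if in_dds and s:
            lines.append(s)
    return lines


def check_cfscript(cfscript, entries):
    """Map each DDS:: line to True (supported by the log), False (not supported), or None (not checked)."""
    findings = flag_entries(entries)
    orphans = orphan_dpf_ids(findings)
    has_local_proxy = any(tag == "local_proxy" for tag, _ in findings)
    report = {}
    for dds in parse_dds_section(cfscript):
        m = DPF_ID.match(dds)
        if m:
            report[dds] = m.group(1).upper() in orphans
        elif "ProxyServer" in dds:
            report[dds] = has_local_proxy
        else:
            report[dds] = None
    return report


if __name__ == "__main__":
    log_entries = parse_hjt(SAMPLE_LOG)
    for tag, body in flag_entries(log_entries):
        print(f"[{tag}] {body}")
    for dds_line, ok in check_cfscript(SAMPLE_CFSCRIPT, log_entries).items():
        print(f"{'OK ' if ok else 'CHECK'} {dds_line}")
```

The proxy check only confirms that the log shows the loopback proxy; a legitimate local proxy (a web filter, for instance) would look the same, so the helper still has to ask what is listening on that port before the setting is removed.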