PDA

View Full Version : Malware can't remove, spybot stuck



miamiwings
2011-07-03, 16:09
It took several hours to complete the spybot scan and when I attempted to do a fix, spybot minimized and I couldnt reopen. Here are my logs. please help. my computer is running at a snails pace thanks so much
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Liz at 8:23:24 on 2011-07-03
.
============== Running Processes ===============
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\NK5KY5FD\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.peoplestring.com
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] NWIZ.EXE /install
mRun: [TaskTray]
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
Trusted Zone: plaxo.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://cam1.rcon.nl/activex/AMC.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader5.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://guckhin.serveftp.net/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{53DF6BF5-643F-4570-B039-491C5D1DD8B7} : DhcpNameServer = 172.16.0.1
TCP: Interfaces\{635F2B4A-7C31-4C58-A4C1-AD2F8A9BA7BB} : DhcpNameServer = 192.168.1.254
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R? AX88178;10/100 Gigabit USB2.0 Network Adapter
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? PSI;PSI
S? AVG Security Toolbar Service;AVG Security Toolbar Service
S? avg8wd;AVG Free8 WatchDog
S? AvgLdx86;AVG Free AVI Loader Driver x86
S? AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86
S? MBAMSwissArmy;MBAMSwissArmy
S? Secunia Update Agent;Secunia Update Agent
.
=============== Created Last 30 ================
.
2011-06-17 00:24:21 -------- d-----w- c:\program files\iPod
2011-06-16 23:07:11 105472 -c----w- c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-07-01 02:11:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2007-07-27 12:28:27 2775032 ----a-w- c:\program files\AiRoboForm.exe
.
============= FINISH: 8:32:16.17 ===============

ken545
2011-07-12, 03:06
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.



Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.






Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

miamiwings
2011-07-12, 17:26
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7082

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2011-07-11 10:23:12 PM
mbam-log-2011-07-11 (22-23-11).txt

Scan type: Quick scan
Objects scanned: 185452
Time elapsed: 1 hour(s), 0 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ken545
2011-07-12, 20:07
Great, lets run these quick scans

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png





OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

miamiwings
2011-07-13, 16:00
My computer seemed to be running much better but then I downloaded the aswMBR.exe and attempted to do the scan, but it shut my computer down when it got to a certain place in the scan. ........drivers/atilpdxxsys. I tried doing it again, twice but it happened again. Not only that, but I lost my active desktop. I had lost it a couple of weeks ago but restored it after doing a search on the desktophtt error. I also downloaded the "OTL" but did not attempt to run it because I was afraid to cause any more problems.

Do you have any other suggestions as to what might have happened? I appreciate any help you can give me.
Thanks

miamiwings
2011-07-13, 16:14
I think I have fixed the active desktop by looking for a solution and changing some settings

ken545
2011-07-13, 19:04
Hi,

aswMBR doesn't remove anything unless we run a fix and it changes no settings, but a rootkit could be present, lets do this

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

miamiwings
2011-07-13, 21:51
I scanned with the TDSSkiller. Didn't find anything; however, here is the log. 2011/07/13 14:38:35.0847 2000 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/13 14:38:37.0859 2000 ================================================================================
2011/07/13 14:38:37.0859 2000 SystemInfo:
2011/07/13 14:38:37.0859 2000
2011/07/13 14:38:37.0859 2000 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/13 14:38:37.0859 2000 Product type: Workstation
2011/07/13 14:38:37.0859 2000 ComputerName: OWNER-C4ACA923A
2011/07/13 14:38:37.0859 2000 UserName: Liz
2011/07/13 14:38:37.0859 2000 Windows directory: C:\WINDOWS
2011/07/13 14:38:37.0859 2000 System windows directory: C:\WINDOWS
2011/07/13 14:38:37.0859 2000 Processor architecture: Intel x86
2011/07/13 14:38:37.0859 2000 Number of processors: 1
2011/07/13 14:38:37.0859 2000 Page size: 0x1000
2011/07/13 14:38:37.0859 2000 Boot type: Normal boot
2011/07/13 14:38:37.0859 2000 ================================================================================
2011/07/13 14:39:33.0169 2000 Initialize success
2011/07/13 14:40:04.0224 2992 ================================================================================
2011/07/13 14:40:04.0224 2992 Scan started
2011/07/13 14:40:04.0224 2992 Mode: Manual;
2011/07/13 14:40:04.0224 2992 ================================================================================
2011/07/13 14:40:16.0441 2992 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/13 14:40:18.0334 2992 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/13 14:40:20.0096 2992 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/13 14:40:20.0707 2992 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
2011/07/13 14:40:21.0999 2992 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/07/13 14:40:24.0333 2992 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/07/13 14:40:27.0127 2992 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/13 14:40:28.0418 2992 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/13 14:40:30.0642 2992 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/13 14:40:32.0354 2992 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/13 14:40:34.0327 2992 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys
2011/07/13 14:40:35.0949 2992 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2011/07/13 14:40:37.0081 2992 AX88178 (b049e9b9d005bfa5ec95270aa7b213aa) C:\WINDOWS\system32\DRIVERS\ax88178.sys
2011/07/13 14:40:38.0072 2992 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/13 14:40:42.0639 2992 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/13 14:40:44.0021 2992 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/13 14:40:44.0692 2992 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/13 14:40:45.0443 2992 cdrbsdrv (351735695e9ead93de6af85d8beb1ca8) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
2011/07/13 14:40:45.0974 2992 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/13 14:40:48.0147 2992 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
2011/07/13 14:40:50.0230 2992 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/13 14:40:51.0752 2992 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/13 14:40:53.0254 2992 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/13 14:40:54.0256 2992 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/13 14:40:56.0469 2992 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/13 14:40:58.0011 2992 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/13 14:40:59.0623 2992 emu10k (01f83e1b5dce05f5cb7d99113ca9e890) C:\WINDOWS\system32\drivers\emu10k1m.sys
2011/07/13 14:41:01.0426 2992 emu10k1 (7ffa171cce6a8bfc774862a578ba39a2) C:\WINDOWS\system32\drivers\ctlfacem.sys
2011/07/13 14:41:02.0387 2992 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/13 14:41:03.0439 2992 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/07/13 14:41:04.0530 2992 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/13 14:41:05.0311 2992 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/07/13 14:41:06.0223 2992 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/13 14:41:06.0954 2992 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/13 14:41:07.0515 2992 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/13 14:41:07.0975 2992 gameenum (5f92fd09e5610a5995da7d775eadcd12) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/07/13 14:41:08.0436 2992 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/07/13 14:41:09.0137 2992 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/13 14:41:10.0018 2992 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/13 14:41:10.0869 2992 HSFHWBS2 (970178e8e003eb1481293830069624b9) C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
2011/07/13 14:41:13.0173 2992 HSF_DP (ebb354438a4c5a3327fb97306260714a) C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
2011/07/13 14:41:17.0429 2992 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/13 14:41:23.0868 2992 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/13 14:41:27.0924 2992 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/13 14:41:30.0458 2992 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/13 14:41:31.0008 2992 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/13 14:41:31.0980 2992 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/13 14:41:32.0891 2992 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/13 14:41:33.0462 2992 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/13 14:41:34.0644 2992 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/13 14:41:35.0405 2992 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/13 14:41:36.0757 2992 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/13 14:41:38.0389 2992 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/13 14:41:38.0619 2992 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/13 14:41:43.0737 2992 mdmxsdk (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/07/13 14:41:46.0751 2992 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/13 14:41:51.0217 2992 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/13 14:41:54.0873 2992 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/07/13 14:41:58.0889 2992 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/13 14:41:59.0840 2992 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/13 14:42:03.0735 2992 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/13 14:42:06.0529 2992 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/13 14:42:09.0283 2992 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/13 14:42:11.0136 2992 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/13 14:42:16.0604 2992 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/13 14:42:21.0201 2992 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/13 14:42:22.0302 2992 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/13 14:42:25.0847 2992 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/13 14:42:27.0259 2992 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/13 14:42:29.0483 2992 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/13 14:42:30.0704 2992 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/13 14:42:31.0926 2992 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/13 14:42:32.0367 2992 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/13 14:42:32.0978 2992 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/13 14:42:33.0568 2992 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/13 14:42:34.0169 2992 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/13 14:42:34.0860 2992 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/07/13 14:42:35.0431 2992 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/13 14:42:36.0052 2992 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/13 14:42:37.0144 2992 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/13 14:42:38.0465 2992 nv (1685a86ce8dc5a70d307dca625fb50e7) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/07/13 14:42:40.0348 2992 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/13 14:42:41.0249 2992 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/13 14:42:42.0491 2992 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/07/13 14:42:44.0174 2992 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/07/13 14:42:47.0258 2992 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/13 14:42:48.0219 2992 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/13 14:42:49.0641 2992 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/13 14:42:50.0332 2992 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/13 14:42:54.0198 2992 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/13 14:43:02.0290 2992 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/13 14:43:04.0903 2992 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/13 14:43:06.0346 2992 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
2011/07/13 14:43:08.0288 2992 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/13 14:43:12.0434 2992 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/13 14:43:14.0257 2992 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/13 14:43:16.0871 2992 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/13 14:43:20.0215 2992 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/13 14:43:23.0490 2992 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/13 14:43:25.0834 2992 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/13 14:43:28.0377 2992 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/13 14:43:34.0636 2992 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/13 14:43:37.0620 2992 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/13 14:43:39.0373 2992 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/07/13 14:43:41.0276 2992 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/13 14:43:42.0968 2992 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/13 14:43:44.0530 2992 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/13 14:43:46.0203 2992 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/13 14:43:47.0334 2992 sfman (0b1a5e9cacb5cdd54a2815107bd7c772) C:\WINDOWS\system32\drivers\sfmanm.sys
2011/07/13 14:43:50.0559 2992 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/13 14:43:50.0910 2992 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/13 14:43:51.0551 2992 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/13 14:43:52.0161 2992 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/13 14:43:52.0572 2992 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/13 14:43:55.0997 2992 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/13 14:43:59.0322 2992 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/13 14:44:01.0004 2992 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/13 14:44:04.0780 2992 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/13 14:44:06.0302 2992 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/13 14:44:07.0403 2992 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/13 14:44:08.0795 2992 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/13 14:44:13.0772 2992 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/07/13 14:44:14.0453 2992 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/13 14:44:16.0576 2992 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/13 14:44:17.0117 2992 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/13 14:44:19.0140 2992 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/13 14:44:20.0823 2992 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/13 14:44:22.0475 2992 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/07/13 14:44:23.0106 2992 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/07/13 14:44:24.0067 2992 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/13 14:44:25.0359 2992 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/13 14:44:26.0871 2992 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/13 14:44:27.0352 2992 winachsf (1225ebea76aac3c84df6c54fe5e5d8be) C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
2011/07/13 14:44:28.0974 2992 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/13 14:44:30.0476 2992 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/13 14:44:31.0348 2992 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/07/13 14:44:33.0441 2992 MBR (0x1B8) (0ab31cf2bd90af73df1c8308c72e3f38) \Device\Harddisk1\DR1
2011/07/13 14:44:40.0100 2992 Boot (0x1200) (fa0acc11548d4c1ee2bd12ca636da8fa) \Device\Harddisk0\DR0\Partition0
2011/07/13 14:44:40.0200 2992 Boot (0x1200) (ddc29537b2a2dc8e3511cf77f0f8409b) \Device\Harddisk1\DR1\Partition0
2011/07/13 14:44:40.0271 2992 ================================================================================
2011/07/13 14:44:40.0271 2992 Scan finished
2011/07/13 14:44:40.0271 2992 ================================================================================
2011/07/13 14:44:40.0361 4000 Detected object count: 0
2011/07/13 14:44:40.0361 4000 Actual detected object count: 0



thanks so much for your help. I really appreciate it

ken545
2011-07-14, 00:38
Hi,

I would like you to run Combofix, the only problem is that AVG antivirus wont let it run, it needs to be uninstalled not just disabled. You can uninstall it via add remove programs in the control panel. We will reinstall it when were done




Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

miamiwings
2011-07-14, 02:25
when i attempted to uninstall AVG I went thru the process several times and got an error message
Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

I am so frustrated, any suggestions?

ken545
2011-07-14, 02:42
You can try there removal tool

http://download.avg.com/filedir/util/support/avg_remover_stf_x86_2011_1322.exe

Or you can try this program to remove it
http://www.appremover.com/supported-applications

miamiwings
2011-07-14, 08:58
ComboFix 11-07-13.03 - Liz 2011-07-13 21:40:35.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.163 [GMT -4:00]
Running from: c:\documents and settings\Liz\Desktop\ComboFix1.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Liz\Desktop\Setup.exe
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
C:\Thumbs.db


c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-06-14 to 2011-07-14 )))))))))))))))))))))))))))))))
.
.
2011-07-14 01:31 . 2011-07-14 01:31 -------- d-----w- C:\ComboFix1
2011-07-04 03:05 . 2011-07-04 11:45 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-07-03 14:26 . 2011-07-03 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\ODIR
2011-07-03 13:16 . 1999-03-26 05:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2011-07-03 13:16 . 2011-07-03 13:16 -------- d-----w- c:\program files\ODIR
2011-06-23 08:16 . 2011-06-23 08:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-06-17 00:24 . 2011-06-17 00:24 -------- d-----w- c:\program files\iPod
2011-06-16 23:07 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-01 02:11 . 2011-05-18 10:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-29 13:11 . 2010-09-21 16:18 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-09-21 16:17 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2007-07-19 15:58 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2007-07-27 12:28 . 2007-07-27 12:28 2775032 ----a-w- c:\program files\AiRoboForm.exe
2008-09-11 15:58 . 2008-09-11 15:59 122880 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"nwiz"="NWIZ.EXE" [2003-07-28 323584]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
"McAfee Guardian"="c:\program files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 1:19 PM 136176]
S3 AX88178;10/100 Gigabit USB2.0 Network Adapter;c:\windows\system32\drivers\ax88178.sys [2007-07-19 1:41 PM 24192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 1:19 PM 136176]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-09-01 4:30 AM 15544]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 17:18]
.
2011-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 17:18]
.
2011-07-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-09-04 19:31]
.
2011-07-03 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-02-17 19:31]
.
2011-07-13 c:\windows\Tasks\User_Feed_Synchronization-{D7BC8F18-6F1E-45C3-8E5E-E54B9ACF7CC2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.peoplestring.com
uInternet Settings,ProxyOverride = *.local
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: plaxo.com\www
TCP: DhcpNameServer = 192.168.1.254
DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader5.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://guckhin.serveftp.net/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-TaskTray - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-13 23:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-07-13 23:22:46
ComboFix-quarantined-files.txt 2011-07-14 03:22
ComboFix2.txt 2010-09-24 02:32
.
Pre-Run: 10,145,050,624 bytes free
Post-Run: 10,256,191,488 bytes free
.
- - End Of File - - 37658A55FBBAD53022883DC3C2FBBD23

ken545
2011-07-14, 11:28
:bigthumb:

You can go ahead and reinstall AVG

Go back to Post #4 and run OTL and post the log please

miamiwings
2011-07-15, 15:07
I installed AVG the 2011 edition. It has a lot of bells and whistles that I really dont know if I need. Keeps showing updates. And, when I attempted to run OTL, it stops scanning at "scanning Firefox Settings" I tried 3 times. Am wondering if I need to disable the AVG when running the OTL. I am sorry that I keep having these issues. I kind of wish I could reinstall the AVG 8. They say it is out of date. Do you think another antivirus program would be better? Sorry for all the questions

ken545
2011-07-15, 15:22
Disable AVG and try OTL again.

This is a free one from Microsoft and I am impressed with it. But if you install it then uninstall AVG

http://www.microsoft.com/en-us/security_essentials/default.aspx

miamiwings
2011-07-16, 02:33
I did the OTL here is the txt
OTL logfile created on: 2011-07-15 7:31:38 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Liz\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

511.53 Mb Total Physical Memory | 162.74 Mb Available Physical Memory | 31.81% Memory free
1.15 Gb Paging File | 0.59 Gb Available in Paging File | 51.02% Paging File free
Paging file location(s): C:\pagefile.sys 700 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 57.25 Gb Total Space | 8.15 Gb Free Space | 14.24% Space Free | Partition Type: NTFS
Drive D: | 55.90 Gb Total Space | 31.50 Gb Free Space | 56.36% Space Free | Partition Type: FAT32

Computer Name: OWNER-C4ACA923A | User Name: Liz | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== LOP Check ==========

[2010-06-02 19:03:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\WinPatrol
[2009-10-03 16:52:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2009-10-22 09:43:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AT&T U-verse Media Share Wizard
[2011-07-15 18:52:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010-05-16 12:01:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Carbonite
[2011-07-14 15:24:33 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010-05-30 20:01:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2008-08-01 12:48:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2011-05-18 07:12:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2008-04-14 10:42:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Karen's Power Tools
[2011-07-14 17:13:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011-07-03 10:26:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ODIR
[2010-05-30 15:58:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2007-07-19 21:31:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2008-08-01 13:26:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008-01-09 20:04:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZipSE
[2010-05-10 18:36:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009-07-04 09:34:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2008-06-18 07:44:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\acccore
[2011-07-14 17:11:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\AVG10
[2011-05-18 12:35:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\check identical files
[2010-05-30 16:01:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\DriverCure
[2010-07-03 13:41:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\ElevatedDiagnostics
[2008-12-07 06:37:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Foxit
[2009-09-12 09:22:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Foxit Software
[2011-07-03 22:35:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\GoodSync
[2007-07-19 17:34:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Grisoft
[2008-07-10 23:16:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\gtk-2.0
[2009-06-28 09:46:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\IObit
[2008-04-05 15:54:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Leadertech
[2008-12-21 08:59:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\MOVAVI
[2008-06-07 08:13:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\MSNInstaller
[2007-07-20 08:24:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\OLYMPUS
[2008-12-08 12:26:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Skinux
[2007-12-11 13:10:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Snapfish
[2010-05-28 08:42:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\SumatraPDF
[2008-01-29 00:39:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Uniblue
[2008-09-13 09:11:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\W Photo Studio Viewer
[2007-09-10 07:30:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Windows Desktop Search
[2010-09-19 13:11:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\WinPatrol
[2007-07-28 11:24:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\Grisoft
[2009-06-25 16:36:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\Skinux
[2010-12-19 22:38:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\WinPatrol
[2011-07-15 19:04:30 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2011-07-15 19:20:21 | 000,000,390 | -H-- | M] () -- C:\WINDOWS\Tasks\MpIdleTask.job
[2011-07-15 17:24:01 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{D7BC8F18-6F1E-45C3-8E5E-E54B9ACF7CC2}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:351B5DA2

< End of report >

miamiwings
2011-07-16, 02:41
I searched the desktop and c drive and could not find the other extra.txt file

ken545
2011-07-16, 03:14
Hi,

Please run OTL scan again as you did not post the entire log, most of it is missing, dont worry about the extras log

miamiwings
2011-07-16, 14:54
I attempted to run the OTL again and it is getting stuck on the same thing io
did before.Stops responding when it gets to a certain point. Also, the microsoft security program msmpEng.exe shows 248,548k peak memory usage. I tried disabling it but OTL still didnt complete the scan

ken545
2011-07-16, 23:31
Try running the scan in Safemode

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

miamiwings
2011-07-17, 01:32
I ran OTL in safemode and the same thing happened . It stopped responding when it was scanning firefox settings. One other thing, The microsoft security essentials MsMpeng.exe peak memory usage shows 243,212 and 168,554 vm, 360 handles and 34 threads. I don't know much about the task manager, but the 243,212 seems like it is using up too much memory or resources. I did a search and it seems as though lots of people claim that it is a problem. What do you think? I never had problems with AVG 8 but cant find it to reinstall. They only show 2011.

Thanks for your help

ken545
2011-07-17, 01:43
That file is related to Windows Defender, read this and see if you can follow disabling it. Let me know , I can break it down for you if needed

http://helpdeskgeek.com/windows-vista-tips/what-is-msmpeng-exe/


Then try OTL again

miamiwings
2011-07-17, 01:58
I hope I am not looking stupid but I dont know if I even have windows defender. I cant find it. Only security essentials.

ken545
2011-07-17, 02:57
These logs can be located in the OTL. folder on you C:\ drive

OPen Microsoft Security Essentials, settings tab, select realtime protection, and uncheck "turn on realtime protection". Ok your way out and try OTL again

miamiwings
2011-07-17, 04:16
I followed your instructions with Security Essentials and disabled; however, when I tried OTL again, it still stopped responding when checking firefox settings and even though I unchecked turn on realtime protection. I could not find the OTL logs in C drive or anywhere. I opened task manager and it still showed the MsMpEng at 230,508 I am totally confused, now I have no antivirus protection turned on and am unhappy about the resourse usage. Maybe I am writing it incorrectly, but now the computer is getting frozen up
Please help. Maybe I should have another anti virus. what do you think?

miamiwings
2011-07-17, 12:38
The fix you suggested referred to Vista. I have xp . I researched the problem with the cpu usage and MsMpeng. On one site the path for disabling is shown differently it is under :\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Essentials. I haven't tried it yet and am afraid to do it. I found the information on another site
"1st bye solutions" What do you think?

ken545
2011-07-17, 14:08
Go ahead and uninstall Microsoft Security Essentials, after its unintalled try OTL again, if OTL wont run, then reinstall AVG so you will have virus protection.

Then see if this will run


Download OTS.exe (http://oldtimer.geekstogo.com/OTS.exe) by OldTimer to your Desktop.
Close any open browsers.
Double-click on OTS.exe to start the program.
Leave all settings as they appear as default, except for the following:
Under Drivers, select "All".
Under Additional Scans, click on the "Extra" button.

Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, Attach the file ).

miamiwings
2011-07-18, 03:04
I followed your instructions but could not install AVG. I kept getting a message after it was almost complete and I saved the log, which I am attaching. I am at a loss as to what to do next. I don't understand why I cannot install AVG I don't know if you can open the log. I am afraid to do anything because I have no anti virus

ken545
2011-07-18, 03:48
Try using there removal tool again to remove any remnants of it, then try this other free program, I like it better than AVG, AVG can sometimes be a nuisance

Free Avast 4 Home Edition (http://www.avast.com/eng/avast_4_home.html)

miamiwings
2011-07-18, 14:14
I was happy to install avast with no problem; however, when I attempted to run ots.exe it froze when scanning internet explorer settings. I disabled avast and tried again, no luck,,it stopped responding.

ken545
2011-07-18, 14:18
Lets see a new DDS log

Download DDS from one of the links below to your desktop

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com)


Double click the tool to run it.
A black Screen will open, just read the contents and do nothing.
When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
Copy/Paste the contents of 'DDS.txt' into your post.
'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files) (http://windows.microsoft.com/en-us/windows-vista/Compress-and-uncompress-files-zip-files)

miamiwings
2011-07-18, 14:59
DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Liz at 7:27:47 on 2011-07-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.150 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.peoplestring.com
uProxyServer = :0
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - <orphaned>
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - <orphaned>
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - <orphaned>
TB: &RoboForm: {724D43A0-0D85-11D4-9908-00400523E39A} - c:\program files\siber systems\ai roboform\roboform.dll
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: Groove Folder Synchronization: {2A541AE1-5BF6-4665-A8A3-CFA9672E4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
EB: &Research: {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program files\microsoft office\office12\REFIEBAR.DLL
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [nwiz] NWIZ.EXE /install
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Customize Menu - c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://cam1.rcon.nl/activex/AMC.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader5.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://guckhin.serveftp.net/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{53DF6BF5-643F-4570-B039-491C5D1DD8B7} : DHCPNameServer = 172.16.0.1
TCP: Interfaces\{635F2B4A-7C31-4C58-A4C1-AD2F8A9BA7BB} : DHCPNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: ipp - <Clsid value has no data>
Handler: msdaipp - <Clsid value has no data>
Notify: dimsntfy - <no file>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
IFEO: Your Image File Name Here without a path - ntsd -d
.
============= SERVICES / DRIVERS ===============
.
S1 MpKsl8350b39d;MpKsl8350b39d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b2d7fed-b10e-4078-afb7-ef756a7aa676}\mpksl8350b39d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b2d7fed-b10e-4078-afb7-ef756a7aa676}\MpKsl8350b39d.sys [?]
S1 MpKslaff28954;MpKslaff28954;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b2d7fed-b10e-4078-afb7-ef756a7aa676}\mpkslaff28954.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b2d7fed-b10e-4078-afb7-ef756a7aa676}\MpKslaff28954.sys [?]
S3 AX88178;10/100 Gigabit USB2.0 Network Adapter;c:\windows\system32\drivers\ax88178.sys [2007-7-19 24192]
.
=============== Created Last 30 ================
.
2011-07-18 06:31:32 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-18 06:30:14 40112 ----a-w- c:\windows\avastSS.scr
2011-07-18 06:29:10 -------- d-----w- c:\program files\AVAST Software
2011-07-18 06:29:10 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-07-17 23:06:38 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2011-07-15 22:50:19 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-07-15 11:17:19 0 ---ha-w- c:\documents and settings\liz\local settings\application data\BIT6.tmp
2011-07-14 19:24:33 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-07-14 18:24:58 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-07-14 01:31:15 -------- d-----w- C:\ComboFix1
2011-07-04 03:05:54 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-07-03 14:26:01 -------- d-----w- c:\documents and settings\all users\application data\ODIR
2011-07-03 13:16:47 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2011-07-03 13:16:36 -------- d-----w- c:\program files\ODIR
.
==================== Find3M ====================
.
2011-07-01 02:11:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2007-07-27 12:28:27 2775032 ----a-w- c:\program files\AiRoboForm.exe
.
============= FINISH: 7:35:27.85 ===============

ken545
2011-07-18, 19:13
Using Combofix thats still on your desktop, do this

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above DDS::




DDS::
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - <orphaned>
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - <orphaned>
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

miamiwings
2011-07-18, 20:35
Output folder: C:\32788R22FWJFW
Delete file: C:\32788R22FWJFW\023.dat
Delete file: C:\32788R22FWJFW\023v.dat
Delete file: C:\32788R22FWJFW\023w7.dat
Delete file: C:\32788R22FWJFW\AppDataFile.cfx
Delete file: C:\32788R22FWJFW\AppDataFolder.cfx
Delete file: C:\32788R22FWJFW\appinit.bad
Delete file: C:\32788R22FWJFW\asp.str
Delete file: C:\32788R22FWJFW\Assoc.cmd
Delete file: C:\32788R22FWJFW\Auto-RC.cmd
Delete file: C:\32788R22FWJFW\av.cmd
Delete file: C:\32788R22FWJFW\av.vbs
Delete file: C:\32788R22FWJFW\AWF.cmd
Delete file: C:\32788R22FWJFW\badclsid.c
Delete file: C:\32788R22FWJFW\Boot-Rk.cmd
Delete file: C:\32788R22FWJFW\Boot.bat
Delete file: C:\32788R22FWJFW\BootDrv.vbs
Delete file: C:\32788R22FWJFW\c.bat
Delete file: C:\32788R22FWJFW\Catch-sub.cmd
Delete file: C:\32788R22FWJFW\catchme.cfxxe
Delete file: C:\32788R22FWJFW\CF-Script.cmd
Delete file: C:\32788R22FWJFW\CHCP.bat
Delete file: C:\32788R22FWJFW\clsid.c
Delete file: C:\32788R22FWJFW\Combo-Fix.sys
Delete file: C:\32788R22FWJFW\Combobatch.bat
Delete file: C:\32788R22FWJFW\ComboFix-Download.cfxxe
Delete file: C:\32788R22FWJFW\Create.cmd
Delete file: C:\32788R22FWJFW\Creg.dat
Delete file: C:\32788R22FWJFW\CregC.cmd
Delete file: C:\32788R22FWJFW\CregC.dat
Delete file: C:\32788R22FWJFW\CSet.cmd
Delete file: C:\32788R22FWJFW\dd.cfxxe
Delete file: C:\32788R22FWJFW\ddsDo.sed
Delete file: C:\32788R22FWJFW\DelClsid.bat
Delete file: C:\32788R22FWJFW\DelClsid64.bat
Delete file: C:\32788R22FWJFW\desktop.ini
Delete file: C:\32788R22FWJFW\DesktopFile.cfx
Delete file: C:\32788R22FWJFW\DisclaimED.dat
Delete file: C:\32788R22FWJFW\Dnl.dat
Delete file: C:\32788R22FWJFW\DPF.str
Delete file: C:\32788R22FWJFW\DrvRun.vbs
Delete file: C:\32788R22FWJFW\dumphive.cfxxe
Delete file: C:\32788R22FWJFW\embedded.sed
Remove folder: C:\32788R22FWJFW\EN-US\
Delete file: C:\32788R22FWJFW\ERDNT.e_e
Delete file: C:\32788R22FWJFW\ERDNTDOS.LOC
Delete file: C:\32788R22FWJFW\ERDNTWIN.LOC
Delete file: C:\32788R22FWJFW\ERUNT.cfxxe
Delete file: C:\32788R22FWJFW\ERUNT.LOC

miamiwings
2011-07-18, 20:36
combofix did not ask me to reboot.

ken545
2011-07-18, 20:41
Let me see the entire Combofix log .

C:\ComboFix.txt <--You can find it here, make sure its the one you just ran, check the date

miamiwings
2011-07-18, 20:58
I only found what I included the last time, the others don't show combofix.txt

they show complete files and when I try to attach it won't . I guess I am doing something wrong. Sorry

ken545
2011-07-18, 21:33
Just go ahead and run Combofix again, the program, not the script we did last time and post the new log

miamiwings
2011-07-19, 01:45
ComboFix 11-07-18.04 - Liz 2011-07-18 16:32:06.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.159 [GMT -4:00]
Running from: c:\documents and settings\Liz\Desktop\ComboFix1.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Liz\WINDOWS
c:\windows\system32\ctfmon(2).exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-18 to 2011-07-18 )))))))))))))))))))))))))))))))
.
.
2011-07-18 06:31 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-18 06:31 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-07-18 06:31 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-18 06:31 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-18 06:31 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-18 06:31 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-18 06:31 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-18 06:31 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-18 06:30 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-07-18 06:30 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-18 06:29 . 2011-07-18 06:29 -------- d-----w- c:\program files\AVAST Software
2011-07-18 06:29 . 2011-07-18 06:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-07-17 23:06 . 2011-07-17 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-07-15 22:50 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-07-15 11:17 . 2011-07-15 11:17 0 ---ha-w- c:\documents and settings\Liz\Local Settings\Application Data\BIT6.tmp
2011-07-14 19:24 . 2011-07-14 19:24 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-07-14 18:24 . 2011-07-17 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-07-14 01:31 . 2011-07-14 01:31 -------- d-----w- C:\ComboFix1
2011-07-04 03:05 . 2011-07-04 11:45 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-07-03 14:26 . 2011-07-03 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\ODIR
2011-07-03 13:16 . 1999-03-26 05:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2011-07-03 13:16 . 2011-07-03 13:16 -------- d-----w- c:\program files\ODIR
2011-06-23 08:16 . 2011-06-23 08:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-01 02:11 . 2011-05-18 10:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-29 13:11 . 2010-09-21 16:18 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-09-21 16:17 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2007-07-19 15:58 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2007-07-27 12:28 . 2007-07-27 12:28 2775032 ----a-w- c:\program files\AiRoboForm.exe
2008-09-11 15:58 . 2008-09-11 15:59 122880 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-14_03.10.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-19 02:51 . 2011-04-19 02:51 51024 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_4ddc769f\vcomp90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90rus.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90kor.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90jpn.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90ita.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90fra.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esp.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esn.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 53584 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90enu.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 63312 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90deu.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90cht.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 35664 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90chs.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90u.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2011-07-17 23:47 . 2011-07-17 23:47 16384 c:\windows\Temp\Perflib_Perfdata_598.dat
+ 2011-04-19 02:51 . 2011-04-19 02:51 653136 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcr90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 569680 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcp90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcm90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 159048 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_92453bb7\atl90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 640000 c:\windows\system32\dllcache\dbghelp.dll
+ 2011-07-15 14:04 . 2011-07-15 14:04 223744 c:\windows\Installer\a0b8d9.msi
+ 2011-07-15 22:19 . 2011-07-15 22:19 301056 c:\windows\Installer\2668217.msi
+ 2011-07-14 18:44 . 2011-07-14 18:44 219648 c:\windows\Installer\174d24a.msi
+ 2011-04-19 02:51 . 2011-04-19 02:51 3781960 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfc90u.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 3766600 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfc90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2011-05-19 21:24 . 2011-05-19 21:24 1939968 c:\windows\Installer\266821f.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"nwiz"="NWIZ.EXE" [2003-07-28 323584]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
"McAfee Guardian"="c:\program files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-07-18 2:31 AM 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-07-18 2:31 AM 19544]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-07-18 2:31 AM 441176]
S1 MpKsl8350b39d;MpKsl8350b39d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B2D7FED-B10E-4078-AFB7-EF756A7AA676}\MpKsl8350b39d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B2D7FED-B10E-4078-AFB7-EF756A7AA676}\MpKsl8350b39d.sys [?]
S1 MpKslaff28954;MpKslaff28954;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B2D7FED-B10E-4078-AFB7-EF756A7AA676}\MpKslaff28954.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B2D7FED-B10E-4078-AFB7-EF756A7AA676}\MpKslaff28954.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 1:19 PM 136176]
S3 AX88178;10/100 Gigabit USB2.0 Network Adapter;c:\windows\system32\drivers\ax88178.sys [2007-07-19 1:41 PM 24192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 1:19 PM 136176]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-09-01 4:30 AM 15544]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AAVMKER4
*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMON2
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
*NewlyCreated* - AVAST!_ANTIVIRUS
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 17:18]
.
2011-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 17:18]
.
2011-07-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-09-04 19:31]
.
2011-07-03 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-02-17 19:31]
.
2011-07-18 c:\windows\Tasks\User_Feed_Synchronization-{D7BC8F18-6F1E-45C3-8E5E-E54B9ACF7CC2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.peoplestring.com
uInternet Settings,ProxyOverride = *.local
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: plaxo.com\www
TCP: DhcpNameServer = 192.168.1.254
DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader5.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://guckhin.serveftp.net/activex/AMC.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-18 17:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-07-18 17:19:05
ComboFix-quarantined-files.txt 2011-07-18 21:18
ComboFix2.txt 2011-07-14 03:22
ComboFix3.txt 2010-09-24 02:32
.
Pre-Run: 8,838,823,936 bytes free
Post-Run: 8,852,873,216 bytes free
.
- - End Of File - - 41560BEBEC584DAAF22513004D64AE3B

ken545
2011-07-19, 03:43
Looking good. I see you have Avast as your main AV, good choice, but I am also seeing markers for AVG, did you try to uninstall AVG at one time ?

How are things running now ?

miamiwings
2011-07-19, 04:05
I went to restart and everything froze, then when I started up. It took forever, and just got the plain blue desktop, I shut down and restarted in safe mode. Right now I am going to restart in normal and if it doesnt work,, I will be back in safe mode. This stuff is driving me crazy. I tried to remove avg several ways,

ken545
2011-07-19, 04:13
See if you can run the AVG removal tool


http://download.avg.com/filedir/util/support/avg_remover_stf_x86_2011_1322.exe

miamiwings
2011-07-19, 05:00
I tried startup in normal mode and logged into this forum. It was almost impossible for me to post a message because it kept freezing up . I ran the avg removal tool but I don't know what happened, it didn't produce anything. It just seemed to finish. Some of my avg files were located in "d" drive. I removed them by hand . Something is still wrong because I cannot start up in normal mode. I don't know what happened. Do you have any idea what the problem is? Thanks

ken545
2011-07-19, 11:27
I think at this point you should post over at this forum for windows problems. You can do a repair install of windows, this will reinstall windows right on top of the current installation and repair things as it goes along. The other option is to reset your computer back to manufacturer defaults, it will set it back to the day you received it, the third option is to just do a format and fresh reinstall of windows. We seem to be just chasing our tail, the scans we ran cleaned a few things but nothing earth shattering so the issues your having may just be windows related. This forum like Safer is free but you will need to register. We all work together so feel free to link them to this thread so they can see what we have done.

http://forums.whatthetech.com/index.php?showforum=119

Good Luck,
Ken

miamiwings
2011-07-20, 01:01
I don't have my windows disk. I have misplaced it. Isn't there anyway I can get help here. When all this started I didn't have the problems with my computer that I am having now. I just couldnt run spybot to completion and I had some malware. Now I can't log on except in safe mode. I don't know what to do.,

ken545
2011-07-20, 01:31
We just do malware removal on this forum, post over at the windows forum I suggested and lets see what they can do for you.


When all this started I didn't have the problems with my computer that I am having now

With all the scans and programs we have run, Combofix removed these which are malware
Search Toolbar
c:\documents and settings\Liz\WINDOWS


With Post # 33 all we removed where orphaned BHOs ( Browser Helper Objects ) Removing these would not effect system performance
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - <orphaned>
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - <orphaned>
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>


I dont know what you did but in Post # 34 your showing a bunch of files related to Combofix, again, deleting these or keeping them would make no difference in system performance. Deleting these is part of our clean up procedure and we would have removed these all anyway when we where done

Delete file: C:\32788R22FWJFW


You may not need your disk, they maybe able to do a work around

miamiwings
2011-07-20, 02:58
I certainly didnt mean to suggest that my problems are your fault. I apppreciated all that you have done to help me. I posted over there. I hope they can help. I am still running in safe mode. Thanks again

Liz

ken545
2011-07-20, 03:08
Liz, link them to this thread so they can see what we have done, I will find you over there and offer any advice that I can

miamiwings
2011-07-20, 03:11
I did post the link, unfortunately, I didn't zip the log but just posted it. What a dummy I am. Thanks Ken

ken545
2011-07-20, 10:55
Looks like you got a response, lets see what happens :bigthumb: