
Thread: Seem to be having trouble

  1. #1
    Member
    Join Date
    Oct 2008
    Posts
    77


    I use AVG free. Lately it seems it has been catching a lot of threats. But from previous use I know that it doesn't catch everything. And with the amount that it has caught, I'm wondering if anything on my PC hasn't been caught.

    Here are the logs:


    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Brian at 10:08:10.14 on 08/05/2011
    Internet Explorer: 9.0.8112.16421
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2814.1526 [GMT -4:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\SMINST\BLService.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\rundll32.exe
    C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Brian\Desktop\dds.scr
    C:\Windows\system32\conime.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.ask.com/?o=14196&l=dis
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=91&bd=Presario&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=91&bd=Presario&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=91&bd=Presario&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Google Update] "c:\users\brian\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
    mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
    mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32464]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 296400]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-2-15 7421280]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-20 365952]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-5-8 1153368]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 28624]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-20 193840]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-05-08 06:29:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-05-08 06:29:41 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
    2011-05-08 06:18:14 -------- d-----w- c:\program files\4Videosoft Studio
    2011-05-08 06:15:47 -------- d-----w- c:\users\brian\appdata\roaming\GetRightToGo
    2011-05-04 02:32:00 -------- d-----w- c:\users\brian\appdata\local\{5687629B-0731-472A-AE7E-1844B105C6CC}
    2011-05-02 22:11:58 -------- d-----w- c:\users\brian\appdata\local\{7BBAB14E-2224-48A2-8C39-30D733BEFA0B}
    2011-04-29 23:17:55 -------- d-----w- c:\program files\iPod
    2011-04-29 23:17:42 -------- d-----w- c:\program files\iTunes
    2011-04-29 23:10:39 -------- d-----w- c:\program files\Bonjour
    2011-04-28 15:00:49 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-04-28 15:00:48 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-04-28 15:00:31 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-04-15 20:38:57 2041856 ----a-w- c:\windows\system32\win32k.sys
    2011-04-15 20:38:55 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-15 20:38:48 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-04-12 18:01:02 -------- d-----w- c:\users\brian\appdata\local\{5C9DC467-E23D-4DF9-9658-F701A42E8BC8}
    2011-04-12 03:17:16 -------- d-----w- c:\users\brian\appdata\local\{619CA3ED-9619-460F-A62E-FEBF9B636FB8}
    2011-04-11 14:48:52 -------- d-----w- c:\users\brian\appdata\local\{4C63B8B0-3CE9-458A-8DCE-77ACE368CE53}
    2011-04-10 23:44:39 -------- d-----w- c:\users\brian\appdata\local\HP
    2011-04-08 18:11:25 -------- d-----w- c:\users\brian\appdata\local\{4EE4255C-21A7-420C-9224-6E3B047096A6}
    .
    ==================== Find3M ====================
    .
    2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-04-06 20:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
    2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
    2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-18 20:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-02-16 16:16:37 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-02-16 14:02:23 292864 ----a-w- c:\windows\system32\atmfd.dll
    .
    ============= FINISH: 10:09:47.83 ===============
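A defender-side triage pass over the kind of DDS "Pseudo HJT Report" and service entries posted above, as an added example that is not part of this thread, of the DDS tool, or of the helper's procedure. It assumes only the line formats visible in the log; the flag rules (orphaned "No File" BHO/toolbar entries, unnamed or empty autoruns, any Hosts override, a service whose image is marked `[?]`, and a user start page whose host differs from the machine default) are this example's own heuristics, and the sample excerpt is constructed from lines of the log above.

```python
"""Triage helper for DDS 'Pseudo HJT Report' / service lines (added example)."""
import re

# Constructed excerpt modelled on the DDS log in the thread (not a full DDS report).
SAMPLE_DDS = r"""
uStart Page = hxxp://www.ask.com/?o=14196&l=dis
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Google Update] "c:\users\brian\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [<NO NAME>]
Hosts: 127.0.0.1 www.spywareinfo.com
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
"""

# Line shapes as they appear in the DDS output: u = per-user, m = per-machine.
START_RE = re.compile(r"^([um])Start Page\s*=\s*(\S+)")
NOFILE_RE = re.compile(r"^(BHO|TB):\s.*-\s*No File$")
RUN_RE = re.compile(r"^([um]Run):\s*\[(.*?)\]\s*(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def host_of(defanged_url):
    """Return the lower-cased host of a DDS-defanged (hxxp://) URL."""
    url = re.sub(r"^hxxps?://", "", defanged_url, flags=re.IGNORECASE)
    return url.split("/", 1)[0].lower()


def triage(text):
    """Return (category, detail) findings for the entries a helper reviews first.

    Heuristics are this example's own; a finding means 'look at this', not 'malware'.
    """
    findings = []
    start_pages = {}  # 'u' -> host, 'm' -> host
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = START_RE.match(line)
        if m:
            start_pages.setdefault(m.group(1), host_of(m.group(2)))
            continue
        if NOFILE_RE.match(line):
            # Registry entry whose DLL no longer exists: leftover to clean up.
            findings.append(("orphaned-entry", line))
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group(2), m.group(3)
            if name == "<NO NAME>" or not cmd.strip():
                # Autorun with no value name or no command: unusual for installers.
                findings.append(("unnamed-or-empty-autorun", line))
            continue
        m = HOSTS_RE.match(line)
        if m:
            # DDS only prints non-default hosts entries; each one gets reviewed.
            findings.append(("hosts-override", line))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(4).rstrip().endswith("[?]"):
            # '[?]' means DDS could not find the file at the registered image path.
            findings.append(("service-file-missing", line))
            continue
    # A user start page pointing somewhere other than the OEM/machine default
    # is the classic browser-hijack symptom worth a question to the poster.
    u, mh = start_pages.get("u"), start_pages.get("m")
    if u and mh and u != mh:
        findings.append(("start-page-changed", f"user={u} machine={mh}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS):
        print(f"{category:26} {detail}")
```

Run it on a saved DDS report with `triage(open("dds.txt").read())`; the six findings on the constructed excerpt are the two orphaned entries, the nameless mRun, the hosts override, the Norton service with a missing image, and the changed user start page.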

  2. #2
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038


    Hi and !! My name is Jeff. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
    • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
    • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic button to the right of your topic title and then choosing the notification method (Recommended: Immediate Notification).
    • The fixes are specific to your problem and should only be used for the issues on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • It's often worth reading through these instructions and printing them for ease of reference.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.


    **Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice; this will be a team effort. This may cause a delay, but I will do my best to keep it as short as possible. Please bear with me, I will post back to you as soon as I can.**

    IMPORTANT NOTE : Please do not delete anything unless instructed to.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
    Doing so could make your system inoperable and could require a full reinstall of your OS, losing all your programs and data.


    Vista and Windows 7 users:
    These tools MUST be run from the executable (.exe) every time you run them
    with Admin Rights (Right click, choose "Run as Administrator")


    Stay with this topic until I give you the all clean post.

  3. #3
    Member
    Join Date
    Oct 2008
    Posts
    77


    Thank you for the reply!

  4. #4
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038


    Let's get going!!

    I notice that you have Norton Internet Security installed on your system. We need to uninstall that and the best way to make sure that all of it is removed is by downloading the Norton AntiVirus Remover Tool found here. Follow the instructions on this page that I have provided. Once the tool is downloaded, double-click (for XP) or right-click and Run as Administrator (Vista) the Norton Removal Tool icon for this tool and follow the prompts to completely remove Norton Antivirus. Once complete do not forget to restart your computer.
    ----------


    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and attach it in your reply.


    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
    ----------

    Please download aswMBR to your desktop.

    • Double click the aswMBR icon to run it.
      Vista and Windows 7 users right click the icon and choose "Run as administrator".
    • Click the Scan button to start scan.
    • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.




    In your next reply please post the logs to:
    • GMER
    • aswMBR

  5. #5
    Member
    Join Date
    Oct 2008
    Posts
    77


    Let me say first that when I tried to run aswMBR, a blue screen came up and said my computer needed to be shut down. It restarted and was then able to run the program fine after.

    Here is the Gmer log.


    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit scan 2011-05-12 12:36:08
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5 Hitachi_HTS545025B9A300 rev.PB2OCA0G
    Running: gmer.exe; Driver: C:\Users\Brian\AppData\Local\Temp\agloqpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA08F07A0]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA08F0848]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA08F08E4]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA08F0980]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 3F1 81EB8B74 4 Bytes [A0, 07, 8F, A0]
    .text ntkrnlpa.exe!KeSetEvent + 621 81EB8DA4 8 Bytes [48, 08, 8F, A0, E4, 08, 8F, ...]
    .text ntkrnlpa.exe!KeSetEvent + 681 81EB8E04 4 Bytes [80, 09, 8F, A0]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtCreateFile + 6 77D4422A 4 Bytes [28, 00, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtCreateFile + B 77D4422F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtMapViewOfSection + 6 77D4497A 1 Byte [28]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtMapViewOfSection + 6 77D4497A 4 Bytes [28, 03, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtMapViewOfSection + B 77D4497F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtOpenFile + 6 77D44A0A 4 Bytes [68, 00, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtOpenFile + B 77D44A0F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtOpenProcess + 6 77D44A8A 4 Bytes [A8, 01, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtOpenProcess + B 77D44A8F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtOpenProcessToken + B 77D44A9F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtOpenProcessTokenEx + 6 77D44AAA 4 Bytes [A8, 02, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtOpenProcessTokenEx + B 77D44AAF 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtOpenThread + 6 77D44AFA 4 Bytes [68, 01, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtOpenThread + B 77D44AFF 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtOpenThreadToken + 6 77D44B0A 4 Bytes [68, 02, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtOpenThreadToken + B 77D44B0F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtOpenThreadTokenEx + B 77D44B1F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtQueryAttributesFile + 6 77D44BAA 4 Bytes [A8, 00, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtQueryAttributesFile + B 77D44BAF 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtQueryFullAttributesFile + B 77D44C5F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtSetInformationFile + 6 77D4513A 4 Bytes [28, 01, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtSetInformationFile + B 77D4513F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtSetInformationThread + 6 77D4518A 4 Bytes [28, 02, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtSetInformationThread + B 77D4518F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtUnmapViewOfSection + 6 77D4542A 1 Byte [68]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtUnmapViewOfSection + 6 77D4542A 4 Bytes [68, 03, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[440] ntdll.dll!NtUnmapViewOfSection + B 77D4542F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtCreateFile + 6 77D4422A 4 Bytes [28, 00, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtCreateFile + B 77D4422F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtMapViewOfSection + 6 77D4497A 1 Byte [28]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtMapViewOfSection + 6 77D4497A 4 Bytes [28, 03, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtMapViewOfSection + B 77D4497F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtOpenFile + 6 77D44A0A 4 Bytes [68, 00, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtOpenFile + B 77D44A0F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtOpenProcess + 6 77D44A8A 4 Bytes [A8, 01, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtOpenProcess + B 77D44A8F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtOpenProcessToken + B 77D44A9F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtOpenProcessTokenEx + 6 77D44AAA 4 Bytes [A8, 02, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtOpenProcessTokenEx + B 77D44AAF 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtOpenThread + 6 77D44AFA 4 Bytes [68, 01, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtOpenThread + B 77D44AFF 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtOpenThreadToken + 6 77D44B0A 4 Bytes [68, 02, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtOpenThreadToken + B 77D44B0F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtOpenThreadTokenEx + B 77D44B1F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtQueryAttributesFile + 6 77D44BAA 4 Bytes [A8, 00, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtQueryAttributesFile + B 77D44BAF 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtQueryFullAttributesFile + B 77D44C5F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtSetInformationFile + 6 77D4513A 4 Bytes [28, 01, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtSetInformationFile + B 77D4513F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtSetInformationThread + 6 77D4518A 4 Bytes [28, 02, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtSetInformationThread + B 77D4518F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtUnmapViewOfSection + 6 77D4542A 1 Byte [68]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtUnmapViewOfSection + 6 77D4542A 4 Bytes [68, 03, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5152] ntdll.dll!NtUnmapViewOfSection + B 77D4542F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtCreateFile + 6 77D4422A 4 Bytes [28, 00, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtCreateFile + B 77D4422F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtMapViewOfSection + 6 77D4497A 1 Byte [28]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtMapViewOfSection + 6 77D4497A 4 Bytes [28, 03, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtMapViewOfSection + B 77D4497F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtOpenFile + 6 77D44A0A 4 Bytes [68, 00, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtOpenFile + B 77D44A0F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtOpenProcess + 6 77D44A8A 4 Bytes [A8, 01, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtOpenProcess + B 77D44A8F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtOpenProcessToken + B 77D44A9F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtOpenProcessTokenEx + 6 77D44AAA 4 Bytes [A8, 02, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtOpenProcessTokenEx + B 77D44AAF 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtOpenThread + 6 77D44AFA 4 Bytes [68, 01, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtOpenThread + B 77D44AFF 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtOpenThreadToken + 6 77D44B0A 4 Bytes [68, 02, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtOpenThreadToken + B 77D44B0F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtOpenThreadTokenEx + B 77D44B1F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtQueryAttributesFile + 6 77D44BAA 4 Bytes [A8, 00, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtQueryAttributesFile + B 77D44BAF 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtQueryFullAttributesFile + B 77D44C5F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtSetInformationFile + 6 77D4513A 4 Bytes [28, 01, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtSetInformationFile + B 77D4513F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtSetInformationThread + 6 77D4518A 4 Bytes [28, 02, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtSetInformationThread + B 77D4518F 1 Byte [E2]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtUnmapViewOfSection + 6 77D4542A 1 Byte [68]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtUnmapViewOfSection + 6 77D4542A 4 Bytes [68, 03, 06, 00]
    .text C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe[5360] ntdll.dll!NtUnmapViewOfSection + B 77D4542F 1 Byte [E2]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----


    Here is the aswMBR


    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-12 12:44:01
    -----------------------------
    12:44:01.634 OS Version: Windows 6.0.6002 Service Pack 2
    12:44:01.634 Number of processors: 2 586 0x301
    12:44:01.634 ComputerName: BRIAN-PC UserName: Brian
    12:44:03.553 Initialize success
    12:44:06.283 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5
    12:44:06.283 Disk 0 Vendor: Hitachi_HTS545025B9A300 PB2OCA0G Size: 238475MB BusType: 3
    12:44:08.374 Disk 0 MBR read successfully
    12:44:08.374 Disk 0 MBR scan
    12:44:08.374 Disk 0 unknown MBR code
    12:44:10.402 Disk 0 scanning sectors +488390656
    12:44:10.464 Disk 0 scanning C:\Windows\system32\drivers
    12:44:23.162 Service scanning
    12:44:25.705 Disk 0 trace - called modules:
    12:44:25.721 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
    12:44:25.736 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85778198]
    12:44:25.736 3 CLASSPNP.SYS[807a48b3] -> nt!IofCallDriver -> [0x85562360]
    12:44:25.752 5 acpi.sys[806126bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-5[0x85562b98]
    12:44:25.752 Scan finished successfully
    12:44:39.074 Disk 0 MBR has been saved successfully to "C:\Users\Brian\Desktop\MBR.dat"
    12:44:39.090 The log file has been saved successfully to "C:\Users\Brian\Desktop\aswMBR.txt"

  6. #6
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    I notice that you have AVG installed on your system. We need to uninstall that and the best way to make sure that all of it is removed is by downloading the AVG Remover Tool found here. Download either the 32bit or 64bit version whichever is applicable to your system onto your desktop. Once the tool is downloaded, double-click (for XP) or right-click and Run as Administrator (Vista) the icon for this tool and follow the prompts to completely remove AVG.
    ----------

    Download Combofix from either of the links below, and save it to your desktop.
    Link 1
    Link 2

    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

    --------------------------------------------------------------------

    Double click on ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt for further review.


    In your next reply please post the log that is created by ComboFix.

  7. #7
    Member
    Join Date
    Oct 2008
    Posts
    77

    Default

    ComboFix 11-05-12.04 - Brian 13/05/2011 15:11:53.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2814.1942 [GMT -4:00]
    Running from: c:\users\Brian\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-13 to 2011-05-13 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-13 19:19 . 2011-05-13 19:19 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-05-12 15:38 . 2011-05-12 15:38 100736 ----a-w- C:\agloqpow.sys
    2011-05-12 02:43 . 2011-05-12 02:43 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2011-05-11 19:25 . 2011-05-11 19:26 -------- d-----w- c:\users\Brian\AppData\Local\{A2757DCE-75E0-4590-A806-DFCD5E3E8409}
    2011-05-11 17:38 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-05-10 01:54 . 2011-05-10 01:54 -------- d-----w- C:\$AVG
    2011-05-08 06:29 . 2011-05-08 13:59 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-05-08 06:29 . 2011-05-08 06:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-05-08 06:18 . 2011-05-08 06:18 -------- d-----w- c:\program files\4Videosoft Studio
    2011-05-08 06:15 . 2011-05-08 06:17 -------- d-----w- c:\users\Brian\AppData\Roaming\GetRightToGo
    2011-05-04 02:32 . 2011-05-04 02:32 -------- d-----w- c:\users\Brian\AppData\Local\{5687629B-0731-472A-AE7E-1844B105C6CC}
    2011-05-02 22:11 . 2011-05-02 22:12 -------- d-----w- c:\users\Brian\AppData\Local\{7BBAB14E-2224-48A2-8C39-30D733BEFA0B}
    2011-04-29 23:17 . 2011-04-29 23:17 -------- d-----w- c:\program files\iPod
    2011-04-29 23:17 . 2011-04-29 23:20 -------- d-----w- c:\program files\iTunes
    2011-04-29 23:10 . 2011-04-29 23:10 -------- d-----w- c:\program files\Bonjour
    2011-04-28 15:00 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-04-28 15:00 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-04-28 15:00 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-04-15 20:38 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
    2011-04-15 20:38 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-03-09 16:57 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-03-03 15:40 . 2011-04-28 15:00 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2011-03-03 15:40 . 2011-04-28 15:00 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2011-03-03 15:40 . 2011-04-28 15:00 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2011-03-03 15:40 . 2011-04-28 15:00 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2011-02-22 14:13 . 2011-03-23 03:29 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-22 13:33 . 2011-03-23 03:29 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-22 13:33 . 2011-03-23 03:29 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-18 20:36 . 2011-02-18 20:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-02-18 20:36 . 2011-02-18 20:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-1-25 984408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3137346884-2441235573-1657677640-1000Core.job
    - c:\users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-18 16:17]
    .
    2011-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3137346884-2441235573-1657677640-1000UA.job
    - c:\users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-18 16:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com/?o=14196&l=dis
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=91&bd=Presario&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-13 15:19
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-05-13 15:22:20
    ComboFix-quarantined-files.txt 2011-05-13 19:22
    .
    Pre-Run: 81,701,597,184 bytes free
    Post-Run: 81,509,998,592 bytes free
    .
    - - End Of File - - F71D38AF15097E0BC1BD3464C5B453DC

  8. #8
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    Hi redwingsfan81!

    1. Close any open browsers.

    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Folder::
    c:\users\Brian\AppData\Local\{A2757DCE-75E0-4590-A806-DFCD5E3E8409}
    c:\users\Brian\AppData\Local\{5687629B-0731-472A-AE7E-1844B105C6CC}
    c:\users\Brian\AppData\Local\{7BBAB14E-2224-48A2-8C39-30D733BEFA0B}
    Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe.

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

  9. #9
    Member
    Join Date
    Oct 2008
    Posts
    77

    Default

    ComboFix needed to update before it ran.


    ComboFix 11-05-16.02 - Brian 16/05/2011 21:09:56.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2814.1872 [GMT -4:00]
    Running from: c:\users\Brian\Desktop\ComboFix.exe
    Command switches used :: c:\users\Brian\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Brian\AppData\Local\{5687629B-0731-472A-AE7E-1844B105C6CC}
    c:\users\Brian\AppData\Local\{7BBAB14E-2224-48A2-8C39-30D733BEFA0B}
    c:\users\Brian\AppData\Local\{A2757DCE-75E0-4590-A806-DFCD5E3E8409}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-17 to 2011-05-17 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-17 01:16 . 2011-05-17 01:16 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-05-13 19:25 . 2011-05-13 19:55 -------- d-----w- c:\users\Brian\AppData\Local\Microsoft Games
    2011-05-12 15:38 . 2011-05-12 15:38 100736 ----a-w- C:\agloqpow.sys
    2011-05-12 02:43 . 2011-05-12 02:43 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2011-05-11 17:38 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-05-10 01:54 . 2011-05-10 01:54 -------- d-----w- C:\$AVG
    2011-05-08 06:29 . 2011-05-08 13:59 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-05-08 06:29 . 2011-05-08 06:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-05-08 06:18 . 2011-05-08 06:18 -------- d-----w- c:\program files\4Videosoft Studio
    2011-05-08 06:15 . 2011-05-08 06:17 -------- d-----w- c:\users\Brian\AppData\Roaming\GetRightToGo
    2011-04-29 23:17 . 2011-04-29 23:17 -------- d-----w- c:\program files\iPod
    2011-04-29 23:17 . 2011-04-29 23:20 -------- d-----w- c:\program files\iTunes
    2011-04-29 23:10 . 2011-04-29 23:10 -------- d-----w- c:\program files\Bonjour
    2011-04-28 15:00 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-04-28 15:00 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-04-28 15:00 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-03-10 17:03 . 2011-04-15 20:39 1162240 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-10 17:03 . 2011-04-15 20:39 1136640 ----a-w- c:\windows\system32\mfc42.dll
    2011-03-09 16:57 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-03-03 15:42 . 2011-04-15 20:38 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-03 15:40 . 2011-04-28 15:00 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2011-03-03 15:40 . 2011-04-28 15:00 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2011-03-03 15:40 . 2011-04-28 15:00 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2011-03-03 15:40 . 2011-04-28 15:00 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2011-03-03 13:25 . 2011-04-15 20:38 2041856 ----a-w- c:\windows\system32\win32k.sys
    2011-03-02 15:44 . 2011-04-15 20:39 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
    2011-02-22 14:13 . 2011-03-23 03:29 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-22 13:33 . 2011-03-23 03:29 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-22 13:33 . 2011-03-23 03:29 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-22 13:24 . 2011-04-15 20:39 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-02-22 13:24 . 2011-04-15 20:39 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-02-22 13:23 . 2011-04-15 20:39 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-02-22 13:23 . 2011-04-15 20:39 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
    2011-02-18 20:36 . 2011-02-18 20:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-02-18 20:36 . 2011-02-18 20:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-02-18 14:03 . 2011-04-15 20:39 305152 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-18 14:03 . 2011-04-15 20:39 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-02-18 14:03 . 2011-04-15 20:39 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-02-16 16:16 . 2011-04-15 20:39 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-02-16 14:02 . 2011-04-15 20:39 292864 ----a-w- c:\windows\system32\atmfd.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-1-25 984408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3137346884-2441235573-1657677640-1000Core.job
    - c:\users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-18 16:17]
    .
    2011-05-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3137346884-2441235573-1657677640-1000UA.job
    - c:\users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-18 16:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com/?o=14196&l=dis
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=91&bd=Presario&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-16 21:16
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-05-16 21:19:27
    ComboFix-quarantined-files.txt 2011-05-17 01:19
    ComboFix2.txt 2011-05-13 19:22
    .
    Pre-Run: 81,574,924,288 bytes free
    Post-Run: 81,388,183,552 bytes free
    .
    - - End Of File - - F574DC945D339B8536CE10D224E541D0

  10. #10
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    Great job getting that log for me. Let's go ahead and get you an anti-virus up and running on your system again. You can reinstall AVG again by downloading from here. You can also check out some of these others that I would recommend, but remember to only have one:
    ----------

    Please download JavaRa to your desktop and unzip it to its own folder.
    • Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    ----------

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan as shown below.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    The log can also be found here:
    C:\Documents and Settings\<User name>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ----------------

    ESET Online Scanner
    I'd like us to scan your machine with ESET Online Scan

    Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.
    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    13. Push the button.
    14. Push Finish

    http://www.eset.com/onlinescan/

    In your next reply please post the logs to Malwarebytes and ESET Online Scan. Let me know how your system is running now too.
