
Thread: Malware can't remove, spybot stuck

  1. #11
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    You can try their removal tool

    http://download.avg.com/filedir/util..._2011_1322.exe

    Or you can try this program to remove it
    http://www.appremover.com/supported-applications
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #12
    Member miamiwings's Avatar
    Join Date
    Jul 2008
    Location
    Miami
    Posts
    44

    Default removed AVG finally posting log from combofix

    ComboFix 11-07-13.03 - Liz 2011-07-13 21:40:35.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.163 [GMT -4:00]
    Running from: c:\documents and settings\Liz\Desktop\ComboFix1.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Liz\Desktop\Setup.exe
    c:\program files\Search Toolbar
    c:\program files\Search Toolbar\icon.ico
    c:\program files\Search Toolbar\SearchToolbar.dll
    c:\program files\Search Toolbar\SearchToolbarUninstall.exe
    c:\program files\Search Toolbar\SearchToolbarUpdater.exe
    C:\Thumbs.db


    c:\windows\system32\Thumbs.db
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-14 to 2011-07-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-14 01:31 . 2011-07-14 01:31 -------- d-----w- C:\ComboFix1
    2011-07-04 03:05 . 2011-07-04 11:45 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
    2011-07-03 14:26 . 2011-07-03 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\ODIR
    2011-07-03 13:16 . 1999-03-26 05:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
    2011-07-03 13:16 . 2011-07-03 13:16 -------- d-----w- c:\program files\ODIR
    2011-06-23 08:16 . 2011-06-23 08:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2011-06-17 00:24 . 2011-06-17 00:24 -------- d-----w- c:\program files\iPod
    2011-06-16 23:07 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-01 02:11 . 2011-05-18 10:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-29 13:11 . 2010-09-21 16:18 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 13:11 . 2010-09-21 16:17 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-02 15:31 . 2007-07-19 15:58 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-26 11:07 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-04-26 11:07 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    2007-07-27 12:28 . 2007-07-27 12:28 2775032 ----a-w- c:\program files\AiRoboForm.exe
    2008-09-11 15:58 . 2008-09-11 15:59 122880 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
    @="{95A27763-F62A-4114-9072-E81D87DE3B68}"
    [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
    2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
    @="{E300CD91-100F-4E67-9AF3-1384A6124015}"
    [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
    2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
    @="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
    [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
    2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "nwiz"="NWIZ.EXE" [2003-07-28 323584]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
    "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
    "McAfee Guardian"="c:\program files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    .
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 1:19 PM 136176]
    S3 AX88178;10/100 Gigabit USB2.0 Network Adapter;c:\windows\system32\drivers\ax88178.sys [2007-07-19 1:41 PM 24192]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 1:19 PM 136176]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-09-01 4:30 AM 15544]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
    .
    2011-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 17:18]
    .
    2011-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 17:18]
    .
    2011-07-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-09-04 19:31]
    .
    2011-07-03 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-02-17 19:31]
    .
    2011-07-13 c:\windows\Tasks\User_Feed_Synchronization-{D7BC8F18-6F1E-45C3-8E5E-E54B9ACF7CC2}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.peoplestring.com
    uInternet Settings,ProxyOverride = *.local
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    Trusted Zone: plaxo.com\www
    TCP: DhcpNameServer = 192.168.1.254
    DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader5.cab
    DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://guckhin.serveftp.net/activex/AMC.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKLM-Run-TaskTray - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-13 23:10
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-07-13 23:22:46
    ComboFix-quarantined-files.txt 2011-07-14 03:22
    ComboFix2.txt 2010-09-24 02:32
    .
    Pre-Run: 10,145,050,624 bytes free
    Post-Run: 10,256,191,488 bytes free
    .
    - - End Of File - - 37658A55FBBAD53022883DC3C2FBBD23

  3. #13
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default



    You can go ahead and reinstall AVG

    Go back to Post #4 and run OTL and post the log please

  4. #14
    Member miamiwings's Avatar
    Join Date
    Jul 2008
    Location
    Miami
    Posts
    44

    Default installed AVG

    I installed AVG, the 2011 edition. It has a lot of bells and whistles that I really don't know if I need. Keeps showing updates. And, when I attempted to run OTL, it stops scanning at "scanning Firefox Settings". I tried 3 times. Am wondering if I need to disable the AVG when running the OTL. I am sorry that I keep having these issues. I kind of wish I could reinstall the AVG 8. They say it is out of date. Do you think another antivirus program would be better? Sorry for all the questions.

  5. #15
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Disable AVG and try OTL again.

    This is a free one from Microsoft and I am impressed with it. But if you install it, then uninstall AVG.

    http://www.microsoft.com/en-us/secur...s/default.aspx

  6. #16
    Member miamiwings's Avatar
    Join Date
    Jul 2008
    Location
    Miami
    Posts
    44

    Default uninstalled avg and installed the microsoft security

    I did the OTL; here is the txt:
    OTL logfile created on: 2011-07-15 7:31:38 PM - Run 1
    OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Liz\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

    511.53 Mb Total Physical Memory | 162.74 Mb Available Physical Memory | 31.81% Memory free
    1.15 Gb Paging File | 0.59 Gb Available in Paging File | 51.02% Paging File free
    Paging file location(s): C:\pagefile.sys 700 768 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 57.25 Gb Total Space | 8.15 Gb Free Space | 14.24% Space Free | Partition Type: NTFS
    Drive D: | 55.90 Gb Total Space | 31.50 Gb Free Space | 56.36% Space Free | Partition Type: FAT32

    Computer Name: OWNER-C4ACA923A | User Name: Liz | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

    ========== LOP Check ==========

    [2010-06-02 19:03:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\WinPatrol
    [2009-10-03 16:52:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
    [2009-10-22 09:43:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AT&T U-verse Media Share Wizard
    [2011-07-15 18:52:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
    [2010-05-16 12:01:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Carbonite
    [2011-07-14 15:24:33 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2010-05-30 20:01:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
    [2008-08-01 12:48:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
    [2011-05-18 07:12:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
    [2008-04-14 10:42:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Karen's Power Tools
    [2011-07-14 17:13:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2011-07-03 10:26:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ODIR
    [2010-05-30 15:58:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
    [2007-07-19 21:31:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
    [2008-08-01 13:26:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2008-01-09 20:04:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZipSE
    [2010-05-10 18:36:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2009-07-04 09:34:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2008-06-18 07:44:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\acccore
    [2011-07-14 17:11:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\AVG10
    [2011-05-18 12:35:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\check identical files
    [2010-05-30 16:01:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\DriverCure
    [2010-07-03 13:41:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\ElevatedDiagnostics
    [2008-12-07 06:37:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Foxit
    [2009-09-12 09:22:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Foxit Software
    [2011-07-03 22:35:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\GoodSync
    [2007-07-19 17:34:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Grisoft
    [2008-07-10 23:16:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\gtk-2.0
    [2009-06-28 09:46:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\IObit
    [2008-04-05 15:54:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Leadertech
    [2008-12-21 08:59:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\MOVAVI
    [2008-06-07 08:13:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\MSNInstaller
    [2007-07-20 08:24:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\OLYMPUS
    [2008-12-08 12:26:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Skinux
    [2007-12-11 13:10:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Snapfish
    [2010-05-28 08:42:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\SumatraPDF
    [2008-01-29 00:39:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Uniblue
    [2008-09-13 09:11:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\W Photo Studio Viewer
    [2007-09-10 07:30:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\Windows Desktop Search
    [2010-09-19 13:11:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Liz\Application Data\WinPatrol
    [2007-07-28 11:24:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\Grisoft
    [2009-06-25 16:36:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\Skinux
    [2010-12-19 22:38:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\WinPatrol
    [2011-07-15 19:04:30 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
    [2011-07-15 19:20:21 | 000,000,390 | -H-- | M] () -- C:\WINDOWS\Tasks\MpIdleTask.job
    [2011-07-15 17:24:01 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{D7BC8F18-6F1E-45C3-8E5E-E54B9ACF7CC2}.job

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:351B5DA2

    < End of report >

  7. #17
    Member miamiwings's Avatar
    Join Date
    Jul 2008
    Location
    Miami
    Posts
    44

    Default could not find the other OTL file

    I searched the desktop and C drive and could not find the other extra.txt file.

  8. #18
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

    Please run the OTL scan again, as you did not post the entire log; most of it is missing. Don't worry about the extras log.

  9. #19
    Member miamiwings's Avatar
    Join Date
    Jul 2008
    Location
    Miami
    Posts
    44

    Default OTL Problem

    I attempted to run the OTL again and it is getting stuck on the same thing it did before. Stops responding when it gets to a certain point. Also, the Microsoft security program msmpEng.exe shows 248,548k peak memory usage. I tried disabling it but OTL still didn't complete the scan.

  10. #20
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Try running the scan in Safe Mode.

    To enter Safe Mode:
    • Go to Start > Shut off your Computer > Restart
    • As the computer starts to boot up, tap the F8 key somewhat rapidly;
      this will bring up a menu.
    • Use the Up and Down arrow keys to scroll up to Safe Mode with Networking
    • Then press the Enter key on your keyboard

    Tutorial if you need it: How to boot into Safe Mode
