Anti Malware Doctor Trojan

Pat, have you tried doing a System Restore a little further back in time, maybe a month ago?


I want to be 100% convinced there is no rootkit causing your problems.

Try running this program

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click NO, then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.
Pat,

I have other helpers looking in. If you have not run GMER yet just hold off on it.

What I need you to do is run OTL again (just the scan, not the fix). You can find the instructions back in Post #2.

But this time, in the custom scan/fixes box, copy and paste this in:

/md5start
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
/md5stop



You can run the scan in Safe Mode; be sure to click Run Scan and not Run Fix.

Then post the new log please
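
What the /md5start ... /md5stop block above is for, shown as an added example (mine, not OTL's code and not posted by anyone in this thread): OTL's md5 custom scan lists the MD5 of every file matching the masks, so the helper can compare the live copy of a system file against the cached copies in dllcache and ServicePackFiles and spot the one that differs, which is how a patched explorer.exe or winlogon.exe shows up. The file tree, its paths and its contents below are constructed in memory; on a real machine you would walk the drive. The bare "dll" line in the post is left out because its intent is not clear; a single-name mask like zx.dll has nothing to compare against, so the report simply shows whether such a file exists at all.

```python
"""Hash every copy of a few system files and flag copies that disagree.

Added example for this thread, not OTL's code.  The sample tree is
constructed; the masks are the four unambiguous ones from the post.
"""
import fnmatch
import hashlib
from collections import Counter, defaultdict

# The four unambiguous masks from the post above.
MASKS = ["explorer.*", "winlogon.*", "zx.dll", "hlp.dat"]

ORIGINAL_EXPLORER = b"MZ" + b"explorer" * 16
# Constructed sample tree (path -> bytes): the live explorer.exe has been
# altered relative to the two cached copies; everything else agrees.
SAMPLE_TREE = {
    r"C:\WINDOWS\explorer.exe": ORIGINAL_EXPLORER + b"PATCHED",
    r"C:\WINDOWS\system32\dllcache\explorer.exe": ORIGINAL_EXPLORER,
    r"C:\WINDOWS\ServicePackFiles\i386\explorer.exe": ORIGINAL_EXPLORER,
    r"C:\WINDOWS\system32\winlogon.exe": b"MZ" + b"winlogon" * 16,
    r"C:\WINDOWS\system32\dllcache\winlogon.exe": b"MZ" + b"winlogon" * 16,
    r"C:\WINDOWS\system32\zx.dll": b"MZ" + b"who-put-this-here",
    r"C:\WINDOWS\system32\shell32.dll": b"MZ" + b"shell32" * 8,  # matches no mask
}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def matches_mask(path, masks=MASKS):
    """True if the file name matches any OTL-style mask (case-insensitive)."""
    name = basename(path)
    return any(fnmatch.fnmatchcase(name, m.lower()) for m in masks)


def md5_scan(tree, masks=MASKS):
    """{filename: {path: md5hex}} for every file matching one of the masks."""
    report = defaultdict(dict)
    for path, data in tree.items():
        if matches_mask(path, masks):
            report[basename(path)][path] = hashlib.md5(data).hexdigest()
    return dict(report)


def odd_ones_out(report):
    """Names whose copies disagree, mapped to the minority (suspect) paths."""
    suspects = {}
    for name, copies in report.items():
        counts = Counter(copies.values())
        if len(counts) < 2:
            continue
        rarest = min(counts.values())
        suspects[name] = sorted(p for p, d in copies.items() if counts[d] == rarest)
    return suspects


if __name__ == "__main__":
    rep = md5_scan(SAMPLE_TREE)
    for name, copies in sorted(rep.items()):
        for path, digest in sorted(copies.items()):
            print(f"{digest}  {path}")
    print("disagreeing copies:", odd_ones_out(rep))
```

MD5 is used here only to tell copies apart, which is all the OTL scan uses it for; a copy that is the odd one out still has to be checked by hand, because a legitimate hotfix can also leave the live file newer than the cached ones.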
 
Ran the scan then saw last post

Hello,

I just finished the GMER scan when I read your post about not running it. Here is the txt file. I will run OTL again with that last script you posted.

Pat
 
Also.. good news?

So I also tried to System Restore to a December date and got the same result: I cannot restore to that date. But when I let the computer reboot I decided to try letting it run in regular mode (not Safe Mode), and so far I have not been frozen. A little slow running, but no freezing.

Does this seem good?
 
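For the helpers reading OTL logs like the one Pat posts in this thread, an added triage script (mine, not part of OTL and not posted by any participant). It mechanises a few checks a helper makes by eye: autostart entries whose target no longer exists ("File not found", "No CLSID value found"), loaded binaries that report no publisher (an empty "()" company field), MountPoints2 AutoRun commands that point off the system drive, and random-looking 32-hex folder names under Application Data. The sample lines are constructed in the format OTL writes; the heuristics and their thresholds are my own assumptions, and every hit is a lead for a human to check, never a verdict.

```python
"""Triage heuristics for an OTL (OldTimer) log.

Added example for this thread, not OTL's code.  SAMPLE_LOG is a
constructed handful of lines in OTL's format; the rules are heuristics
and produce leads, not verdicts.
"""
import re
from collections import Counter

# Constructed sample: a handful of lines in the format OTL writes.
SAMPLE_LOG = r"""
PRC - C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
SRV - (AppMgmt) -- File not found
SRV - (ProtexisLicensing) -- C:\WINDOWS\system32\PSIService.exe ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - File not found
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O33 - MountPoints2\{d9e30035-2cbf-11df-8ce9-00163619cfda}\Shell\AutoRun\command - "" = F:\backup.bat
[2011/02/14 23:58:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Staples\Application Data\2A2DC2F96B78C60F06E72E7439DF4133
[2011/02/16 19:59:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
"""

# Markers OTL prints when an autostart entry's target is gone.
MISSING_TARGET = ("File not found", "No CLSID value found")
# Process/service/driver/Run entries whose trailing company field is empty.
NO_PUBLISHER = re.compile(r"^(PRC|SRV|DRV|O4) - .*\(\)\s*$")
# MountPoints2 AutoRun command; the group captures the command's first token.
AUTORUN_CMD = re.compile(r'^O33 - .*\\Shell\\AutoRun\\command - "" = (?P<cmd>\S+)')
# A 32-hex-character folder directly under Application Data.
HEX32_DIR = re.compile(r"\\Application Data\\[0-9A-Fa-f]{32}$")


def triage_line(line, system_drive="C:"):
    """Return the list of reasons one OTL log line deserves a look."""
    line = line.rstrip()
    reasons = []
    if any(marker in line for marker in MISSING_TARGET):
        reasons.append("orphaned autostart entry (target missing)")
    if NO_PUBLISHER.match(line):
        reasons.append("loaded binary with no publisher name")
    m = AUTORUN_CMD.match(line)
    if m and not m.group("cmd").upper().startswith(system_drive.upper()):
        reasons.append("AutoRun command on a non-system drive")
    if HEX32_DIR.search(line):
        reasons.append("32-hex folder under Application Data")
    return reasons


def triage_log(text, system_drive="C:"):
    """Return [(reason, line), ...] for every flagged line in an OTL log."""
    hits = []
    for line in text.splitlines():
        for reason in triage_line(line, system_drive):
            hits.append((reason, line.rstrip()))
    return hits


def summary(hits):
    """Count hits per reason, for a quick first look at a long log."""
    return Counter(reason for reason, _ in hits)


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for reason, line in found:
        print(f"[{reason}] {line}")
    print(dict(summary(found)))
```

On a real log, feed the whole OTL.txt to triage_log and read the summary first; an orphaned BHO or a service with "File not found" is usually leftover registry debris, while an AutoRun command on a removable drive and a fresh 32-hex folder in the profile are the entries to look at closely.
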
OTL scan again

OK,

So I ran OTL again with that last script you posted. I checked the boxes beside 'LOP Check' and 'Security Check', as was posted on the first page, with minimal output. I ran the scan (not Run Fix) and only received the OTL.txt file. Last time there was also an "Extras.txt", but only one log (OTL) this time. Should that be right?

Here is the OTL.txt:

OTL logfile created on: 20/02/2011 6:24:34 PM - Run 2
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Staples\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 347.00 Mb Available Physical Memory | 34.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 84.70 Gb Total Space | 33.37 Gb Free Space | 39.40% Space Free | Partition Type: NTFS
Drive D: | 7.44 Gb Total Space | 0.45 Gb Free Space | 6.09% Space Free | Partition Type: FAT32
Drive E: | 7.43 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: IRONMAN | User Name: Staples | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Staples\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgemcx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
PRC - C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe (Memeo)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Staples\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msacm32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\AppPatch\acgenral.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (AppMgmt) -- File not found
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (avgwd) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (SeagateDashboardService) -- C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe (Memeo)
SRV - (Bonjour Service) -- C:\Program Files\mDNSResponder\mDNSResponder.exe (Apple Computer, Inc.)
SRV - (ProtexisLicensing) -- C:\WINDOWS\system32\PSIService.exe ()
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (USBDeviceService) -- C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe ()
SRV - (AdobeActiveFileMonitor) -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe ()
SRV - (PhotoshopElementsDeviceConnect) -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe ()
SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)


========== Driver Services (SafeList) ==========

DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSEH) -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgrkx86) -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
DRV - (PaeFireStudio) -- C:\WINDOWS\system32\drivers\PaeFireStudio.sys (PreSonus Audio Electronics)
DRV - (PaeFireStudioMidi) -- C:\WINDOWS\system32\drivers\PaeFireStudioMidi.sys (PreSonus Audio Electronics)
DRV - (PaeFireStudioAudio) -- C:\WINDOWS\system32\drivers\PaeFireStudioAudio.sys (PreSonus Audio Electronics)
DRV - (motubus) -- C:\WINDOWS\system32\drivers\motubus.sys (Mark of the Unicorn)
DRV - (mfwamidi) -- C:\WINDOWS\system32\drivers\mfwamidi.sys (Mark of the Unicorn)
DRV - (MotuFWA) -- C:\WINDOWS\system32\drivers\motufwa.sys (Mark of the Unicorn)
DRV - (mfwawave) -- C:\WINDOWS\system32\drivers\mfwawave.sys (Mark of the Unicorn)
DRV - (FTDIBUS) -- C:\WINDOWS\system32\drivers\ftdibus.sys (FTDI Ltd.)
DRV - (FTSER2K) -- C:\WINDOWS\system32\drivers\ftser2k.sys (FTDI Ltd.)
DRV - (61883) -- C:\WINDOWS\system32\drivers\61883.sys (Microsoft Corporation)
DRV - (Avc) -- C:\WINDOWS\system32\drivers\avc.sys (Microsoft Corporation)
DRV - (MSDV) -- C:\WINDOWS\system32\drivers\msdv.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (sptd) -- C:\WINDOWS\system32\drivers\sptd.sys (Duplex Secure Ltd.)
DRV - (TASCAM_US122144) -- C:\WINDOWS\system32\drivers\tascusb2.sys (TASCAM)
DRV - (TASCAM_US122L_WDM) -- C:\WINDOWS\system32\drivers\tscusb2a.sys (TASCAM)
DRV - (TASCAM_US122L_MIDI) -- C:\WINDOWS\system32\drivers\tscusb2m.sys (TASCAM)
DRV - (w39n51) Intel(R) -- C:\WINDOWS\system32\drivers\w39n51.sys (Intel® Corporation)
DRV - (Mvc25U870_VID_1262&PID_25FD) -- C:\WINDOWS\system32\drivers\Mvc25U870.sys (Micro Vision Co.,Ltd)
DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\CHDAud.sys (Conexant Systems Inc.)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (rismxdp) -- C:\WINDOWS\system32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\WINDOWS\system32\drivers\rimsptsk.sys (REDC)
DRV - (iaStor) -- C:\WINDOWS\System32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (CLEDX) -- C:\WINDOWS\system32\drivers\cledx.sys (Team H2O)
DRV - (eabfiltr) -- C:\WINDOWS\system32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (eabusb) -- C:\WINDOWS\system32\drivers\EabUsb.sys (Hewlett-Packard Development Company, L.P.)
DRV - (NSNDIS5) -- C:\WINDOWS\system32\nsndis5.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (NETMDUSB) -- C:\WINDOWS\system32\drivers\NETMDUSB.sys (Sony Corporation)
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=4105&_lang=EN
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=4105&_lang=EN"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1178

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\ [2011/01/02 20:31:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/02 14:16:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/09 14:13:17 | 000,000,000 | ---D | M]

[2008/09/13 11:46:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Staples\Application Data\Mozilla\Extensions
[2011/02/17 21:24:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Staples\Application Data\Mozilla\Firefox\Profiles\tznzdlkx.default\extensions
[2010/08/01 11:34:29 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Staples\Application Data\Mozilla\Firefox\Profiles\tznzdlkx.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/01/18 19:24:55 | 000,002,233 | ---- | M] () -- C:\Documents and Settings\Staples\Application Data\Mozilla\Firefox\Profiles\tznzdlkx.default\searchplugins\google-maps-canada.xml
[2008/06/25 00:36:43 | 000,000,681 | ---- | M] () -- C:\Documents and Settings\Staples\Application Data\Mozilla\Firefox\Profiles\tznzdlkx.default\searchplugins\webster.xml
[2008/06/25 00:36:43 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\Staples\Application Data\Mozilla\Firefox\Profiles\tznzdlkx.default\searchplugins\wikipedia-en.xml
[2011/02/17 21:24:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/02 20:31:59 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG10\FIREFOX
[2009/03/25 22:45:41 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/07/12 11:33:56 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2011/02/17 20:56:07 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - File not found
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Seagate Dashboard] C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe ()
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKCU\..Trusted Domains: themusic.com ([www] https in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1005.cab (MySpace Uploader Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1196044102265 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1196044046312 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab (Minesweeper Flags Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Staples\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Staples\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/27 23:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O33 - MountPoints2\{588323d1-16dd-11e0-8d13-00163619cfda}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\setup.exe -- [2008/04/13 19:12:34 | 000,023,040 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{588323d1-16dd-11e0-8d13-00163619cfda}\Shell\Install\command - "" = C:\WINDOWS\System32\setup.exe -- [2008/04/13 19:12:34 | 000,023,040 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{d9e30035-2cbf-11df-8ce9-00163619cfda}\Shell\AutoRun\command - "" = F:\backup.bat
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/20 15:19:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/02/20 15:19:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/02/19 20:36:47 | 001,366,104 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Staples\Desktop\TDSSKiller.exe
[2011/02/17 09:33:24 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/02/17 09:29:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Staples\Desktop\erunt
[2011/02/16 20:29:06 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Staples\Desktop\OTL.exe
[2011/02/16 20:01:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Staples\Desktop\Virus Fixin'
[2011/02/16 19:59:29 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/02/16 19:59:25 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/02/16 19:59:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/02/15 00:43:06 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/02/14 23:58:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Staples\Application Data\2A2DC2F96B78C60F06E72E7439DF4133
[2011/01/28 21:11:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Staples\My Documents\My Albums
[2011/01/27 22:23:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PreSonus
[2011/01/27 22:10:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Staples\My Documents\New Folder
[2011/01/27 22:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Staples\My Documents\Studio One
[2011/01/27 21:51:12 | 000,107,368 | ---- | C] (GEAR Software Inc.) -- C:\WINDOWS\System32\GEARAspi.dll
[2011/01/27 21:51:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2007/02/13 10:40:53 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Staples\Application Data\pcouffin.sys
[2007/01/29 14:59:42 | 000,049,152 | R--- | C] (Matsushita Electric Industrial Co.,Ltd.) -- C:\Program Files\Common Files\HDvAvi.dll

========== Files - Modified Within 30 Days ==========

[2011/02/20 18:14:03 | 000,000,986 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3613315136-1778929509-3348509564-1006UA.job
[2011/02/20 17:46:13 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/02/20 17:45:26 | 106,652,153 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/02/20 16:46:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/02/20 16:14:02 | 000,000,934 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3613315136-1778929509-3348509564-1006Core.job
[2011/02/20 15:45:27 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/02/20 15:22:30 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/20 15:21:58 | 000,000,433 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2011/02/20 15:21:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/02/20 15:21:23 | 1063,309,312 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/17 23:59:49 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/17 20:56:07 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/02/16 20:28:50 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Staples\Desktop\OTL.exe
[2011/02/16 13:29:17 | 000,016,434 | ---- | M] () -- C:\Documents and Settings\Staples\My Documents\GEOG - Steph.docx
[2011/02/15 02:19:49 | 000,000,315 | RHS- | M] () -- C:\boot.ini
[2011/02/14 14:20:29 | 000,037,376 | ---- | M] () -- C:\Documents and Settings\Staples\My Documents\Nepean Rideau and Osgoode Community Resource Centre.doc
[2011/02/14 14:15:45 | 000,011,607 | ---- | M] () -- C:\Documents and Settings\Staples\My Documents\Monthly reports.docx
[2011/02/14 11:09:10 | 000,050,696 | ---- | M] () -- C:\Documents and Settings\Staples\Desktop\bathroom_graffiti_04.jpg
[2011/02/13 15:35:39 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/02/12 17:08:44 | 000,013,382 | ---- | M] () -- C:\Documents and Settings\Staples\Desktop\Lobster Poutine - CKCU SOCAN FORM.xlsx
[2011/02/12 12:58:30 | 000,285,312 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/12 12:41:17 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/10 11:08:26 | 001,366,104 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Staples\Desktop\TDSSKiller.exe
[2011/01/31 18:54:08 | 000,143,825 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2011/01/28 21:27:42 | 001,974,529 | ---- | M] () -- C:\Documents and Settings\Staples\Desktop\Wedding Photos.docx
[2011/01/27 21:51:00 | 000,000,835 | ---- | M] () -- C:\Documents and Settings\Staples\Desktop\Studio One.lnk

========== Files Created - No Company Name ==========

[2011/02/20 15:49:20 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\Staples\Desktop\gmer.exe
[2011/02/20 14:12:15 | 1063,309,312 | -HS- | C] () -- C:\hiberfil.sys
[2011/02/14 14:20:29 | 000,037,376 | ---- | C] () -- C:\Documents and Settings\Staples\My Documents\Nepean Rideau and Osgoode Community Resource Centre.doc
[2011/02/14 14:07:57 | 000,011,607 | ---- | C] () -- C:\Documents and Settings\Staples\My Documents\Monthly reports.docx
[2011/02/14 13:20:02 | 000,016,434 | ---- | C] () -- C:\Documents and Settings\Staples\My Documents\GEOG - Steph.docx
[2011/02/14 11:09:09 | 000,050,696 | ---- | C] () -- C:\Documents and Settings\Staples\Desktop\bathroom_graffiti_04.jpg
[2011/02/12 17:08:18 | 000,013,382 | ---- | C] () -- C:\Documents and Settings\Staples\Desktop\Lobster Poutine - CKCU SOCAN FORM.xlsx
[2011/01/28 21:27:41 | 001,974,529 | ---- | C] () -- C:\Documents and Settings\Staples\Desktop\Wedding Photos.docx
[2011/01/27 21:51:00 | 000,000,841 | ---- | C] () -- C:\Documents and Settings\Staples\Start Menu\Programs\Studio One.lnk
[2011/01/27 21:51:00 | 000,000,835 | ---- | C] () -- C:\Documents and Settings\Staples\Desktop\Studio One.lnk
[2010/06/12 20:08:05 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/19 01:30:21 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\wpcalv.dat
[2009/07/16 12:20:25 | 000,000,158 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2009/01/01 19:04:46 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2008/11/06 11:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/09/23 21:01:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2008/05/17 03:54:26 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2008/05/05 17:58:13 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/03/02 22:51:28 | 000,000,027 | ---- | C] () -- C:\WINDOWS\SmartAudio.INI
[2008/02/13 02:14:23 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2008/02/13 02:14:23 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2008/02/13 02:14:23 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2008/02/13 02:14:23 | 000,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2008/02/13 02:14:23 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2008/01/12 17:17:41 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/12/03 23:53:48 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/12/03 23:53:48 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/11/22 16:03:54 | 003,049,984 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2007/11/22 16:03:54 | 000,404,480 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2007/11/22 16:03:54 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2007/11/22 16:03:54 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2007/02/13 10:41:14 | 000,000,033 | ---- | C] () -- C:\Documents and Settings\Staples\Application Data\pcouffin.log
[2007/02/13 10:40:54 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Staples\Application Data\ezpinst.exe
[2007/02/13 10:40:54 | 000,007,824 | ---- | C] () -- C:\Documents and Settings\Staples\Application Data\pcouffin.cat
[2007/02/13 10:40:53 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Staples\Application Data\pcouffin.inf
[2007/01/23 16:57:01 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/17 14:44:36 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2007/01/13 22:05:19 | 000,262,416 | ---- | C] () -- C:\WINDOWS\System32\Asfv2.dll
[2007/01/13 22:03:38 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2007/01/05 11:36:47 | 000,002,466 | ---- | C] () -- C:\Documents and Settings\Staples\Application Data\wklnhst.dat
[2006/12/27 07:08:02 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/05/17 06:26:45 | 000,215,552 | ---- | C] () -- C:\Documents and Settings\Staples\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/05/17 06:24:14 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Staples\Local Settings\Application Data\fusioncache.dat
[2006/01/03 06:39:38 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/01/03 06:31:19 | 000,001,454 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/01/03 06:25:56 | 000,000,056 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/01/03 06:20:03 | 000,028,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/11/01 14:02:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/05/05 21:06:32 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2004/08/07 08:16:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 08:10:08 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/07 07:57:54 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2011/02/16 20:14:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2010/10/24 12:50:15 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2009/06/29 23:34:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2009/01/03 18:46:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2010/10/24 12:48:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2007/01/31 08:56:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Minnetonka Audio Software
[2006/01/03 06:42:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2009/04/13 22:12:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2007/01/13 22:05:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OpenMG Jukebox
[2009/04/13 10:50:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2008/03/25 00:51:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2011/01/27 21:51:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2011/02/20 15:19:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\2A2DC2F96B78C60F06E72E7439DF4133
[2011/02/12 16:32:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\Audacity
[2010/10/24 12:52:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\AVG10
[2007/01/09 18:29:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\Cakewalk
[2010/01/01 23:41:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\Decagon
[2009/04/13 10:50:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\DriverCure
[2009/08/15 12:35:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\FileZilla
[2011/01/21 17:46:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\FireControlSettings
[2008/06/03 21:27:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\ivivo
[2006/12/30 17:27:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\Leadertech
[2006/12/28 05:36:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\muvee Technologies
[2009/04/13 22:10:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\NCH Swift Sound
[2006/12/27 07:11:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\Netscape
[2011/02/03 11:04:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\PreSonus
[2007/01/10 22:32:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\RhythmRascal
[2007/09/24 08:56:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\ScummVM
[2011/01/02 21:53:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\Seagate
[2007/01/09 20:36:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\Steinberg
[2009/12/09 00:03:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\STOIK
[2007/01/05 11:36:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\Template
[2007/04/01 23:01:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\Thinstall
[2009/08/15 09:57:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\Uniblue
[2010/12/21 00:45:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\uTorrent
[2009/01/01 17:45:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Staples\Application Data\Vso

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: EXPLORER.EX_ >
[2004/08/04 08:00:00 | 000,359,533 | ---- | M] () MD5=4F061B12F3D5457315A0314954E7EF46 -- C:\I386\EXPLORER.EX_

< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/04 03:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: EXPLORER.GIF >
[2004/03/21 18:03:26 | 000,000,124 | ---- | M] () MD5=E98CB09109AE5FA8CFE276E9CAD13A24 -- C:\Program Files\MATLAB\R2007a Student\toolbox\shared\dastudio\resources\explorer.gif

< MD5 for: EXPLORER.M >
[2007/01/26 15:50:36 | 000,006,349 | ---- | M] () MD5=8E8B0B5342018DED1632623D4C7800A5 -- C:\Program Files\MATLAB\R2007a Student\toolbox\shared\fixedpointlib\@fxptui\@explorer\explorer.m

< MD5 for: EXPLORER.SC_ >
[2004/08/04 08:00:00 | 000,000,181 | ---- | M] () MD5=BC5B38879C56DFBC05C8B5C43AC4D739 -- C:\I386\EXPLORER.SC_

< MD5 for: EXPLORER.SCF >
[2004/08/04 03:00:00 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS\explorer.scf

< MD5 for: WINLOGON.EX_ >
[2004/08/04 08:00:00 | 000,261,115 | ---- | M] () MD5=F41C4F5745589D0BB8268C02B71594CA -- C:\I386\WINLOGON.EX_

< MD5 for: WINLOGON.EXE >
[2004/08/04 03:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< End of report >
 
Also

When I ran OTL I noticed that most of the options that are dotted are checked "Use Safelist", but the one that is for Extra Registry was checked as "None". I just wanted to make sure that is OK. Here is a screenshot attached if you don't see what I mean.

Pat
 
That's fine. I don't see any rootkit, but you were infected with a rogue program. Hang on a bit, another helper I work closely with wants to look over your OTL log.


While I am waiting for input on your new OTL log, go ahead and run Malwarebytes again (make sure you check for updates first) and post the new report.

Glad things are loosening up, be back as soon as I can.
 
Good morning, other helpers have looked in and all agree your log looks just fine. Let's see what Malwarebytes comes up with.
 
Hmmm how bout this?

Hello Good Morning,

Malware found 5 infections, 4 of them state that they are already in quarantine. Here is the log from the scan:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5828

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

21/02/2011 6:30:58 AM
mbam-log-2011-02-21 (06-30-58).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 294672
Time elapsed: 1 hour(s), 41 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\documents and settings\Staples\local settings\application data\gjkfvidum\qvupmldtssd.exe.vir (Malware.Gen) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\rqoqaa.exe.vir (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\Drivers\ndis.sys.vir (Rootkit.Kobcka) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\Drivers\smejyao.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\pss\algeki32.exestartup (Trojan.Downloader) -> Quarantined and deleted successfully.
 
Damnit, we were so close

Hello,

Thanks so much for the help so far.

I thought we were heading into home base, and now, after that Malwarebytes' scan and reboot, I am back at the freezing stage. After I try to open any folder or program, the PC freezes and I need to hard restart.

I am back in Safe Mode now. ARGGHHH, and I thought we were soo close before...

Pat
 
Pat,

Those files that Malwarebytes found were in Qoobox; they are backups of what ComboFix removed. It looks like you were infected with a rootkit; these are dangerous and can cause all kinds of problems. You should never have run ComboFix on your own. It's a very powerful tool; you get a warning when you run it, and we are not responsible if you run it on your own and it damages your system. I don't know what else it removed; let's hope it wasn't something that is causing this.

C:\ComboFix.txt <-- Go here and post the log, please.
 
ComboFix Log

Hello Ken,

I am not sure about running ComboFix; I definitely have only done what we have discussed in the past week. Maybe this is from last year, when I had a blue screen of death and took my PC into a local professional to get it fixed. So I do not think that ComboFix has been run recently or at the time of this recent virus.

Here is the log:

10-05-19.02 - Staples 19/05/2010 18:41:51.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.571 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Staples\Application Data\ATManager
c:\documents and settings\Staples\Application Data\ATManager\metafiles\e7e2135bcdfc87179deacdb1cdac8b7a.torrent
c:\documents and settings\Staples\Local Settings\Application Data\gjkfvidum
c:\documents and settings\Staples\Local Settings\Application Data\gjkfvidum\qvupmldtssd.exe
c:\windows\Rqoqaa.exe
c:\windows\system32\drivers\smejyao.sys
c:\windows\system32\fjhdyfhsn.bat

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ndis.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_smejyao
-------\Service_smejyao


((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))
.

2010-05-19 22:50 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-05-19 22:50 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2010-05-19 22:31 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-19 22:31 . 2010-05-19 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-19 22:31 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-19 06:33 . 2010-05-19 06:19 70656 ----a-w- c:\windows\system32\-f36decbb.exe
2010-05-19 06:29 . 2010-05-19 06:19 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\uOC793179.dll
2010-05-19 06:19 . 2010-05-19 06:19 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\UO7oCE79.dll
2010-05-19 06:19 . 2010-05-19 06:19 70656 ----a-w- c:\windows\system32\-a66736ff.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 06:30 . 2010-05-19 06:30 20 ----a-w- c:\documents and settings\LocalService\Application Data\wpcalv.dat
2010-05-16 01:03 . 2009-03-26 05:58 -------- d-----w- c:\documents and settings\Staples\Application Data\uTorrent
2010-05-15 21:23 . 2008-10-19 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-12 20:12 . 2007-02-10 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-17 21:13 . 2006-01-03 11:41 -------- d-----w- c:\program files\Google
2010-03-23 02:30 . 2007-01-08 00:25 -------- d-----w- c:\documents and settings\Staples\Application Data\Audacity
2010-03-22 02:44 . 2009-12-18 03:24 79488 ----a-w- c:\documents and settings\Staples\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-09 11:09 . 2004-08-04 08:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 05:43 . 2004-08-04 08:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2004-08-04 08:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2001-11-30 16:09 . 2007-01-29 19:59 49152 -c--a-r- c:\program files\Common Files\HDvAvi.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-10-25 11:20 . 2006-10-25 11:20 22 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-22 2046816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 02:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MOTU Pedal Handler.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MOTU Pedal Handler.lnk
backup=c:\windows\pss\MOTU Pedal Handler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Staples^Start Menu^Programs^Startup^algeki32.exe]
path=c:\documents and settings\Staples\Start Menu\Programs\Startup\algeki32.exe
backup=c:\windows\pss\algeki32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-05-18 18:29 233534 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DetectorApp]
2005-10-20 14:15 102400 ----a-w- c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
2005-12-07 18:56 409600 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-12-11 04:08 133104 ----atw- c:\documents and settings\Staples\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-10-23 04:00 385024 ----a-w- c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-11-22 19:55 61952 ----a-w- c:\windows\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-11-02 23:22 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-11-02 23:26 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-11-02 23:25 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2005-12-12 19:39 94208 -c--a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 03:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
2005-10-11 18:23 1187840 ------w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-10-19 15:21 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-11-11 07:04 761945 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherEye]
2009-10-27 01:42 718232 ----a-w- c:\documents and settings\Staples\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"USBDeviceService"=2 (0x2)
"SPTISRV"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"PhotoshopElementsDeviceConnect"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MSIU-a66736ff"=2 (0x2)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"hpqwmiex"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"AdobeActiveFileMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Staples\\Desktop\\utorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/10/2008 12:59 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/10/2008 12:59 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [13/10/2008 12:58 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [13/10/2008 12:58 PM 297752]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [09/01/2007 9:27 PM 33792]
R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\motubus.sys [03/07/2009 5:11 PM 23600]
S3 Aldebaran;Aldebaran - Storage Filter Drivers;\??\c:\windows\system32\Drivers\Aldebaran.sys --> c:\windows\system32\Drivers\Aldebaran.sys [?]
S3 mfwamidi;MOTU Audio MIDI;c:\windows\system32\drivers\mfwamidi.sys [03/07/2009 5:11 PM 26160]
S3 mfwawave;MOTU Audio Wave;c:\windows\system32\drivers\mfwawave.sys [03/07/2009 5:11 PM 69680]
S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\motufwa.sys [03/07/2009 5:11 PM 445488]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [08/05/2008 7:52 PM 392864]
S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [08/05/2008 7:52 PM 10688]
S3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [08/05/2008 7:52 PM 18112]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [04/10/2004 5:47 AM 98304]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/02/2010 6:54 PM 135664]
S4 MSIU-a66736ff;MSIU-a66736ff;c:\windows\system32\-a66736ff.exe [19/05/2010 2:19 AM 70656]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [04/10/2004 4:40 AM 118784]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [09/01/2007 4:35 PM 639224]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 15:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-03 02:26]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 22:54]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 22:54]

2010-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3613315136-1778929509-3348509564-1006Core.job
- c:\documents and settings\Staples\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-11 04:08]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3613315136-1778929509-3348509564-1006UA.job
- c:\documents and settings\Staples\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-11 04:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=4105&_lang=EN
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: digital-supply.com
Trusted Zone: download-soft-package.com
Trusted Zone: download-software-package.com
Trusted Zone: get-key-se10.com
Trusted Zone: is-software-download.com
Trusted Zone: themusic.com\www
Trusted Zone: digital-supply.com
FF - ProfilePath - c:\documents and settings\Staples\Application Data\Mozilla\Firefox\Profiles\tznzdlkx.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=4105&_lang=EN
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Staples\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\iViVo\IVIVO\npivivo.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ltolpphm - c:\windows\System32\ltolpphm.exe
MSConfigStartUp-M5T8QL3YW3 - c:\docume~1\Staples\LOCALS~1\Temp\Rxr.exe
MSConfigStartUp-net - c:\windows\system32\net.net
MSConfigStartUp-Pareto_Update - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
MSConfigStartUp-smss32 - c:\windows\system32\smss32.exe
MSConfigStartUp-xrpyjwqb - c:\documents and settings\Staples\Local Settings\Application Data\gjkfvidum\qvupmldtssd.exe
AddRemove-{2249e988-4727-4c22-97d6-6051f4c8e603} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{36357fd8-6297-47e6-8f4b-2f94fcfdef53} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{419950d2-52af-4448-a9aa-672e7af9ade0} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{570d504b-fadc-43aa-b765-4a3605e8e756} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{5d2a7280-66b6-400d-8974-759a046c44fc} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{5e964977-bfe5-4e76-8355-e2ac56e56000} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{87f283b3-8e06-4e98-85f7-ea12a913da3a} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{95d9908f-4197-4f61-95d4-5bb3e4ab4204} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{9dde4ab7-a555-4643-a82f-e92dc754bce0} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{9e68a806-8cae-4caf-9661-59f1d6551755} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{a7c07c2a-da95-4d2a-b5f8-3d0e5397c4d4} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{c5c2e6e2-0352-47d3-b974-210f6893d315} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{d8039bf2-367e-4921-8ce1-69cf54017195} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{e4e6aa03-91f2-477b-932c-ba4d2b5a7e5f} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{edce3886-879a-4429-9878-08e5274af3de} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{f4019786-e194-4fb1-a8bd-367a9e061beb} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{f616ace9-0caf-4c53-861e-f7b59f19164a} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-19 18:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:08,0d,77,48,79,1d,31,33,a5,97,46,8d,2e,d0,91,6e,55,92,dc,7a,23,
9b,db,29,4b,97,5f,75,11,35,ed,dc,81,8d,34,09,92,d3,96,70,59,ed,ef,f7,fe,5e,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:08,0d,77,48,79,1d,31,33,a5,97,46,8d,2e,d0,91,6e,55,92,dc,7a,23,
9b,db,29,4b,97,5f,75,11,35,ed,dc,81,8d,34,09,92,d3,96,70,59,ed,ef,f7,fe,5e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3036)
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\HPZipm12.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2010-05-19 19:02:42 - machine was rebooted
-quarantined-files.txt 2010-05-19 23:02
.txt 2009-03-27 20:47

Pre-Run: 8,269,385,728 bytes free
Post-Run: 8,299,581,440 bytes free

- - End Of File - - F5516689F087B1EBF3D366744B809F97
 
Hello Pat,

19/05/2010 <-- Looks like the tech at Staples ran this back in May of 2010. It definitely removed a rootkit along with a backdoor trojan that had the capability to steal personal info from your system like bank account numbers, passwords and credit card numbers. Did they let you know about this?

We think what happened is that explorer was stopped as part of the fix; it's needed so OTL can remove entries. When the program stopped running the first time it looks like it was not started again, but when you ran it the second time in Safe Mode it started it then. Part of the new scan I asked you to run was to see if explorer was damaged, and it is not; it's running fine. Other helpers have looked in on this and feel that emptying all the caches may have slowed the system down. This happens on some systems, but the percentage is very low. Just try using your computer for a day or two, be sure to reboot it a few times, and it may bring things back to normal.

Post back in a few days and let me know
 
Just curious

Hello,

So I was just wondering how this would work if my system freezes all the time in regular mode. Do I just keep trying to open it, wait for it to freeze and cold stop it to reboot? Or run in Safe Mode a couple of times, then try it in regular mode every once in a while?
 
You can try either way. I think what I would do is to start in normal mode, but don't do anything, just let it be. Wait about 15 min or so, shut it down and then restart it; try that a few times.

You can also try this other site and just tell them your system freezes at times and let them go through your programs and prevent ones from starting up that are not needed.

http://forums.whatthetech.com/index.php?showforum=119

I can find you on the forum when you post and will give some input as to what we have done
 