Possible Google Analytics and other Malware infection


16 replies to this topic

#1 paullb77


Posted 18 November 2010 - 07:25 PM

Hello. I'm new to posting on the boards here but I have been reading these forums for various problems in the past. I am having a terrible time with the Google Analytics redirect virus.
I will click on various links from google searches and the browser will act like it is going to the website and then get hung up on google-analytics.com.
I was having the Blue Screen of Death randomly over the summer but I think I was successful in removing it with Malwarebytes. My PC hasn't frozen/restarted/or displayed the BSOD for a couple of months but this Google virus is an everyday thing now for close to 3-4 months.
I also hear my pc fan start working overtime when there are no websites or known programs running on my pc.

Any and all help is greatly appreciated. Here is all the information as requested within the Preparation Guide. From first looks of the scan results, I think my pc has AIDS! haha Thanks a million in advance!


DDS (Ver_10-11-10.01) - NTFSx86
Run by HP_Administrator at 18:28:33.76 on Thu 11/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1022 [GMT -5:00]

AV: My Security Shield *On-access scanning enabled* (Updated) {5D04D0BE-D319-477F-90FA-5D3C596533E6}
AV: AVG Internet Security *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: My Security Shield *enabled* {749961C4-6F43-466A-90B6-1CD0FC33E565}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Innovative Solutions\DriverMax\devices.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.chattahoocheetech.edu/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [DriverMax] "c:\program files\innovative solutions\drivermax\devices.exe" -agent
uRun: [IJKUK66HMN] c:\docume~1\hp_adm~1\locals~1\temp\Zmq.exe
uRun: [NtWqIVLZEWZU] c:\docume~1\hp_adm~1\locals~1\temp\Zmu.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_Plugin.exe -update plugin
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: bing.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
TCP: NameServer = 93.188.164.242,93.188.160.242
TCP: {5F321BAA-6B11-4AAE-B384-CB24671BEF3A} = 93.188.164.242,93.188.160.242
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-10-9 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-4-6 52872]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-10 165584]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-6 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-6 242896]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-10 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-10 40384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-10 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-10 40384]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-6 216200]
S2 avg9wd;AVG WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S2 avgfws9;AVG Firewall;"c:\program files\avg\avg9\avgfws9.exe" --> c:\program files\avg\avg9\avgfws9.exe [?]
S2 AVGIDSAgent;AVG9IDSAgent;"c:\program files\avg\avg9\identity protection\agent\bin\avgidsagent.exe" avgidsagent --> c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-26 136176]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2007-5-23 547744]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\toolbarbroker.exe --> c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-10-9 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-10-9 30104]
S3 AVGIDSDriverxpx;AVG9IDSDriver;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsdriver.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [?]
S3 AVGIDSFilterxpx;AVG9IDSFilter;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsfilter.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [?]
S3 AVGIDSShimxpx;AVG9IDSShim;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsshim.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-4-6 27064]

=============== Created Last 30 ================

2010-11-18 18:24:01 -------- d-----w- c:\program files\Amazon
2010-10-24 22:37:33 -------- d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-10-25 21:59:05 256 ----a-w- c:\windows\system32\pool.bin
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6L300S0 rev.BANC1G10 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89A19EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x891bf872; SUB DWORD [EBP-0x4], 0x891bf12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A65CAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000076[0x8A663710]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A65E940]
[0x8A2ABF38] -> IRP_MJ_CREATE -> 0x89A19EC5
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskMaxtor_6L300S0__________________________BANC1G10#364c30303342474c202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89A19AEA
user & kernel MBR OK
sectors 586072366 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 18:30:27.15 ===============
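The DDS log above is what a helper reads first. As an added example (not part of this thread and not the DDS tool's own code), the Python below scans a Pseudo HJT section for the entries that stand out in this log: autoruns launched from the user's temp folder, several hosts-file names pinned to one address, an IFEO entry for svchost.exe, hard-coded DNS servers that must be confirmed against the ISP, and the rootkit detector's warning line. The sample lines are constructed in the shape of the log, and the regular expressions, category names and severities are assumptions of this example.

```python
"""Triage of a DDS 'Pseudo HJT Report' (added example, not the DDS tool's code)."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the same shape as the DDS log posted above.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IJKUK66HMN] c:\docume~1\hp_adm~1\locals~1\temp\Zmq.exe
uRun: [NtWqIVLZEWZU] c:\docume~1\hp_adm~1\locals~1\temp\Zmu.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
TCP: NameServer = 93.188.164.242,93.188.160.242
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
Warning: possible TDL3 rootkit infection !
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium" (assumed scale for this example)
    category: str
    detail: str


# DDS prefixes: uRun/mRun = per-user / per-machine Run keys, Hosts = hosts-file
# overrides, TCP = adapter DNS settings, IFEO = Image File Execution Options.
RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+)$")
DNS_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (?P<servers>[\d.,]+)$")
IFEO_RE = re.compile(r"^IFEO: .*- (?P<image>\S+)$")
# Short (8.3) and long forms of the per-user temp folder on Windows XP.
TEMP_DIR_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.IGNORECASE)


def triage(dds_text: str) -> list[Finding]:
    """Return the entries a helper would ask about first, in log order."""
    findings: list[Finding] = []
    hosts_by_ip: dict[str, list[str]] = defaultdict(list)
    dns_servers: set[str] = set()

    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            # Legitimate autoruns live under Program Files or system32;
            # a binary launched from the temp folder is the pattern in this log.
            if TEMP_DIR_RE.search(m["cmd"]):
                findings.append(Finding("high", "autorun-from-temp",
                                        f"{m['name']} -> {m['cmd']}"))
        elif m := HOSTS_RE.match(line):
            hosts_by_ip[m["ip"]].append(m["host"])
        elif m := DNS_RE.match(line):
            dns_servers.update(s for s in m["servers"].split(",") if s)
        elif m := IFEO_RE.match(line):
            # An IFEO entry for a system binary means something is set to run
            # in place of every launch of that image (a Debugger value).
            findings.append(Finding("high", "ifeo-hijack", m["image"]))
        elif line.startswith("Warning: possible") and "rootkit" in line:
            findings.append(Finding("high", "rootkit-warning", line))

    # Several names pinned to one non-loopback address in the hosts file is
    # the rogue-AV payment-site redirection the log above shows.
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) >= 2 and not ipaddress.ip_address(ip).is_loopback:
            findings.append(Finding("high", "hosts-redirect",
                                    f"{ip} <- {', '.join(sorted(hosts))}"))

    # Hard-coded public resolvers are not proof of tampering on their own, but
    # they must be confirmed against what the ISP or router actually hands out.
    public = sorted(s for s in dns_servers if ipaddress.ip_address(s).is_global)
    if public:
        findings.append(Finding("medium", "dns-verify", ", ".join(public)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.category:18} {f.detail}")
```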



#2 fireman4it

Bleepin' Fireman
Malware Response Team

Posted 18 November 2010 - 07:48 PM

Hello paullb77 ,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Avg or Avast.

2.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see a prompt. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming this.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 paullb77


Posted 18 November 2010 - 08:36 PM

Hi fireman4it,

First thank you so much for your quick response. Before we continue onto these steps, I want to let you know that I went to the Control Panel > Add/Remove Programs to remove AVG and it is not listed. I see it in the log that I posted above but cannot find it in Add/Remove. I thought that I removed it over the summer using Revo Uninstaller Pro. Please advise before I move on to the next step.

Thanks again,

PBell

edit - I also looked inside of my program listing under the start menu>Programs and AVG was not listed there either.

Edited by paullb77, 18 November 2010 - 08:39 PM.


#4 fireman4it


Posted 18 November 2010 - 09:56 PM

Hello,

You must have some leftovers; try this uninstaller.

Uninstall AVG 32 bit


  • Download avgremover.exe and save it to your Desktop
  • Run the file avgremover.exe
  • Confirm that you want to uninstall.
  • Wait until the program confirms the removal.
  • Restart your computer.
AVG should now be removed from your PC.

After this run Combofix



Original instructions here:
http://www.avg.com/faq.num-1119#faq_1119

Edited by fireman4it, 18 November 2010 - 09:57 PM.


#5 paullb77


Posted 19 November 2010 - 11:59 AM

OK, here is where I am so far:

Ran AVGRemover; everything ran fine and system rebooted then "seemed" to remove AVG.

Ran RKill; everything happened as stated above.

Ran Combofix and got the following error:
32788R22FWJFW\iexplore.exe and 32788R22FWJFW\n.pif and another 32788R22FWJFW\(didn't catch the last). I had to click ok about 15 times and after each time one of the above errors would display. The text within the error window was as follows:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

after I clicked the "OK" those 15 times the Combofix program started to show the progress bar and then another window popped up and told me that Combofix has detected AVG Internet Security running, and to stop AVG before pressing "OK". I searched for AVG again and didn't find it. I opened the Task Manager and could not find anything attributed to AVG. I clicked "OK" and got the following error window:

"Warning!!
antivirus: AVG Internet Security
The above real time scanner(s) are still active but Combofix shall continue to run. Kindly note that this is at your own risk"

I stopped here and did not press ok. And this is the last step attempted.

Thanks in advance!

PBell

**Edit** AVAST should be my only antivirus. I right clicked on the avast icon in the system tray > clicked avast! shields control > Disable until computer is restarted ....to disable.

Edited by paullb77, 19 November 2010 - 12:04 PM.


#6 fireman4it


Posted 20 November 2010 - 06:57 PM

Hello,

Go ahead and run Combofix even if it tells you that Avg is running.


#7 paullb77


Posted 20 November 2010 - 08:31 PM

Good evening!

Ran ComboFix. Clicked OK or Yes when prompted to do so. Left the PC to scan. Checked after 30/45 minutes and the screen is stuck on a black screen and a blue ComboFix dialogue box that reads:

Combofix - Find3M

Preparing Log Report.

Do not run any programs until ComboFix has finished
There is a blinking insertion point below that line, but it has been stuck on this screen for at least 30 minutes after I checked its status. I can also move the mouse around but there are no icons or start menu/task bar.

Please advise! Thanks again!

#8 fireman4it


Posted 20 November 2010 - 09:47 PM

Hello,

Go ahead and restart your machine and look in C:\Combofix.txt for the log.


#9 paullb77


Posted 22 November 2010 - 09:05 PM

Hi,

Here is the combofix log:

ComboFix 10-11-20.03 - HP_Administrator 11/20/2010 19:12:13.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1387 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Internet Security *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

I have had my pc off for two days. I ran that two days ago. Two days ago, after I read your last post to restart and post Combofix, as soon as I opened the .txt file, I got a blue screen saying my memory was being dumped. I did a hard shutdown and left it off because I didn't have time to mess with it. It has been connected to the internet today only. After doing a Google search, I am being redirected through r3.google.com and id.google.com. I've been redirected to BravoTv.com, Lycos, Findology and other random sites that I never visit. I am also still getting the google-analytics.com redirect.

Please advise

Edited by paullb77, 22 November 2010 - 09:06 PM.


#10 fireman4it


Posted 23 November 2010 - 09:56 PM

Hello,

That is not a complete ComboFix log.
Let's try another step, then try ComboFix again.

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

2.
Now re-run ComboFix.

Things to include in your next reply:
Tdsskiller log
Combofix.txt
How is your machine running now?


#11 paullb77


Posted 24 November 2010 - 06:13 PM

Downloaded TDSSKiller.exe and ran it. It is actually version 2.4.8.0. It found no threats. Here is the log for it:

2010/11/24 15:22:47.0073 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12
2010/11/24 15:22:47.0073 ================================================================================
2010/11/24 15:22:47.0073 SystemInfo:
2010/11/24 15:22:47.0073
2010/11/24 15:22:47.0073 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/24 15:22:47.0073 Product type: Workstation
2010/11/24 15:22:47.0073 ComputerName: MEDIA_CENTER
2010/11/24 15:22:47.0073 UserName: HP_Administrator
2010/11/24 15:22:47.0073 Windows directory: C:\WINDOWS
2010/11/24 15:22:47.0073 System windows directory: C:\WINDOWS
2010/11/24 15:22:47.0073 Processor architecture: Intel x86
2010/11/24 15:22:47.0073 Number of processors: 2
2010/11/24 15:22:47.0073 Page size: 0x1000
2010/11/24 15:22:47.0073 Boot type: Normal boot
2010/11/24 15:22:47.0073 ================================================================================
2010/11/24 15:22:47.0479 Initialize success
2010/11/24 15:22:50.0075 ================================================================================
2010/11/24 15:22:50.0075 Scan started
2010/11/24 15:22:50.0075 Mode: Manual;
2010/11/24 15:22:50.0075 ================================================================================
2010/11/24 15:23:10.0871 ================================================================================
2010/11/24 15:23:10.0871 Scan finished
2010/11/24 15:23:10.0871 ================================================================================
2010/11/24 15:24:36.0325 Deinitialize success


After running that, I ran Combofix. It updated. And still told me I was running AVG (which I am not). I still had to click ok like 25-30 times to get through the 32788R22FWJFW\iexplore.exe and 32788R22FWJFW\n.pif error warnings. After that combofix ran a complete scan and here is the log for it:

ComboFix 10-11-24.01 - HP_Administrator 11/24/2010 15:30:15.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1310 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Internet Security *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\HP_Administrator\Recent\PE.tmp
C:\Install.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-24 to 2010-11-24 )))))))))))))))))))))))))))))))
.

2010-11-24 08:00 . 2010-11-24 08:03 -------- d-----w- C:\f4a702c0d313d53ba3860a21c7
2010-11-23 08:00 . 2010-11-23 08:03 -------- d-----w- C:\04b4f0641db5f0fdc84fe23069
2010-11-18 18:27 . 2010-11-18 18:27 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Amazon
2010-11-18 18:24 . 2010-11-18 18:24 -------- d-----w- c:\program files\Amazon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2004-08-10 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-10 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 15:12 . 2010-09-11 03:22 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-09-11 03:22 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-09-11 03:22 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-09-11 03:23 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-09-11 03:23 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-09-11 03:22 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-09-11 03:22 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-09-11 03:23 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-09-11 03:22 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-01 11:51 . 2004-08-10 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-10 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-10 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-10 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2010-03-01 9216928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-15 180269]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-30 19523616]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-10 61440]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.3.lnk]
backup=c:\windows\pss\eFax 4.3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus Xtreme G

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1043:TCP"= 1043:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/10/2010 10:23 PM 165584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 7:00 AM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/10/2010 10:23 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/26/2010 11:05 PM 136176]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [5/23/2007 3:15 AM 547744]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/6/2010 10:10 AM 27064]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD25
*Deregistered* - klmd25

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-11-24 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-10 09:42]

2010-11-22 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-05-22 01:36]

2010-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-27 04:05]

2010-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-27 04:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.chattahoocheetech.edu/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: bing.com
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll
SafeBoot-sglfb.sys
SafeBoot-tga.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-24 15:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1296)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-11-24 15:38:26
ComboFix-quarantined-files.txt 2010-11-24 20:38
ComboFix2.txt 2010-06-01 13:52

Pre-Run: 214,581,403,648 bytes free
Post-Run: 214,605,680,640 bytes free

- - End Of File - - F87811E23DBFDDBB083CD057781EFB9C

-After running the combofix, I restarted the pc like normal. After the reboot finished I got an Application Error that I have never had happen before. It read: ATI video bios puller: Ati2evxx.exe - Application Error
The instruction at "0x7c9369da" referenced memory at "0x00000000". The memory could not be "read".
Click on OK to terminate the program
Click on CANCEL to debug the program

-I didn't do either and have just left the box up until I got your advice.

-Did a google search and am still being redirected through r3.google.com. I did a search for University of Michigan and clicked on the wikipedia link and here is the redirect site it gave me: http://72.233.76.67/p/index.php?PHPSESSID=9891428509b4c0f0b6ec480a5f0016db5983a96cb329689c51884e29a6

-While it was searching another window popped up and here is the url for that site: http://kc.mv.bidsystem.com/bin/findwhat.dll?clickthrough&y=74639&x=UPsA;pujL3XIe3ANsXv5ts8OjXXK29vzAkvrysLMA3vszAAiwoDpFIpVJy0lQa7h2KYhaLX2Qa82tkvv2YO2SyvAtaX4a:WxZIXP5stdVIuzjLsQ850C;rF0DLIxL9u0;XXsN9ms;yRU2HK1rspXVAmwAabS:Mm9;oABs8b1mL2NL1ozs8FMDsRhaPqBqYSQeRKOYrdKcyUleUpEdYiOJ8IVDBDlsS2kKJdB0PbI6UkjY5mreSqJLBkLlXvK0LAmsomuVLWQkoojBHuG;sWSn5dJs:uH3a0dN:sElY;$H


Awaiting your next instruction. Thanks again a million times over for your help!

Paull

#12 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:04 AM

Posted 24 November 2010 - 06:40 PM

Hello,
We need to run a Combofix script.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

DDS::
uStart Page = hxxp://www.chattahoocheetech.edu/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-

Driver::
AVG Security Toolbar Service
Avgfwdx
Avgfwfd

SecCenter::
{17DDD097-36FF-435F-9E1B-52D74245D6BF}
{8decf618-9569-4340-b34a-d78d28969b66}

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Do you connect to the internet through a router? If so, do the following:
Reset your router
  • Go to Start -> Control Panel -> Network and Internet Connection ->Network Connections.
  • Right-click your default connection, usually Local Area Connection or Dial-up Connection (if you are using dial-up), and left-click on the Properties option.
  • Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically".
  • Click OK twice.
  • Go to Start -> Run...
  • In the Open: field type cmd and click OK or hit Enter.
    This will open a Command Prompt.
  • At the DOS prompt screen, type in ipconfig /flushdns and then press Enter (notice the space between "ipconfig" and "/flushdns").
  • Exit the Command Prompt.
  • Reboot your PC and try to open any website.

3.
Download Bootkit remover to your desktop

1. Extract the file to your desktop.
2. Double click Remover.exe to run it (Right click and run as Administrator for Vista).
3. It will show a Black screen with some data on it.
4. Right click on the screen and choose Select All.
5. Press Control+C (to copy the data).
6. Open a notepad, Click on Edit tab > paste.
7. Exit the Remover.exe window.
8. Please post the contents of the notepad when you reply.

4.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

Things to include in your next reply::
Combofix.txt
Bootkit Remover log
MbrCheck log
How is your machine running now?

Edited by fireman4it, 24 November 2010 - 06:41 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 27 November 2010 - 07:30 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it



#14 paullb77

paullb77
  • Topic Starter

  • Members
  • 7 posts

Posted 29 November 2010 - 06:30 PM

Hi fireman!

First, I hope you had a great holiday weekend. Sorry for the delay in response. I got the email for your last post and tried to respond via my blackberry. After just getting home for the holidays, here is where I am. I ran all checks and rebooted. I accidentally left my pc on during the weekend and when I returned, it was on a blue dump memory screen saying that there was an error with aswMon2.sys. I did a hard reboot and when it came back online, I tried to open a firefox browser and got another bluescreen but with no error this time. I did ANOTHER hard reboot and waited about 20 mins before attempting to open another browser. No problems.

After attempting to run the CFScript, I STILL got the 32788R22FWJFW error saying that I didn't have permissions or the correct path or whatever with the three errors being, (hidec.exe), (n.pif), (iexplore.exe). I had to press enter about 25-30 times and then it needed to update Combofix with the newest version. After doing that, the combofix screen never appeared and I had to redrag the CFScript. Still got the 25-30 errors for the above and it finally ran.

I have done a few different google searches and it doesn't seem to be redirecting anywhere. I don't see r3.google.com or the google.analytics, but I did get a popup window from http://www.epoclick.com/?ad=1291072580. Here are my logs:

ComboFix 10-11-29.03 - HP_Administrator 11/29/2010 17:45:38.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1487 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVG_SECURITY_TOOLBAR_SERVICE
-------\Service_AVG Security Toolbar Service
-------\Service_Avgfwdx
-------\Service_Avgfwfd


((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-18 18:27 . 2010-11-18 18:27 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Amazon
2010-11-18 18:24 . 2010-11-18 18:24 -------- d-----w- c:\program files\Amazon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2004-08-10 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-10 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 15:12 . 2010-09-11 03:22 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-09-11 03:22 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-09-11 03:22 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-09-11 03:23 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-09-11 03:23 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-09-11 03:22 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-09-11 03:22 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-09-11 03:23 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-09-11 03:22 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-01 11:51 . 2004-08-10 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2010-03-01 9216928]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-15 180269]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-30 19523616]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-10 61440]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.3.lnk]
backup=c:\windows\pss\eFax 4.3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1037:TCP"= 1037:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/10/2010 10:23 PM 165584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 7:00 AM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/10/2010 10:23 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/26/2010 11:05 PM 136176]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [5/23/2007 3:15 AM 547744]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/6/2010 10:10 AM 27064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-11-27 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-10 09:42]

2010-11-29 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-05-22 01:36]

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-27 04:05]

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-27 04:05]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: bing.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 17:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2800)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\msiexec.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-11-29 17:59:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-29 22:59
ComboFix2.txt 2010-11-24 20:38
ComboFix3.txt 2010-06-01 13:52

Pre-Run: 213,973,213,184 bytes free
Post-Run: 214,056,157,184 bytes free

- - End Of File - - 3AE2CE156F781A83B7CC104AF4D0F1B9
-------------------------------------------------------------------------

Bootkit Remover
© 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`00a4e000
Boot sector MD5 is: 04bb945744f67e09eac699dea7655d04

Size Device Name MBR Status
--------------------------------------------
279 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
------------------------------------------------------------------------------

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 141):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 viaide.sys
0xBA5AE000 intelide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5B0000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xB9EE8000 fasttx2k.sys
0xB9ED0000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB9E8D000 ftsata2.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E6D000 fltmgr.sys
0xB9E5B000 sr.sys
0xBA0F8000 bb-run.sys
0xBA108000 PxHelp20.sys
0xB9E44000 KSecDD.sys
0xB9E31000 WudfPf.sys
0xB9DA4000 Ntfs.sys
0xB9D77000 NDIS.sys
0xBA118000 ohci1394.sys
0xBA128000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB9D5D000 Mup.sys
0xBA158000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA208000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\aracpi.sys
0xB92DF000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB92CB000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB92A3000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA408000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB927F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA410000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9258000 \SystemRoot\system32\DRIVERS\hcwPP2.sys
0xB9235000 \SystemRoot\system32\DRIVERS\ks.sys
0xB920F000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xB91FB000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA218000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA428000 \SystemRoot\system32\DRIVERS\PS2.sys
0xBA430000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA65A000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
0xBA228000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA238000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA248000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA448000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xB967F000 \SystemRoot\system32\DRIVERS\arpolicy.sys
0xBA700000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA258000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9677000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB91E4000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA268000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA278000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA490000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB91D3000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA288000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA468000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA480000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA488000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xB91A3000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB94B4000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA4A0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA660000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9145000 \SystemRoot\system32\DRIVERS\update.sys
0xB9653000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB9484000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB0B26000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB0B02000 \SystemRoot\system32\drivers\portcls.sys
0xB9454000 \SystemRoot\system32\drivers\drmk.sys
0xB9444000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5C2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA5CE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6CB000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5E2000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA398000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA3A0000 \SystemRoot\System32\drivers\vga.sys
0xBA5D2000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5D6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA3B0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3C0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA59C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB0287000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB022E000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB9434000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xB0208000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB01E0000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB9424000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB9D39000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xB01BE000 \SystemRoot\System32\drivers\afd.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB0193000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB0123000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA2C8000 \SystemRoot\System32\Drivers\Fips.SYS
0xB00FC000 \SystemRoot\System32\Drivers\aswSP.SYS
0xBA3E8000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xB00B0000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBA2E8000 \SystemRoot\system32\DRIVERS\IrBus.sys
0xBA400000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xBA420000 \SystemRoot\system32\DRIVERS\hidir.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA440000 \SystemRoot\system32\DRIVERS\arhidfltr.sys
0xB964F000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA54C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB02DE000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA5E0000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
0xBA460000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xB0098000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA600000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA594000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA340000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA77A000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF049000 \SystemRoot\System32\ati2cqag.dll
0xBF07D000 \SystemRoot\System32\atikvmag.dll
0xBF0B2000 \SystemRoot\System32\ati3duag.dll
0xBF2F4000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xADFB4000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xADF3C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xADD11000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xADBC1000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAD7FC000 \SystemRoot\system32\drivers\wdmaud.sys
0xADA91000 \SystemRoot\system32\drivers\sysaudio.sys
0xAD593000 \SystemRoot\System32\Drivers\adfs.SYS
0xAD462000 \SystemRoot\System32\Drivers\HTTP.sys
0xAD2F2000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA632000 \SystemRoot\system32\drivers\MSPQM.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 59):
0 System Idle Process
4 System
664 C:\WINDOWS\system32\smss.exe
896 csrss.exe
988 C:\WINDOWS\system32\winlogon.exe
1148 C:\WINDOWS\system32\services.exe
1160 C:\WINDOWS\system32\lsass.exe
1432 C:\WINDOWS\system32\ati2evxx.exe
1448 C:\WINDOWS\system32\svchost.exe
1568 svchost.exe
1696 C:\WINDOWS\system32\svchost.exe
1744 C:\WINDOWS\system32\svchost.exe
1844 svchost.exe
1956 svchost.exe
460 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
484 C:\WINDOWS\system32\ati2evxx.exe
576 C:\WINDOWS\explorer.exe
864 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
956 C:\WINDOWS\RTHDCPL.EXE
1012 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
1020 C:\WINDOWS\ehome\ehtray.exe
1044 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
1052 C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
1060 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
1100 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
1248 C:\Program Files\QuickTime\QTTask.exe
1256 C:\Program Files\iTunes\iTunesHelper.exe
1292 C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
1352 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
132 C:\Program Files\Innovative Solutions\DriverMax\devices.exe
708 C:\WINDOWS\system32\ctfmon.exe
1240 C:\WINDOWS\system32\spoolsv.exe
2144 C:\WINDOWS\system32\svchost.exe
2172 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2184 C:\WINDOWS\arservice.exe
2228 C:\Program Files\Bonjour\mDNSResponder.exe
2256 C:\WINDOWS\ehome\ehrecvr.exe
2412 C:\WINDOWS\ehome\ehSched.exe
2548 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2560 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2628 C:\WINDOWS\system32\msiexec.exe
3948 C:\hp\KBD\kbd.exe
3136 C:\WINDOWS\system\hpsysdrv.exe
932 C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
3348 svchost.exe
3436 C:\WINDOWS\system32\svchost.exe
3612 mcrdsvc.exe
2092 C:\Program Files\Java\jre1.5.0\bin\jusched.exe
2492 C:\WINDOWS\system32\wuauclt.exe
3772 C:\Program Files\iPod\bin\iPodService.exe
3776 wmiprvse.exe
848 C:\WINDOWS\system32\dllhost.exe
948 C:\WINDOWS\system32\wscntfy.exe
3820 alg.exe
1476 C:\WINDOWS\system32\svchost.exe
2444 C:\Program Files\Mozilla Firefox\firefox.exe
3416 C:\WINDOWS\ehome\ehmsas.exe
1428 C:\Documents and Settings\HP_Administrator\desktop\BLEEPING COMPUTER GOOGLE VIRUS REMOVAL\bootkit_remover\remover.exe
2796 C:\Documents and Settings\HP_Administrator\desktop\BLEEPING COMPUTER GOOGLE VIRUS REMOVAL\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`00a4e000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: Maxtor6L300S0, Rev: BANC1G10

Size Device Name MBR Status
--------------------------------------------
279 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972


Done!


Thanks again for ALL of your help!

Paull B
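Both Bootkit Remover and MBRCheck above are, in broad terms, reading sector 0 of the physical disk, checking that it is a well-formed MBR, and comparing a hash of the boot-code area against a list of known-good boot loaders, which is how the same sector can come back as "Unknown boot code" from one tool and "Legit MBR code detected" from the other. The Python below is an added example written for this thread, not code from either tool or from anyone in the thread: it parses a constructed 512-byte MBR whose partition table is shaped like this disk (FAT32 volume at byte offset 0x7e00, NTFS system volume at 0x200a4e000) and classifies the boot code against a caller-supplied allowlist; the boot code bytes, disk signature and allowlist are all constructed placeholders.

```python
"""Parse a 512-byte master boot record (MBR) and classify its boot code.

Added example for the thread; not part of Bootkit Remover or MBRCheck.
It mirrors what those tools report: a structural check of the sector and
a SHA1 of the boot-code area compared against an allowlist of known-good
hashes (the allowlist is supplied by the caller and is a placeholder here).
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # classic MBR: boot code occupies bytes 0..439
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"      # bytes 510..511 must hold this value

# Partition type IDs relevant to the drive layout shown in the thread
PART_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}


def parse_partitions(mbr: bytes):
    """Return the non-empty partition entries as dicts with byte offsets."""
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:           # empty slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR,   # what the tools print as "at offset"
            "sectors": sectors,
        })
    return parts


def boot_code_sha1(mbr: bytes) -> str:
    """SHA1 of the boot-code area only (partition table and signature excluded)."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def check_mbr(mbr: bytes, known_good: set):
    """Return (verdict, details); verdict strings follow the two tools' wording."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[510:512] != SIGNATURE:
        return "invalid signature", {}
    digest = boot_code_sha1(mbr)
    verdict = "Legit MBR code detected" if digest in known_good else "Unknown boot code"
    return verdict, {"sha1": digest, "partitions": parse_partitions(mbr)}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: placeholder boot code plus a partition table
    shaped like the thread's disk (FAT32 at LBA 63, NTFS at LBA 0x1005270)."""
    assert len(boot_code) <= BOOT_CODE_LEN
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x12\x34\x56\x78\x00\x00"   # constructed 4-byte disk signature + 2 reserved
    entries = [
        struct.pack("<B3sB3sII", 0x00, b"\x00" * 3, 0x0B, b"\xff" * 3, 63, 0x1005270 - 63),
        struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\xff" * 3, 0x1005270, 583_000_000),
        b"\x00" * 16,
        b"\x00" * 16,
    ]
    mbr = code + disk_sig + b"".join(entries) + SIGNATURE
    assert len(mbr) == SECTOR
    return mbr


if __name__ == "__main__":
    sample = build_sample_mbr(b"\xeb\x3c\x90constructed-boot-code")
    # With an empty allowlist the verdict is the Bootkit Remover one;
    # with the sector's own hash allowlisted it is the MBRCheck one.
    for allowlist in (set(), {boot_code_sha1(sample)}):
        verdict, details = check_mbr(sample, allowlist)
        print(verdict, details["sha1"])
        for p in details["partitions"]:
            print(f"  {p['type']:<12} at offset 0x{p['byte_offset']:x} bootable={p['bootable']}")
```

Reading the real sector 0 requires opening the physical device (`\\.\PhysicalDrive0` on Windows) with administrator rights; the allowlist would then be populated from hashes of boot loaders you have verified yourself.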

#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 29 November 2010 - 10:23 PM

Hello,

It looks like you have some corrupted or leftover avast and AVG files and drivers. I would uninstall both and reinstall the one you want to use. I will give you a couple of uninstallers that work better for removing these.

  • Download aswClear.exe on to your desktop.
  • Start Windows in Safe Mode.
  • Run aswClear.exe.
  • If you installed Avast! in a different folder than the default, browse for it.
    (Note: Be careful! The content of any folder you choose will be deleted!)
  • Click REMOVE.
  • Restart your computer.
Avast! should now be removed from your PC.

AVGremover:
  • Download avgremover.exe and save it to your Desktop
  • Run the file avgremover.exe
  • Confirm that you want to uninstall.
  • Wait until the program confirms the removal.
  • Restart your computer.
AVG should now be removed from your PC.

1.
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

2.
Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Click on Start, then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall


    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring up the Run... command, and then from there you can add in the ComboFix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore".

3.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

4.
I would reset your router now that you're having no redirects.


Things to include in your next reply::
MBAM log
A new DDS log
How is your machine running now?
