Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cannot get DDS to create a log


  • This topic is locked This topic is locked
22 replies to this topic

#1 acbent

acbent

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 31 March 2012 - 05:16 AM

Hi,

I am running Windows XP and have not been able to apply Service Pack 3 without my computer crashing.

I have done a lot of reading and have followed the preparation Guide. I can get as far as running DDS but the scan stops and my computer freezes.
I'm not sure which programs are running script blockers that may interfer with DDS but I disconnected from the internet by disabling my wireless Lan adapter and turned off Super Anti-Spyware, AVG and Malwarebytes.

My problem is that I keep getting Google redirects when I search. When Malwarebytes is running, it keeps giving me block notifications to "potentially malicious sites". I also get pop-up windows when I boot my computer without clicking on internet explorer, firefox or chrome. I have run all of my security programs mentioned above and I always get objects (threats) and the programs remove them but my problems continue. I am afraid that the security of my computer is seriously compromised.

I did run hijackthis and got a log file before I discivered your site.

I'm not sure how to proceed.

Thank you in advance,

Adam

BC AdBot (Login to Remove)

 


#2 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 06 April 2012 - 03:14 AM

Hi , acbent and welcome.

I will be helping you get cleaned up. Please give me some time to do up a fix and I'll get back to you.

White Warrior

Edited by White Warrior, 06 April 2012 - 03:16 AM.


#3 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 06 April 2012 - 06:34 PM

Hi

I want you to try to run the following tools in normal mode.
If they will not run in normal mode, then try to run them in safe mode.

To boot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.

Please download Rkill by Grinler from one of these links:

Rkill.exe
Rkill.com
Rkill.scr
Rkill.pif

Save it to your desktop.

Please download aswMBR ( 511KB ) to your desktop.

Double-click on Rkill to run it.

Note: If the first one does not run successfully, download and try the other copies (with a different file extension) and see if one of them will run.

Warning: Do not let RKill reboot the machine. If it does reboot, then run RKill again.

Once Rkill has successfully run:

  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Let me know how the computer is running.

White Warrior

#4 acbent

acbent
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 06 April 2012 - 08:13 PM

Hi White Warrior,

Thank you for helping me. I can get RKill to run and it creates a log file but in the process I lose my desktop and start menu and I then have to reboot.
I am going to upload the file. I had read that one should cut and paste the content but I cannot access the file as I have no desktop. I am now going to boot in safe mode and try to run the aswMBR. I will post back...

Thank you very much again.

Adam

Attached Files



#5 acbent

acbent
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 06 April 2012 - 08:42 PM

Hi again,

I cannot boot in safe mode at all. I have been able to in the past. The computer stops at ...Drivers\MUP.sys or something similar and the HDD light remains solidly lit but nothing happens. I waited 10 minutes.

Unfortunately at this point I can't get the other application to run. I will continue trying to get into safe mode.

Any more advice would be most appreciated.

Thanks!

Here is the content of the latest RKill.log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/06/2012 at 22:33:13.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\Admin\My Documents\RCA Detective\RCADetective.exe


Rkill completed on 04/06/2012 at 22:34:49.

#6 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 07 April 2012 - 05:39 PM

Hi

Please try to run aswMBR in normal mode.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Let me know if it won't run.

Also
Do you have access to a clean computer?
Do you have your windows installation disc?

White Warrior

#7 acbent

acbent
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 07 April 2012 - 08:05 PM

Hi,

I can't run it in either normal or safe mode. I do have access to a clean computer but don't have my Windows install cd.

I appreciate the help. Is it possible to download Windows repair console? Is that what I would need?

Thanks White Warrior. I'll keep following your suggestions.

Adam

#8 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 08 April 2012 - 09:28 PM

Hi

Is it possible to download Windows repair console? Is that what I would need?

I very much doubt it would run. And I doubt it would do any good.

If we can't run our tools one way, then we'll just have to try another way.

Try this please. You will need a CD or a USB drive.

We are going to create and run a rescue disc.

To summarize:
Go to a clean computer
Download an iso image file
Create a CD or flash drive
Put the disc in the drive of the infected computer and reboot.

Read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. You can use a CD or a USB.

Follow the directions here, but note: You will find some differences.

Familiarize yourself with How to create a report file in Kaspersky Rescue Disk 10

Print the following directions:

Boot from Kaspersky Rescue Disk 10:
Restart your computer and put the disk in the drive while booting.
Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
Click Enter.
Click 'A' to accept the agreement.
Select operating system from dropdown menu (select Windows whatever)
Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
Click My Update Center and update if any available
Back to other tab and click Start Object Scan.
This scan will take a long time.
When scan has completed save a report:

On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
On the upper right hand corner of the Detailed report window, click on the Save button.
After clicking Detailed Report and 'SAVE', a browse window opens.
Double-click on the \
Click 'disks'.
All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
Click on the Save button.
The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.

Post the log back here to me, and let me know how the computer is running now.

For more information please read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk


White Warrior

Edited by White Warrior, 08 April 2012 - 09:34 PM.


#9 acbent

acbent
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 09 April 2012 - 10:41 AM

HI White Warrior,

I ran a recovery disk on the weekend and also an application called FixTDSS. My computer has never run faster (webpages) and I just managed to get aswMBR to run and create a text file (I did not click the Fix MBR tab but will wait for further instructions from you)

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-09 11:54:40
-----------------------------
11:54:40.140 OS Version: Windows 5.1.2600 Service Pack 2
11:54:40.140 Number of processors: 1 586 0x207
11:54:40.140 ComputerName: DESIGNER UserName: Admin
11:54:43.687 Initialize success
11:55:19.750 AVAST engine defs: 12040900
11:57:09.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:57:09.093 Disk 0 Vendor: ST380011A 3.06 Size: 76319MB BusType: 3
11:57:09.109 Disk 0 MBR read successfully
11:57:09.109 Disk 0 MBR scan
11:57:09.593 Disk 0 Windows XP default MBR code
11:57:09.625 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
11:57:09.640 Disk 0 scanning sectors +156280320
11:57:09.953 Disk 0 scanning C:\WINDOWS\system32\drivers
11:57:49.234 Service scanning
11:58:31.203 Modules scanning
11:58:53.140 Disk 0 trace - called modules:
11:58:53.171 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys siside.sys
11:58:53.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x873c9ab8]
11:58:53.171 3 CLASSPNP.SYS[f78c005b] -> nt!IofCallDriver -> \Device\00000068[0x8738af18]
11:58:53.171 5 ACPI.sys[f7826620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x873ccd98]
11:58:56.125 AVAST engine scan C:\WINDOWS
11:59:52.500 AVAST engine scan C:\WINDOWS\system32
12:04:48.343 AVAST engine scan C:\WINDOWS\system32\drivers
12:05:02.265 AVAST engine scan C:\Documents and Settings\Admin
12:23:27.906 AVAST engine scan C:\Documents and Settings\All Users
12:26:00.500 Scan finished successfully
12:30:33.625 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Admin\Desktop\MBR.dat"
12:30:33.625 The log file has been saved successfully to "C:\Documents and Settings\Admin\Desktop\aswMBR.txt"

I hope this is what you were looking for. It also created a MBR.dat file. Would you like that as well?

I do not appear to be getting any web browser redirects.

Although my computer seems to be working great, I'm not sure it is bug free.

I probably should not have gone ahead and done anything except follow your explicit instructions.

What would you like me to do next?

Thanks so much for the help.

Adam

#10 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 09 April 2012 - 06:53 PM

Hi acbent

That's great your computer seems to be fixed., but there could be leftovers.

It also created a MBR.dat file. Would you like that as well?

No thanks, that won't be needed now.

What would you like me to do next?

Now, let's run combofix to find any leftovers.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Download Security Check by screen317 from here or here.
  • Save it to your desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Please include the C:\ComboFix.txt and the security check log in your next reply and let me know are there any more problems.

White Warrior

Edited by White Warrior, 09 April 2012 - 06:54 PM.


#11 acbent

acbent
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 10 April 2012 - 04:22 PM

Hi White Warrior,

As requested:

ComboFix 12-04-10.02 - Admin 04/10/2012 17:36:31.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.417 [GMT -3:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Admin\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfapx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfarx.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgntdumpx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgrunasx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\compat.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\htmlayout.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_es.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaconf.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfacz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfada.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaes.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfafr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfage.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfahu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfain.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfait.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfajp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfako.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfams.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfanl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfask.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfatr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfavera.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaverx.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
c:\windows\system32\Cache
c:\windows\system32\Cache\02883672f1df9f4c.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c3e947c5af49c808.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\ctfmon(2).exe
c:\windows\system32\usp10(2).dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_USNJSVC
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2012-03-10 to 2012-04-10 )))))))))))))))))))))))))))))))
.
.
2012-04-04 01:47 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2012-04-04 01:20 . 2012-04-04 01:19 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-04-04 01:20 . 2012-04-04 01:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-30 23:04 . 2012-03-30 23:04 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-30 23:04 . 2012-03-30 23:04 -------- d-----w- c:\program files\Trend Micro
2012-03-30 00:44 . 2012-03-30 00:44 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2012-03-30 00:44 . 2012-03-30 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-30 00:44 . 2012-04-07 21:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-30 00:44 . 2011-12-10 18:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-25 10:10 . 2012-03-25 01:57 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-03-25 01:57 . 2012-03-25 01:57 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-03-25 01:46 . 2012-03-25 01:47 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\adawarebp
2012-03-25 01:46 . 2012-03-26 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
2012-03-25 01:46 . 2012-03-25 01:46 -------- d-----w- c:\program files\Toolbar Cleaner
2012-03-25 01:46 . 2012-03-25 01:46 -------- d-----w- c:\documents and settings\Admin\Application Data\Blekko
2012-03-25 01:46 . 2012-03-25 01:46 -------- d-----w- c:\program files\adawaretb
2012-03-25 01:46 . 2012-03-25 01:46 -------- d-----w- c:\documents and settings\Admin\Application Data\adawaretb
2012-03-25 01:45 . 2012-03-20 16:41 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-03-25 01:45 . 2012-03-25 01:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2012-03-24 02:47 . 2012-03-24 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 01:19 . 2007-04-16 19:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-13 04:39 . 2012-03-25 11:39 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2007-06-04 22:25 . 2006-07-27 15:07 61038 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-06-04 22:25 . 2006-07-27 15:07 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-04 22:25 . 2006-07-27 15:07 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn3\yt.dll" [2012-01-12 1517368]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-03-14 01:35 1869152 ----a-w- c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-06-17 14:02 1233288 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-17 1233288]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-03-14 1869152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-17 1233288]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-22 3905920]
"InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-08-09 1176064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]
"C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-05 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-04 180269]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-01-27 2077536]
"Easy Dock"="c:\documents and settings\Admin\My Documents\RCA easyRip\EZDock.exe" [2009-05-08 573440]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-03-14 982880]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-24 928096]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2012-02-28 198032]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adawarebp"="reg.exe delete HKCU\Software\AppDataLow\Software\adawarebp" [X]
"adawarebp_XP"="reg.exe delete HKCU\Software\adawarebp" [X]
.
c:\documents and settings\Admin\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2005-9-23 61440]
RCA Detective.lnk - c:\documents and settings\Admin\My Documents\RCA Detective\RCADetective.exe [2010-1-31 942592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
EnGenius Wireless Utility.lnk - c:\program files\EnGenius\Common\RaUI.exe [2009-11-17 1654784]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 1 (0x1)
"SynchronousUserGroupPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoWelcomeScreen"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-07 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-24 23:34 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\MissionRisk\\MissionRisk.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\ASRC\\asrc.exe"=
"c:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Documents and Settings\\Admin\\Desktop\\WideClient.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/24/2012 10:45 PM 64512]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/18/2009 12:03 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/18/2009 12:03 AM 243152]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 3:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 3:41 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [5/4/2011 2:54 PM 116608]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/24/2010 8:34 PM 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/20/2012 1:41 PM 2152152]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/29/2012 9:44 PM 652360]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 9:21 PM 24652]
R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [3/13/2012 10:35 PM 918880]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/29/2012 9:44 PM 20464]
S2 BXSYLTHR;BXSYLTHR;\??\c:\windows\system32\bxsylthr.mtj --> c:\windows\system32\bxsylthr.mtj [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [10/27/2010 10:02 PM 167264]
S3 chanalog;CH Analog Devices;c:\windows\system32\drivers\chanalog.sys [12/22/2004 6:57 PM 30240]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [3/20/2012 1:41 PM 15232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2012-03-20 01:56]
.
2012-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-448539723-725345543-1004Core.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 19:31]
.
2012-04-08 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-02-23 23:20]
.
2012-04-10 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2010-02-23 23:20]
.
2012-04-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-02-23 23:20]
.
2012-04-10 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-07-01 01:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.avsim.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
TCP: DhcpNameServer = 192.168.2.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\ha5j259e.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B81557038-121e-4431-8fe6-ae9013a87ff5%7D&mid=6d76a388b2c288aebf1e5d91a7c8f459-30af0f72465264036757d097853ba744697a8c1d&ds=AVG&v=10.2.0.3&lang=us&pr=fr&d=2011-12-13%2021%3A14%3A24&sap=ku&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKCU-Run-ClearAllHistory - c:\program files\ClearAllHistory\cah.exe
HKLM-Run-AVG7_CC - c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe
AddRemove-CYAV2006 BETA - c:\program files\Microsoft Games\Flight Simulator 9\Addon Scenery\CYAV2006Beta\Uninstal.exe
AddRemove-CYWG (Winnipeg Int Airport) V1.01 for FS2004 - c:\program files\Microsoft Games\Flight Simulator 9\Addon Scenery\CYWG\Uninstal.exe
AddRemove-Destinator PC Portal - c:\program files\LGE PC Portal\Inst.exe \U
AddRemove-Driver Cleaner PE - c:\program files\Driver Cleaner PE\Uninst.exe
AddRemove-Rwy12 Object Placer - c:\rwy12 object placer\Uninstal.exe
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}\bm_installer.exe
AddRemove-{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk - c:\program files\Google\Google Talk\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-10 17:54
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BXSYLTHR]
"ImagePath"="\??\c:\windows\system32\bxsylthr.mtj"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-682003330-448539723-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(612)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1380)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\EnGenius\Common\RegistryWriter.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\SOUNDMAN.EXE
c:\windows\Mixer.exe
c:\windows\system32\RUNDLL32.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\OpenOffice.org 2.0\program\soffice.exe
c:\program files\OpenOffice.org 2.0\program\soffice.BIN
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2012-04-10 18:08:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-10 21:07
.
Pre-Run: 7,744,917,504 bytes free
Post-Run: 9,822,507,008 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut
.
- - End Of File - - 7BF99D4C8A2A7E09A0BB46B80B7E8632


AND...

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 9.0
AVG Anti-Rootkit Free
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
SUPERAntiSpyware
AVG Anti-Rootkit Free
Java™ 6 Update 31
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java version out of date!
Adobe Flash Player 10.0.32.18 Flash Player out of Date!
Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````



Awaiting further instructions. THANKS!!!

#12 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 11 April 2012 - 04:31 PM

Hi acbent

That's looking good, but more to do yet.

Now, please go to http://www.virustotal.com, click on Browse, and upload the following file for analysis: You will only be able to have one file scanned at a time.

c:\windows\system32\bxsylthr.mtj

Then click Submit. Allow the file to be scanned, and then copy/paste the results here for me to see.

If you get a message saying File has already been analyzed: Click Reanalyze file now

If virustotal is busy, please go to http://virusscan.jotti.org

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
White Warrior

#13 acbent

acbent
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 12 April 2012 - 04:42 AM

Hi White Warrior,

Here are the results from the Eset Scan:

C:\Documents and Settings\Admin\Desktop\DESKTOPBU\trojankiller2094-setup.exe a variant of Win32/1AntiVirus application deleted - quarantined
C:\Documents and Settings\Admin\Desktop\DESKTOPBU\downloads\NortonGhost\SYMANTEC NORTON GHOST 12 BOOT-CD ISO.zip probably a variant of Win32/Spy.Agent.JINFSQF trojan deleted - quarantined
C:\Documents and Settings\Admin\Desktop\DESKTOPBU\downloads\NortonGhost\SYMANTEC NORTON GHOST 12 BOOT-CD ISO\SYMANTEC NORTON GHOST 12 BOOT-CD ISO\norton_ghost12.iso probably a variant of Win32/Spy.Agent.JINFSQF trojan deleted - quarantined
C:\Documents and Settings\Admin\Desktop\DESKTOPBU\downloads\Pay Aircraft\Captain Sim - Legendary C-130 Pro v1.zip probably a variant of Win32/Agent.LQRQUYQ trojan deleted - quarantined
C:\Documents and Settings\Admin\Desktop\DESKTOPBU\downloads\Pay Aircraft\Legendary_C130_Pro_v11_complete.rar multiple threats deleted - quarantined
C:\Documents and Settings\Admin\Desktop\DESKTOPBU\downloads\VOXATC\VOX_Atc+keygen.rar probably a variant of Win32/Agent.MGAGSCV trojan deleted - quarantined
C:\Flight One Software\LDS763_Setup.exe Win32/SuspLibLoad.B trojan deleted - quarantined
C:\Program Files\Microsoft Games\Flight Simulator 9\Level-D Simulations\B767-300\flt1chk4.dll Win32/SuspLibLoad.B trojan cleaned - quarantined
C:\System Volume Information\_restore{2347643C-A441-4C42-8C6B-FCB1DB7242A7}\RP1536\A0319808.exe a variant of Win32/1AntiVirus application deleted - quarantined
C:\System Volume Information\_restore{2347643C-A441-4C42-8C6B-FCB1DB7242A7}\RP1536\A0319811.exe Win32/SuspLibLoad.B trojan deleted - quarantined
C:\System Volume Information\_restore{2347643C-A441-4C42-8C6B-FCB1DB7242A7}\RP1536\A0319813.dll Win32/SuspLibLoad.B trojan cleaned - quarantined
C:\WINDOWS\system32\flt1chk4.dll Win32/SuspLibLoad.B trojan cleaned - quarantined


As for the c:\windows\system32\bxsylthr.mtj file, yesterday I removed some unused programs from my computer via the control panel (add/remove software) and maybe this file was deleted because I could no longer find it in system32 or anywhere on my computer.

I hope this info is what you need.

Thanks again. Awaiting further steps.

THANK YOU!!!

Adam

#14 acbent

acbent
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 12 April 2012 - 05:19 AM

Hi again White Warrior.

Once we're done, could you please recommend to me what you think is the best internet security package? I was thinking about getting the NOD32 from Eset.

Thanks again for all your extremely valuable help.

Adam

#15 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 13 April 2012 - 11:01 PM

Hi acbent

That's great! Your log looks clean.

As for the c:\windows\system32\bxsylthr.mtj file

That's ok. I just wanted to be sure it was gone.

Once we're done, could you please recommend to me what you think is the best internet security package?

I sure will.

Now for some housekeeping.

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  • Do the same for each Viewpoint component.
You have old versions of Java installed. Go to Add or remove programs and remove all java versions
except Java™ 6 Update 31

Reboot the computer.

Your Microsoft Windows installation is out of date. Using unpatched Windows systems on the Internet are a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Your AVG antivirus is out of date.
Please go here and download the latest version.

Flash Player is out of date.
Go here and update it.

Let me know how you go----if you have any further problems.

White Warrior




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users