
Infected with System Repair & Antivirus software will not start


14 replies to this topic

#1 vanillaskittles

vanillaskittles

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:41 PM

Posted 22 February 2013 - 05:03 AM

My grandmother's computer was infected with System Repair. It would start normally, but right after login System Repair would take over and send the fake alert that there was a problem with the hard drive. All the desktop icons were hidden except for the System Repair icon, no taskbar icons were visible, and the Start menu didn't show anything except System Repair and the log off/shut down options.

 

Following the instructions for the Remove System Repair (uninstall guide), I restarted the computer and put it in Safe Mode with Networking. Safe mode blocked the System Repair fake alerts from popping up, but none of the desktop icons were visible except System Repair and the Start menu was still only showing System Repair and log off/shut down. I accessed Internet Explorer using Windows + R and entering "iexplore", downloaded and ran RKill. Under miscellaneous checks it found the SMTMP folder and it also said something I no longer recall exactly about ZeroAccess. Next I downloaded and ran TDSSKiller, which found a number of problems and required a restart.

 

After that restart, I reran both RKill and TDSSKiller, then downloaded MBAM and attempted to install it. It would start to install, then terminate right at the end of the installation. I tried to get around this by renaming the Malwarebytes setup program, which didn't work. I eventually located and installed the Malwarebytes Chameleon program, which did work. After another restart, I repeated running RKill, TDSSKiller and MBAM, this time with MBAM not detecting any problems, so I ran unhide.exe.

 

After that I made the mistake of rebooting into normal mode. I no longer had fake hard drive failure alerts taking over my computer, so I tried running RKill and TDSSKiller, which worked, and then MBAM, which no longer would. MBAM gives me a runtime error 372. I tried the fix suggested at the MBAM help website, ran mbam-clean and tried reinstalling. Same problem. I put it back in Safe Mode with Networking and repeated everything again (RKill, TDSSKiller, MBAM install) and got the same error. Internet Explorer no longer works: it opens up but I can't actually use it for anything, and it won't close once it's open. Firefox does work, so on the off chance that the Internet Explorer problem was a separate issue, I tried reinstalling Windows 8, which didn't help. The antivirus software doesn't seem to be running; actually, there appear to be at least two antivirus programs installed on the computer (McAfee Security Scan Plus and AVG). Since this is my grandmother's computer, I'm not familiar with which program she was running, or if she was actually trying to run both of them. She says it was running McAfee, but I have no idea if that was actually the case. Windows Firewall wasn't running, and gave me this error when I tried to access it through the Control Panel:

 

Due to an unidentified problem, Windows cannot display Windows Firewall settings. 

 

I eventually got the firewall running, or at least I think it's running. System Repair still has an icon on my desktop, and there are still no icons on the taskbar. Short of reformatting the hard drive I have no other ideas of how to get rid of this virus. I would appreciate any help you could give on this problem.

 

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.5.1
Run by Gramma at 23:33:57 on 2013-02-21
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.556 [GMT -8:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
dURLSearchHooks: {00A6FAF6-072E-44cf-8957-5838F569A31D} - <orphaned>
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\14.2.0.1\AVG Secure Search_toolbar.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - <orphaned>
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\14.2.0.1\AVG Secure Search_toolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRunOnce: [BrandClearStubs] RUNDLL32 IEDKCS32.DLL,BrandCleanInstallStubs >{21d337f6-7548-4c7c-a931-2eeaf254b69a}
mRunOnce: [NoIE4StubProcessing] c:\windows\system32\reg.exe delete "hklm\software\microsoft\active setup\Installed Components" /v "NoIE4StubProcessing" /f
mRunOnce: [1] c:\documents and settings\gramma\desktop\mbam-chameleon-1.62.1.1000\mbam-chameleon.exe /r /p
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &Define - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: &Search - <no file>
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Look Up in &Encyclopedia - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: office,microsoft.com
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145661600953
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145661659593
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{53CF58B8-9965-4B96-8618-F53E8A443A6C} : DHCPNameServer = 192.168.0.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\14.2.0\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages =  msv1_0 nwprovau
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 55008]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 35552]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 164832]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-11-10 33112]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-2-21 35144]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 159712]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 93536]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg2012\avgidsagent.exe" --> c:\program files\avg\avg2012\AVGIDSAgent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\avg\avg2012\avgwdsvc.exe" --> c:\program files\avg\avg2012\avgwdsvc.exe [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-12-23 95232]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\14.2.0\ToolbarUpdater.exe [2013-2-19 968880]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 177504]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys --> c:\windows\system32\drivers\avgidsfilterx.sys [?]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 19936]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-2-20 40776]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 Usbatos;LGE SP DL USB Serial Port;c:\windows\system32\drivers\lgusbatos.sys [2009-11-12 22016]
.
=============== Created Last 30 ================
.
2013-02-22 07:07:55    35144    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-02-22 06:56:29    --------    dc-h--w-    c:\windows\ie8
2013-02-22 06:56:13    --------    d--h--w-    c:\windows\msdownld.tmp
2013-02-22 06:01:46    --------    d-----w-    c:\documents and settings\gramma\application data\Ashampoo
2013-02-22 06:01:34    --------    d-----w-    c:\documents and settings\gramma\local settings\application data\ashampoo
2013-02-22 06:00:48    --------    d-----w-    c:\documents and settings\all users\application data\Ashampoo
2013-02-22 06:00:45    --------    d-----w-    c:\program files\Ashampoo
2013-02-22 04:57:54    --------    d-----w-    c:\program files\Cobian Backup 11
2013-02-21 06:26:41    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-02-21 06:26:41    --------    d-----w-    c:\documents and settings\gramma\application data\Malwarebytes
2013-02-21 06:26:32    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes
2013-02-21 06:26:31    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-02-21 06:26:31    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-02-21 03:25:31    --------    d-----w-    c:\windows\PIF
2013-02-21 00:45:28    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-02-21 00:39:04    --------    d-----w-    c:\documents and settings\all users\application data\APN
.
==================== Find3M  ====================
.
2013-02-19 20:31:01    33112    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
2013-02-08 02:30:56    74096    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-08 02:30:56    697712    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-01-26 03:55:44    552448    ----a-w-    c:\windows\system32\oleaut32.dll
2013-01-07 01:19:45    2148864    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37:01    2027520    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00    1867264    ----a-w-    c:\windows\system32\win32k.sys
2013-01-02 06:49:10    1292288    ----a-w-    c:\windows\system32\quartz.dll
2012-12-16 12:23:59    290560    ----a-w-    c:\windows\system32\atmfd.dll
.
============= FINISH: 23:34:34.09 ===============
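The DDS log above is what the helpers on this board read first, and two details in it carry most of the triage value: `<orphaned>` or `<no file>` on a browser add-on means the registry still references a component whose file is gone, and `[?]` after a service path (with `-->` showing the path DDS resolved) means DDS could not read a date and size for that binary. As an added example that is not part of this thread or of DDS, the Python below parses those two sections and lists the entries that warrant a closer look. The sample log is constructed from lines in the same format; my reading of the R/S prefix as running/stopped, the digit as the service start type, and `[?]` as "file could not be read" is an assumption about DDS's conventions, not something stated on this page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample modelled on the DDS log in this thread (not the poster's
# actual log): a few "Pseudo HJT Report" lines and a few SERVICES / DRIVERS lines.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - <orphaned>
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
============= SERVICES / DRIVERS ===============
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 55008]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg2012\avgidsagent.exe" --> c:\program files\avg\avg2012\AVGIDSAgent.exe [?]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys --> c:\windows\system32\drivers\avgidsfilterx.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-2-20 40776]
"""

# Service/driver line: <R|S><start> <name>;<display>;<image> [<date> <size>]  or  ... [?]
# Assumption: R/S = running/stopped, digit = start type (0 boot ... 4 disabled).
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
STAT_RE = re.compile(r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")
ORPHAN_RE = re.compile(r"<orphaned>|<no file>")


@dataclass
class Service:
    name: str
    display: str
    running: bool
    start_type: int
    configured_path: str   # path from the registry entry, quotes stripped
    resolved_path: str     # path DDS resolved it to (same as configured when no "-->")
    date: str | None
    size: int | None
    unreadable: bool       # DDS printed [?] instead of a date and size


def parse_service(line: str) -> Service | None:
    """Parse one SERVICES / DRIVERS line; return None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"].strip()
    date = size = None
    unreadable = False
    if rest.endswith("[?]"):
        unreadable = True
        rest = rest[:-3].rstrip()
    else:
        sm = STAT_RE.search(rest)
        if sm:
            date, size = sm["date"], int(sm["size"])
            rest = rest[:sm.start()].rstrip()
    configured, _, resolved = rest.partition(" --> ")
    configured = configured.strip().strip('"')
    resolved = resolved.strip() or configured
    return Service(m["name"], m["display"], m["state"] == "R", int(m["start"]),
                   configured, resolved, date, size, unreadable)


def triage(log: str) -> dict:
    """Pull out what a reviewer checks first: services whose binary DDS could
    not read, and browser add-ons whose file is gone."""
    services, orphans = [], []
    for line in log.splitlines():
        svc = parse_service(line)
        if svc:
            services.append(svc)
        elif ORPHAN_RE.search(line):
            orphans.append(line.strip())
    return {
        "services": services,
        "unreadable_services": [s.name for s in services if s.unreadable],
        "orphaned_addons": orphans,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DDS)
    print("services whose binary could not be read:", result["unreadable_services"])
    for entry in result["orphaned_addons"]:
        print("orphaned add-on:", entry)
```

Run against the log in this post it would list AVGIDSAgent, avgwd and AVGIDSFilter as unreadable, which lines up with the poster later being unable to open AVG at all, and it would pull out the `<orphaned>` search hooks and BHO and the `<no file>` toolbar and menu entries for a closer look.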
 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:41 PM

Posted 24 February 2013 - 10:15 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from one of these locations:
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
 
Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
 
Do not mouse click ComboFix's window while it's running. That may cause it to stall.
 
Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===
 
Third-party programs, if not up to date, can be the cause of infiltration and infection.
 
Please run this security check for my review.
 
Download Security Check by screen317 from here.
  • Save it to your Desktop.

  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.

  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===
 
Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.
 
Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.

  • Double click on AdwCleaner.exe to run the tool.

  • Click on Delete tab follow the prompts.

  • A log file will automatically open after the scan has finished.

  • Please post the content of that log file with your next answer.

  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.


#3 vanillaskittles

vanillaskittles
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:41 PM

Posted 27 February 2013 - 12:06 AM

I can't disable the antivirus. It won't open at all through the Start menu or Program Files folder, it's not on the system tray, it's not listed in the Task Manager or under Services, and the AVG support website was no help at all. Is there any point in running ComboFix anyway?



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:41 PM

Posted 27 February 2013 - 09:47 AM

Forget about ComboFix for now. Run this one and the other two programs requested in my previous post.
 
Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop. 
 
 
Quit all running programs.
 
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
 
Click Scan to scan the system. 
When the scan completes > Close out the program > Don't Fix anything!
 
Don't run any other options, they're not all bad!!!!!!!
 
Post back the report which should be located on your desktop.


#5 vanillaskittles

vanillaskittles
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:41 PM

Posted 01 March 2013 - 12:33 AM

Here are the logs you asked for

 

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User : Gramma [Admin rights]
Mode : Scan -- Date : 02/28/2013 21:06:53
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK8032GSX +++++
--- User ---
[MBR] 3a76d3cc62ecb31315051826e0c36f2d
[BSP] 0865dbc3033a5b0d1557ae0b87d99f0b : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 74873 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_02282013_02d2106.txt >>
RKreport[1]_S_02282013_02d2106.txt
 

 

 

 


 Results of screen317's Security Check version 0.99.60  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!  
Please wait while WMIC compiles updated MOF files.
displayName
AVG AntiVirus Free Edition 2012
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Windows Defender Signatures   
 McAfee SiteAdvisor    
 Malwarebytes Anti-Malware version 1.70.0.1100  
 CCleaner     
 JavaFX 2.1.1    
 Java™ 7 Update 5  
 Java version out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
 Adobe Reader 10.1.5 Adobe Reader out of Date!  
 Mozilla Firefox 17.0.1 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 7%
````````````````````End of Log``````````````````````

 

 

 

 

# AdwCleaner v2.113 - Logfile created 02/28/2013 at 21:15:04
# Updated 23/02/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Gramma - KATHRYN
# Boot Mode : Safe mode with networking
# Running from : C:\Documents and Settings\Gramma\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\DOCUME~1\Gramma\LOCALS~1\Temp\Uninstall.exe
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Deleted : C:\Documents and Settings\All Users\Application Data\APN
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia

***** [Registry] *****

Key Deleted : HKCU\Software\FunWebProducts
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Search
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467E-B8D4-7786EDA79AE0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\mywebsearch bar uninstall
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Documents and Settings\Gramma\Application Data\Mozilla\Firefox\Profiles\4g82p0p7.default\prefs.js

Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");

*************************

AdwCleaner[R1].txt - [3020 octets] - [28/02/2013 21:11:18]
AdwCleaner[S1].txt - [2845 octets] - [28/02/2013 21:15:04]

########## EOF - C:\AdwCleaner[S1].txt - [2905 octets] ##########
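The RogueKiller "Registry Entries" block in the report above is the part that explains the symptoms from the first post: policy values that lock out regedit and Task Manager, Start menu toggles, and HideDesktopIcons entries that hide My Computer and the Recycle Bin. As an added example, not part of this thread or of RogueKiller, here is a small Python parser that reads a section in this format, maps the known value names and shell-folder CLSIDs to what they control, and reports which entries are currently set to the value that enforces the restriction. The sample report is constructed; the value meanings (1 = policy enforced, 0 = Start menu item hidden, 1 = desktop icon hidden) are the documented semantics of those Windows settings, and the `[...]` in the key paths is kept as RogueKiller prints it.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample (not the original poster's log), in the format of the
# "Registry Entries" section of a RogueKiller scan report.
SAMPLE_REPORT = r"""
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (0) -> FOUND
"""

# One RogueKiller registry line: [CATEGORY] HIVE\[...]\Key : Name (value) -> ACTION
ENTRY_RE = re.compile(
    r"^\[(?P<cat>[A-Z ]+)\] (?P<hive>HK[A-Z]+)\\\[\.\.\.\]\\(?P<key>\S+) : "
    r"(?P<name>\S+) \((?P<value>[^)]*)\) -> (?P<action>.+)$"
)

# Explorer policy values under ...\Policies\System: 1 = restriction enforced.
LOCKOUT_POLICIES = {
    "disableregistrytools": "blocks regedit.exe",
    "disabletaskmgr": "blocks Task Manager",
}
# Start menu toggles under ...\Explorer\Advanced: 0 = item hidden.
START_MENU_ITEMS = {
    "start_showuser": "the user's folder",
    "start_showmygames": "the Games folder",
}
# Shell folder CLSIDs under ...\Explorer\HideDesktopIcons\*: 1 = icon hidden.
DESKTOP_CLSIDS = {
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "My Computer",
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
}


@dataclass
class Finding:
    category: str
    hive: str
    key: str
    name: str
    value: str
    action: str
    effect: str   # what the entry controls
    active: bool  # True when the value currently enforces that effect


def classify(category: str, name: str, value: str) -> tuple[str, bool]:
    """Map a RogueKiller entry to a readable effect and whether it is in force now."""
    v = value.strip()
    if category == "HJPOL":
        return LOCKOUT_POLICIES.get(name.lower(), f"policy {name}"), v == "1"
    if category == "HJ SMENU":
        return f"hides Start menu item {START_MENU_ITEMS.get(name.lower(), name)}", v == "0"
    if category == "HJ DESK":
        return f"hides desktop icon {DESKTOP_CLSIDS.get(name.upper(), name)}", v == "1"
    return f"unrecognised category {category}", False


def parse_report(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines and other sections are skipped
        effect, active = classify(m["cat"], m["name"], m["value"])
        findings.append(Finding(m["cat"], m["hive"], m["key"], m["name"],
                                m["value"], m["action"], effect, active))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Split findings into those enforcing a restriction now and those merely present."""
    def label(f: Finding) -> str:
        return f"{f.hive}\\...\\{f.key}\\{f.name}: {f.effect}"
    return {
        "total": len(findings),
        "active": [label(f) for f in findings if f.active],
        "present_but_inactive": [label(f) for f in findings if not f.active],
    }


if __name__ == "__main__":
    for section, items in summarize(parse_report(SAMPLE_REPORT)).items():
        print(section, items)
```

On the report posted above, the two HJPOL entries are at (0), so this parser would list them as present but not enforcing anything, while the six HJ DESK entries at (1) and the two HJ SMENU entries at (0) come out as active, which matches the hidden desktop icons and stripped-down Start menu described in the first post.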



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:41 PM

Posted 01 March 2013 - 08:52 AM

 
 
Run RogueKiller again and click Scan.
When the scan completes, click on the Registry tab.
Put a check next to all of these items below and uncheck the rest (if found):
 
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
Now click Delete on the right hand column under Options
 
Post back the report which should be located on your desktop.
===
 
Secure your system by updating 3rd party programs.
 
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
 
Be careful not to install malware posing as a Java update!
Important: read this blog.
 
Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
 
How to disable Java in your browsers
 
You can manually check your present version and update as recommended.
 
If present remove the old version(s) of Java using the Add/Remove Programs applet.
 
 
Java™ 7 Update 5
 
 
Java 7 update 10 introduced important new security controls
You can read about it here.
 
Note
Java security update installs Ask Toolbar by default -- a single click in a multi-step installer.
I suggest that you un-check the box "Install the Ask Toolbar" before proceeding.
===
 
Get the latest version of the Adobe Reader.
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.
 
When installed remove your old version of the Reader using the Add/Remove Programs applet.
Adobe Reader 9 Adobe Reader out of Date!
Adobe Reader 10.1.5 Adobe Reader out of Date!
===
 
Remove the proxy settings if set.
 
In Internet Explorer go to Tools - Internet Options - Connections tab - LAN Settings and remove the reference to any site if found, then uncheck "Use a proxy server" and check "Automatically detect settings".
===
 
If you use Firefox in Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings. Select the Auto-detect proxy settings for this network option. Or no proxy if you do not need it.
===
 
Restart the computer normally.
Run ComboFix, post the log, and let me know what problem persists.


#7 vanillaskittles

vanillaskittles
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:41 PM

Posted 03 March 2013 - 11:51 PM

Here's the RogueKiller log you requested. I updated Java and Adobe and removed the old Java update, but I still can't access AVG to shut it down. Do you still want ComboFix run?

 

 

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User : Gramma [Admin rights]
Mode : Remove -- Date : 03/03/2013 19:10:10
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK8032GSX +++++
--- User ---
[MBR] 3a76d3cc62ecb31315051826e0c36f2d
[BSP] 0865dbc3033a5b0d1557ae0b87d99f0b : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 74873 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_D_03032013_02d1910.txt >>
RKreport[1]_S_02282013_02d2106.txt ; RKreport[2]_S_03032013_02d1907.txt ; RKreport[3]_D_03032013_02d1910.txt


 



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:41 PM

Posted 04 March 2013 - 11:42 AM

Run this tool to remove AVG.
 
Please download the AVG Remover tool and save it to your Desktop.
Select the tool that matches your operating system (32- or 64-bit) and the version of AVG installed.
  • Close all programs and double-click the AVG removal tool, then click Run.
  • In Vista/Win7, right-click and choose 'Run as administrator'. 
  • Follow the on-screen instructions.
  • Restart your computer if asked.
  • Then delete AVG Removal tool from your desktop.
  •  
    Run ComboFix save the log.
     
    Reinstall AVG and post the ComboFix log.


    #9 vanillaskittles
    • Topic Starter
    • Members
    • 7 posts

    Posted 07 March 2013 - 01:09 AM

    ComboFix 13-03-05.01 - Gramma 03/05/2013   9:17.1.2 - x86
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.528 [GMT -8:00]
    Running from: c:\documents and settings\Gramma\Desktop\ComboFix.exe
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\Adobe\gccheck.exe
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfapx.exe
    c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfarx.dll
    c:\documents and settings\All Users\Application Data\TEMP\AVG\avgntdumpx.exe
    c:\documents and settings\All Users\Application Data\TEMP\AVG\avgrunasx.exe
    c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg
    c:\documents and settings\All Users\Application Data\TEMP\AVG\compat.ini
    c:\documents and settings\All Users\Application Data\TEMP\AVG\htmlayout.dll
    c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_es.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaconf.txt
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfacz.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfada.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaes.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfafr.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfage.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfahu.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaid.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfain.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfait.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfajp.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfako.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfams.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfanl.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapb.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapl.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapt.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaru.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasc.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfask.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasp.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfatr.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaus.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfavera.txt
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaverx.txt
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazh.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazt.lns
    c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg
    c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg
    c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
    c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
    c:\documents and settings\All Users\Application Data\VJqeiIpbxgLlY
    c:\documents and settings\Gramma\Application Data\alot
    c:\documents and settings\Gramma\Application Data\alot\BrowserSearch\BrowserSearch.xml
    c:\documents and settings\Gramma\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\Button_0\Button_0.xml
    c:\documents and settings\Gramma\Application Data\alot\Button_0\Button_0.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\Button_1\Button_1.xml
    c:\documents and settings\Gramma\Application Data\alot\Button_1\Button_1.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\Button_2\Button_2.xml
    c:\documents and settings\Gramma\Application Data\alot\Button_2\Button_2.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\Button_3\Button_3.xml
    c:\documents and settings\Gramma\Application Data\alot\Button_3\Button_3.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\Button_4\Button_4.xml
    c:\documents and settings\Gramma\Application Data\alot\Button_4\Button_4.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\Button_5\Button_5.xml
    c:\documents and settings\Gramma\Application Data\alot\Button_5\Button_5.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\Button_6\Button_6.xml
    c:\documents and settings\Gramma\Application Data\alot\Button_6\Button_6.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\Button_7\Button_7.xml
    c:\documents and settings\Gramma\Application Data\alot\Button_7\Button_7.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\Button_8\Button_8.xml
    c:\documents and settings\Gramma\Application Data\alot\Button_8\Button_8.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\configurator\configurator.xml
    c:\documents and settings\Gramma\Application Data\alot\configurator\configurator.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\contextMenu\contextMenu.xml
    c:\documents and settings\Gramma\Application Data\alot\contextMenu\contextMenu.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\ErrorSearch\ErrorSearch.xml
    c:\documents and settings\Gramma\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\postInstallLayout\postInstallLayout.xml
    c:\documents and settings\Gramma\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\products\products.xml
    c:\documents and settings\Gramma\Application Data\alot\products\products.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_1\images\alot_search_button.png
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_2\images\default_1033_alot_music_search.bmp
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_2\images\default_1033_alot_music_search.png
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_3\images\default_1891_www.grammy.com_button.bmp
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_3\images\default_1891_www.grammy.com_button.png
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_4\images\default_1029_alot_rss.bmp
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_4\images\default_1029_alot_rss.png
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_5\images\default_1743_www.mtv.com_button.bmp
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_5\images\default_1743_www.mtv.com_button.png
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_6\images\default_1100_alot_mus_mymusic.bmp
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_6\images\default_1100_alot_mus_mymusic.png
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_7\images\default_1726_rhapsody.bmp
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_7\images\default_1726_rhapsody.png
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_8\images\default_1602_alot_mrkt_livinghealthy.bmp
    c:\documents and settings\Gramma\Application Data\alot\Resources\Button_8\images\default_1602_alot_mrkt_livinghealthy.png
    c:\documents and settings\Gramma\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
    c:\documents and settings\Gramma\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
    c:\documents and settings\Gramma\Application Data\alot\Resources\Shared\images\alot_brand.png
    c:\documents and settings\Gramma\Application Data\alot\Resources\Shared\images\alot_splitter.png
    c:\documents and settings\Gramma\Application Data\alot\SiteMetrics\SiteMetrics.xml
    c:\documents and settings\Gramma\Application Data\alot\SiteMetrics\SiteMetrics.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\TimerManager\TimerManager.xml
    c:\documents and settings\Gramma\Application Data\alot\TimerManager\TimerManager.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\toolbar.xml
    c:\documents and settings\Gramma\Application Data\alot\toolbar.xml.backup
    c:\documents and settings\Gramma\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
    c:\documents and settings\Gramma\Application Data\alot\Updater\Updater.xml
    c:\documents and settings\Gramma\Application Data\alot\Updater\Updater.xml.backup
    c:\documents and settings\Gramma\Application Data\Microsoft\Internet Explorer\Quick Launch\System Repair.lnk
    c:\documents and settings\Gramma\Desktop\System Repair.lnk
    c:\documents and settings\Gramma\Start Menu\Programs\System Repair
    c:\documents and settings\Gramma\Start Menu\Programs\System Repair\System Repair.lnk
    c:\documents and settings\Gramma\Start Menu\Programs\System Repair\Uninstall System Repair.lnk
    c:\documents and settings\Gramma\WINDOWS
    c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
    c:\windows\system32\Cache
    c:\windows\system32\Cache\170af6dc289b08f5.fb
    c:\windows\system32\Cache\18a9ce1d419d28c6.fb
    c:\windows\system32\Cache\26c630d098e22dd5.fb
    c:\windows\system32\Cache\272512937d9e61a4.fb
    c:\windows\system32\Cache\287204568329e189.fb
    c:\windows\system32\Cache\28bc8f716fd76a47.fb
    c:\windows\system32\Cache\291fb76993856ff1.fb
    c:\windows\system32\Cache\2c53092c95605355.fb
    c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
    c:\windows\system32\Cache\32c84fe32bb74d60.fb
    c:\windows\system32\Cache\34f6b55e9f512bab.fb
    c:\windows\system32\Cache\3917078cb68ec657.fb
    c:\windows\system32\Cache\3aed500b815606d4.fb
    c:\windows\system32\Cache\590ba23ce359fd0c.fb
    c:\windows\system32\Cache\60b6aacb13969248.fb
    c:\windows\system32\Cache\610289e025a3ee9a.fb
    c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
    c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
    c:\windows\system32\Cache\6d03dad1035885d3.fb
    c:\windows\system32\Cache\7fd489efbc019a2f.fb
    c:\windows\system32\Cache\86c1ad1b596d8e21.fb
    c:\windows\system32\Cache\95f567698be8a182.fb
    c:\windows\system32\Cache\a8556537add6dfc5.fb
    c:\windows\system32\Cache\ad10a52aff5e038d.fb
    c:\windows\system32\Cache\c1fa887b03019701.fb
    c:\windows\system32\Cache\c4d28dca2e7648be.fb
    c:\windows\system32\Cache\d201ef9910cd39de.fb
    c:\windows\system32\Cache\d2e94710a5708128.fb
    c:\windows\system32\Cache\d79b9dfe81484ec4.fb
    c:\windows\system32\Cache\ddd70170be70d934.fb
    c:\windows\system32\Cache\e0de16f883bea794.fb
    c:\windows\system32\Cache\eaedf994dbb7ee66.fb
    c:\windows\system32\Cache\f5f2c58e54e41fcf.fb
    c:\windows\system32\Cache\f998975c9cc711ee.fb
    c:\windows\system32\SET163.tmp
    c:\windows\system32\SET5D.tmp
    c:\windows\system32\SET69.tmp
    c:\windows\system32\SETAC.tmp
    c:\windows\system32\SETAE.tmp
    c:\windows\system32\SETB1.tmp
    c:\windows\system32\SETC.tmp
    c:\windows\system32\SETD.tmp
    c:\windows\system32\URTTemp
    c:\windows\system32\URTTemp\fusion.dll
    c:\windows\system32\URTTemp\mscoree.dll
    c:\windows\system32\URTTemp\mscoree.dll.local
    c:\windows\system32\URTTemp\mscorsn.dll
    c:\windows\system32\URTTemp\mscorwks.dll
    c:\windows\system32\URTTemp\msvcr71.dll
    c:\windows\system32\URTTemp\regtlib.exe
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-02-05 to 2013-03-05  )))))))))))))))))))))))))))))))
    .
    .
    2013-03-04 04:12 . 2013-03-04 04:12    --------    d-----w-    c:\program files\Common Files\Java
    2013-03-04 04:12 . 2013-03-04 04:11    143872    ----a-w-    c:\windows\system32\javacpl.cpl
    2013-03-04 04:11 . 2013-03-04 04:11    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
    2013-03-04 04:11 . 2013-03-04 04:11    --------    d-----w-    c:\program files\Java
    2013-03-04 03:06 . 2013-03-04 03:06    15616    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
    2013-03-01 05:30 . 2013-03-01 05:30    15846768    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
    2013-02-25 08:18 . 2013-02-25 08:18    --------    d-----w-    c:\program files\VS Revo Group
    2013-02-25 07:18 . 2013-02-25 07:18    73696    ----a-w-    c:\program files\Mozilla Firefox\breakpadinjector.dll
    2013-02-25 07:18 . 2013-02-25 07:18    770384    ----a-w-    c:\program files\Mozilla Firefox\msvcr100.dll
    2013-02-25 07:18 . 2013-02-25 07:18    421200    ----a-w-    c:\program files\Mozilla Firefox\msvcp100.dll
    2013-02-25 07:18 . 2013-02-25 07:18    96224    ----a-w-    c:\program files\Mozilla Firefox\webapprt-stub.exe
    2013-02-25 07:18 . 2013-02-25 07:18    157272    ----a-w-    c:\program files\Mozilla Firefox\webapp-uninstaller.exe
    2013-02-25 06:57 . 2013-02-25 06:57    35144    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
    2013-02-22 06:56 . 2013-02-22 06:58    --------    dc-h--w-    c:\windows\ie8
    2013-02-22 06:56 . 2013-02-22 06:58    --------    d--h--w-    c:\windows\msdownld.tmp
    2013-02-22 06:01 . 2013-02-22 06:01    --------    d-----w-    c:\documents and settings\Gramma\Application Data\Ashampoo
    2013-02-22 06:01 . 2013-02-22 06:01    --------    d-----w-    c:\documents and settings\Gramma\Local Settings\Application Data\ashampoo
    2013-02-22 06:00 . 2013-02-22 06:01    --------    d-----w-    c:\documents and settings\All Users\Application Data\Ashampoo
    2013-02-22 06:00 . 2013-02-22 06:00    --------    d-----w-    c:\program files\Ashampoo
    2013-02-22 04:57 . 2013-02-22 05:15    --------    d-----w-    c:\program files\Cobian Backup 11
    2013-02-21 06:26 . 2013-02-25 06:57    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
    2013-02-21 06:26 . 2013-02-21 06:26    --------    d-----w-    c:\documents and settings\Gramma\Application Data\Malwarebytes
    2013-02-21 06:26 . 2013-02-21 06:26    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
    2013-02-21 06:26 . 2013-02-21 06:26    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
    2013-02-21 06:26 . 2012-12-15 00:49    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
    2013-02-21 03:25 . 2013-02-21 03:25    --------    d-----w-    c:\windows\PIF
    2013-02-21 00:45 . 2013-02-21 00:45    --------    d-----w-    C:\TDSSKiller_Quarantine
    2013-02-20 20:15 . 2013-02-20 20:15    --------    d-----w-    c:\windows\Sun
    2013-02-15 22:04 . 2013-02-15 22:04    208448    ----a-w-    c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2013-02-15 22:04 . 2013-02-15 22:04    208448    ----a-w-    c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-03-04 04:11 . 2012-08-08 16:50    782240    ----a-w-    c:\windows\system32\deployJava1.dll
    2013-03-04 04:11 . 2012-08-08 16:50    861088    ----a-w-    c:\windows\system32\npDeployJava1.dll
    2013-03-01 05:30 . 2012-08-07 22:52    691568    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
    2013-03-01 05:30 . 2011-09-12 20:16    71024    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-02-19 20:31 . 2012-11-10 22:50    33112    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
    2013-01-26 03:55 . 2004-08-10 11:00    552448    ----a-w-    c:\windows\system32\oleaut32.dll
    2013-01-07 01:19 . 2004-08-10 11:00    2148864    ----a-w-    c:\windows\system32\ntoskrnl.exe
    2013-01-07 00:37 . 2004-08-03 22:59    2027520    ----a-w-    c:\windows\system32\ntkrnlpa.exe
    2013-01-04 01:20 . 2004-08-10 11:00    1867264    ----a-w-    c:\windows\system32\win32k.sys
    2013-01-02 06:49 . 2004-08-10 11:00    1292288    ----a-w-    c:\windows\system32\quartz.dll
    2012-12-26 20:16 . 2004-08-10 11:00    916480    ----a-w-    c:\windows\system32\wininet.dll
    2012-12-26 20:16 . 2004-08-10 11:00    43520    ----a-w-    c:\windows\system32\licmgr10.dll
    2012-12-26 20:16 . 2004-08-10 11:00    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
    2012-12-24 06:40 . 2004-08-10 11:00    385024    ----a-w-    c:\windows\system32\html.iec
    2012-12-16 12:23 . 2004-08-10 11:00    290560    ----a-w-    c:\windows\system32\atmfd.dll
    2013-02-25 07:18 . 2011-12-24 19:58    262112    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Works Calendar Reminders.lnk -  [N/A]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute    REG_MULTI_SZ       autocheck autochk *\0c:\progra~1\avg\avg2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages    REG_MULTI_SZ       msv1_0 nwprovau
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Gramma^Start Menu^Programs^Startup^Stickies.lnk]
    path=c:\documents and settings\Gramma\Start Menu\Programs\Startup\Stickies.lnk
    backup=c:\windows\pss\Stickies.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-12-18 19:08    946352    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2011-11-02 07:25    59240    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2007-04-04 01:50    1603152    ----a-w-    c:\program files\Canon\MyPrinter\BJMYPRT.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2007-05-15 01:01    644696    ----a-w-    c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12    15360    ----a-w-    c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-05 20:56    64512    ----a-w-    c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2005-12-14 00:41    77824    ----a-w-    c:\windows\system32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2005-12-14 00:45    118784    ----a-w-    c:\windows\system32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2005-12-14 00:44    98304    ----a-w-    c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
    2005-12-28 18:56    602182    ----a-w-    c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
    2005-12-28 18:55    667718    ----a-w-    c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-12-08 09:36    421736    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
    2000-08-08 20:00    311350    ----a-w-    c:\program files\Microsoft Works\wkssb.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    2000-08-08 20:00    28739    ----a-w-    c:\program files\Microsoft Works\WkDetect.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    2007-02-04 19:02    79400    ----a-w-    c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
    2001-09-06 10:45    36864    ----a-w-    c:\windows\system32\spool\drivers\w32x86\2\printray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 22:28    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2005-09-10 01:19    393216    ----a-w-    c:\windows\stsystra.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2006-10-25 16:03    210472    ----a-w-    c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Stickies]
    2006-03-30 04:03    348160    ----a-w-    c:\program files\Stickies\stickies.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2007-07-30 19:42    68856    ----a-w-    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2006-03-08 19:48    761947    ----a-w-    c:\program files\Synaptics\SynTP\SynTPEnh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 03:05    204288    ------w-    c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
    2000-08-08 20:00    24576    ----a-w-    c:\program files\Microsoft Works\wkfud.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [11/10/2012 2:50 PM 33112]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [12/23/2010 8:15 PM 95232]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys --> c:\windows\system32\DRIVERS\avgidsdriverx.sys [?]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys --> c:\windows\system32\DRIVERS\avgidsfilterx.sys [?]
    S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2/24/2013 10:57 PM 35144]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/20/2013 10:26 PM 40776]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 4:49 AM 227232]
    S3 Usbatos;LGE SP DL USB Serial Port;c:\windows\system32\drivers\lgusbatos.sys [11/12/2009 11:53 AM 22016]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper    REG_MULTI_SZ       getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-03-04 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-07 05:30]
    .
    2013-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 01:57]
    .
    2013-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-05 23:43]
    .
    2013-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-05 23:43]
    .
    2013-03-05 c:\windows\Tasks\User_Feed_Synchronization-{5043E0DB-6247-427F-A440-8165CC2C927F}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 12:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Define - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    Trusted Zone: microsoft.com\office
    Trusted Zone: office,microsoft.com
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-60946946.sys
    MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG2012\avgtray.exe
    MSConfigStartUp-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe
    MSConfigStartUp-LXSUPMON - c:\windows\system32\LXSUPMON.EXE
    MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
    MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    MSConfigStartUp-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
    MSConfigStartUp-vProt - c:\program files\AVG Secure Search\vprot.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-03-05 09:26
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...  
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...  
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2013-03-05  09:28:03
    ComboFix-quarantined-files.txt  2013-03-05 17:28
    .
    Pre-Run: 55,009,394,688 bytes free
    Post-Run: 55,916,728,320 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptOut
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition"=optin /fastdetect
    .
    - - End Of File - - D35BEEED0B4BA04EC5948F67E4BBE24B
     



    #10 nasdaq

    nasdaq

    • Malware Response Team
    • 39,531 posts
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:10:41 PM

    Posted 07 March 2013 - 08:33 AM

    Looking better.

     

    Did you reinstall AVG, if not do it.

     

    Any remaining issues with this computer?



    #11 vanillaskittles

    vanillaskittles
    • Topic Starter

    • Members
    • 7 posts
    • Local time:07:41 PM

    Posted 10 March 2013 - 07:27 AM

    I tried to reinstall AVG, but it kept having problems so I pulled it and installed avast instead.  Avast picked up 3 infected files - win32 and mbr and a bunch of stuff on the bootkit scan which got deleted.  The full scan is now coming out clean, but I'm still having the same problems with mbam and internet explorer, and microsoft word is now giving me this weird error every time I open it  - An error occurred & this feature is no longer functioning properly - run setup & select repair to restore this application - which I'm still in the middle of trying to fix. 



    #12 nasdaq

    nasdaq

    • Malware Response Team
    • 39,531 posts
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:10:41 PM

    Posted 10 March 2013 - 09:20 AM

    Check to make sure you have all the necessary Operating system files.
     
    From the Start menu, select Run. 
    In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow) 
    Select the OK button. 
    Follow the prompts throughout the System File Checker process. 
    Reboot the computer when System File Checker completes.


    #13 nasdaq

    nasdaq

    • Malware Response Team
    • 39,531 posts
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:10:41 PM

    Posted 16 March 2013 - 08:23 AM

    Are you still with me?

    #14 vanillaskittles

    vanillaskittles
    • Topic Starter

    • Members
    • 7 posts
    • Local time:07:41 PM

    Posted 17 March 2013 - 12:33 AM

    Yes, sorry, still here.  I don't have the Windows XP CD to run scannow, so I'm working through some of the other help posts to try to get around that.



    #15 nasdaq

    nasdaq

    • Malware Response Team
    • 39,531 posts
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:10:41 PM

    Posted 23 March 2013 - 08:40 AM

    Where do we stand?





