# svchost.exe high CPU usage & system freezes up



## Actuarial (Nov 10, 2011)

Hi, I recently got one of my company's old PCs, an HP d530 with XP Pro (and I installed SP3). Here's a summary of the things I've done since getting it last week: IE 8, AVG 2012 Free, ZoneAlarm free firewall, OpenOffice 3, Firefox, all the Windows updates available, Java, 7-Zip, Adobe Flash, Adobe Reader X. I also ran CCleaner as part of my attempt to solve the problems described below.

There have been a couple of issues that I've seemingly fixed, such as it asking me to reactivate XP (good thing the sticker with the key is still on the tower) and AVG not recognizing the license (or something similar... had to reinstall). There are also 21 updates that keep failing to install for some reason. I've also tried the "patches" that are supposed to fix the common svchost.exe usage problem (WindowsXP-KB927891-v3-x86-ENU and windowsupdateagent30-x86), but I get an error message telling me they're unnecessary because my current SP is more recent.

The main issue at this point is frequent freezes, seemingly coinciding with svchost.exe using the majority, if not all, of my CPU capacity, usually when I'm using either Firefox or IE. The first thing to freeze up is always the bottom taskbar and start menu. I can usually still type things in my browser, open desktop folders, etc. for a little while when this happens, but when I drag my cursor over the taskbar, I just see an "I-beam" cursor... I can't actually select anything like the start menu, quick launch icons, etc. I also cannot open the Task Manager (Ctrl+Alt+Del will make it "think" for a bit and then do nothing). After a while, I can still see the mouse moving around, but I can't do anything on the desktop or in any applications that are open. At this point, I just need to manually reboot. Thanks in advance for any help. Here are the requested logs:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:00:24 PM, on 11/9/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 5233 bytes

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702
Run by Saleshp530 at 20:07:06 on 2011-11-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1143.540 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *Enabled* 
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\\SetRefresh.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: microsoft.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{EAA6C7BB-2F30-4C1A-8CCE-FC10E8EA2088} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxsrvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\saleshp530\application data\mozilla\firefox\profiles\h5b72xtp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Security Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-11-5 532224]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-2-15 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-2-15 488952]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
.
=============== Created Last 30 ================
.
2011-11-10 00:56:12 388096 ----a-r- c:\documents and settings\saleshp530\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-11-10 00:56:12 -------- d-----w- c:\program files\Trend Micro
2011-11-09 01:36:31 -------- d--h--w- C:\$AVG
2011-11-07 01:31:38 -------- d-----w- c:\windows\system32\NtmsData
2011-11-06 22:57:20 -------- d-----w- c:\windows\system32\drivers\AVG
2011-11-06 22:19:18 -------- d-----w- c:\program files\CCleaner
2011-11-06 17:18:30 -------- d-----w- c:\windows\ie8updates
2011-11-06 15:00:27 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-11-06 14:59:20 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-11-06 14:59:16 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-11-06 14:57:52 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-11-06 14:57:23 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-11-06 14:57:05 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-11-06 14:57:04 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-11-06 14:57:03 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-11-06 14:57:02 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-11-06 14:57:02 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-11-06 14:57:01 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-11-06 14:53:53 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-11-06 14:53:29 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-11-06 04:46:20 -------- d-----w- c:\windows\pss
2011-11-06 04:01:48 -------- d-----w- c:\documents and settings\saleshp530\local settings\application data\Adobe
2011-11-06 00:20:25 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-06 00:11:54 -------- d-----w- c:\windows\system32\appmgmt
2011-11-05 18:46:24 -------- d-----w- C:\Shaun
2011-11-05 18:03:38 -------- d-----w- c:\windows\system32\scripting
2011-11-05 18:03:38 -------- d-----w- c:\windows\l2schemas
2011-11-05 18:03:37 -------- d-----w- c:\windows\system32\en
2011-11-05 18:03:36 -------- d-----w- c:\windows\system32\bits
2011-11-05 17:50:55 -------- d-----w- c:\windows\network diagnostic
2011-11-05 17:30:42 -------- d-----w- c:\documents and settings\saleshp530\application data\CheckPoint
2011-11-05 17:30:11 0 ------w- c:\windows\system32\ConduitEngine.tmp
2011-11-05 17:30:11 -------- d-----w- c:\documents and settings\saleshp530\local settings\application data\ZoneAlarm_Security
2011-11-05 17:30:09 -------- d-----w- c:\documents and settings\saleshp530\local settings\application data\Temp
2011-11-05 17:30:09 -------- d-----w- c:\documents and settings\saleshp530\local settings\application data\Conduit
2011-11-05 17:30:08 -------- d-----w- c:\program files\ZoneAlarm_Security
2011-11-05 17:29:49 -------- d-----w- c:\program files\CheckPoint
2011-11-05 17:29:26 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-11-05 17:29:26 -------- d-----w- c:\windows\system32\ZoneLabs
2011-11-05 17:24:43 -------- d-----w- c:\program files\Zone Labs
2011-11-05 17:23:14 -------- d-----w- c:\windows\Internet Logs
2011-11-05 16:35:05 -------- d-----w- c:\documents and settings\saleshp530\local settings\application data\Mozilla
2011-11-05 16:24:31 -------- d-----w- c:\documents and settings\saleshp530\application data\AVG2012
2011-11-05 16:22:54 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-11-05 16:22:51 221184 ------w- c:\windows\system32\wmpns.dll
2011-11-05 16:22:05 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-11-05 16:21:22 -------- d-----w- c:\program files\AVG
2011-11-05 16:19:02 -------- d-----w- c:\windows\ServicePackFiles
2011-11-05 16:17:21 21504 ------w- c:\windows\system32\drivers\hidserv.dll
2011-11-05 16:16:09 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-11-05 16:00:22 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2011-11-05 15:47:49 -------- d-----w- c:\documents and settings\saleshp530\application data\OpenOffice.org
2011-11-05 15:45:59 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-11-05 15:45:17 -------- d-----w- c:\program files\OpenOffice.org 3
2011-11-05 15:44:56 73728 ------w- c:\windows\system32\javacpl.cpl
2011-11-05 15:44:56 472808 ------w- c:\windows\system32\deployJava1.dll
2011-11-05 15:43:57 5120 ------w- c:\windows\system32\xpsp4res.dll
2011-11-05 15:43:57 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2011-11-05 15:43:24 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-11-05 15:43:19 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-11-05 15:43:16 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-11-05 15:42:51 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-11-05 15:42:51 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-11-05 15:42:04 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-11-05 15:34:05 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-11-05 15:32:39 -------- d-sh--w- c:\documents and settings\saleshp530\PrivacIE
2011-11-05 15:31:23 -------- d-sh--w- c:\documents and settings\saleshp530\IETldCache
2011-11-05 15:29:35 -------- dc-h--w- c:\windows\ie8
2011-11-05 15:21:03 -------- d-----w- c:\windows\system32\PreInstall
2011-11-05 15:21:02 26144 ------w- c:\windows\system32\spupdsvc.exe
2011-11-05 15:21:01 -------- d--h--w- c:\windows\$hf_mig$
2011-11-05 15:06:53 -------- d-sh--w- c:\documents and settings\saleshp530\UserData
2011-11-05 15:06:32 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-11-05 14:55:00 12160 -c----w- c:\windows\system32\dllcache\mouhid.sys
2011-11-05 14:55:00 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-11-05 14:54:57 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-11-05 14:54:53 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
.
==================== Find3M ====================
.
2011-10-07 10:23:48 230608 ------w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 10:21:42 16720 ------w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-26 16:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 10:30:10 32592 ------w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-07 16:20:06 44 ------w- c:\windows\system32\msssc.dll
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ------w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-60JKA0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8764349F]<< 
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8764a728]; MOV EAX, [0x8764a89c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x87F84AB8]
3 CLASSPNP[0xBA0E8FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005c[0x87FE15E0]
5 ACPI[0xBA05F620] -> nt!IofCallDriver[0x804E37D5] -> [0x87F5B940]
\Driver\atapi[0x87C819B0] -> IRP_MJ_CREATE -> 0x8764349F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x876432C6
user & kernel MBR OK 
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:09:05.18 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-11-09 20:15:11
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-60JKA0 rev.05.01C05
Running: n46x38k8.exe; Driver: C:\DOCUME~1\SALESH~1\LOCALS~1\Temp\kwayrfow.sys

---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 [email protected] code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 876432C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 876432C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 876432C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 876432C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 876432C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-12 876432C6
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- EOF - GMER 1.0.15 ----

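The DDS "ROOTKIT" section and the GMER quick scan above carry the indicators that matter in this thread. As an added example (not code from the thread or from the GMER/DDS tools), this Python script parses a constructed excerpt of those lines, separates the attributed AV/firewall filter drivers from the bare-address atapi DriverStartIo hook and the UNKNOWN module in the disk call chain, and shows that the hook targets share one 64 KiB region of kernel pool memory rather than sitting in any loaded driver image.

```python
"""Triage of DDS 'ROOTKIT' section and GMER quick-scan lines (added example).

Not code from the thread or from the GMER/DDS tools. It reads the line shapes
shown in the logs above and separates benign filter-driver attachments (AVG,
ZoneAlarm) from the indicators a TDL3/TDL4-style MBR rootkit leaves behind:
a DriverStartIo hook on atapi that points at a bare address rather than a
named module, an UNKNOWN module in the disk I/O call chain, and GMER's
sector-00 verdict.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt modelled on the DDS and GMER lines in the post; not a live capture.
SAMPLE_LOG = r"""called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8764349F]<<
\Driver\atapi[0x87C819B0] -> IRP_MJ_CREATE -> 0x8764349F
detected hooks:
\Driver\atapi DriverStartIo -> 0x876432C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 876432C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 876432C6
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
"""


@dataclass
class Finding:
    severity: str      # "high" for rootkit indicators, "info" for attributed filters
    kind: str
    detail: str
    address: int = 0   # hook/target address when the line carries one


# DDS: "\Driver\atapi DriverStartIo -> 0x876432C6"
DDS_HOOK = re.compile(r"^\\Driver\\(\w+) DriverStartIo -> 0x([0-9A-Fa-f]+)$")
# GMER: "Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 876432C6"
GMER_HOOK = re.compile(r"^Device \\Driver\\(\w+) -> DriverStartIo (\S+) ([0-9A-Fa-f]+)$")
# DDS disk trace: "... hal.dll >>UNKNOWN [0x8764349F]<<"
UNKNOWN_MOD = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
# DDS: "\Driver\atapi[0x87C819B0] -> IRP_MJ_CREATE -> 0x8764349F"
IRP_REDIRECT = re.compile(r"^\\Driver\\(\w+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> 0x([0-9A-Fa-f]+)$")
# GMER: "Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior"
SECTOR = re.compile(r"^Disk (\S+) sector (\d+): (.+)$")
# DDS: "Warning: possible TDL3 rootkit infection !"
WARNING = re.compile(r"^Warning: possible (\S+) rootkit infection")
# Attachments that resolve to a named module with a vendor string in parentheses.
NAMED_FILTER = re.compile(r"^(?:AttachedDevice|Device) (\S+) (\S+) (\S+\.[sS][yY][sS]) \((.+)\)$")


def triage(log_text: str) -> List[Finding]:
    """Classify each recognised line; lines of other shapes are ignored."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := DDS_HOOK.match(line):
            findings.append(Finding("high", "DriverStartIo hook",
                            f"{m[1]} DriverStartIo -> 0x{m[2]} (no owning module)", int(m[2], 16)))
        elif m := GMER_HOOK.match(line):
            findings.append(Finding("high", "DriverStartIo hook",
                            f"{m[1]} on {m[2]} -> 0x{m[3]} (no owning module)", int(m[3], 16)))
        elif m := IRP_REDIRECT.match(line):
            findings.append(Finding("high", "IRP dispatch redirect",
                            f"{m[1]} {m[2]} -> 0x{m[3]}", int(m[3], 16)))
        elif m := UNKNOWN_MOD.search(line):
            findings.append(Finding("high", "unknown module in disk call chain",
                            f"0x{m[1]}", int(m[1], 16)))
        elif m := SECTOR.match(line):
            findings.append(Finding("high", "sector verdict", f"{m[1]} sector {m[2]}: {m[3]}"))
        elif m := WARNING.match(line):
            findings.append(Finding("high", "tool warning", f"possible {m[1]} rootkit"))
        elif m := NAMED_FILTER.match(line):
            # A filter that resolves to a named driver with a vendor string is the
            # AV/firewall stack, not an indicator: list it for the analyst to confirm
            # the vendor, but do not raise it.
            findings.append(Finding("info", "attributed filter", f"{m[3]} on {m[2]} ({m[4]})"))
    return findings


def hook_addresses_by_region(findings: List[Finding]) -> dict:
    """Group high-severity target addresses by 64 KiB region (address >> 16).

    Hook targets from an injected rootkit normally sit together in one
    dynamically allocated pool block, outside every loaded driver image.
    Seeing the DriverStartIo target, the IRP_MJ_CREATE target and the
    UNKNOWN module share a region is what ties those lines together.
    """
    regions: dict = {}
    for f in findings:
        if f.severity == "high" and f.address:
            regions.setdefault(f.address >> 16, set()).add(f.address)
    return regions


def summarise(findings: List[Finding]) -> str:
    """One line per finding, high severity first, suitable for pasting into a reply."""
    ordered = sorted(findings, key=lambda f: (f.severity != "high", f.kind))
    return "\n".join(f"[{f.severity.upper():4}] {f.kind}: {f.detail}" for f in ordered)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(summarise(found))
    regions = hook_addresses_by_region(found)
    print("regions:", {hex(k << 16): sorted(map(hex, v)) for k, v in regions.items()})
```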

----------



## Actuarial (Nov 10, 2011)

Bump


----------



## Actuarial (Nov 10, 2011)

Bump


----------



## Cookiegal (Aug 27, 2003)

Please go to the following link and run TDSSKiller:

http://support.kaspersky.com/viruses/solutions?qid=208280684

Allow it to cure anything if prompted.

Please post the log back here.


----------



## Actuarial (Nov 10, 2011)

Hi Cookiegal, I ran it, and it cured 1 item... then it told me to reboot, but I wasn't sure if it was done running before it rebooted, so I ran it again after the reboot, and it found nothing wrong. I'm assuming the log you want to see is the HijackThis log, so it's pasted below. Thanks.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:08:39 PM, on 11/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [ZoneAlarm Installer] "C:\Program Files\CheckPoint\Install\Launcher.exe" "C:\Program Files\CheckPoint\Install\Install.exe" /r download /c "C:\Program Files\CheckPoint\Install\Install.xml" /l /w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 4516 bytes


----------



## Cookiegal (Aug 27, 2003)

No, it's the TDSSKiller log I wanted to see. It should be at C:\TDSSKiller.**********log.txt (the stars represent the version number and date). Please post that log.


----------



## Actuarial (Nov 10, 2011)

Oh sorry, I didn't see a log pop up on the screen or get saved to my desktop (where the application was saved), so I didn't realize it created one. Here's the log from the first run (with the cure). Thanks.

18:51:30.0031 3896 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
18:51:30.0171 3896 ============================================================
18:51:30.0171 3896 Current date / time: 2011/11/12 18:51:30.0171
18:51:30.0171 3896 SystemInfo:
18:51:30.0171 3896 
18:51:30.0171 3896 OS Version: 5.1.2600 ServicePack: 3.0
18:51:30.0171 3896 Product type: Workstation
18:51:30.0171 3896 ComputerName: SALES530-0AEDD9
18:51:30.0171 3896 UserName: Saleshp530
18:51:30.0171 3896 Windows directory: C:\WINDOWS
18:51:30.0171 3896 System windows directory: C:\WINDOWS
18:51:30.0171 3896 Processor architecture: Intel x86
18:51:30.0171 3896 Number of processors: 1
18:51:30.0171 3896 Page size: 0x1000
18:51:30.0171 3896 Boot type: Normal boot
18:51:30.0171 3896 ============================================================
18:51:35.0468 3896 Initialize success
18:52:16.0453 3316 ============================================================
18:52:16.0453 3316 Scan started
18:52:16.0453 3316 Mode: Manual; 
18:52:16.0453 3316 ============================================================
18:52:17.0421 3316 Abiosdsk - ok
18:52:17.0468 3316 abp480n5 - ok
18:52:17.0515 3316 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:52:17.0515 3316 ACPI - ok
18:52:17.0671 3316 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:52:17.0921 3316 ACPIEC - ok
18:52:18.0046 3316 adpu160m - ok
18:52:18.0109 3316 aeaudio (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
18:52:18.0109 3316 aeaudio - ok
18:52:18.0281 3316 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:52:18.0281 3316 aec - ok
18:52:18.0359 3316 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
18:52:18.0390 3316 AFD - ok
18:52:18.0484 3316 Aha154x - ok
18:52:18.0531 3316 aic78u2 - ok
18:52:18.0562 3316 aic78xx - ok
18:52:18.0671 3316 AliIde - ok
18:52:18.0796 3316 amsint - ok
18:52:18.0828 3316 asc - ok
18:52:18.0859 3316 asc3350p - ok
18:52:18.0875 3316 asc3550 - ok
18:52:18.0921 3316 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:52:18.0921 3316 AsyncMac - ok
18:52:19.0078 3316 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:52:19.0078 3316 atapi - ok
18:52:19.0171 3316 Atdisk - ok
18:52:19.0250 3316 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:52:19.0250 3316 Atmarpc - ok
18:52:19.0437 3316 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:52:19.0437 3316 audstub - ok
18:52:19.0609 3316 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
18:52:19.0609 3316 AVGIDSDriver - ok
18:52:19.0765 3316 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
18:52:19.0781 3316 AVGIDSEH - ok
18:52:19.0812 3316 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
18:52:19.0812 3316 AVGIDSFilter - ok
18:52:19.0968 3316 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
18:52:19.0968 3316 AVGIDSShim - ok
18:52:20.0046 3316 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
18:52:20.0062 3316 Avgldx86 - ok
18:52:20.0218 3316 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
18:52:20.0218 3316 Avgmfx86 - ok
18:52:20.0265 3316 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
18:52:20.0265 3316 Avgrkx86 - ok
18:52:20.0468 3316 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
18:52:20.0500 3316 Avgtdix - ok
18:52:20.0656 3316 b57w2k (5175e788bcd1cb7345ab21f3e14369d2) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
18:52:20.0656 3316 b57w2k - ok
18:52:20.0828 3316 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:52:20.0828 3316 Beep - ok
18:52:20.0859 3316 Blfp (9b53d428de0a2566a03499d7aa48dec4) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
18:52:20.0875 3316 Blfp - ok
18:52:21.0031 3316 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:52:21.0062 3316 cbidf2k - ok
18:52:21.0171 3316 cd20xrnt - ok
18:52:21.0234 3316 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:52:21.0281 3316 Cdaudio - ok
18:52:21.0468 3316 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:52:21.0468 3316 Cdfs - ok
18:52:21.0625 3316 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:52:21.0625 3316 Cdrom - ok
18:52:21.0750 3316 Changer - ok
18:52:21.0781 3316 CmdIde - ok
18:52:21.0812 3316 Cpqarray - ok
18:52:21.0843 3316 dac2w2k - ok
18:52:21.0859 3316 dac960nt - ok
18:52:21.0906 3316 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:52:21.0906 3316 Disk - ok
18:52:22.0062 3316 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:52:22.0093 3316 dmboot - ok
18:52:22.0234 3316 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
18:52:22.0250 3316 dmio - ok
18:52:22.0281 3316 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:52:22.0281 3316 dmload - ok
18:52:22.0421 3316 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:52:22.0421 3316 DMusic - ok
18:52:22.0453 3316 dpti2o - ok
18:52:22.0609 3316 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:52:22.0609 3316 drmkaud - ok
18:52:22.0671 3316 E1000 (3044851b3c5286a908a6a4d1166328aa) C:\WINDOWS\system32\DRIVERS\e1000325.sys
18:52:22.0671 3316 E1000 - ok
18:52:22.0843 3316 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:52:22.0843 3316 Fastfat - ok
18:52:23.0000 3316 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
18:52:23.0000 3316 Fdc - ok
18:52:23.0031 3316 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
18:52:23.0031 3316 Fips - ok
18:52:23.0187 3316 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
18:52:23.0187 3316 Flpydisk - ok
18:52:23.0218 3316 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
18:52:23.0218 3316 FltMgr - ok
18:52:23.0375 3316 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:52:23.0375 3316 Fs_Rec - ok
18:52:23.0437 3316 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:52:23.0437 3316 Ftdisk - ok
18:52:23.0562 3316 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:52:23.0562 3316 Gpc - ok
18:52:23.0671 3316 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:52:23.0671 3316 HidUsb - ok
18:52:23.0734 3316 hpn - ok
18:52:23.0843 3316 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
18:52:23.0875 3316 HTTP - ok
18:52:24.0000 3316 i2omgmt - ok
18:52:24.0015 3316 i2omp - ok
18:52:24.0078 3316 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:52:24.0078 3316 i8042prt - ok
18:52:24.0234 3316 ialm (1406d6ef4436aee970efe13193123965) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
18:52:24.0234 3316 ialm - ok
18:52:24.0296 3316 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:52:24.0296 3316 Imapi - ok
18:52:24.0421 3316 ini910u - ok
18:52:24.0484 3316 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
18:52:24.0484 3316 IntelIde - ok
18:52:24.0640 3316 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
18:52:24.0656 3316 intelppm - ok
18:52:24.0703 3316 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
18:52:24.0703 3316 Ip6Fw - ok
18:52:24.0843 3316 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:52:24.0843 3316 IpFilterDriver - ok
18:52:24.0968 3316 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:52:24.0968 3316 IpInIp - ok
18:52:25.0046 3316 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:52:25.0062 3316 IpNat - ok
18:52:25.0171 3316 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:52:25.0187 3316 IPSec - ok
18:52:25.0250 3316 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:52:25.0250 3316 IRENUM - ok
18:52:25.0390 3316 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:52:25.0390 3316 isapnp - ok
18:52:25.0421 3316 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:52:25.0421 3316 Kbdclass - ok
18:52:25.0578 3316 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
18:52:25.0593 3316 kmixer - ok
18:52:25.0750 3316 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
18:52:25.0750 3316 KSecDD - ok
18:52:25.0765 3316 lbrtfdc - ok
18:52:25.0953 3316 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
18:52:25.0953 3316 mnmdd - ok
18:52:26.0000 3316 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
18:52:26.0156 3316 Modem - ok
18:52:26.0296 3316 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:52:26.0296 3316 Mouclass - ok
18:52:26.0343 3316 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:52:26.0343 3316 mouhid - ok
18:52:26.0515 3316 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:52:26.0515 3316 MountMgr - ok
18:52:26.0640 3316 mraid35x - ok
18:52:26.0703 3316 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:52:26.0703 3316 MRxDAV - ok
18:52:26.0875 3316 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:52:26.0890 3316 MRxSmb - ok
18:52:27.0031 3316 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:52:27.0031 3316 Msfs - ok
18:52:27.0078 3316 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:52:27.0078 3316 MSKSSRV - ok
18:52:27.0234 3316 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:52:27.0234 3316 MSPCLOCK - ok
18:52:27.0296 3316 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:52:27.0296 3316 MSPQM - ok
18:52:27.0437 3316 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:52:27.0437 3316 mssmbios - ok
18:52:27.0484 3316 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
18:52:27.0500 3316 Mup - ok
18:52:27.0625 3316 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:52:27.0625 3316 NDIS - ok
18:52:27.0765 3316 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:52:27.0765 3316 NdisTapi - ok
18:52:27.0828 3316 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:52:27.0828 3316 Ndisuio - ok
18:52:27.0968 3316 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:52:27.0968 3316 NdisWan - ok
18:52:28.0015 3316 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
18:52:28.0015 3316 NDProxy - ok
18:52:28.0171 3316 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:52:28.0171 3316 NetBIOS - ok
18:52:28.0328 3316 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:52:28.0328 3316 NetBT - ok
18:52:28.0500 3316 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:52:28.0515 3316 Npfs - ok
18:52:28.0562 3316 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:52:28.0593 3316 Ntfs - ok
18:52:28.0750 3316 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
18:52:28.0750 3316 NuidFltr - ok
18:52:28.0796 3316 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:52:28.0812 3316 Null - ok
18:52:28.0953 3316 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:52:28.0953 3316 NwlnkFlt - ok
18:52:29.0015 3316 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:52:29.0015 3316 NwlnkFwd - ok
18:52:29.0140 3316 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
18:52:29.0140 3316 Parport - ok
18:52:29.0296 3316 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:52:29.0296 3316 PartMgr - ok
18:52:29.0359 3316 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:52:29.0359 3316 ParVdm - ok
18:52:29.0500 3316 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:52:29.0531 3316 PCI - ok
18:52:29.0562 3316 PCIDump - ok
18:52:29.0703 3316 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:52:29.0703 3316 PCIIde - ok
18:52:29.0765 3316 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:52:29.0812 3316 Pcmcia - ok
18:52:29.0937 3316 PDCOMP - ok
18:52:29.0968 3316 PDFRAME - ok
18:52:29.0984 3316 PDRELI - ok
18:52:30.0000 3316 PDRFRAME - ok
18:52:30.0015 3316 perc2 - ok
18:52:30.0031 3316 perc2hib - ok
18:52:30.0109 3316 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:52:30.0109 3316 PptpMiniport - ok
18:52:30.0265 3316 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:52:30.0265 3316 PSched - ok
18:52:30.0343 3316 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:52:30.0343 3316 Ptilink - ok
18:52:30.0453 3316 ql1080 - ok
18:52:30.0609 3316 Ql10wnt - ok
18:52:30.0703 3316 ql12160 - ok
18:52:30.0765 3316 ql1240 - ok
18:52:30.0859 3316 ql1280 - ok
18:52:30.0937 3316 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:52:30.0953 3316 RasAcd - ok
18:52:31.0093 3316 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:52:31.0093 3316 Rasl2tp - ok
18:52:31.0125 3316 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:52:31.0125 3316 RasPppoe - ok
18:52:31.0281 3316 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:52:31.0281 3316 Raspti - ok
18:52:31.0390 3316 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:52:31.0406 3316 Rdbss - ok
18:52:31.0500 3316 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:52:31.0500 3316 RDPCDD - ok
18:52:31.0671 3316 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
18:52:31.0671 3316 rdpdr - ok
18:52:31.0843 3316 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
18:52:31.0843 3316 RDPWD - ok
18:52:31.0984 3316 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:52:31.0984 3316 redbook - ok
18:52:32.0140 3316 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:52:32.0140 3316 Secdrv - ok
18:52:32.0234 3316 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:52:32.0234 3316 serenum - ok
18:52:32.0343 3316 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
18:52:32.0359 3316 Serial - ok
18:52:32.0421 3316 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:52:32.0484 3316 Sfloppy - ok
18:52:32.0609 3316 Simbad - ok
18:52:32.0703 3316 smwdm (fa3368a7039f5abaa4b933703ac34763) C:\WINDOWS\system32\drivers\smwdm.sys
18:52:32.0734 3316 smwdm - ok
18:52:32.0828 3316 Sparrow - ok
18:52:32.0906 3316 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:52:32.0906 3316 splitter - ok
18:52:33.0015 3316 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
18:52:33.0031 3316 sr - ok
18:52:33.0140 3316 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
18:52:33.0171 3316 Srv - ok
18:52:33.0328 3316 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:52:33.0328 3316 swenum - ok
18:52:33.0375 3316 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:52:33.0375 3316 swmidi - ok
18:52:33.0515 3316 symc810 - ok
18:52:33.0531 3316 symc8xx - ok
18:52:33.0546 3316 sym_hi - ok
18:52:33.0562 3316 sym_u3 - ok
18:52:33.0625 3316 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:52:33.0640 3316 sysaudio - ok
18:52:33.0781 3316 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:52:33.0796 3316 Tcpip - ok
18:52:33.0937 3316 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:52:34.0015 3316 TDPIPE - ok
18:52:34.0156 3316 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:52:34.0203 3316 TDTCP - ok
18:52:34.0343 3316 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:52:34.0359 3316 TermDD - ok
18:52:34.0390 3316 TosIde - ok
18:52:34.0546 3316 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:52:34.0609 3316 Udfs - ok
18:52:34.0734 3316 ultra - ok
18:52:34.0796 3316 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:52:34.0812 3316 Update - ok
18:52:34.0968 3316 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:52:34.0968 3316 usbehci - ok
18:52:35.0015 3316 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:52:35.0031 3316 usbhub - ok
18:52:35.0171 3316 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:52:35.0171 3316 USBSTOR - ok
18:52:35.0218 3316 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
18:52:35.0218 3316 usbuhci - ok
18:52:35.0359 3316 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:52:35.0359 3316 VgaSave - ok
18:52:35.0390 3316 ViaIde - ok
18:52:35.0421 3316 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:52:35.0421 3316 VolSnap - ok
18:52:35.0578 3316 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:52:35.0593 3316 Wanarp - ok
18:52:35.0734 3316 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
18:52:35.0765 3316 Wdf01000 - ok
18:52:35.0875 3316 WDICA - ok
18:52:35.0937 3316 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:52:35.0937 3316 wdmaud - ok
18:52:36.0156 3316 {6080A529-897E-4629-A488-ABA0C29B635E} (fd1f4e9cf06c71c8d73a24acf18d8296) C:\WINDOWS\system32\drivers\ialmsbw.sys
18:52:36.0156 3316 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
18:52:36.0312 3316 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d4d7331d33d1fa73e588e5ce0d90a4c1) C:\WINDOWS\system32\drivers\ialmkchw.sys
18:52:36.0312 3316 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
18:52:36.0343 3316 MBR (0x1B8) (b0b17de2470979f6aa7d36e451109b01) \Device\Harddisk0\DR0
18:52:36.0343 3316 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
18:52:36.0343 3316 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
18:52:36.0343 3316 Boot (0x1200) (17773c5b0d92ef2130d8e0b17345be53) \Device\Harddisk0\DR0\Partition0
18:52:36.0343 3316 \Device\Harddisk0\DR0\Partition0 - ok
18:52:36.0343 3316 ============================================================
18:52:36.0343 3316 Scan finished
18:52:36.0343 3316 ============================================================
18:52:36.0375 1768 Detected object count: 1
18:52:36.0375 1768 Actual detected object count: 1
18:52:51.0796 1768 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
18:52:51.0796 1768 \Device\Harddisk0\DR0 - ok
18:52:51.0796 1768 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure 
18:53:00.0468 3764 Deinitialize success


----------



## Cookiegal (Aug 27, 2003)

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## Actuarial (Nov 10, 2011)

Not sure if this matters, but the method I used for disabling AVG was as stated in their linked page (http://www.bleepingcomputer.com/forums/topic114351.html), so it was just a 15 minute temporary disable. I guess it re-activated during the Combofix run because an AVG "threat" alert window popped up warning about a process named "CF5992.3XE." I didn't vault it, so maybe it didn't mess up the Combofix run. Anyway, here are the 2 logs:

*Combofix:*

ComboFix 11-11-12.04 - Saleshp530 11/12/2011 22:49:37.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1143.807 [GMT -5:00]
Running from: c:\documents and settings\Saleshp530\Desktop\puppy.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\msssc.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-10-13 to 2011-11-13 )))))))))))))))))))))))))))))))
.
.
2011-11-13 00:00 . 2011-11-13 00:00 -------- d-----w- c:\windows\LastGood
2011-11-12 20:17 . 2011-11-12 20:17 -------- d-----w- c:\windows\Internet Logs
2011-11-10 12:45 . 2011-11-10 12:45 -------- d-sh--w- c:\documents and settings\Saleshp530\IECompatCache
2011-11-10 00:56 . 2011-11-10 00:56 388096 ----a-r- c:\documents and settings\Saleshp530\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-10 00:56 . 2011-11-10 00:56 -------- d-----w- c:\program files\Trend Micro
2011-11-09 15:43 . 2011-11-09 15:44 -------- d-----w- c:\documents and settings\Christy
2011-11-09 03:36 . 2011-11-09 04:01 -------- d-----w- c:\documents and settings\Administrator
2011-11-09 03:24 . 2011-11-09 03:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-09 03:24 . 2011-11-09 03:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-11-09 01:36 . 2011-11-09 01:36 -------- d-----w- C:\$AVG
2011-11-07 01:31 . 2011-11-07 04:47 -------- d-----w- c:\windows\system32\NtmsData
2011-11-06 22:57 . 2011-11-12 22:35 -------- d-----w- c:\windows\system32\drivers\AVG
2011-11-06 17:16 . 2011-11-06 17:16 -------- d-----w- c:\windows\Sun
2011-11-06 15:00 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-11-06 14:59 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-11-06 14:59 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-11-06 14:57 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-11-06 14:57 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-11-06 14:57 . 2011-08-22 23:48 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-11-06 14:57 . 2011-08-22 23:48 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-11-06 14:57 . 2011-08-22 23:48 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-11-06 14:57 . 2011-08-22 23:48 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-11-06 14:57 . 2011-08-22 23:48 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-11-06 14:57 . 2011-08-22 23:48 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-11-06 14:53 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-11-06 14:53 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-11-06 04:06 . 2011-11-06 04:06 -------- d-----w- c:\program files\Common Files\Adobe
2011-11-06 04:01 . 2011-11-06 04:08 -------- d-----w- c:\documents and settings\Saleshp530\Local Settings\Application Data\Adobe
2011-11-06 00:56 . 2011-11-06 00:56 -------- d-----w- c:\program files\7-Zip
2011-11-06 00:20 . 2011-11-10 01:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-05 18:46 . 2011-11-10 03:00 -------- d-----w- C:\Shaun
2011-11-05 18:03 . 2011-11-05 18:03 -------- d-----w- c:\windows\system32\scripting
2011-11-05 18:03 . 2011-11-05 18:03 -------- d-----w- c:\windows\l2schemas
2011-11-05 18:03 . 2011-11-05 18:03 -------- d-----w- c:\windows\system32\en
2011-11-05 18:03 . 2011-11-05 18:03 -------- d-----w- c:\windows\system32\bits
2011-11-05 17:30 . 2011-11-05 17:30 -------- d-----w- c:\documents and settings\Saleshp530\Application Data\CheckPoint
2011-11-05 17:30 . 2011-11-12 18:59 -------- d-----w- c:\documents and settings\Saleshp530\Local Settings\Application Data\ZoneAlarm_Security
2011-11-05 17:30 . 2011-11-05 17:30 0 ------w- c:\windows\system32\ConduitEngine.tmp
2011-11-05 17:30 . 2011-11-06 04:08 -------- d-----w- c:\documents and settings\Saleshp530\Local Settings\Application Data\Temp
2011-11-05 17:30 . 2011-11-05 18:26 -------- d-----w- c:\documents and settings\Saleshp530\Local Settings\Application Data\Conduit
2011-11-05 17:30 . 2011-11-05 17:30 -------- d-----w- c:\program files\ZoneAlarm_Security
2011-11-05 17:29 . 2011-11-12 20:25 -------- d-----w- c:\program files\CheckPoint
2011-11-05 16:35 . 2011-11-05 16:35 -------- d-----w- c:\documents and settings\Saleshp530\Local Settings\Application Data\Mozilla
2011-11-05 16:24 . 2011-11-05 16:24 -------- d-----w- c:\documents and settings\Saleshp530\Application Data\AVG2012
2011-11-05 16:22 . 2011-11-05 16:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-11-05 16:22 . 2008-04-14 00:12 221184 ------w- c:\windows\system32\wmpns.dll
2011-11-05 16:22 . 2011-11-05 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-11-05 16:21 . 2011-11-05 16:21 -------- d-----w- c:\program files\AVG
2011-11-05 16:19 . 2011-11-05 17:56 -------- d-----w- c:\windows\ServicePackFiles
2011-11-05 16:17 . 2004-08-04 05:56 21504 ------w- c:\windows\system32\drivers\hidserv.dll
2011-11-05 16:16 . 2011-11-12 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-11-05 16:00 . 2004-08-04 03:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2011-11-05 15:47 . 2011-11-05 15:47 -------- d-----w- c:\documents and settings\Saleshp530\Application Data\OpenOffice.org
2011-11-05 15:45 . 2010-12-09 13:07 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-11-05 15:45 . 2011-11-05 15:45 -------- d-----w- c:\program files\OpenOffice.org 3
2011-11-05 15:45 . 2011-11-05 15:45 -------- d-----w- c:\program files\Common Files\Java
2011-11-05 15:44 . 2011-11-05 15:44 73728 ------w- c:\windows\system32\javacpl.cpl
2011-11-05 15:44 . 2011-11-05 15:44 472808 ------w- c:\windows\system32\deployJava1.dll
2011-11-05 15:44 . 2011-11-05 15:44 -------- d-----w- c:\program files\Java
2011-11-05 15:43 . 2011-02-17 12:32 5120 ------w- c:\windows\system32\xpsp4res.dll
2011-11-05 15:43 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2011-11-05 15:43 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-11-05 15:43 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-11-05 15:43 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-11-05 15:42 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-11-05 15:42 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-11-05 15:42 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-11-05 15:34 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-11-05 15:32 . 2011-11-05 15:32 -------- d-sh--w- c:\documents and settings\Saleshp530\PrivacIE
2011-11-05 15:31 . 2011-11-05 15:31 -------- d-sh--w- c:\documents and settings\Saleshp530\IETldCache
2011-11-05 15:29 . 2011-11-05 15:30 -------- dc-h--w- c:\windows\ie8
2011-11-05 15:21 . 2009-01-07 23:21 26144 ------w- c:\windows\system32\spupdsvc.exe
2011-11-05 15:21 . 2011-11-10 20:29 -------- d--h--w- c:\windows\$hf_mig$
2011-11-05 15:06 . 2011-11-12 18:50 -------- d-sh--w- c:\documents and settings\Saleshp530\UserData
2011-11-05 14:55 . 2001-08-17 18:48 12160 -c----w- c:\windows\system32\dllcache\mouhid.sys
2011-11-05 14:55 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-11-05 14:54 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-11-05 14:54 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 10:23 . 2011-10-07 10:23 230608 ------w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 10:21 . 2011-10-04 10:21 16720 ------w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-26 16:41 . 2011-09-26 16:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 10:30 . 2011-09-13 10:30 32592 ------w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-07 16:21 . 2011-09-07 16:21 40960 ------r- c:\documents and settings\Saleshp530\Application Data\Microsoft\Installer\{F5242227-2051-4158-AC42-0F2BAA3CD3D6}\New_Shortcut_S1425_ADB54615A0E240F89C5EFD8513472ED3.exe
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-12 00:11 . 2011-11-05 16:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-03-28 16:22 176936 ------w- c:\program files\ZoneAlarm_Security\prxtbZone.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 525824]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55 937920 ------w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 12:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 5:30 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 5:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 12:14 AM 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 12:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 12:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 5:21 AM 16720]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 89317684
*Deregistered* - 89317684
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: microsoft.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Saleshp530\Application Data\Mozilla\Firefox\Profiles\h5b72xtp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Security Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ZoneAlarm Installer - c:\program files\CheckPoint\Install\Launcher.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-12 23:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1052)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2011-11-12 23:12:19
ComboFix-quarantined-files.txt 2011-11-13 04:12
.
Pre-Run: 29,572,001,792 bytes free
Post-Run: 30,634,790,912 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0E834832EE18525EF6CFB82AC2EDC36C
__________________________________________________________________________

*Hijackthis:*

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:21:00 PM, on 11/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 4328 bytes


----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes' Anti-Malware from *Here*.

Double Click *mbam-setup.exe* to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## Actuarial (Nov 10, 2011)

I just had a barrage of attacks, with warning windows repeatedly popping up from AVG and something else called "Privacy Protection" or something like that... which I'd never heard of, but it uses the Windows security shield as its icon. Anyway, I checked back here after getting through the warnings and just ran the MBAM scan. Here's the log. Thanks again.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8154
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
11/13/2011 3:49:45 PM
mbam-log-2011-11-13 (15-49-45).txt
Scan type: Quick scan
Objects scanned: 187398
Time elapsed: 9 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent.Gen) -> Value: Shell -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\drivers\cdrom.sys (Trojan.Patched) -> Quarantined and deleted successfully.


----------



## Cookiegal (Aug 27, 2003)

Please go to the following link and run TDSSKiller:

http://support.kaspersky.com/viruses/solutions?qid=208280684

Allow it to cure anything if prompted.

Please post the log back here.


----------



## Actuarial (Nov 10, 2011)

I still have TDSSKiller installed from the earlier run... is it OK to just run that, or do I need a reinstall?


----------



## Actuarial (Nov 10, 2011)

I just ran the application installed earlier. Please let me know if I should reinstall & run again (maybe there are updates?). Here's the log:


16:43:01.0390 2420 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
16:43:01.0546 2420 ============================================================
16:43:01.0546 2420 Current date / time: 2011/11/13 16:43:01.0546
16:43:01.0546 2420 SystemInfo:
16:43:01.0546 2420 
16:43:01.0546 2420 OS Version: 5.1.2600 ServicePack: 3.0
16:43:01.0546 2420 Product type: Workstation
16:43:01.0546 2420 ComputerName: SALES530-0AEDD9
16:43:01.0546 2420 UserName: Saleshp530
16:43:01.0546 2420 Windows directory: C:\WINDOWS
16:43:01.0546 2420 System windows directory: C:\WINDOWS
16:43:01.0546 2420 Processor architecture: Intel x86
16:43:01.0546 2420 Number of processors: 1
16:43:01.0546 2420 Page size: 0x1000
16:43:01.0546 2420 Boot type: Normal boot
16:43:01.0546 2420 ============================================================
16:43:02.0640 2420 Initialize success
16:43:09.0125 2132 ============================================================
16:43:09.0125 2132 Scan started
16:43:09.0125 2132 Mode: Manual; 
16:43:09.0125 2132 ============================================================
16:43:29.0656 2132 ============================================================
16:43:29.0656 2132 Scan finished
16:43:29.0656 2132 ============================================================
16:43:29.0687 0576 Detected object count: 0
16:43:29.0687 0576 Actual detected object count: 0
16:43:42.0296 2416 Deinitialize success


----------



## Cookiegal (Aug 27, 2003)

Please download aswMBR.exe and save it to your desktop.

Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)

Click *Scan*.

Upon completion of the scan, click *Save log* then save it to your desktop and post that log in your next reply for review. 
*Note - do NOT attempt any Fix yet.*


----------



## Actuarial (Nov 10, 2011)

When I open aswMBR.exe, I get the pop-up shown in the attached file. Should I download the latest Avast definitions? Thanks.


----------



## Actuarial (Nov 10, 2011)

Sorry, forgot to attach the file. My Paint file is too big to attach. I was going to just type the text of the window here, but while doing so, I accidentally hit Enter, so it's currently downloading the definitions database. I'll scan when it's done.


----------



## Actuarial (Nov 10, 2011)

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-13 18:45:56
-----------------------------
18:45:56.312 OS Version: Windows 5.1.2600 Service Pack 3
18:45:56.312 Number of processors: 1 586 0x304
18:45:56.312 ComputerName: SALES530-0AEDD9 UserName: Saleshp530
18:45:56.859 Initialize success
18:54:19.906 AVAST engine defs: 11111302
18:55:37.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:55:37.687 Disk 0 Vendor: WDC_WD400BB-60JKA0 05.01C05 Size: 38166MB BusType: 3
18:55:39.703 Disk 0 MBR read successfully
18:55:39.703 Disk 0 MBR scan
18:55:39.734 Disk 0 Windows XP default MBR code
18:55:39.734 Disk 0 scanning sectors +78140160
18:55:39.781 Disk 0 scanning C:\WINDOWS\system32\drivers
18:55:59.078 Service scanning
18:56:00.031 Modules scanning
18:56:06.734 Disk 0 trace - called modules:
18:56:06.765 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 
18:56:06.765 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87f84ab8]
18:56:06.765 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000005c[0x87fe15e0]
18:56:07.281 5 ACPI.sys[ba05f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87f5b940]
18:56:07.562 AVAST engine scan C:\WINDOWS
18:56:16.750 AVAST engine scan C:\WINDOWS\system32
18:59:27.312 AVAST engine scan C:\WINDOWS\system32\drivers
18:59:49.187 AVAST engine scan C:\Documents and Settings\Saleshp530
19:03:03.875 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Saleshp530\Desktop\MBR.dat"
19:03:03.890 The log file has been saved successfully to "C:\Documents and Settings\Saleshp530\Desktop\aswMBR.txt"


----------



## Cookiegal (Aug 27, 2003)

That's good. 

Please run the following on-line scanner. Note that you must use Internet Explorer to perform the scan.

Note: If you're running a 64-bit system you have to choose the 32-bit option in IE. To do that, go to the Start Menu and right-click the Internet Explorer (32-bit) icon and then select 'Run as administrator' from the right-click menu.

http://www.eset.com/online-scanner

Accept the Terms of Use and then press the Start button

Allow the ActiveX control to be installed.

Put a check by Remove found threats and then run the scan.

When the scan is finished, you will see the results in a window.

A log.txt file is created here: C:\Program Files\EsetOnlineScanner\log.txt.

Open the log file with Notepad and copy and paste the contents here please.


----------



## Actuarial (Nov 10, 2011)

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=0d8accc03f80af4bb56b18f8282d8e85
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-11-14 12:59:27
# local_time=2011-11-13 07:59:27 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 261029 261029 0 0
# compatibility_mode=1024 16777175 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=55174
# found=3
# cleaned=2
# scan_time=1967
C:\Documents and Settings\Saleshp530\Local Settings\Application Data\803183da\U\[email protected] probably a variant of Win32/Kryptik.JDI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Saleshp530\My Documents\Downloads\cnet_pc-decrapifier-2_2_8_exe.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
${Memory} probably a variant of Win32/Sirefef.DA trojan 00000000000000000000000000000000 I


----------



## Cookiegal (Aug 27, 2003)

Download *OTS.exe* to your Desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Double-click on *OTS.exe* to start the program.
In the *Additional Scans* section put a check in Disabled MS Config Items and EventViewer logs.
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## Actuarial (Nov 10, 2011)

Just within the past couple of hours, I've had random IE windows pop up a few times with "nailingsearchsystem.com/***" websites. A quick Google search seems to indicate this would be a virus, but I'm not sure. OTS log is attached. Thanks again.


----------



## Cookiegal (Aug 27, 2003)

Start *OTS*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YY -> C:\Documents and Settings\Saleshp530\Local Settings\Application Data\803183da\X -> C:\Documents and Settings\Saleshp530\Local Settings\Application Data\803183da\X
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\explorer.exe" -> C:\WINDOWS\explorer.exe [C:\WINDOWS\explorer.exe:*:Disabled:Windows Explorer]
[Files/Folders - Created Within 30 Days]
NY ->  803183da -> C:\Documents and Settings\Saleshp530\Local Settings\Application Data\803183da
NY ->  4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Empty Temp Folders]
[EmptyFlash]
[EmptyJava]
[Start Explorer]
[Reboot]
```

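The fix script above removes a per-user Winlogon Shell value that pointed into Local Settings\Application Data, an IE toolbar entry whose CLSID key no longer exists, and a firewall exception for explorer.exe. As an added example that is not from the thread, OTS or ComboFix, here is a small Python audit that parses a REGEDIT4-style listing (the shape ComboFix prints under "Reg Loading Points") and flags the Shell and firewall patterns plus autoruns living in user-writable profile folders; the sample export and the heuristics are my own constructions, modelled on the values in this thread.

```python
"""Audit REGEDIT4-style autorun listings for the persistence patterns this
thread's OTS fix removed. Added example: the sample export is constructed
(modelled on the hijacked values in the fix log) and the checks are the
author's own heuristics, not OTS or ComboFix logic."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    value: str
    reason: str


# Constructed sample in REGEDIT4 escaping (backslashes doubled inside quotes).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\Saleshp530\\Local Settings\\Application Data\\803183da\\X"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\\program files\\Analog Devices\\SoundMAX\\SMTray.exe"
"Updater"="C:\\Documents and Settings\\Saleshp530\\Local Settings\\Temp\\upd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"""

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# "name"="value"; ComboFix prints the same shape, sometimes with a trailing [date size].
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"')
# Per-user locations a dropper can write to without administrative rights.
_USER_WRITABLE = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\temp\\",
)


def _unescape(s: str) -> str:
    """Undo REGEDIT4 escaping; single-backslash ComboFix output passes through unchanged."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_regedit4(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, name, value) for every "name"="value" line under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def _basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def _in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in _USER_WRITABLE)


def audit_loading_points(text: str) -> List[Finding]:
    """Apply the three heuristics to every value in the listing and collect findings."""
    findings: List[Finding] = []
    for key, name, value in parse_regedit4(text):
        k, n = key.lower(), name.lower()
        is_shell = k.endswith("\\winlogon") and n == "shell"
        is_run = k.endswith("\\run") or k.endswith("\\runonce")
        # 1. Winlogon Shell should launch Explorer; anything else replaces the desktop shell.
        if is_shell and _basename(value) != "explorer.exe":
            findings.append(Finding(key, name, value, "Winlogon Shell replaced by a non-Explorer binary"))
        # 2. Autoruns (or the shell itself) living in profile folders a dropper can write to.
        if (is_shell or is_run) and _in_user_writable(value):
            findings.append(Finding(key, name, value, "autorun points into a user-writable profile folder"))
        # 3. Firewall exceptions: value is <path>:<scope>:<Enabled|Disabled>:<description>.
        if "authorizedapplications\\list" in k:
            parts = value.rsplit(":", 3)
            if len(parts) == 4:
                prog, _scope, state, _desc = parts
                if _basename(prog) == "explorer.exe" or _in_user_writable(prog):
                    findings.append(Finding(key, name, value, f"firewall exception ({state}) for an unexpected program"))
    return findings


if __name__ == "__main__":
    for f in audit_loading_points(SAMPLE_EXPORT):
        print(f"{f.reason}: {f.key}\\{f.name} = {f.value}")
```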

----------



## Actuarial (Nov 10, 2011)

*Fix log:*

All Processes Killed
[Registry - Safe List]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Documents and Settings\Saleshp530\Local Settings\Application Data\803183da\X deleted successfully.
C:\Documents and Settings\Saleshp530\Local Settings\Application Data\803183da\X moved successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\explorer.exe deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\Documents and Settings\Saleshp530\Local Settings\Application Data\803183da\U folder moved successfully.
C:\Documents and Settings\Saleshp530\Local Settings\Application Data\803183da folder moved successfully.
C:\WINDOWS\002834_.tmp deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\System32\ConduitEngine.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
[Files/Folders - Modified Within 30 Days]
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56475 bytes

User: All Users

User: Christy
->Temp folder emptied: 59164 bytes
->Temporary Internet Files folder emptied: 14694316 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 57086 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 4216 bytes
->Temporary Internet Files folder emptied: 47988975 bytes

User: NetworkService
->Temp folder emptied: 4216 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 16608 bytes
->Flash cache emptied: 35692 bytes

User: Saleshp530
->Temp folder emptied: 55940538 bytes
->Temporary Internet Files folder emptied: 303423953 bytes
->Java cache emptied: 12200 bytes
->FireFox cache emptied: 37402531 bytes
->Flash cache emptied: 10153 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4821 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 8727594 bytes

Total Files Cleaned = 447.00 mb

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Christy
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Saleshp530
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

[EMPTYJAVA]

User: Administrator

User: All Users

User: Christy

User: Default User

User: LocalService

User: NetworkService
->Java cache emptied: 0 bytes

User: Saleshp530
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.46.0 fix logfile created on 11142011_184437
Files\Folders moved on Reboot...
C:\Documents and Settings\Saleshp530\Local Settings\Temporary Internet Files\Content.IE5\5QEICKC0\1026210-svchost-exe-high-cpu-usage-2[1].html moved successfully.
C:\Documents and Settings\Saleshp530\Local Settings\Temporary Internet Files\Content.IE5\2NFA1G3T\1953011905[1].htm moved successfully.
C:\Documents and Settings\Saleshp530\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
Registry entries deleted on Reboot...
_________________________________________________________________-

*Hijackthis log:*

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:53:08 PM, on 11/14/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - Unknown owner - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 4319 bytes


----------



## Cookiegal (Aug 27, 2003)

Please remove ComboFix by dragging it to the Recycle Bin, grab the latest version, then run a new scan and post the log.

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.


----------



## Actuarial (Nov 10, 2011)

It's not letting me disable AVG. When I try to temporarily disable it for 15 minutes, I get a pop-up with the following message:

"An error occurred when saving the configuration.
Connection is offline"

Also, there are several components that used to be in the AVG "Overview" area but are now missing. I assume these were removed during one of the "fixes" performed? Anyway, any idea what's going on with the disabling feature refusing to work? Thanks.


----------



## Cookiegal (Aug 27, 2003)

Try uninstalling AVG completely and then run ComboFix and then reinstall AVG.


----------



## Actuarial (Nov 10, 2011)

Here's the ComboFix log. Thanks.

ComboFix 11-11-16.02 - Saleshp530 11/16/2011 19:44:10.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1143.896 [GMT -5:00]
Running from: c:\documents and settings\Saleshp530\Desktop\puppy.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB64532$
c:\windows\$NtUninstallKB64532$\19782598
c:\windows\$NtUninstallKB64532$\2150728666\@
c:\windows\$NtUninstallKB64532$\2150728666\L\miewqzne
c:\windows\$NtUninstallKB64532$\2150728666\loader.tlb
c:\windows\$NtUninstallKB64532$\2150728666\U\@00000001
c:\windows\$NtUninstallKB64532$\2150728666\U\@000000c0
c:\windows\$NtUninstallKB64532$\2150728666\U\@000000cb
c:\windows\$NtUninstallKB64532$\2150728666\U\@000000cf
c:\windows\$NtUninstallKB64532$\2150728666\U\@80000000
c:\windows\$NtUninstallKB64532$\2150728666\U\@800000c0
c:\windows\$NtUninstallKB64532$\2150728666\U\@800000cb
c:\windows\$NtUninstallKB64532$\2150728666\U\@800000cf
c:\windows\system32\ 
c:\windows\system32\c_91442.nl_
c:\windows\system32\c_91442.nls
.
Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected 
Restored copy from - The cat found it  
c:\windows\system32\drivers\cdrom.sys was missing 
Restored copy from - c:\windows\system32\dllcache\cdrom.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_803183da
.
.
((((((((((((((((((((((((( Files Created from 2011-10-17 to 2011-11-17 )))))))))))))))))))))))))))))))
.
.
2011-11-17 00:49 . 2008-04-13 19:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-11-17 00:49 . 2008-04-13 19:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-11-17 00:42 . 2008-04-13 19:15 64512 -c--a-w- c:\windows\system32\dllcache\serial.sys
2011-11-17 00:42 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-11-14 23:44 . 2011-11-14 23:44 -------- d-----w- C:\_OTS
2011-11-14 00:20 . 2011-11-14 00:20 -------- d-----w- c:\program files\ESET
2011-11-13 20:32 . 2011-11-13 20:32 -------- d-----w- c:\documents and settings\Saleshp530\Application Data\Malwarebytes
2011-11-13 20:32 . 2011-11-13 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-13 20:32 . 2011-11-13 20:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-13 20:32 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-12 20:17 . 2011-11-12 20:17 -------- d-----w- c:\windows\Internet Logs
2011-11-10 12:45 . 2011-11-10 12:45 -------- d-sh--w- c:\documents and settings\Saleshp530\IECompatCache
2011-11-10 00:56 . 2011-11-10 00:56 388096 ----a-r- c:\documents and settings\Saleshp530\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-10 00:56 . 2011-11-10 00:56 -------- d-----w- c:\program files\Trend Micro
2011-11-09 15:43 . 2011-11-09 15:44 -------- d-----w- c:\documents and settings\Christy
2011-11-09 03:36 . 2011-11-09 04:01 -------- d-----w- c:\documents and settings\Administrator
2011-11-09 03:24 . 2011-11-09 03:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-09 03:24 . 2011-11-09 03:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-11-09 01:36 . 2011-11-09 01:36 -------- d-----w- C:\$AVG
2011-11-07 01:31 . 2011-11-07 04:47 -------- d-----w- c:\windows\system32\NtmsData
2011-11-06 17:16 . 2011-11-06 17:16 -------- d-----w- c:\windows\Sun
2011-11-06 15:00 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-11-06 14:59 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-11-06 14:59 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-11-06 14:57 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-11-06 14:57 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-11-06 14:57 . 2011-08-22 23:48 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-11-06 14:57 . 2011-08-22 23:48 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-11-06 14:57 . 2011-08-22 23:48 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-11-06 14:57 . 2011-08-22 23:48 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-11-06 14:57 . 2011-08-22 23:48 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-11-06 14:57 . 2011-08-22 23:48 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-11-06 14:53 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-11-06 14:53 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-11-06 04:06 . 2011-11-06 04:06 -------- d-----w- c:\program files\Common Files\Adobe
2011-11-06 04:01 . 2011-11-06 04:08 -------- d-----w- c:\documents and settings\Saleshp530\Local Settings\Application Data\Adobe
2011-11-06 00:56 . 2011-11-06 00:56 -------- d-----w- c:\program files\7-Zip
2011-11-06 00:20 . 2011-11-10 01:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-05 18:46 . 2011-11-13 04:36 -------- d-----w- C:\Shaun
2011-11-05 18:03 . 2011-11-05 18:03 -------- d-----w- c:\windows\system32\scripting
2011-11-05 18:03 . 2011-11-05 18:03 -------- d-----w- c:\windows\l2schemas
2011-11-05 18:03 . 2011-11-05 18:03 -------- d-----w- c:\windows\system32\en
2011-11-05 18:03 . 2011-11-05 18:03 -------- d-----w- c:\windows\system32\bits
2011-11-05 17:30 . 2011-11-05 17:30 -------- d-----w- c:\documents and settings\Saleshp530\Application Data\CheckPoint
2011-11-05 17:30 . 2011-11-12 18:59 -------- d-----w- c:\documents and settings\Saleshp530\Local Settings\Application Data\ZoneAlarm_Security
2011-11-05 17:30 . 2011-11-06 04:08 -------- d-----w- c:\documents and settings\Saleshp530\Local Settings\Application Data\Temp
2011-11-05 17:30 . 2011-11-05 18:26 -------- d-----w- c:\documents and settings\Saleshp530\Local Settings\Application Data\Conduit
2011-11-05 17:30 . 2011-11-05 17:30 -------- d-----w- c:\program files\ZoneAlarm_Security
2011-11-05 17:29 . 2011-11-12 20:25 -------- d-----w- c:\program files\CheckPoint
2011-11-05 16:35 . 2011-11-05 16:35 -------- d-----w- c:\documents and settings\Saleshp530\Local Settings\Application Data\Mozilla
2011-11-05 16:24 . 2011-11-05 16:24 -------- d-----w- c:\documents and settings\Saleshp530\Application Data\AVG2012
2011-11-05 16:22 . 2011-11-05 16:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-11-05 16:22 . 2008-04-14 00:12 221184 ------w- c:\windows\system32\wmpns.dll
2011-11-05 16:22 . 2011-11-17 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-11-05 16:21 . 2011-11-05 16:21 -------- d-----w- c:\program files\AVG
2011-11-05 16:19 . 2011-11-05 17:56 -------- d-----w- c:\windows\ServicePackFiles
2011-11-05 16:17 . 2004-08-04 05:56 21504 ------w- c:\windows\system32\drivers\hidserv.dll
2011-11-05 16:16 . 2011-11-17 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-11-05 16:00 . 2004-08-04 03:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2011-11-05 15:47 . 2011-11-05 15:47 -------- d-----w- c:\documents and settings\Saleshp530\Application Data\OpenOffice.org
2011-11-05 15:45 . 2010-12-09 13:07 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-11-05 15:45 . 2011-11-05 15:45 -------- d-----w- c:\program files\OpenOffice.org 3
2011-11-05 15:45 . 2011-11-05 15:45 -------- d-----w- c:\program files\Common Files\Java
2011-11-05 15:44 . 2011-11-05 15:44 73728 ------w- c:\windows\system32\javacpl.cpl
2011-11-05 15:44 . 2011-11-05 15:44 472808 ------w- c:\windows\system32\deployJava1.dll
2011-11-05 15:44 . 2011-11-05 15:44 -------- d-----w- c:\program files\Java
2011-11-05 15:43 . 2011-02-17 12:32 5120 ------w- c:\windows\system32\xpsp4res.dll
2011-11-05 15:43 . 2010-07-12 12:55 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2011-11-05 15:43 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-11-05 15:43 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-11-05 15:43 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-11-05 15:42 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-11-05 15:42 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-11-05 15:42 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-11-05 15:34 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-11-05 15:32 . 2011-11-05 15:32 -------- d-sh--w- c:\documents and settings\Saleshp530\PrivacIE
2011-11-05 15:31 . 2011-11-05 15:31 -------- d-sh--w- c:\documents and settings\Saleshp530\IETldCache
2011-11-05 15:29 . 2011-11-05 15:30 -------- dc-h--w- c:\windows\ie8
2011-11-05 15:21 . 2009-01-07 23:21 26144 ------w- c:\windows\system32\spupdsvc.exe
2011-11-05 15:21 . 2011-11-10 20:29 -------- d--h--w- c:\windows\$hf_mig$
2011-11-05 15:06 . 2011-11-12 18:50 -------- d-sh--w- c:\documents and settings\Saleshp530\UserData
2011-11-05 14:55 . 2001-08-17 18:48 12160 -c----w- c:\windows\system32\dllcache\mouhid.sys
2011-11-05 14:55 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-11-05 14:54 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-11-05 14:54 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2011-09-02 20:01 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2011-09-26 16:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-07 16:21 . 2011-09-07 16:21 40960 ------r- c:\documents and settings\Saleshp530\Application Data\Microsoft\Installer\{F5242227-2051-4158-AC42-0F2BAA3CD3D6}\New_Shortcut_S1425_ADB54615A0E240F89C5EFD8513472ED3.exe
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2011-11-12 00:11 . 2011-11-05 16:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( [email protected]_04.00.13 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2008-04-14 00:12 90112 c:\windows\system32\wshext.dll
+ 2004-08-04 12:00 . 2008-05-09 10:53 90112 c:\windows\system32\wshext.dll
+ 2004-08-04 12:00 . 2009-10-21 05:38 75776 c:\windows\system32\strmfilt.dll
- 2004-08-04 12:00 . 2008-04-14 00:12 75776 c:\windows\system32\strmfilt.dll
+ 2004-08-04 12:00 . 2010-08-27 05:57 99840 c:\windows\system32\srvsvc.dll
+ 2004-08-04 12:00 . 2010-08-17 13:17 58880 c:\windows\system32\spoolsv.exe
- 2004-08-04 12:00 . 2011-11-06 17:30 40196 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2011-11-13 12:26 40196 c:\windows\system32\perfc009.dat
+ 2011-09-02 20:01 . 2010-11-18 18:12 81920 c:\windows\system32\isign32.dll
- 2011-09-02 20:01 . 2008-04-14 00:11 81920 c:\windows\system32\isign32.dll
+ 2004-08-04 12:00 . 2009-10-21 05:38 25088 c:\windows\system32\httpapi.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 90112 c:\windows\system32\dllcache\wshext.dll
+ 2009-10-21 05:38 . 2009-10-21 05:38 75776 c:\windows\system32\dllcache\strmfilt.dll
+ 2010-08-27 05:57 . 2010-08-27 05:57 99840 c:\windows\system32\dllcache\srvsvc.dll
+ 2004-08-04 12:00 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
+ 2010-11-18 18:12 . 2010-11-18 18:12 81920 c:\windows\system32\dllcache\isign32.dll
+ 2009-10-21 05:38 . 2009-10-21 05:38 25088 c:\windows\system32\dllcache\httpapi.dll
+ 2009-12-14 07:08 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-12-14 07:08 . 2009-12-14 07:08 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2004-08-04 12:00 . 2009-12-14 07:08 33280 c:\windows\system32\csrsrv.dll
+ 2004-08-04 12:00 . 2011-04-26 11:07 33280 c:\windows\system32\csrsrv.dll
+ 2004-08-04 12:00 . 2008-05-08 11:24 155648 c:\windows\system32\wscript.exe
- 2004-08-04 12:00 . 2008-04-14 00:12 155648 c:\windows\system32\wscript.exe
+ 2004-08-04 12:00 . 2011-06-20 17:44 293376 c:\windows\system32\winsrv.dll
- 2004-08-04 12:00 . 2008-04-14 00:12 293376 c:\windows\system32\winsrv.dll
+ 2004-08-04 12:00 . 2010-04-16 15:36 406016 c:\windows\system32\usp10.dll
- 2004-08-04 12:00 . 2008-04-14 00:12 406016 c:\windows\system32\usp10.dll
- 2004-08-04 12:00 . 2009-10-15 16:28 119808 c:\windows\system32\t2embed.dll
+ 2004-08-04 12:00 . 2010-08-27 08:02 119808 c:\windows\system32\t2embed.dll
+ 2004-08-04 12:00 . 2011-01-21 14:44 439296 c:\windows\system32\shimgvw.dll
+ 2004-08-04 12:00 . 2008-05-09 10:53 172032 c:\windows\system32\scrrun.dll
- 2004-08-04 12:00 . 2008-04-14 00:12 172032 c:\windows\system32\scrrun.dll
- 2004-08-04 12:00 . 2008-04-14 00:12 180224 c:\windows\system32\scrobj.dll
+ 2004-08-04 12:00 . 2008-05-09 10:53 180224 c:\windows\system32\scrobj.dll
- 2004-08-04 12:00 . 2008-04-14 00:12 270848 c:\windows\system32\sbe.dll
+ 2004-08-04 12:00 . 2011-02-09 13:53 270848 c:\windows\system32\sbe.dll
- 2004-08-04 12:00 . 2011-11-06 17:30 311934 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2011-11-13 12:26 311934 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2008-04-14 00:12 551936 c:\windows\system32\oleaut32.dll
+ 2004-08-04 12:00 . 2010-12-20 17:32 551936 c:\windows\system32\oleaut32.dll
- 2011-09-02 19:59 . 2008-04-14 00:12 677888 c:\windows\system32\mstsc.exe
+ 2011-09-02 19:59 . 2011-01-27 11:57 677888 c:\windows\system32\mstsc.exe
- 2004-08-04 12:00 . 2009-06-25 08:25 301568 c:\windows\system32\kerberos.dll
+ 2004-08-04 12:00 . 2010-12-22 12:34 301568 c:\windows\system32\kerberos.dll
- 2011-09-02 15:39 . 2011-11-05 18:31 118952 c:\windows\system32\FNTCACHE.DAT
+ 2011-09-02 15:39 . 2011-11-13 12:24 118952 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-04 12:00 . 2011-02-09 13:53 186880 c:\windows\system32\encdec.dll
- 2004-08-04 12:00 . 2008-04-14 00:11 186880 c:\windows\system32\encdec.dll
+ 2004-08-04 12:00 . 2009-10-20 16:20 265728 c:\windows\system32\drivers\http.sys
+ 2008-05-08 11:24 . 2008-05-08 11:24 155648 c:\windows\system32\dllcache\wscript.exe
+ 2011-04-26 11:07 . 2011-06-20 17:44 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2010-04-16 15:36 . 2010-04-16 15:36 406016 c:\windows\system32\dllcache\usp10.dll
+ 2011-01-21 14:44 . 2011-01-21 14:44 439296 c:\windows\system32\dllcache\shimgvw.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 172032 c:\windows\system32\dllcache\scrrun.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 180224 c:\windows\system32\dllcache\scrobj.dll
+ 2011-02-09 13:53 . 2011-02-09 13:53 270848 c:\windows\system32\dllcache\sbe.dll
+ 2010-12-20 17:32 . 2010-12-20 17:32 551936 c:\windows\system32\dllcache\oleaut32.dll
+ 2011-01-27 11:57 . 2011-01-27 11:57 677888 c:\windows\system32\dllcache\lhmstsc.exe
+ 2009-06-25 08:25 . 2010-12-22 12:34 301568 c:\windows\system32\dllcache\kerberos.dll
- 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2010-01-29 15:01 . 2011-10-10 14:22 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2010-01-29 15:01 . 2011-05-02 15:31 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\system32\dllcache\http.sys
+ 2011-02-09 13:53 . 2011-02-09 13:53 186880 c:\windows\system32\dllcache\encdec.dll
+ 2008-05-07 09:07 . 2008-05-07 09:07 135168 c:\windows\system32\dllcache\cscript.exe
+ 2011-09-28 07:06 . 2011-09-28 07:06 599040 c:\windows\system32\dllcache\crypt32.dll
+ 2004-08-04 12:00 . 2011-02-15 12:56 290432 c:\windows\system32\dllcache\atmfd.dll
+ 2004-08-04 12:00 . 2008-05-07 09:07 135168 c:\windows\system32\cscript.exe
+ 2004-08-04 12:00 . 2011-02-15 12:56 290432 c:\windows\system32\atmfd.dll
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\Driver Cache\i386\http.sys
+ 2004-08-04 12:00 . 2011-01-21 14:44 8462336 c:\windows\system32\shell32.dll
+ 2004-08-04 12:00 . 2010-07-16 12:05 1288192 c:\windows\system32\ole32.dll
- 2004-08-04 12:00 . 2009-07-31 04:35 1172480 c:\windows\system32\msxml3.dll
+ 2004-08-04 12:00 . 2010-06-14 07:41 1172480 c:\windows\system32\msxml3.dll
+ 2011-09-02 19:59 . 2011-02-02 07:58 2067456 c:\windows\system32\mstscax.dll
+ 2010-05-02 05:22 . 2011-09-06 13:20 1858944 c:\windows\system32\dllcache\win32k.sys
+ 2008-06-17 19:02 . 2011-01-21 14:44 8462336 c:\windows\system32\dllcache\shell32.dll
+ 2010-07-16 12:05 . 2010-07-16 12:05 1288192 c:\windows\system32\dllcache\ole32.dll
- 2004-08-04 12:00 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2004-08-04 12:00 . 2010-06-14 07:41 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2011-02-02 07:58 . 2011-02-02 07:58 2067456 c:\windows\system32\dllcache\lhmstscx.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-03-28 16:22 176936 ------w- c:\program files\ZoneAlarm_Security\prxtbZone.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 525824]
.
c:\documents and settings\Christy\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55 937920 ------w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
.
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: microsoft.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Saleshp530\Application Data\Mozilla\Firefox\Profiles\h5b72xtp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Security Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-16 19:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(608)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-11-16 19:59:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-17 00:58
ComboFix2.txt 2011-11-13 04:12
.
Pre-Run: 30,311,706,624 bytes free
Post-Run: 30,524,882,944 bytes free
.
- - End Of File - - 4F9C2AA646160A7AA90FCFCC4CBB1E33


----------



## Cookiegal (Aug 27, 2003)

Please post a new HijackThis log and let me know how things are with the computer now.


----------



## Actuarial (Nov 10, 2011)

everything is running much faster... no system freezes in the last several days. cpu usage stays mostly less than 10%, and commit charge generally stays in the 300-800M range depending on how much i'm doing at once. i do have a few other questions if you don't mind.

in the last 24 hrs, i've had 5-6 threat alerts from AVG regarding some sort of backdoor trojan, and i vaulted all of them... not sure if that's normal or something to be concerned about. also regarding AVG (i think), it tries to read from the floppy drive every start-up and then any time i open AVG. i assume it's just checking it to see if there's a disk in there with threats, but figured i'd run that by you.

down in the notification area of the taskbar, there's always an icon for "local area connection 2" with an "x" over it, saying "a network cable is unplugged." this doesn't seem to be causing a problem, so i'm not too concerned, but should i do anything to eliminate the icon or something else?

now, for continued protection, what's the best set of security options to use? i'm currently just using AVG 2012 free and windows firewall. i still have everything from this process sitting on my desktop: hijackthis, gmer, dds, tdsskiller, combofix (ie, puppy), mbam, aswmbr, mbr, ots... and also all the files those programs set up in the C:\ drive. not sure if i should just drag everything to the recycle bin or use a more thorough method for deletion... or keep/use some of it.

anyway, you were probably going to touch on some of this stuff, but i figured i'd mention everything i was wondering, just in case. here's the hijackthis log. thanks again.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:42:58 PM, on 11/17/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 4499 bytes


----------



## Cookiegal (Aug 27, 2003)

Please post the log from AVG so I can see what it's detecting.

Also, please post a screen shot of the icon you're asking about.

We will uninstall the programs we used when we're finished. Most are just drag and drop in the recycle bin but ComboFix has its own specific method of uninstallation.


----------



## Actuarial (Nov 10, 2011)

took awhile to get the screenshots into a file that was small enough to attach, but here's what's attached:

1) screenshots of "notification area" & properties of the "network connection" shown
2) AVG Event History Log
3) AVG Virus Vault

thanks


----------



## Cookiegal (Aug 27, 2003)

Can you show me a screenshot (please just upload them here so I don't have to download them) of the other Local Area Connection please?

The most recent things found by AVG are only in System restore so they are not a threat as long as you don't perform a system restore. We will be flushing the restore points out when we're done which will take care of that. The others are prior to our fixes.


----------



## Actuarial (Nov 10, 2011)

i was trying to paste the screenshots here last time, but couldn't figure out how (that's why i attached the file). how is that done? thanks.


----------



## Cookiegal (Aug 27, 2003)

To take the screenshot press the Print Screen (or Prt Scrn) key on your keyboard and then open up MS Paint and right-click the white space and select "paste" and then save the image. 

Open up a reply and click on Manage Attachments then click on "Browse" to locate the file on your computer and then on "Open" and then click on "Upload" and finally submit the reply.


----------



## Actuarial (Nov 10, 2011)

that's what i did with the 3 files in the prior post, but with a Word document for the screenshots because the paint files i was creating were too big to upload here. maybe i'm missing something. i just tried the same thing with paint for the current screenshot, and the file is way above the size limit... so i created another Word file with the screenshots and attached it. sorry if this isn't the best way to post the images. i can't figure out how to do it the other way.


----------



## Cookiegal (Aug 27, 2003)

You can make it smaller in Paint before saving it.

But regardless, you forgot to attach it.


----------



## Actuarial (Nov 10, 2011)

sorry about that. i just tried cropping/shrinking the screenshots in a paint file again, but the only way i could get the filesize small enough was by zipping it, so that's attached. i've also attached the word file just in case the zipped file doesn't work. thanks.


----------



## Actuarial (Nov 10, 2011)

forgot to attach the word file again. here it is.


----------



## Cookiegal (Aug 27, 2003)

On the Local Area Connection 2 properties screen, uncheck the box at the bottom that says "Notify me when this connection has little or no connectivity" then click OK. Let me know if that icon goes away after that please.


----------



## Actuarial (Nov 10, 2011)

i'm out of town this week, so i'll do that step when i get home and let you know what happens. in the mean time, i have another question that you might be able to help with. at the same time that I got the computer currently being fixed, I also got a couple more of my company's old computers to give as gifts to family. is there a website (or thread) that outlines the optimal way to set up the computer from scratch? i mean, i pretty much outlined in my original post what i did from the start to set up security and some other stuff... which i basically determined based on reviews & recommendations of free software. so is that a good way to go about it, or is there a better way? thanks.


----------



## Cookiegal (Aug 27, 2003)

If you're talking from a security program standpoint, a lot of that will be subjective. For sure you need to have a good anti-virus program, software or hardware firewall/router, anti-malware programs like MalwareBytes and SuperAntiSpyware and keep all programs up to date such as the operating system, MS Office, Adobe Flash/Acrobat/Reader, Sun Java, etc. and be careful what you click on.


----------



## Actuarial (Nov 10, 2011)

sorry for the delay in responding. the monitor i was using previously was part of what went to family as a gift, and the monitor that i purchased on ebay 2 weeks ago was supposed to arrive by last monday. well, the seller was much slower than promised, so it just arrived today.

i unchecked that "notify me..." box, but the icon didn't go away. however, if i just "disable" the connection, it goes away (i thought i tried that previously & didn't work, but maybe not). that would solve the problem unless there's a reason that it shouldn't be disabled.


----------



## Cookiegal (Aug 27, 2003)

No, just leave it disabled. You're not using that connection. Something was changed along the way. It's best just to leave it disabled rather than uninstalling it.


----------



## Actuarial (Nov 10, 2011)

ok, great. now i guess it's time for clean-up and making sure the protection set-up is good. also, i wanted to make sure that it's not a problem that AVG seems to be trying to read the floppy drive on occasion.

since getting the monitor set up monday evening, the computer hasn't been connected to the internet. i set it up in the basement, and the router is on the next floor up because my wife's 6 yo mac needs to either be plugged into the router or within a few feet in order to get a good signal. the point is that i'm not 100% sure everything is running smoothly because it hasn't really been tested with the internet in the past couple weeks.

however, related to that, we're not sure if we're going to do anything to make the internet situation more convenient (such as by getting powerline network adapters, running an ethernet cable between floors, signal boosters or antenna, etc)... we might just deal with having to move the router to wherever it's needed at the moment until we get a new laptop, but do you know whether any of the options are significantly better/worse than the rest?

thanks again for your help.


----------



## Cookiegal (Aug 27, 2003)

I'm not really that knowledgeable about setting up networked computers. Perhaps you should start a new thread in the Networking forum for help with that.

Please post a new HijackThis log so I can see if anything needs to be addressed there.


----------



## Actuarial (Nov 10, 2011)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:54:13 PM, on 12/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil11c_Plugin.exe -update plugin
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4634 bytes
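As an added illustration, not part of this thread or of HijackThis itself: a short Python parser for the HijackThis entry lines (the R*/O* lines) from the log above. It groups entries by the file that backs them, which is how a reviewer spots a single component, here prxtbZone.dll, registered as URLSearchHook (R3), BHO (O2) and Toolbar (O3) at once. The sample lines are copied from the log above (a subset); the regexes and function names are my own.

```python
import re
from collections import defaultdict

# Entry lines copied from the HijackThis log posted above (a subset, not the full log).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil11c_Plugin.exe -update plugin
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
"""

# An entry line starts with a type code (R1, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# COM class id in braces, as used by URLSearchHook, BHO and Toolbar entries.
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# Drive-letter path up to the first .exe/.dll/.sys/.cab extension. Paths contain
# spaces ("Program Files"), so the match is anchored on the extension, not whitespace.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|sys|cab))\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def parse_hjt(text):
    """Parse HijackThis entry lines into dicts; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        url = URL_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            # Normalise case so the same CLSID/path written differently groups together.
            "clsid": clsid.group(0).lower() if clsid else None,
            "path": path.group(1).lower() if path else None,
            "url": url.group(0) if url else None,
        })
    return entries


def hooks_by_file(entries):
    """Map each backing file to the sorted list of entry types that load it."""
    grouped = defaultdict(set)
    for e in entries:
        if e["path"]:
            grouped[e["path"]].add(e["code"])
    return {path: sorted(codes) for path, codes in grouped.items()}


def multi_hook_files(entries, min_hooks=2):
    """Files registered under two or more hook types; a toolbar/BHO bundle shows up this way."""
    return {p: c for p, c in hooks_by_file(entries).items() if len(c) >= min_hooks}


def entries_for_clsid(entries, clsid):
    """Entry types (in log order) that reference a given CLSID, case-insensitively."""
    return [e["code"] for e in entries if e["clsid"] == clsid.lower()]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for path, codes in multi_hook_files(parsed).items():
        print(f"{path}: {', '.join(codes)}")
```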


----------



## Cookiegal (Aug 27, 2003)

That looks good. 

Here are some final instructions for you.

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *ComboFix /uninstall* in the run box and click *OK*. Note the *space* between the *X* and the */uninstall*; it needs to be there (the screenshot is just for illustration purposes, but the actual command uses the entire word "uninstall" and not just the "u" as shown in the picture).


Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.


----------



## Actuarial (Nov 10, 2011)

ok, thanks. ComboFix has been uninstalled, and a new restore point created. i've attached a zipped image of the desktop icons... should i just drag most of those fix-related files to the recycle bin? maybe i should hang onto malwarebytes and run it on occasion as a secondary layer of protection behind AVG and Windows Firewall (or should i reinstall Zone Alarm)? thanks again.


----------



## Cookiegal (Aug 27, 2003)

Please just upload the screenshot. There's no need to zip the file and I can't open 7zip files.


----------



## Actuarial (Nov 10, 2011)

i wasn't able to post the paint files unzipped previously because they were about 15 times bigger than the max size allowed by this site. however, i just figured out a way to get the file size down low enough, so the smaller unzipped file is attached... hopefully the icons are still big enough for you to figure out what they represent.


----------



## Cookiegal (Aug 27, 2003)

These you can drag to the Recycle Bin:

HijackThis
GMER
aswMBR
DDS
TDSSKiller

For OTS, please open the program and click on "CleanUp" and follow the prompts and it will uninstall itself.

I do recommend keeping MalwareBytes and updating and running scans regularly.


----------



## Actuarial (Nov 10, 2011)

all of that is done. I will keep MalwareBytes & try to run weekly. thanks for the advice. would you recommend I reinstall ZoneAlarm (or something else) or just use Windows Firewall? any other info i should know? thanks again.


----------



## Cookiegal (Aug 27, 2003)

Even though you're behind a router, since you're running XP, it's advisable to run a third party firewall that will protect you for both incoming (less important with the router) and outgoing (which XP and the router don't do). Zone Alarm may bog down the system but you could give it a shot, especially if you're more familiar with it. I'm not sure if they give you the option to not install the Ask toolbar but, if you can, opt out of it and if not uninstall it afterwards. Or you could try Comodo Personal Firewall.


----------



## Actuarial (Nov 10, 2011)

great, i'll figure out the firewall situation when i get home tonight.

Your comment about it possibly bogging down the system reminded me of another thing I've been wondering. Although the system overall has been running fairly smoothly, it occasionally slows down significantly, but hasn't frozen up... & most of the cpu usage at those moments is allocated to iexplorer.exe (often around 50%). if i remember correctly, it only has 1.1GB of RAM. do you think a memory upgrade would make a significant difference? I'm not sure of the system's current breakdown of memory sticks, but I'm assuming I could get it up to 2 GB for somewhere in the $25-30 range. just not sure it'd be worth it. thanks.


----------



## Cookiegal (Aug 27, 2003)

That would be iexplore.exe (not iexplorer.exe), which is the IE browser. There could be a program updating in the background or something like that going on if it gets intensive.

1GB of memory should be sufficient unless you have an excessive amount of programs and applications. It never hurts to add more if the system specs can support it. You'd have to check with the manufacturer's web site to see how much your system can handle, or you could start a new thread in our Hardware forum and those who know more about those things will be able to advise you.

You should also uninstall any old programs that you may no longer need or use. Let's see what you have installed:

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.

Also, do you clear out the temp files and temp Internet files and defragment the hard drive regularly?


----------



## Actuarial (Nov 10, 2011)

in the past, i've generally cleaned up temp files and done disk defragmentation whenever i thought about it, or if a problem arose with the system. i'll try to schedule those tasks on my calendar so they'll be done more often. here's the "uninstall_list":

7-Zip 9.20
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.1)
AVG 2012
AVG 2012
AVG 2012
Broadcom Management Programs
Broadcom NetXtreme Ethernet Controller
ESET Online Scanner v3
HiJackThis
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
HP Deskjet 3840
HP SetRefresh
HP Software Update
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Connections 12.1.12.0
Java(TM) 6 Update 22
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 8.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
OpenOffice.org 3.3
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SoundMAX
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Windows XP Service Pack 3


----------



## Cookiegal (Aug 27, 2003)

That looks pretty trim to me. You also have the latest version of Adobe Flash and Reader, which is good, as older versions of these programs have vulnerabilities that can be exploited so it's important that they be kept up to date (which means that known vulnerabilities have been patched). The only thing you need to update is your Sun Java.

*Upgrading Java*:


Download the latest version of *Java Runtime Environment (JRE) 6 Update 29*.
Select the option to download the *Windows 7, XP Offline* version 
Save the executable file to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
Check any item with *Java Runtime Environment, JRE, J2SE or Java(TM)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download and follow the prompts to install the newest version.

This is the older version that you need to uninstall:

Java(TM) 6 Update 22

Then do this as well to clear out the Temp files:

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.

Please perform a defragmentation.

After doing all of the above reboot the machine and let me know how things are running after that.
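
As an added example (not part of Cookiegal's post, and not a tool the thread uses): the manual hunt through Add/Remove Programs for *Java Runtime Environment, JRE, J2SE or Java(TM)* entries is the same data Windows keeps under the Uninstall registry key, so a script can list every Java runtime on the box, flag anything older than the release you are about to install, and optionally remove the stale ones silently by MSI product code. It assumes PowerShell 2.0 (available for XP SP3 via KB968930), an administrator session, and that the JRE 6 Update 29 uninstall entry reports its DisplayVersion as "6.0.290" (an assumed format; check it against your own install).

```powershell
# Added example, not from the thread: list every Java runtime registered in
# Add/Remove Programs and flag the ones older than the release being installed.
# Assumes PowerShell 2.0 on XP SP3, run as an administrator.
param(
    # JRE 6 Update 29 as its uninstall entry is assumed to report it ("6.0.290");
    # verify the format on your own machine before relying on the comparison.
    [version]$Target = '6.0.290',
    [switch]$Remove   # report only unless this switch is given
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # absent on 32-bit XP
) | Where-Object { Test-Path $_ }

$entries = foreach ($root in $uninstallRoots) {
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty $key.PSPath
        # The same name patterns the post tells you to look for in Add/Remove Programs.
        if ($p.DisplayName -notmatch 'Java\(TM\)|Java Runtime Environment|\bJRE\b|J2SE') { continue }

        $ver = $null
        try { $ver = [version]$p.DisplayVersion } catch { }   # unparseable version -> treat as stale

        New-Object PSObject -Property @{
            Name        = $p.DisplayName
            Version     = $ver
            ProductCode = $key.PSChildName        # MSI product GUID for the Sun/Oracle installers
            Stale       = ($ver -eq $null) -or ($ver -lt $Target)
        }
    }
}

$entries | Sort-Object Version | Format-Table Name, Version, ProductCode, Stale -AutoSize

if ($Remove) {
    # Close browsers first, as the post says: a loaded Java plug-in will block the uninstall.
    foreach ($e in $entries | Where-Object { $_.Stale -and $_.ProductCode -like '{*}' }) {
        Write-Host "Removing $($e.Name)"
        # Silent MSI uninstall by product code; exit 0 = done, 3010 = reboot required.
        $proc = Start-Process msiexec.exe -ArgumentList "/x $($e.ProductCode) /qn /norestart" -Wait -PassThru
        Write-Host "  msiexec exit code: $($proc.ExitCode)"
    }
}
```

Run it once without `-Remove` to see what is installed (on this machine the expected hit is the "Java(TM) 6 Update 22" entry flagged as stale), then with `-Remove` after closing Firefox and IE, reboot, and install the new JRE. Entries whose key name is not a GUID are left for Add/Remove Programs, since they use a vendor uninstaller rather than msiexec.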


----------



## Actuarial (Nov 10, 2011)

i've done the Java upgrade, and I did a defragmentation a couple days ago after you mentioned it. However, the link for the ATF-cleaner download brings up a white page that just says "This ID doesn't exist!"


----------



## Cookiegal (Aug 27, 2003)

Actuarial said:


> i've done the Java upgrade, and I did a defragmentation a couple days ago after you mentioned it. However, the link for the ATF-cleaner download brings up a white page that just says "This ID doesn't exist!"


I get the same thing. I don't know what's up with that but you can download it from the following link:

http://majorgeeks.com/download.php?det=4949


----------



## Actuarial (Nov 10, 2011)

ok, all of that is done. i'm assuming it'd be a good idea to hang onto ATF and use it for my regular cleaning rather than doing everything manually (running %temp% & deleting everything, using the IE Tools - Options for internet files, etc)? also, since i defragmented a couple days ago, i just let it do an analysis... it said it didn't need to be done again, so i skipped it for now.

Just to make sure I have the full list of maintenance items to do regularly, would this be a good list to work from:

Delete Temp Files (regular and internet) (ATF-cleaner?)
Defragment
AVG scans & updates
MalwareBytes scans & updates
Windows updates
Adobe Flash & Reader updates
Java updates/upgrades
Restore points (only necessary with major changes?)
Data Backup (external HD)


----------



## Cookiegal (Aug 27, 2003)

Yes, that's a good list. 

It's easier to use ATF for that purpose but of course you can do it manually if you prefer.

Restore points get created regularly but you should create one just before making any major changes.

Is IE still using a lot of resources at times?


----------



## Actuarial (Nov 10, 2011)

i've been using Firefox the last couple days, but i'll use IE later tonight and tomorrow and see if it slows down. thanks again.


----------



## Cookiegal (Aug 27, 2003)

OK, please let me know.


----------



## Actuarial (Nov 10, 2011)

it's been running ok the last few days. some periods of hesitation here and there, along with an infrequent AVG message telling me that IE is taking up lots of memory and that i should restart it... but that's usually when i have at least 5-6 tabs open at once. i guess i'd need more memory in order to avoid that though.


----------



## Cookiegal (Aug 27, 2003)

That would probably be a good idea.

Here are some final instructions for you.

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *ComboFix /uninstall* in the runbox and click *OK*. Note the *space* between the *X* and the */uninstall*; it needs to be there (the screenshot is just for illustration purposes but the actual command uses the entire word "uninstall" and not just the "u" as shown in the picture).

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.
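
As an added example (not part of Cookiegal's post): the final steps above, the ComboFix uninstall, flushing the old restore points by turning System Restore off and on, and creating a clean one, can be done from PowerShell 2.0 on XP SP3 instead of clicking through the GUI. The script below assumes an administrator session and that ComboFix.exe is still on the desktop (the path is an assumption; change it if you saved it elsewhere). The post reboots between turning System Restore off and back on; the script does not, so reboot by hand between the two calls if you want to follow the instructions exactly.

```powershell
# Added example, not from the thread: ComboFix uninstall, restore-point flush and a fresh checkpoint.
# Assumes PowerShell 2.0 on XP SP3, run as an administrator.
param(
    [string]$ComboFix = (Join-Path $env:USERPROFILE 'Desktop\ComboFix.exe'),  # assumed location
    [string]$Drive    = ($env:SystemDrive + '\')                              # e.g. "C:\"
)

# 1. Same command as Start > Run: ComboFix /uninstall (note the space before the switch).
if (Test-Path $ComboFix) {
    Start-Process $ComboFix -ArgumentList '/uninstall' -Wait
} else {
    Write-Warning "ComboFix not found at $ComboFix; skipping its uninstall"
}

# 2. Show what is about to be discarded. Restore points made while the machine was
#    dirty can bring removed files back, which is why the post flushes them.
Write-Host 'Existing restore points:'
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize

# 3. Turning System Restore off for the drive deletes its restore points on XP;
#    turning it back on starts with an empty set. (The post reboots in between.)
Disable-ComputerRestore -Drive $Drive
Enable-ComputerRestore  -Drive $Drive

# 4. The new, clean baseline the post asks you to create.
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS

Write-Host 'Restore points now:'
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize
```

After it runs, the second listing should show only the single "Clean after malware removal" point; if older sequence numbers are still there, System Restore was not actually disabled for that drive (check the drive letter you passed).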


----------

