Ran Malwarebytes, fixed problems, now computer hangs during startup

[KPierson]

Yesterday I noticed that I was getting Google redirects. I did a full scan using AVG and it found nothing. I then upgraded to the latest version of AVG and performed another scan - still nothing.

Next, I opened Malwarebytes and updated it. I ran a full system scan and it found 30 problems, but hung up between the "scan finished" and "show results" step. No matter what I did I couldn't see the results. I had to end the program and reboot. Upon reboot I had all kinds of pop ups and messages telling me I was infected. I ran Malwarebytes again and found the same 30 infections but this time it did not hang up. I was able to see the results and I clicked on "fix". A box popped up that stated I had to restart to finish deleting and so I did.

However, the computer never restarted. It will post, but it hangs before it makes it to the XP splash screen. I get no blue screens, no error messages, just a blank black screen.

I tried to use the recovery console - both the chkdsk function and the fixboot function, but was hesitant to try anything else. I removed the harddrive from the Dell D510 laptop and installed it in my desktop so I could retrieve the log file:

Malwarebytes' Anti-Malware 1.43

Database version: 3458

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 6.0.2900.2180

1/2/2010 11:51:02 PM

mbam-log-2010-01-02 (23-51-02).txt

Scan type: Full Scan (C:\|)

Objects scanned: 266200

Time elapsed: 50 minute(s), 56 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 7

Registry Values Infected: 2

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uvswmpfk (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon86.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon86.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\winlogon86.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\517be096.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\Program Files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\Winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\dfgdgdfgrgdgfdrdfs.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

I appreciate everyones time - thank you,

Kevin

[sjpritch25]

Sorry for the delay

Do you still need assistance?

[KPierson]

Sorry for the delay

Do you still need assistance?

Yes I do. I've tried a few things including a fixmbr and even tried to do an XP restore from my XP disk - both to no avail - I still have the exact same issue.

[sjpritch25]

Open malwarebytes, update to the latest definitions, run a quick scan. PLease post the log.

Download GMER Antirootkit Here, click on Download EXE and save to your Desktop

• Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver
  
• Double-click Gmer.exe to run the program.
  
• When the program opens, click the "Rootkit" Tab
  
• On the right-side, check all the items to be scanned, but leave "Show All" unchecked
  
• Select all drives that are connected to your system to be scanned
  
• Click the Scan button
  
• When the scan is finished, click Copy to save the scan log to the Windows clipboard
  
• Open Notepad or a similar text editor
  
• Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  
• Save the gmer scan log and post it in your next reply.
  
• Close Gmer
  
• Open a command prompt (Start | run |type cmd and hit Enter)
  • Type or paste the following to unload the gmer driver:
    
  • net stop gmer
    
  • Hit Enter
    
  • Exit the command prompt.
    

  [*]Re-enable all active protection.

[KPierson]

I can't do any of that stuff as I can't get windows XP to load normally or in any of the safe mode options. The only thing I can do is access the C drive through the Recovery Console. Again, the system hangs BEFORE the XP splash screen, but after posting. If I hit F8 I can still access the safe mode boot options. Before "fixing" my found issues with Malwarebytes the computer had no boot issues and was running really well (minus the Google redirct).

In safe mode the system hangs after loading the ISAPNP driver. From my limited research I believe the next driver is a battery driver (it is a laptop) but I can't confirm this 100%.

Open malwarebytes, update to the latest definitions, run a quick scan. PLease post the log.

Download GMER Antirootkit Here, click on Download EXE and save to your Desktop

• Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver
  
• Double-click Gmer.exe to run the program.
  
• When the program opens, click the "Rootkit" Tab
  
• On the right-side, check all the items to be scanned, but leave "Show All" unchecked
  
• Select all drives that are connected to your system to be scanned
  
• Click the Scan button
  
• When the scan is finished, click Copy to save the scan log to the Windows clipboard
  
• Open Notepad or a similar text editor
  
• Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  
• Save the gmer scan log and post it in your next reply.
  
• Close Gmer
  
• Open a command prompt (Start | run |type cmd and hit Enter)
  • Type or paste the following to unload the gmer driver:
    
  • net stop gmer
    
  • Hit Enter
    
  • Exit the command prompt.
    

  [*]Re-enable all active protection.

[sjpritch25]

In the Advanced Options menu, instead of choosing start normally did you try last known good configuration?

[KPierson]

Yes I did - I tried every possible combination of options I could try. When I try boot with logging or last known configuration (or normally) it hangs with no messages and no curser - just a black screen.

When I try any of the safe modes it hangs after the isapnp.sys driver

[sjpritch25]

You could give this a try, but it may or may not work

http://www.microsoft.com/windowsxp/using/h...ips/doug92.mspx

[KPierson]

As mentioned up in post 3 I already tried that - it changed nothing.

According to the log, not much was changed - is there any way to "undo" the changes through the recovery console or at least identify the file or key that was modified that is causing the hang? I'm by no means a computer expert - but the research I've done shows that changes to the userinit registry key could cause start up issues.

I really don't want to reformat and reinstall windows - I'm hoping I can figure something out to at least boot in to safe mode to give me some more options here!

I appreciate your help in this matter,

Kevin Pierson

[sjpritch25]

we can try this, but you need to boot into Recovery Console.

type the following commands in the recovery console

cd system32\drivers

ren atapi.sys atapi.old

copy c:\windows\servicepackfiles\i386\atapi.sys c:\windows\system32\drivers

Afterwards, i need you to run fixmbr too.

Afterwards, let me know if you can boot into windows.

Thanks

[KPierson]

As mentioned up in post 3 I already tried that - it changed nothing.

According to the log, not much was changed - is there any way to "undo" the changes through the recovery console or at least identify the file or key that was modified that is causing the hang? I'm by no means a computer expert - but the research I've done shows that changes to the userinit registry key could cause start up issues.

I really don't want to reformat and reinstall windows - I'm hoping I can figure something out to at least boot in to safe mode to give me some more options here!

I appreciate your help in this matter,

Kevin Pierson

I'm not sure if this helps, but I believe it will....

I have spent the past hour or so going back through my ntbtlog.txt file and comparing logs from over a year ago with logs from the past few days.

In past years the driver order is:

isapnp.sys

compbatt.sys

but, recently, the order is:

isapnp.sys

lgsabpg.sys

compbatt.sys

just by the nam, lgsabpg.sys, appears to associated with a virus and appears to be causing the hanging. Is there a way to skip a driver or disable a driver so that I can load windows and have options to fix this correctly?

[sjpritch25]

its hard to say without more information. Since you had google re-directs, you probably have a variant of tdl3. My instructions will work as long as atapi.sys is your ide controller. There are different files, but i'm going with the most prevalent.

[KPierson]

OK, I think I've gotten somewhere.

I found the driver listed above that I thought was the problem (lgsabpg.sys) in my system32/drivers folder. It was created on 1/2/10 - the day the computer crashed and had a file size of 0. I renamed it to lgsabpg.old and restared and windows took off (kinda).

Since I tried the recovery console I have to finish all that junk now, but my fingers are crossed that after that is done I will be back up.

Thank you again for your time - this has been extremely frustrating past few days as I was expecting a "quick fix" to my google redirect problem and ended up figthing this laptop for 2.5 days!

I will let you know if I run in to any issues - thank you again.

One other question I do have is do you have any idea why the driver above was left behind? I see no mention of it in my logs. Maybe Malwarebytes missed an association or something?

Kevin

[KPierson]

OK, computer is back up and running and everything seems cool.

However, I still have the Google redirect (awesome considering I've spent 2 days with a dead computer trying to fix that problem).

Should I follow the advice above and download and run those programs and post logs?

Should I start a new thread?

[sjpritch25]

Go ahead with just this

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

• When finished, it will produce a report for you.
  
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
  

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

[KPierson]

No more Google redircts after Combofix - here are the logs:

ComboFix 10-01-04.01 - Kevin 01/05/2010 23:32:27.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.759.354 [GMT -5:00]

Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Kevin\Cookies\exolixurij.dl

c:\documents and settings\Kevin\Local Settings\Application Data\kuli.inf

c:\documents and settings\Kevin\Local Settings\Application Data\matakokis.bat

c:\documents and settings\Kevin\Local Settings\Application Data\qewy.inf

c:\documents and settings\Kevin\Local Settings\Temporary Internet Files\bifowewa.ban

c:\documents and settings\Kevin\Local Settings\Temporary Internet Files\suzulolop.lib

C:\LOG.TXT

c:\program files\Shared

C:\s

C:\userinit.ex_

C:\userinit.exe

c:\windows\kb913800.exe

c:\windows\mudyzyf.dll

c:\windows\system32\18467.exe

c:\windows\system32\19169.exe

c:\windows\system32\26500.exe

c:\windows\system32\6334.exe

c:\windows\system32\flags.ini

c:\windows\system32\kbdsock.dll

c:\windows\system32\mshlps.dll

c:\windows\system32\tdxlw.dll

c:\windows\system32\uses32.dat

c:\windows\Temp\1325124380.exe

c:\windows\userinit.exe

c:\windows\yquw.vbs

.

((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))

.

2010-01-06 02:48 . 2005-09-20 21:31 135168 ----a-w- c:\windows\system32\igfxres.dll

2010-01-06 02:45 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-01-06 02:35 . 2001-08-23 12:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys

2010-01-06 02:35 . 2001-08-23 12:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll

2010-01-06 02:35 . 2004-08-03 23:56 53248 -c--a-w- c:\windows\system32\dllcache\wamreg51.dll

2010-01-06 02:35 . 2001-08-23 12:00 9216 -c--a-w- c:\windows\system32\dllcache\wamps51.dll

2010-01-06 02:35 . 2004-08-03 23:56 76800 -c--a-w- c:\windows\system32\dllcache\wam51.dll

2010-01-06 02:35 . 2004-08-03 23:56 363520 -c--a-w- c:\windows\system32\dllcache\w3svc.dll

2010-01-06 02:35 . 2001-08-23 12:00 5632 -c--a-w- c:\windows\system32\dllcache\w3svapi.dll

2010-01-06 02:35 . 2001-08-23 12:00 73728 -c--a-w- c:\windows\system32\dllcache\w3ext.dll

2010-01-06 02:35 . 2001-08-23 12:00 4608 -c--a-w- c:\windows\system32\dllcache\w3ctrs51.dll

2010-01-06 02:35 . 2001-08-23 12:00 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll

2010-01-06 02:33 . 2001-08-23 12:00 101376 -c--a-w- c:\windows\system32\dllcache\srusbusd.dll

2010-01-06 02:32 . 2001-08-18 03:36 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll

2010-01-06 02:31 . 2001-08-23 12:00 131584 -c--a-w- c:\windows\system32\dllcache\pmxviceo.dll

2010-01-06 02:31 . 2001-08-23 12:00 11264 -c--a-w- c:\windows\system32\dllcache\pmxmcro.dll

2010-01-06 02:31 . 2001-08-23 12:00 6144 -c--a-w- c:\windows\system32\dllcache\pmxgl.dll

2010-01-06 02:31 . 2004-08-03 21:31 67584 -c--a-w- c:\windows\system32\dllcache\pmigrate.dll

2010-01-06 02:31 . 2004-08-03 21:31 70144 -c--a-w- c:\windows\system32\dllcache\pintlphr.exe

2010-01-06 02:31 . 2001-08-23 12:00 20992 -c--a-w- c:\windows\system32\dllcache\permchk.dll

2010-01-06 02:31 . 2001-08-23 12:00 31744 -c--a-w- c:\windows\system32\dllcache\pagecnt.dll

2010-01-06 02:31 . 2001-08-18 03:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll

2010-01-06 02:31 . 2004-08-03 23:56 44544 -c--a-w- c:\windows\system32\dllcache\nsepm.dll

2010-01-06 02:31 . 2001-08-23 12:00 53248 -c--a-w- c:\windows\system32\dllcache\nextlink.dll

2010-01-06 02:30 . 2001-08-23 12:00 111104 -c--a-w- c:\windows\system32\dllcache\mtstocom.exe

2010-01-06 02:30 . 2004-08-03 23:56 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe

2010-01-06 02:30 . 2001-08-23 12:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys

2010-01-06 02:30 . 2001-08-23 12:00 92032 -c--a-w- c:\windows\system32\dllcache\mga.dll

2010-01-06 02:30 . 2004-08-03 23:56 85504 -c--a-w- c:\windows\system32\dllcache\metada51.dll

2010-01-06 02:30 . 2001-08-23 12:00 26624 -c--a-w- c:\windows\system32\dllcache\mdsync.dll

2010-01-06 02:30 . 2004-08-03 23:56 37888 -c--a-w- c:\windows\system32\dllcache\md5filt.dll

2010-01-06 02:28 . 2001-08-23 12:00 7168 -c--a-w- c:\windows\system32\dllcache\isapips.dll

2010-01-06 02:27 . 2004-08-03 23:56 32256 -c--a-w- c:\windows\system32\dllcache\gzip.dll

2010-01-06 02:26 . 2004-08-03 23:56 42496 -c--a-w- c:\windows\system32\dllcache\davcdata.exe

2010-01-06 02:26 . 2001-08-23 12:00 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe

2010-01-06 02:26 . 2001-08-23 12:00 20480 -c--a-w- c:\windows\system32\dllcache\counters.dll

2010-01-06 02:26 . 2001-08-23 12:00 56320 -c--a-w- c:\windows\system32\dllcache\convlog.exe

2010-01-06 02:26 . 2001-08-23 12:00 33792 -c--a-w- c:\windows\system32\dllcache\controt.dll

2010-01-06 02:26 . 2004-08-03 23:56 24064 -c--a-w- c:\windows\system32\dllcache\compfilt.dll

2010-01-06 02:25 . 2004-08-03 21:31 480256 -c--a-w- c:\windows\system32\dllcache\cintsetp.exe

2010-01-06 02:25 . 2004-08-03 21:31 198656 -c--a-w- c:\windows\system32\dllcache\cintime.dll

2010-01-06 02:25 . 2004-08-03 21:31 173568 -c--a-w- c:\windows\system32\dllcache\chtskf.dll

2010-01-06 02:25 . 2004-08-03 21:31 56320 -c--a-w- c:\windows\system32\dllcache\chtskdic.dll

2010-01-06 02:25 . 2004-08-03 21:31 97792 -c--a-w- c:\windows\system32\dllcache\chtmbx.dll

2010-01-06 02:25 . 2001-08-23 12:00 14336 -c--a-w- c:\windows\system32\dllcache\chgusr.exe

2010-01-06 02:25 . 2001-08-23 12:00 15872 -c--a-w- c:\windows\system32\dllcache\chgport.exe

2010-01-06 02:25 . 2001-08-23 12:00 13312 -c--a-w- c:\windows\system32\dllcache\chglogon.exe

2010-01-06 02:25 . 2001-08-23 12:00 9728 -c--a-w- c:\windows\system32\dllcache\change.exe

2010-01-06 02:25 . 2001-08-23 12:00 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys

2010-01-06 02:25 . 2001-08-23 12:00 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll

2010-01-06 02:24 . 2001-08-23 12:00 45568 -c--a-w- c:\windows\system32\dllcache\browscap.dll

2010-01-06 02:24 . 2001-08-23 12:00 9216 -c--a-w- c:\windows\system32\dllcache\authfilt.dll

2010-01-06 02:24 . 2001-08-23 12:00 29184 -c--a-w- c:\windows\system32\dllcache\asptxn.dll

2010-01-06 02:24 . 2001-08-23 12:00 10240 -c--a-w- c:\windows\system32\dllcache\aspperf.dll

2010-01-06 02:24 . 2004-08-03 23:56 369664 -c--a-w- c:\windows\system32\dllcache\asp51.dll

2010-01-06 02:24 . 2004-08-03 23:56 331264 -c--a-w- c:\windows\system32\dllcache\aqueue.dll

2010-01-06 02:24 . 2001-08-18 03:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll

2010-01-06 02:24 . 2004-08-03 23:56 108544 -c--a-w- c:\windows\system32\dllcache\appconf.dll

2010-01-06 02:24 . 2001-08-23 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt040d.dll

2010-01-06 02:24 . 2001-08-23 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt0401.dll

2010-01-06 02:22 . 2004-08-03 23:56 829440 -c--a-w- c:\windows\system32\dllcache\inetmgr.dll

2010-01-06 02:14 . 2001-08-23 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe

2010-01-06 02:04 . 2007-02-18 21:37 347136 ----a-w- c:\windows\system32\hypertrm.dll

2010-01-06 01:15 . 2001-08-23 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2010-01-06 01:15 . 2001-08-23 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll

2010-01-06 01:15 . 2001-08-23 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2010-01-06 01:15 . 2001-08-23 12:00 13312 ----a-w- c:\windows\system32\irclass.dll

2010-01-04 19:01 . 2010-01-04 19:07 -------- d-----w- c:\windows\l2schemas

2010-01-04 19:01 . 2010-01-04 19:06 -------- d-----w- c:\windows\system32\en

2010-01-04 19:01 . 2010-01-04 19:01 -------- d-----w- c:\windows\msapps

2010-01-03 00:14 . 2010-01-03 00:14 -------- d-----w- C:\found.000

2009-12-07 23:20 . 2009-12-07 23:20 -------- d-----w- c:\program files\Photo Viewer

1601-01-01 00:00 . 1601-01-01 00:00 -------- d-----w- c:\windows\LastGood.Tmp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-06 03:22 . 2007-04-18 20:15 70016 ----a-w- c:\windows\system32\drivers\NmSerial.sys

2010-01-06 03:22 . 2006-10-11 15:22 39936 ----a-w- c:\windows\system32\pnpports.dll

2010-01-06 03:22 . 2006-10-11 15:12 76416 ----a-w- c:\windows\system32\drivers\NmPar.sys

2010-01-06 02:42 . 2006-05-05 04:22 -------- d-----w- c:\program files\Common Files\ArchestrA

2010-01-06 02:10 . 2004-08-11 23:12 23428 ----a-w- c:\windows\system32\emptyregdb.dat

2010-01-06 02:09 . 2007-11-19 02:32 -------- d-----w- c:\program files\Windows Media Connect 2

2010-01-03 04:51 . 2010-01-03 01:09 0 ----a-w- c:\windows\system32\drivers\lgsabpg.old

2010-01-03 04:51 . 2010-01-03 01:09 0 ----a-w- c:\windows\system32\drivers\lgsabpg.ol2

2010-01-03 00:23 . 2009-08-11 11:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-02 20:23 . 2009-11-25 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2009-12-30 19:55 . 2009-08-11 11:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-30 19:54 . 2009-08-11 11:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-25 13:11 . 2009-08-21 15:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2009-11-25 13:11 . 2009-08-21 15:37 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-11-25 13:11 . 2009-08-21 15:37 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-11-25 13:11 . 2009-08-21 15:37 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-11-25 13:11 . 2009-08-21 15:35 -------- d-----w- c:\program files\AVG

2009-11-10 04:27 . 2006-11-19 14:05 120 ----a-w- C:\drmHeader.bin

2009-08-11 01:55 . 2009-08-11 01:55 18917 ----a-w- c:\program files\Common Files\pexinidoqa.com

2002-03-12 18:44 . 2002-03-12 18:44 90 ----a-w- c:\program files\Common Files\InstalledProducts.xml

2002-03-12 18:44 . 2002-03-12 18:44 817 ----a-w- c:\program files\Common Files\InstalledProducts.xsl

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]

"HostManager"="c:\program files\Common Files\AOL\1140138302\ee\AOLSoftware.exe" [2005-11-03 50792]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-16 271672]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-02 2033432]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-08-09 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-10 24576]

hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-9 323646]

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

NextMove PCI (2) Auto Initialization.lnk - c:\program files\Mint Machine Center\PCIWizard.exe [2006-12-19 40960]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-11-25 13:11 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2001-11-02 15:50 24636 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1523734621-1453793783-526660263-1766\Scripts\Logon\0\0]

"Script"=\\Jordan.int\sysvol\Jordan.int\scripts\printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1523734621-1453793783-526660263-500\Scripts\Logon\0\0]

"Script"=\\Jordan.int\sysvol\Jordan.int\scripts\printer.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1140138302\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1140138302\\ee\\aim6.exe"=

"c:\\Program Files\\Kinko's\\FPFK\\FPKMain.exe"=

"c:\\Program Files\\Kinko's\\FPFK\\Kinkos.Jupiter.GUI.Queue.exe"=

"c:\\WINDOWS\\system32\\OpcEnum.exe"=

"c:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"=

"c:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=

"c:\\Program Files\\Common Files\\ArchestrA\\aaLogger.exe"=

"c:\\Program Files\\Common Files\\ArchestrA\\slssvc.exe"=

"c:\\Program Files\\Wonderware\\InTouch\\wm.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Common Files\\ArchestrA\\DASAgent.exe"=

"c:\\WINDOWS\\system32\\dllhost.exe"=

"c:\\Program Files\\ArchestrA\\Framework\\Bin\\aaIDE.exe"=

"c:\\Program Files\\ArchestrA\\Framework\\Bin\\aaPim.exe"=

"c:\\Program Files\\ArchestrA\\Framework\\Bin\\aaBootstrap.exe"=

"c:\\Program Files\\ArchestrA\\Framework\\Bin\\aaDCOMTransport.exe"=

"c:\\Program Files\\ArchestrA\\Framework\\Bin\\aaGR.exe"=

"c:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"=

"c:\\Program Files\\Common Files\\ArchestrA\\wwlogsvc.exe"=

"c:\\Program Files\\Wonderware\\DAServer\\DASABCIP\\Bin\\DASABCIP.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:Port 135 TCP

"102:TCP"= 102:TCP:DAS SI 102

"502:TCP"= 502:TCP:Modicon 502

"1434:UDP"= 1434:UDP:SQL Server Browser 1434

"1433:TCP"= 1433:TCP:SQL TCP 1433

"2221:TCP"= 2221:TCP:DAS ABTCP 2221

"2222:TCP"= 2222:TCP:DAS ABTCP 2222

"2223:TCP"= 2223:TCP:DAS ABTCP 2223

"5413:TCP"= 5413:TCP:Port 5413

"443:TCP"= 443:TCP:SuiteVoyager 443

"9001:TCP"= 9001:TCP:vista 9001

"9002:TCP"= 9002:TCP:EnvMngr 9002

"9003:TCP"= 9003:TCP:MsgMngr 9003

"9004:TCP"= 9004:TCP:SecMngr 9004

"9006:TCP"= 9006:TCP:RedMngr 9006

"9007:TCP"= 9007:TCP:UnilinkMngr 9007

"9008:TCP"= 9008:TCP:BatchMngr 9008

"9011:TCP"= 9011:TCP:LogMngr 9011

"9012:TCP"= 9012:TCP:InfoMngr 9012

"9013:UDP"= 9013:UDP:RedMngrX 9013

"9014:UDP"= 9014:UDP:RedMngrX2 9014

"9015:TCP"= 9015:TCP:HistQMngrvista 9015

"9016:TCP"= 9016:TCP:HistQReader 9016

"44818:TCP"= 44818:TCP:Logix 44818

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/21/2009 10:37 AM 333192]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/21/2009 10:37 AM 360584]

R2 aaBootstrap;ArchestrA Bootstrap;c:\program files\ArchestrA\Framework\Bin\aaBootstrap.exe [9/15/2004 8:57 PM 1060960]

R2 aaGR;ArchestrA GalaxyRepository;c:\program files\ArchestrA\Framework\Bin\aaGR.exe [9/15/2004 8:45 PM 94298]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/25/2009 8:11 AM 285392]

R2 FxControlRuntime;FxControl Runtime;c:\program files\GE Fanuc\Proficy Machine Edition\fxControl\Runtime\NT\FxControl.exe [9/22/2005 9:14 AM 618496]

R2 TrapiServer;Trapi File Server;c:\program files\GE Fanuc\Proficy Machine Edition\Common\Components\NT\TrapiServer.exe [9/17/2005 5:17 AM 102400]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 11:24 PM 24652]

R2 WWLOGSVC;Wonderware Logger;c:\program files\Common Files\ArchestrA\wwlogsvc.exe [6/1/2006 9:16 AM 61514]

R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [4/18/2007 3:15 PM 70016]

S0 lgsabpg;lgsabpg; [x]

S1 abpicw2k;AB PIC/AIC+ Driver;c:\windows\system32\drivers\abpicw2k.sys [6/3/2004 4:08 AM 113600]

S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]

S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [6/3/2004 4:08 AM 71448]

S3 apusbsnt;AirPrime USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [2/20/2006 8:29 AM 40064]

S3 DASABCIP;DASABCIP;c:\progra~1\WONDER~1\DAServer\DASABCIP\Bin\DASABCIP.exe -service --> c:\progra~1\WONDER~1\DAServer\DASABCIP\Bin\DASABCIP.exe -service [?]

S3 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.SYS [6/29/2000 3:24 PM 3584]

S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [11/20/2006 7:56 PM 34639]

S3 QSerBus;Quatech PCI/PCMCIA/ISA Multiport Serial Device Enumerator;c:\windows\system32\drivers\qserbus.sys [4/7/2005 2:08 PM 28160]

S3 QTSerial;Quatech Multiport Serial Driver;c:\windows\system32\drivers\qtserial.sys [4/13/2005 9:44 AM 92160]

S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [6/3/2004 4:08 AM 142592]

S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [6/3/2004 4:08 AM 30166]

S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [6/3/2004 4:08 AM 155440]

S3 Wibukey2;Wibukey2;c:\windows\system32\drivers\Wibukey2.sys [6/23/2006 9:09 PM 17408]

S3 WwRpcSvr;WwRpcSvr;c:\windows\system32\WWInstSvc.Exe [6/1/2006 9:04 AM 69702]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.hotmail.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Handler: ww - {D85C367B-99A7-474A-8003-8C9D48BC4F2E} - c:\program files\Common Files\ArchestrA\Browser Extensions\wwprotocol.dll

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

AddRemove-AIM_6 - c:\program files\AIM6\uninst.exe

AddRemove-SLABCOMM - c:\windows\system32\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-05 23:53

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\WinDNet32\Drivers]

@DACL=(02 0000)

"Allen-Bradley 1770-KFD"="c:\\Program Files\\Rockwell Software\\RSLinx\\KFD32DVR.DLL"

"Allen-Bradley 1771-SDNPT"="c:\\Program Files\\Rockwell Software\\RSLinx\\SDNPTDRV.DLL"

"Allen-Bradley 1747-SDNPT"="c:\\Program Files\\Rockwell Software\\RSLinx\\SDN47PT.DLL"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)

c:\windows\system32\awgina.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1836)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\windows\system32\WgaTray.exe

c:\program files\Common Files\ArchestrA\aaLogger.exe

c:\program files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\GE Fanuc\Proficy Common\Proficy Common Licensing\CCFLIC0.exe

c:\program files\Common Files\ArchestrA\NTServApp.exe

c:\program files\Dell\OpenManage\Client\Iap.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Common Files\ArchestrA\slssvc.exe

c:\program files\RealVNC\VNC4\WinVNC4.exe

c:\program files\Apoint\Apntex.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-01-06 00:05:05 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-06 05:04

ComboFix2.txt 2009-03-23 14:22

Pre-Run: 15,215,529,984 bytes free

Post-Run: 17,015,033,856 bytes free

- - End Of File - - 8EF41AF51BE81333C866C8B4F4DC4488

Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:25:06 AM, on 1/6/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\WgaTray.exe

C:\Program Files\ArchestrA\Framework\Bin\aaGR.exe

C:\Program Files\Common Files\ArchestrA\aaLogger.exe

C:\Program Files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\GE Fanuc\Proficy Common\Proficy Common Licensing\CCFLIC0.exe

C:\Program Files\Common Files\ArchestrA\NTServApp.exe

C:\Program Files\GE Fanuc\Proficy Machine Edition\fxControl\Runtime\NT\FxControl.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Common Files\ArchestrA\slssvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\GE Fanuc\Proficy Machine Edition\Common\Components\NT\trapiserver.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\Common Files\ArchestrA\wwlogsvc.exe

C:\Program Files\ArchestrA\Framework\Bin\aaBootstrap.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\AOL\1140138302\ee\AOLSoftware.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140138302\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NextMove PCI (2) Auto Initialization.lnk = C:\Program Files\Mint Machine Center\PCIWizard.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM2\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O18 - Protocol: ww - {D85C367B-99A7-474A-8003-8C9D48BC4F2E} - C:\Program Files\Common Files\ArchestrA\Browser Extensions\wwprotocol.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: ArchestrA Bootstrap (aaBootstrap) - Invensys Systems, Inc. - C:\Program Files\ArchestrA\Framework\Bin\aaBootstrap.exe

O23 - Service: ArchestrA GalaxyRepository (aaGR) - Invensys Systems, Inc. - C:\Program Files\ArchestrA\Framework\Bin\aaGR.exe

O23 - Service: ArchestrA Logger (aaLogger) - Invensys Systems, Inc. - C:\Program Files\Common Files\ArchestrA\aaLogger.exe

O23 - Service: AEClientHostService - GE Fanuc Automation Americas - C:\Program Files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Proficy Licensing (CCFLIC0) - GE Fanuc Automation Americas - C:\Program Files\GE Fanuc\Proficy Common\Proficy Common Licensing\CCFLIC0.exe

O23 - Service: DASABCIP - Invensys Systems, Inc. - C:\PROGRA~1\WONDER~1\DAServer\DASABCIP\Bin\DASABCIP.exe

O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FS Service Control - Wonderware Corporation - C:\Program Files\Common Files\ArchestrA\NTServApp.exe

O23 - Service: FxControl Runtime (FxControlRuntime) - Total Control Products (Canada) Inc. - C:\Program Files\GE Fanuc\Proficy Machine Edition\fxControl\Runtime\NT\FxControl.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Harmony - Rockwell Software Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE

O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: RSLinx Classic (RSLinx) - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Wonderware SuiteLink (slssvc) - Invensys Systems, Inc. - C:\Program Files\Common Files\ArchestrA\slssvc.exe

O23 - Service: Trapi File Server (TrapiServer) - Unknown owner - C:\Program Files\GE Fanuc\Proficy Machine Edition\Common\Components\NT\trapiserver.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

O23 - Service: WLANKEEPER - Intel

[sjpritch25]

Looks good. How is everything running??

[KPierson]

Looks good. How is everything running??

Well. like I said, no Google redirects and everything else seems fine.

It's a Dell laptop and I used a non Dell XP disk to do the restore and for some reason got "counterfit" warnings. I am currently reinstalling with the genuine Dell XP disk to hopefully get rid of that. It's seriously been one thing after another but I think I can see the light at the end of the tunnel!

Thank you again for your time and help,

Kevin

[sjpritch25]

Not surprised there.

Please go to Start --> Run ---> Type ComboFix /uninstall and press Enter.