Jump to content

removed malware, but still getting redirects

Recommended Posts

I embarrassed to be back here as I came here for help some time ago and thought I was being very safe since then. Somehow, I don't know how, I got a fake antivirus malware program. I used malware bytes to remove it, but since then I continue to get google search redirects, and My computer sometimes becomes unresponsive for no reason at all. My startup time is now like 10 minutes, whereas before it was only about 1 min. I know I may have irreversibly damaged my computer, but any help here would be greatly appreciated.

I have run complete scans with malware bytes, ad-aware, and Avira, but since the initial issue they turn up nothing.

Link to post
Share on other sites

Hello Packman,

Do me the courtesy of stating your Windows version/edition and (you should know this) doing the perliminaries & reports required by this sub-forum !

Print out, read and follow the directions here, skipping any steps you are unable to complete.

Please Copy & Paste the Gmer.txt log

the DDS logs

and the MBAM scan log

I do not want the Avira nor the Ad-aware reports.

Link to post
Share on other sites

Hello Packman,

Do me the courtesy of stating your Windows version/edition and (you should know this) doing the perliminaries & reports required by this sub-forum !

Print out, read and follow the directions here, skipping any steps you are unable to complete.

Please Copy & Paste the Gmer.txt log

the DDS logs

and the MBAM scan log

I do not want the Avira nor the Ad-aware reports.

Very very sorry. I forgot my protocol. Thank you for taking the time to assist me.

I am using:

Windows XP Professional SP 3

MY defogger log:

defogger_disable by jpshortstuff (

Log created at 11:41 on 12/09/2010 (Kim Lowe)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...


My Mbam Log:

Malwarebytes' Anti-Malware 1.46


Database version: 4438

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/12/2010 10:36:38 AM

mbam-log-2010-09-12 (10-36-38).txt

Scan type: Quick scan

Objects scanned: 157837

Time elapsed: 38 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

My DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Kim Lowe at 11:44:41.89 on Sun 09/12/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.89 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============


C:\WINDOWS\system32\svchost -k DcomLaunch






C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe


C:\Program Files\Avira\AntiVir Desktop\sched.exe


C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe


C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe


C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Apoint\Apoint.exe


C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe


C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Documents and Settings\Kim Lowe\Local Settings\Application Data\Google\Update\\GoogleCrashHandler.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Kim Lowe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=15438&l=dis

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=

uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll

TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll


mRun: [PMX Daemon] ICO.EXE

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] c:\progra~1\javasoft\jre\1.4.2_03\bin\jusched.exe

mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"

mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\PartyPoker.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=48835

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159218937906

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab

DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kimlow~1\applic~1\mozilla\firefox\profiles\b58bjj77.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - component: c:\documents and settings\kim lowe\application data\mozilla\firefox\profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\documents and settings\kim lowe\application data\mozilla\plugins\np-mswmp.dll

FF - plugin: c:\documents and settings\kim lowe\local settings\application data\google\update\\npGoogleOneClick8.dll

FF - plugin: c:\progra~1\javasoft\jre\1.4.2_03\bin\NPJPI142_03.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\


FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-6-25 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-25 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-25 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-25 60936]

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2010-5-19 38144]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355928]

R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-10-16 431456]

S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\dcalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-4-25 644096]

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [2010-5-19 185344]

S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2006-8-24 488960]

=============== Created Last 30 ================

2010-09-12 16:41:33 0 ----a-w- c:\documents and settings\kim lowe\defogger_reenable

2010-09-07 05:19:15 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-09-05 07:56:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-09-01 04:48:47 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}

2010-09-01 04:46:15 0 d-----w- c:\program files\Lavasoft

2010-08-17 04:06:14 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-13 21:12:52 0 d-----w- c:\program files\Linksys

2010-08-13 20:00:39 0 d-----w- c:\program files\Pure Networks

2010-08-13 19:59:29 0 d-----w- c:\program files\WebEx

2010-08-13 19:58:15 25392 ----a-w- c:\windows\system32\drivers\pnarp.sys

2010-08-13 19:57:57 26672 ----a-w- c:\windows\system32\drivers\purendis.sys

2010-08-13 19:57:31 0 d-----w- c:\program files\common files\Pure Networks Shared

2010-08-13 19:56:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Pure Networks

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll

2010-06-29 22:39:07 103193 ----a-w- c:\windows\hpoins08.dat

2010-06-24 22:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll

2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll

2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll

2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll

2010-06-24 12:22:01 206848 ------w- c:\windows\system32\dllcache\occache.dll

2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll

2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll

2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll

2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll

2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys

2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys

2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2008-04-27 06:13:09 0 ----a-w- c:\program files\temp01

2008-09-11 04:41:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091020080911\index.dat

============= FINISH: 11:49:05.40 ===============

And the ARK and Attach logs are zipped and attached


Link to post
Share on other sites

Your MBAM is sadly out of date with definitions. Please do the following in the order listed.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Disable the options "Automatically detect settings" and "Use automatic configuration script."

To do this:

1. Open Internet Explorer.

2. Click "Tools," and then click "Internet Options."

3. Click "Connections," and then click "LAN Settings."

4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected.

5. Apply changes & OK

Step 4

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Step 5

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner sub-tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 6

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and extract their contents to C:\DCE
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

Copy & Paste into next reply contents of the MBAM scan log

and the Sysclean log

and tell me, How is the system now ?

Link to post
Share on other sites

Just finished the sysclean, but the system does seem to be responding better. Again, I can't thank you enough!


Here is my logs:


| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |


2010-09-15, 17:51:39, Auto-clean mode specified.

2010-09-15, 17:52:07, Initialized Rootkit Driver version

2010-09-15, 17:52:07, Running scanner "C:\dce\TSC.BIN"...

2010-09-15, 17:55:06, Scanner "C:\dce\TSC.BIN" has finished running.

2010-09-15, 17:55:06, TSC Log:

Link to post
Share on other sites

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display it's "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix my take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3



* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Combofix.txt

Link to post
Share on other sites

ComboFix 10-09-16.04 - Kim Lowe 09/16/2010 19:15:34.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.252 [GMT -5:00]

Running from: c:\documents and settings\Kim Lowe\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected

Restored copy from - Kitty had a snack :)


((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))


2010-09-15 22:44 . 2010-09-16 03:03 -------- dc----w- C:\dce

2010-09-15 01:28 . 2010-09-15 01:30 -------- d-----w- c:\program files\ERUNT

2010-09-12 05:29 . 2010-09-15 04:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-09-07 05:19 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-09-05 07:56 . 2010-09-05 07:56 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-09-01 12:59 . 2010-09-01 12:59 -------- d-----w- c:\documents and settings\Kim Lowe\Local Settings\Application Data\Sunbelt Software

2010-09-01 04:48 . 2010-09-01 04:49 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}

2010-09-01 04:46 . 2010-09-04 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-09-01 04:46 . 2010-09-01 04:46 -------- d-----w- c:\program files\Lavasoft

2010-08-29 05:08 . 2010-09-12 05:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-08-22 01:50 . 2010-08-22 01:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2010-08-18 20:32 . 2010-08-18 20:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


2010-09-16 00:50 . 2010-08-17 04:06 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-12 13:04 . 2010-04-14 19:09 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\MechCAD

2010-09-12 12:58 . 2010-04-24 13:54 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\BitTorrent

2010-09-12 01:33 . 2010-01-24 02:53 1 ----a-w- c:\documents and settings\Kim Lowe\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-09-10 11:52 . 2010-09-10 11:52 1421 ----a-w- c:\documents and settings\Kim Lowe\Application Data\WinFF\ff100910065223.bat

2010-09-10 11:52 . 2010-05-09 01:54 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\WinFF

2010-09-06 21:42 . 2010-07-04 15:10 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\vlc

2010-09-04 01:49 . 2007-12-19 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell

2010-08-31 16:17 . 2010-08-31 16:17 700 ----a-w- c:\documents and settings\Kim Lowe\Application Data\WinFF\ff100831111711.bat

2010-08-30 19:34 . 2010-09-08 02:55 1496064 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2010-08-30 19:33 . 2010-09-08 02:55 43008 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2010-08-30 19:33 . 2010-09-08 02:55 338944 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2010-08-30 19:33 . 2010-09-08 02:55 346112 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2010-08-24 22:11 . 2010-08-13 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks

2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe

2010-08-17 00:43 . 2010-08-02 02:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-13 23:05 . 2009-08-18 02:44 62776 ----a-w- c:\documents and settings\Kim Lowe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-13 21:28 . 2010-08-13 21:12 -------- d-----w- c:\program files\Linksys

2010-08-13 21:12 . 2010-08-14 12:53 188176 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

2010-08-13 20:00 . 2010-08-13 20:00 -------- d-----w- c:\program files\Pure Networks

2010-08-13 19:59 . 2010-08-13 19:59 -------- d-----w- c:\program files\WebEx

2010-08-13 19:59 . 2010-08-13 19:59 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi

2010-08-13 19:57 . 2010-08-13 19:57 -------- d-----w- c:\program files\Common Files\Pure Networks Shared

2010-08-12 13:11 . 2010-05-09 13:38 -------- d-----w- c:\program files\iTunes

2010-08-12 13:07 . 2005-08-30 21:56 -------- d-----w- c:\program files\iPod

2010-08-12 13:07 . 2010-05-09 01:14 -------- d-----w- c:\program files\Common Files\Apple

2010-08-12 13:00 . 2010-05-12 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-08-12 13:00 . 2010-05-13 12:53 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-08-12 12:48 . 2010-08-12 12:48 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe

2010-08-12 12:48 . 2010-05-12 22:16 -------- d-----w- c:\program files\DivX

2010-08-12 12:48 . 2010-08-12 12:48 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe

2010-08-12 12:45 . 2010-08-12 12:45 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe

2010-08-12 12:43 . 2010-08-12 12:43 -------- d-----w- c:\program files\Bonjour

2010-08-12 12:38 . 2010-05-13 12:53 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-08-12 12:16 . 2010-09-01 04:48 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe

2010-08-12 11:49 . 2010-08-12 11:49 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes\SetupAdmin.exe

2010-07-09 14:26 . 2010-09-01 02:38 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe

2010-07-07 18:30 . 2010-05-13 12:53 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-07-03 13:24 . 2010-07-03 13:24 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe

2010-07-03 13:24 . 2010-07-03 13:24 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe

2010-07-03 13:23 . 2010-07-03 13:23 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe

2010-07-03 13:23 . 2010-07-03 13:23 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe

2010-07-03 13:22 . 2010-07-03 13:22 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe

2010-07-02 14:25 . 2010-09-01 02:38 1118208 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\Libxml2.dll

2010-07-02 14:25 . 2010-09-01 02:38 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll

2010-06-30 12:31 . 2004-08-11 22:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-29 22:39 . 2010-06-29 22:31 103193 ----a-w- c:\windows\hpoins08.dat

2010-06-24 12:30 . 2010-06-24 12:30 5686272 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19153-191714.dll

2010-06-24 12:29 . 2010-06-24 12:29 2812928 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191916-191106.dll

2010-06-24 12:28 . 2010-06-24 12:28 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll

2010-06-24 12:28 . 2010-06-24 12:28 2844160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191714-19188.dll

2010-06-24 12:28 . 2010-06-24 12:28 243032 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE

2010-06-24 12:28 . 2010-06-24 12:28 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll

2010-06-24 12:27 . 2010-06-24 12:27 7410688 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191319-191429.dll

2010-06-24 12:27 . 2010-06-24 12:27 5487616 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19188-191916.dll

2010-06-24 12:26 . 2010-06-24 12:26 2776576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191429-19153.dll

2010-06-24 12:25 . 2010-06-24 12:25 230752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll

2010-06-24 12:25 . 2010-06-24 12:25 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd

2010-06-24 12:22 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 11:56 . 2010-06-24 11:56 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys

2010-06-24 11:56 . 2010-06-24 11:56 441760 -c--a-w- c:\windows\system32\drivers\timntr.sys

2010-06-24 11:56 . 2010-06-24 11:56 132224 -c--a-w- c:\windows\system32\drivers\snapman.sys

2010-06-24 11:56 . 2010-06-24 11:56 368480 -c--a-w- c:\windows\system32\drivers\tdrpman.sys

2010-06-23 13:44 . 2004-08-11 22:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2005-08-22 22:46 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2008-04-27 06:13 . 2008-04-27 06:13 0 ----a-w- c:\program files\temp01


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown



"PMX Daemon"="ICO.EXE" [2006-06-09 47104]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-13 344064]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"SunJavaUpdateSched"="c:\progra~1\JavaSoft\JRE\1.4.2_03\bin\jusched.exe" [2003-11-19 32881]

"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2009-10-16 904840]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-22 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk

backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REALTEK USB Wireless LAN Utility.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\REALTEK USB Wireless LAN Utility.lnk

backup=c:\windows\pss\REALTEK USB Wireless LAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kim Lowe^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]

path=c:\documents and settings\Kim Lowe\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DACSMiniApp]

2008-03-13 18:05 128256 ----a-w- c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]

2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]

2009-10-16 23:37 1325936 ----a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]

2009-10-28 03:40 257440 ----a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-01-09 02:27 135664 ----atw- c:\documents and settings\Kim Lowe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]

2009-10-16 23:39 136544 ----a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe


"DisableNotifications"= 1 (0x1)



"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1132732177\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1132732177\\ee\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=


"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/25/2010 7:04 AM 135336]

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [5/19/2010 5:28 PM 38144]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1355928]

R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [10/16/2009 6:39 PM 431456]

S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\DCalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 7:15 AM 15008]

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [5/19/2010 4:39 PM 185344]

S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [8/24/2006 6:44 AM 488960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12


Contents of the 'Scheduled Tasks' folder

2010-09-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 07:56]

2010-09-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-219612428-2456359044-841806917-1006Core.job

- c:\documents and settings\Kim Lowe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-09 02:27]

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-219612428-2456359044-841806917-1006UA.job

- c:\documents and settings\Kim Lowe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-09 02:27]



------- Supplementary Scan -------


uStart Page = about:blank

mStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=

DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab

FF - ProfilePath - c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - component: c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\documents and settings\Kim Lowe\Application Data\Mozilla\plugins\np-mswmp.dll

FF - plugin: c:\documents and settings\Kim Lowe\Local Settings\Application Data\Google\Update\\npGoogleOneClick8.dll

FF - plugin: c:\progra~1\JavaSoft\JRE\1.4.2_03\bin\NPJPI142_03.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\


FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-16 19:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0



--------------------- LOCKED REGISTRY KEYS ---------------------


@Denied: (A 2) (Everyone)










@Denied: (A 2) (Everyone)








--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)


- - - - - - - > 'lsass.exe'(836)



Completion time: 2010-09-16 19:46:43

ComboFix-quarantined-files.txt 2010-09-17 00:46

ComboFix2.txt 2010-02-28 22:02

Pre-Run: 1,023,864,832 bytes free

Post-Run: 1,084,788,736 bytes free

- - End Of File - - C2A23A71C90B3D4FE67AE747FF2946B2

Link to post
Share on other sites

Packman Jones :):):)

When you see something you do not understand, or something not clear, always STOP and ask first.

Always stop & ask first.

You've run across a very verbose log from Microsoft Windows Updates.

It is neither wanted or asked for.

If I do not direct you to place a report, then don't do it on your own. Ask me first.

NO, it is not harmful nor is it the result of something we had done before.

Please stay out of those folders. Thank you in advance. Do await my next reply, after I have had an opportunity to review the real report I wanted --- the one from Combofix.

P.S. I have deleted the 2 posts with the aboved mentioned log.

Edited by Maurice Naggar
Link to post
Share on other sites

Do not run or start any other programs while these utilities and tools are in use!

icon_arrow.gif Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

Your logs showed some peer-to-peer filesharing apps. I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

De-install BitTorrent and confirm this for me. Otherwise, you risk re-infecting this system while we are trying to clean it.

Step 2

1. Open Internet Explorer.

2. Click "Tools," and then click "Internet Options."

3. Click "Connections," and then click "LAN Settings."

4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected.

5. Apply changes & OK

Step 3


Your Java runtime is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Windows 7/XP/Vista/2000/2003/2008 Offline (it is the 2nd one listed under Windows and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, select Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-s.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) javaicon.gif
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files

      [*]Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      [*]Click OK to leave the Temporary Files Window

Small tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:

Click Advanced Tab. Expand the Miscellaneous item.

UN-check the line Java quick starter

If you want to also un-check the "Check for updates automatically" you may:

Click the Update tab. un-check the line if it is checked.

Press Apply then OK. Close the applet when done.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: Java 6 Update 21 from Sun Microsystems Inc.

Step 4

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Using Internet Explorer browser only, go to ESET Online Scanner website:

Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here


    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

Step 5

Now, Re-enable your antivirus program {Avira}.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

eusa_hand.gifIf one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Reply with copy of contents of the ESET scan log

and Checkup.txt

and tell me, How is your system now ?

Link to post
Share on other sites

bitorrent was uninstalled previously. here are my logs:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=

# api_version=3.0.2

# EOSSerial=f591d5ab5e084f4b9a1998294a824dbe

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-09-19 12:39:26

# local_time=2010-09-18 07:39:26 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1797 16775141 100 93 84457 42997934 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=98889

# found=2

# cleaned=2

# scan_time=5123

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pci.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1560\A0387321.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C

Results of screen317's Security Check version 0.99.5

Windows XP Service Pack 3


Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

Antivirus up to date!


Anti-malware/Other Utilities Check:


Malwarebytes' Anti-Malware


Duplicate Cleaner 1.4.5

Java 6 Update 21

Adobe Flash Player

Adobe Reader 9.3

Mozilla Firefox (3.6.9)


Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

Avira Antivir avgnt.exe

Avira Antivir avguard.exe


DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

system seems to be running about 100% better now. Thanks again! :)

Link to post
Share on other sites

:) YW. Well done. Let me know after you have finished these cleanups, so that I can close this topic.

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used.


Go to Control Panel and Add-or-Remove programs.

De-install ESET Online scanner if present in list

Look for it and click the line for it. Select Change/Remove to de-install it.

OK & Exit out of Control Panel

We have to remove Combofix and all its associated folders. By whichever name you named it, ( you had named it combo-fix icon_exclaim.gif), put that name in the RUN box stated just below.

The "/uninstall" in the Run line below is to start Combofix for it's cleanup & removal function.

Note the space after exe and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the text box that opens, type or copy/paste Combo-Fix /uninstall and then click OK.

If the Combofix uninstall does not work, do not panic; just proceed forward with following steps in any event.

  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

We are finished here. Best regards.

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.