rwh56 Posted October 3, 2011 ID:481902

Difficulties with computer for third day: Dell, XP SP3.

It all started when I had problems updating MBAM and AVG software. I was getting redirected on IE when going to the MBAM and AVG websites, or getting messages that IE can't display web page. In XP safe mode, after reinstalling MBAM, MBAM would start scan and shut down in half a minute. A second try would get a message that computer couldn't find path or device, or user didn't have permission to access. Went through the different ways to start MBAM that are listed on your FAQ. Each new installation of MBAM would allow scan to start, but would shut down after half a minute, and any further attempt to scan would get the message that computer couldn't find path or device or user didn't have permission. Couldn't get HJT to run either.

Was able to install Avira and did some piecemeal scanning and quarantined some files. Tried MBAM and was able to complete a quick scan. It only found the renamed versions of MBAM from my earlier attempts to install MBAM.

Did the series of scans as directed on the "I'm infected - What do I do now?" page. In safe mode, GMER shut down before completing scan. Listed a HJT report and a DDS report on an earlier post.

Did a complete updated Avira scan in XP normal mode which quarantined 29 files. Many files had "Alureon" in filename.

Presently, in XP normal mode, disk makes a repeated grunt noise, like clockwork, 40 grunts per minute. So, I don't think everything is alright, though things have improved.

Some problems that may be unrelated. Can't get Windows Defender to do automatic updates. InstallShield has some error I can't fix. Glary Utilities can't install new software because of a registry problem. And I am worried that MBAM has been made ineffective as it hasn't found anything wrong with the computer.

Appreciate in advance any help anyone can offer.
Here are the reports from the scans:

------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:57 PM, on 10/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\IDriver.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WS1BDQi02QldGTS1UUkxRUi1CUlVIUC1DUDg2Ry1YRUhZ"&"inst=NzctNzUwNTQwMTQyLVhLKzEtRlA5KzYtVEI5KzItRkwrOS1YTzM2KzEtRjlNN0MrNS1GOU0xMEIrMS1YTzkrMS1GOU0yKzEtRERUKzQwMTEtREQ5MEYrMS1TVDkwRkFQUCsxLUY5ME0xMkFOKzItRjkwTTEyQSsxLUY5ME0xMkFCKzEtVTk1KzEtRjkwTTEyQVRCKzEtRjkwTTEyQVUrMS1TVDEyRk9JKzEtU1QxMkZBUFArMS1TVEY5ME0xMkFVRisx"&"prod=90"&"ver=2012.0.1809"&"mid=2038328a69d80dde9ba863449663801d-e8be57e3d397775a8ceac079a00171c9ed059a70
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148788823875
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NitroPDFReaderDriverCreatorReadSpool (NitroReaderDriverReadSpool) - Nitro PDF Software - C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe

--
End of file - 9586 bytes
------------------------------------------------------------------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by killereyz at 12:00:06 on 2011-10-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2095 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\IDriver.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WS1BDQi02QldGTS1UUkxRUi1CUlVIUC1DUDg2Ry1YRUhZ"&"inst=NzctNzUwNTQwMTQyLVhLKzEtRlA5KzYtVEI5KzItRkwrOS1YTzM2KzEtRjlNN0MrNS1GOU0xMEIrMS1YTzkrMS1GOU0yKzEtRERUKzQwMTEtREQ5MEYrMS1TVDkwRkFQUCsxLUY5ME0xMkFOKzItRjkwTTEyQSsxLUY5ME0xMkFCKzEtVTk1KzEtRjkwTTEyQVRCKzEtRjkwTTEyQVUrMS1TVDEyRk9JKzEtU1QxMkZBUFArMS1TVEY5ME0xMkFVRisx"&"prod=90"&"ver=2012.0.1809"&"mid=2038328a69d80dde9ba863449663801d-e8be57e3d397775a8ceac079a00171c9ed059a70
mPolicies-explorer: <NO NAME> = 
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148788823875
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C1EFCACA-1EED-47BE-B5FC-BD0FD7CC1393} : DhcpNameServer = 192.168.2.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli scecli scecli scecli scecli scecli
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-10-2 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-2 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-10-2 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-2 66616]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-14 196912]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-25 135664]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 ywrgma;ywrgma;\??\c:\windows\system32\drivers\ndkrfawvwa.sys --> c:\windows\system32\drivers\ndkrfawvwa.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-25 135664]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
S4 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
.
=============== Created Last 30 ================
.
2011-10-03 06:27:21 -------- d-----w- c:\documents and settings\killereyz\application data\GlarySoft
2011-10-02 15:54:15 -------- d-----w- c:\program files\Trend Micro
2011-10-02 05:50:24 -------- d-----w- c:\documents and settings\killereyz\application data\Avira
2011-10-02 05:47:59 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-02 05:47:58 -------- d-----w- c:\program files\Avira
2011-10-02 05:47:58 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-10-02 05:34:21 -------- d-sh--w- c:\documents and settings\killereyz\PrivacIE
2011-10-02 02:19:36 -------- d-sh--w- C:\found.000
2011-10-02 01:48:35 -------- d-----w- c:\windows\system32\NtmsData
2011-10-02 01:45:33 -------- d-----w- c:\documents and settings\killereyz\local settings\application data\Apple Computer
2011-10-02 01:45:27 -------- d-----w- c:\documents and settings\killereyz\application data\AVG2012
2011-10-02 01:32:46 -------- d-----w- c:\documents and settings\killereyz\local settings\application data\BVRP Software
2011-10-01 23:58:01 -------- d-sh--w- c:\documents and settings\killereyz\IETldCache
2011-10-01 23:36:21 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-01 23:29:29 -------- d-----w- c:\documents and settings\killereyz\application data\Malwarebytes
2011-10-01 23:16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-01 18:47:48 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-10-01 18:38:37 -------- d-----w- c:\documents and settings\all users\application data\MFAData
.
==================== Find3M ====================
.
2011-10-01 18:47:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 12:00:44.76 ===============

Attachments: ark.zip, attach.zip
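The one line in the DDS log above that a malware analyst would stop at is in the SERVICES / DRIVERS section: `S2 ywrgma;ywrgma;\??\c:\windows\system32\drivers\ndkrfawvwa.sys --> ... [?]`. Four things coincide there: the service name and display name are the same opaque lowercase string, the image is registered as a raw `\??\` NT path rather than a drive path, it is set to auto-start, and DDS printed `[?]` because it could not read the driver file (a file that the registry says loads at boot but that user-mode tools cannot stat is the classic footprint of a kernel rootkit hiding its own driver). The following Python script is an added example written for this page; it is not part of the thread and not a DDS or Malwarebytes tool. It parses lines in the DDS service format and scores each unreadable-image entry on those four signals. The sample lines are copied from the log in this post; the field layout is read off those lines, and the severity thresholds and the name heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: five lines copied from the DDS "SERVICES / DRIVERS"
# section posted in this thread (the full section has more entries).
SAMPLE_DDS_SERVICES = r"""
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-10-2 11608]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-10-2 269480]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 ywrgma;ywrgma;\??\c:\windows\system32\drivers\ndkrfawvwa.sys --> c:\windows\system32\drivers\ndkrfawvwa.sys [?]
S4 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]
"""

# DDS line layout, as read off the sample above:
#   <R|S><start type> <service name>;<display name>;<image path> [<date> <size>]
# R = running, S = stopped. Start type: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled.
# When DDS cannot read the image file it prints "[?]" instead of date and size, and
# "literal --> resolved" when it rewrote the registered path to look for the file.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<stat>[^\]]*)\]$"
)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}
NT_PREFIX = "\\??\\"   # raw NT object-manager path prefix, i.e. \??\


@dataclass
class Finding:
    name: str
    image: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Assumed scoring for this example: one signal alone is weak (a quoted
        # registry path also yields "[?]"); three or more together is rootkit-grade.
        n = len(self.reasons)
        return "high" if n >= 3 else "medium" if n == 2 else "low"


def parse_service_line(line: str) -> Optional[dict]:
    """Split one DDS service/driver line into its fields, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = [p.strip().strip('"') for p in entry["image"].split(" --> ")]
    entry["literal"] = parts[0]    # path exactly as registered
    entry["resolved"] = parts[-1]  # path DDS actually looked for
    return entry


def triage_entry(entry: dict) -> Optional[Finding]:
    """Return a Finding for entries whose image file DDS could not verify."""
    if entry["stat"] != "?":
        return None   # file was readable; nothing to flag from this section alone
    reasons = ["image file unreadable or missing ([?])"]
    if entry["literal"].startswith(NT_PREFIX):
        reasons.append("registered with a raw \\??\\ NT path instead of a drive path")
    if entry["start"] in ("0", "1", "2"):
        reasons.append(f"loads without user action (start type: {START_TYPES[entry['start']]})")
    name = entry["name"]
    # Heuristic (assumption of this example): vendors give services a readable
    # display name; an all-lowercase alphabetic name reused verbatim is a smell.
    if name.lower() == entry["display"].lower() and name.isalpha() and name.islower():
        reasons.append("opaque lowercase name reused as display name")
    return Finding(name=name, image=entry["resolved"], reasons=reasons)


def triage_log(text: str) -> List[Finding]:
    """Parse every service line in the text and return findings, worst first."""
    findings = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry:
            finding = triage_entry(entry)
            if finding:
                findings.append(finding)
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_DDS_SERVICES):
        print(f"[{f.severity}] {f.name}: {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run as-is it reports `ywrgma` as high (all four signals) and `McComponentHostService` as low: that entry gets `[?]` only because its registry value is quoted, it is disabled (start type 4), and it has a normal vendor display name, which is why `[?]` on its own should never be the whole verdict. To use it on another log, paste the SERVICES / DRIVERS block into `triage_log`; the `Created Last 30` and other sections do not match the pattern and are ignored.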
screen317 (Staff) Posted October 5, 2011 ID:482689

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
Click Start Scanning.
You should get a notification bar (on top) to install the ActiveX control. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here.
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
rwh56 (Author) Posted October 6, 2011 ID:482771

I am not sure what service they mean. I get a bubble notice that Automatic Updates is turned off. I click the on button in the Windows Security Center, and a notice reads that Security Center cannot change these settings; I should go to System in Control Panel. When I go to System in Control Panel, it says Automatic Updates are on. I go to the Windows Update webpage and, clicking the "Express" or "Custom" update buttons, it says the website encountered a problem and cannot display the page you are trying to view.

As far as I can tell, everything else seems OK.

I tried sending the F-Secure Online Scanner report, but your forum said it was too long to post. I will try to post the scanner report separately. Here is the Security Check report:

Results of screen317's Security Check version 0.99.20
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java 6 Update 20
Out of date Java installed!
````````````````````````````````
Process Check: objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````
rwh56 (Author) Posted October 6, 2011 ID:482773

Your forum said the pasted text of the F-Secure Online Scanner report is too long, so I am attaching it as a compressed file.

Attachment: F-Secure Online Scanner Report.zip
rwh56 (Author) Posted October 6, 2011 ID:482774

This is frustrating; the first half of my message got cropped off. Sorry that it doesn't make sense. The main problems are that the hard drive is still grunting, and I get a message upon logging on to an account that a service can't start, though it doesn't say what service. A notice warns that automatic Windows updating is off. The Windows Security Center won't let me click it on. I go to System in Control Panel and it says it's on. I go to the Windows Update web page, and clicking either "express" or "custom" updates gets a reply that a problem is preventing the web page from displaying.
screen317 (Staff) Posted October 8, 2011 ID:483203

Hi,

Please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317
rwh56 Posted October 8, 2011 Author ID:483249 Share Posted October 8, 2011 Thanks for getting back. After running ComboFix, the hard drive is now quiet, so that must be a good thing. MS Automatic Updates is also working. Seems like there is great progress. Here is the ComboFix log:ComboFix 11-10-07.04 - killereyz 10/08/2011 0:10.1.1 - x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2151 [GMT -4:00]Running from: c:\documents and settings\killereyz\Desktop\ComboFix.exeAV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\documents and settings\Ann\GoToAssistDownloadHelper.exec:\documents and settings\Rob\Application Data\5F7A.C05c:\documents and settings\Rob\WINDOWSc:\program files\google\common\google updater\googleupdaterservice.exec:\program 
files\messenger\msmsgsin.exec:\windows\$NtUninstallKB51459$c:\windows\$NtUninstallKB51459$\2208602451c:\windows\$NtUninstallKB51459$\3570852394\@c:\windows\$NtUninstallKB51459$\3570852394\bckfg.tmpc:\windows\$NtUninstallKB51459$\3570852394\cfg.inic:\windows\$NtUninstallKB51459$\3570852394\Desktop.inic:\windows\$NtUninstallKB51459$\3570852394\keywordsc:\windows\$NtUninstallKB51459$\3570852394\kwrd.dllc:\windows\$NtUninstallKB51459$\3570852394\L\rngtsoxsc:\windows\$NtUninstallKB51459$\3570852394\U\00000001.@c:\windows\$NtUninstallKB51459$\3570852394\U\00000002.@c:\windows\$NtUninstallKB51459$\3570852394\U\80000000.@c:\windows\$NtUninstallKB51459$\3570852394\U\80000032.@c:\windows\iun6002.exec:\windows\system32\_004026_.tmp.dllc:\windows\system32\_004027_.tmp.dllc:\windows\system32\_004028_.tmp.dllc:\windows\system32\_004029_.tmp.dllc:\windows\system32\_004036_.tmp.dllc:\windows\system32\_004037_.tmp.dllc:\windows\system32\_004038_.tmp.dllc:\windows\system32\_004039_.tmp.dllc:\windows\system32\_004040_.tmp.dllc:\windows\system32\_004041_.tmp.dllc:\windows\system32\_004042_.tmp.dllc:\windows\system32\_004043_.tmp.dllc:\windows\system32\_004044_.tmp.dllc:\windows\system32\_004045_.tmp.dllc:\windows\system32\_004046_.tmp.dllc:\windows\system32\_004047_.tmp.dllc:\windows\system32\_004048_.tmp.dllc:\windows\system32\_004049_.tmp.dllc:\windows\system32\_004050_.tmp.dllc:\windows\system32\_004052_.tmp.dllc:\windows\system32\_004055_.tmp.dllc:\windows\system32\_004056_.tmp.dllc:\windows\system32\_004060_.tmp.dllc:\windows\system32\_004061_.tmp.dllc:\windows\system32\_004062_.tmp.dllc:\windows\system32\_004063_.tmp.dllc:\windows\system32\_004064_.tmp.dllc:\windows\system32\_004065_.tmp.dllc:\windows\system32\_004066_.tmp.dllc:\windows\system32\_004068_.tmp.dllc:\windows\system32\_004069_.tmp.dllc:\windows\system32\_004070_.tmp.dllc:\windows\system32\_004071_.tmp.dllc:\windows\system32\_004072_.tmp.dllc:\windows\system32\_004073_.tmp.dllc:\windows\system32\_004074_.tmp.dllc:\win
dows\system32\_004076_.tmp.dllc:\windows\system32\_004077_.tmp.dllc:\windows\system32\_004078_.tmp.dllc:\windows\system32\_004079_.tmp.dllc:\windows\system32\_004080_.tmp.dllc:\windows\system32\_004082_.tmp.dllc:\windows\system32\_004083_.tmp.dllc:\windows\system32\_004085_.tmp.dllc:\windows\system32\_004086_.tmp.dllc:\windows\system32\_004087_.tmp.dllc:\windows\system32\_004088_.tmp.dllc:\windows\system32\_004089_.tmp.dllc:\windows\system32\_004090_.tmp.dllc:\windows\system32\_004091_.tmp.dllc:\windows\system32\_004092_.tmp.dllc:\windows\system32\_004093_.tmp.dllc:\windows\system32\_004094_.tmp.dllc:\windows\system32\_004095_.tmp.dllc:\windows\system32\_004096_.tmp.dllc:\windows\system32\_004097_.tmp.dllc:\windows\system32\_004100_.tmp.dllc:\windows\system32\_004101_.tmp.dllc:\windows\system32\_004103_.tmp.dllc:\windows\system32\_004104_.tmp.dllc:\windows\system32\_004106_.tmp.dllc:\windows\system32\_004107_.tmp.dllc:\windows\system32\_004108_.tmp.dllc:\windows\system32\_004109_.tmp.dllc:\windows\system32\_004110_.tmp.dllc:\windows\system32\_004111_.tmp.dllc:\windows\system32\_004112_.tmp.dllc:\windows\system32\_004113_.tmp.dllc:\windows\system32\_004114_.tmp.dllc:\windows\system32\_004115_.tmp.dllc:\windows\system32\_004116_.tmp.dllc:\windows\system32\_004117_.tmp.dllc:\windows\system32\_004118_.tmp.dllc:\windows\system32\_004119_.tmp.dllc:\windows\system32\_004121_.tmp.dllc:\windows\system32\_004122_.tmp.dllc:\windows\system32\_004123_.tmp.dllc:\windows\system32\_004124_.tmp.dllc:\windows\system32\_004126_.tmp.dllc:\windows\system32\_004127_.tmp.dllc:\windows\system32\_004128_.tmp.dllc:\windows\system32\_004129_.tmp.dllc:\windows\system32\_004130_.tmp.dllc:\windows\system32\_004132_.tmp.dllc:\windows\system32\_004133_.tmp.dllc:\windows\system32\_004135_.tmp.dllc:\windows\system32\_004137_.tmp.dllc:\windows\system32\_004138_.tmp.dllc:\windows\system32\_004139_.tmp.dllc:\windows\system32\_004140_.tmp.dllc:\windows\system32\_004142_.tmp.dllc:\windows\system32\_00414
3_.tmp.dllc:\windows\system32\_004144_.tmp.dllc:\windows\system32\_004146_.tmp.dllc:\windows\system32\_004148_.tmp.dllc:\windows\system32\_004149_.tmp.dllc:\windows\system32\_004150_.tmp.dllc:\windows\system32\_004152_.tmp.dllc:\windows\system32\_004153_.tmp.dllc:\windows\system32\_004154_.tmp.dllc:\windows\system32\_004155_.tmp.dllc:\windows\system32\_004156_.tmp.dllc:\windows\system32\_004157_.tmp.dllc:\windows\system32\_004158_.tmp.dllc:\windows\system32\_004159_.tmp.dllc:\windows\system32\_004160_.tmp.dllc:\windows\system32\_004161_.tmp.dllc:\windows\system32\_004162_.tmp.dllc:\windows\system32\_004164_.tmp.dllc:\windows\system32\_004165_.tmp.dllc:\windows\system32\_004167_.tmp.dllc:\windows\system32\_004169_.tmp.dllc:\windows\system32\_004170_.tmp.dllc:\windows\system32\_004171_.tmp.dllc:\windows\system32\_004172_.tmp.dllc:\windows\system32\_004173_.tmp.dllc:\windows\system32\_004174_.tmp.dllc:\windows\system32\_004177_.tmp.dllc:\windows\system32\_004178_.tmp.dllc:\windows\system32\_004179_.tmp.dllc:\windows\system32\_004182_.tmp.dllc:\windows\system32\_004183_.tmp.dllc:\windows\system32\_004186_.tmp.dllc:\windows\system32\_004187_.tmp.dllc:\windows\system32\_004188_.tmp.dllc:\windows\system32\_004189_.tmp.dllc:\windows\system32\_004192_.tmp.dllc:\windows\system32\_004193_.tmp.dllc:\windows\system32\_004194_.tmp.dllc:\windows\system32\_004195_.tmp.dllc:\windows\system32\_004198_.tmp.dllc:\windows\system32\_004200_.tmp.dllc:\windows\system32\_004201_.tmp.dllc:\windows\system32\_004202_.tmp.dllc:\windows\system32\_004205_.tmp.dllc:\windows\system32\_004210_.tmp.dllc:\windows\system32\_004211_.tmp.dllc:\windows\system32\_004215_.tmp.dllc:\windows\system32\_004216_.tmp.dllc:\windows\system32\_004217_.tmp.dllc:\windows\system32\_004218_.tmp.dllc:\windows\system32\_004223_.tmp.dllc:\windows\system32\_004225_.tmp.dllc:\windows\system32\comct332.ocxc:\windows\system32\d3d9caps.datc:\windows\system32\drivers\fad.sysF:\setup.exeH:\autorun.inf..(((((((((((((((((((((((((((
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_d4d6e22a
.
.
(((((((((((((((((((((((((   Files Created from 2011-09-08 to 2011-10-08   )))))))))))))))))))))))))))))))
.
.
2011-10-06 01:35 . 2011-10-06 01:35  --------  d-----w-  c:\documents and settings\All Users\Application Data\F-Secure
2011-10-02 15:54 . 2011-10-02 15:54  --------  d-----w-  c:\program files\Trend Micro
2011-10-02 05:47 . 2011-10-03 03:32  66616  ----a-w-  c:\windows\system32\drivers\avgntflt.sys
2011-10-02 05:47 . 2011-10-03 03:32  138192  ----a-w-  c:\windows\system32\drivers\avipbb.sys
2011-10-02 05:47 . 2010-06-17 19:27  45416  ----a-w-  c:\windows\system32\drivers\avgntdd.sys
2011-10-02 05:47 . 2010-06-17 19:27  22360  ----a-w-  c:\windows\system32\drivers\avgntmgr.sys
2011-10-02 05:47 . 2011-10-02 05:47  --------  d-----w-  c:\program files\Avira
2011-10-02 05:47 . 2011-10-02 05:47  --------  d-----w-  c:\documents and settings\All Users\Application Data\Avira
2011-10-02 02:19 . 2011-10-02 02:19  --------  d-----w-  C:\found.000
2011-10-02 01:48 . 2011-10-06 01:46  --------  d-----w-  c:\windows\system32\NtmsData
2011-10-01 23:36 . 2011-08-31 21:00  22216  ----a-w-  c:\windows\system32\drivers\mbam.sys
2011-10-01 23:27 . 2011-10-03 15:59  --------  d-----w-  c:\documents and settings\killereyz
2011-10-01 23:16 . 2011-10-02 05:02  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2011-10-01 21:00 . 2011-10-01 21:00  --------  d-----w-  c:\documents and settings\Rob\Local Settings\Application Data\Apple
2011-10-01 21:00 . 2011-10-01 21:00  --------  d-----w-  c:\documents and settings\Rob\Application Data\AVG2012
2011-10-01 18:47 . 2011-10-02 05:40  --------  d-----w-  c:\documents and settings\All Users\Application Data\AVG2012
2011-10-01 18:38 . 2011-10-02 05:39  --------  d-----w-  c:\documents and settings\All Users\Application Data\MFAData
2011-10-01 18:35 . 2011-10-01 18:35  --------  d-sh--w-  c:\documents and settings\NetworkService\IETldCache
2011-09-17 18:03 . 2011-09-17 18:03  --------  d-----w-  c:\documents and settings\Sam\Application Data\GlarySoft
2011-09-17 16:48 . 2011-09-17 17:59  --------  d-----w-  c:\documents and settings\Rob\Application Data\GlarySoft
2011-09-14 04:04 . 2011-09-14 04:04  --------  d-----w-  c:\documents and settings\Rob\.limewire
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-01 18:47 . 2011-08-18 12:25  404640  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-07-28 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-01 712704]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WS1BDQi02QldGTS1UUkxRUi1CUlVIUC1DUDg2Ry1YRUhZ&inst=NzctNzUwNTQwMTQyLVhLKzEtRlA5KzYtVEI5KzItRkwrOS1YTzM2KzEtRjlNN0MrNS1GOU0xMEIrMS1YTzkrMS1GOU0yKzEtRERUKzQwMTEtREQ5MEYrMS1TVDkwRkFQUCsxLUY5ME0xMkFOKzItRjkwTTEyQSsxLUY5ME0xMkFCKzEtVTk1KzEtRjkwTTEyQVRCKzEtRjkwTTEyQVUrMS1TVDEyRk9JKzEtU1QxMkZBUFArMS1TVEY5ME0xMkFVRisx&prod=90&ver=2012.0.1809&mid=2038328a69d80dde9ba863449663801d-e8be57e3d397775a8ceac079a00171c9ed059a70" [?]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ann^Start Menu^Programs^Startup^SpywareGuard.lnk]
backup=c:\windows\pss\SpywareGuard.lnkStartup
.
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\akepgexz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\akxe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bboqxzyqob
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ceabll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cquvwgjo
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctplimu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eimnoasikeni
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\evcqrlnjhww
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezlvdwa
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ggzeyhbdn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gh
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gtb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kgqnsiiaiwtm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kof
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kqk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ksbmxje
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nlhuxqtnkf
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oftzck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qazn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rcifzwyp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rrzlziqriqa
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rurk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sniqcaylbqyd
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swzc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uxzhzg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusHeat 4.3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusRanger
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vizulzzvpy
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wtjxambeobm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wzmkwcaira
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\x
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59  937920  ----a-r-  c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58  37296  ----a-w-  c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2008-11-06 11:42  50472  ----a-w-  c:\program files\AOL 9.1\aol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
2002-04-03 05:01  135264  ----a-w-  c:\program files\Creative\SBLive\Diagnostics\diagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 05:04  114741  ----a-w-  c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2006-06-11 15:36  487424  ----a-w-  c:\program files\Eraser\eraser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34  41824  ----a-w-  c:\program files\Common Files\AOL\1172427637\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 05:22  421160  ----a-w-  c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42  1695232  ----a-w-  c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-07-28 19:19  323584  ----a-w-  c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38  421888  ----a-w-  c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"AOL_SPYBt"=2 (0x2)
"iPod Service"=3 (0x3)
"avg8wd"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeActiveFileMonitor"=2 (0x2)
"PhotoshopElementsDeviceConnect"=2 (0x2)
"AOL ACS"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=2 (0x2)
"RasAuto"=2 (0x2)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Themes"=2 (0x2)
"TapiSrv"=2 (0x2)
"McComponentHostService"=3 (0x3)
"gupdatem"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe"
"UpdReg"=c:\windows\UpdReg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 3.0\\Photoshop Elements 3.0.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/2/2011 1:48 AM 136360]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2010 5:35 PM 135664]
S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [1/14/2011 1:35 PM 196912]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S2 ywrgma;ywrgma;\??\c:\windows\system32\drivers\ndkrfawvwa.sys --> c:\windows\system32\drivers\ndkrfawvwa.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2010 5:35 PM 135664]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
S4 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 21:34]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 21:34]
.
2011-10-08 c:\windows\Tasks\User_Feed_Synchronization-{A4193498-2301-4D3D-A5E2-F8602606F271}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.2.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
SafeBoot-MCODS
MSConfigStartUp-Google Update - c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-BlueVoda_Website_Builder_1.0 - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-08 00:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3068)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\System32\snmp.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-10-08 00:29:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-08 04:29
.
Pre-Run: 77,540,012,032 bytes free
Post-Run: 80,355,680,256 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 02BE14EC0D85C87B699ABB74F37829E1
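A triage pass over lines in the ComboFix format shown in the log above, added here as an example; it is not code from the thread, from ComboFix or from any of the tools named in it. It flags services whose image file ComboFix could not find (the "--> path [?]" form seen on the ywrgma entry), registry values in the Reg Loading Points section that weaken protection (the AntiVirusOverride and EnableFirewall values), and deleted-file entries matching the throw-away _00NNNN_.tmp.dll pattern. The sample lines, the function names and the explanations in WEAK_SETTINGS are constructed for this example.

```python
"""Triage pass over ComboFix-style log lines (added example, not from the thread).

Flags services whose image file is missing on disk ("... --> path [?]"),
registry values that weaken protection, and _00NNNN_.tmp.dll droppings.
"""
import re
from dataclasses import dataclass, field

# Constructed sample following the format of the log posted above.
SAMPLE_LOG_LINES = [
    r"c:\windows\system32\_004144_.tmp.dll",
    r"c:\windows\system32\_004146_.tmp.dll",
    r"c:\windows\system32\_004225_.tmp.dll",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
    '"AntiVirusOverride"=dword:00000001',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    '"EnableFirewall"= 0 (0x0)',
    '"DisableNotifications"= 1 (0x1)',
    '"gusvc"=3 (0x3)',  # ordinary msconfig service entry, must not be flagged
    r"R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/2/2011 1:48 AM 136360]",
    r"S2 ywrgma;ywrgma;\??\c:\windows\system32\drivers\ndkrfawvwa.sys --> c:\windows\system32\drivers\ndkrfawvwa.sys [?]",
    r'S4 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]',
]

# "S2 name;display name;image path [date size]" -> (start type, name, display, image)
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# '"Name"=dword:00000001' (hex) or '"Name"= 0 (0x0)' (decimal, hex repeated in parens)
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(dword:)?([0-9A-Fa-f]+)\b')
TMP_DLL_RE = re.compile(r"\\_\d{6}_\.tmp\.dll$", re.IGNORECASE)

# (value name, observed value) -> why a responder cares
WEAK_SETTINGS = {
    ("AntiVirusOverride", 1): "Security Center told to ignore antivirus state",
    ("EnableFirewall", 0): "Windows Firewall disabled for the standard profile",
    ("DisableNotifications", 1): "firewall notifications suppressed",
}

@dataclass
class Findings:
    missing_service_images: list = field(default_factory=list)  # (start, name, path)
    weakened_settings: list = field(default_factory=list)       # explanations
    tmp_dlls: list = field(default_factory=list)                # full paths

def triage(lines):
    """Classify each log line; returns a Findings with the three lists filled."""
    found = Findings()
    for raw in lines:
        line = raw.strip()
        svc = SERVICE_RE.match(line)
        if svc:
            start_type, name, _display, image = svc.groups()
            # "[?]" means ComboFix could not stat the file the service points at
            if image.endswith("[?]"):
                path = image.split("-->")[-1].replace("[?]", "").strip()
                found.missing_service_images.append((start_type, name, path))
            continue
        reg = REG_VALUE_RE.match(line)
        if reg:
            name, is_hex, digits = reg.groups()
            value = int(digits, 16 if is_hex else 10)
            if (name, value) in WEAK_SETTINGS:
                found.weakened_settings.append(WEAK_SETTINGS[(name, value)])
            continue
        if TMP_DLL_RE.search(line):
            found.tmp_dlls.append(line)
    return found

def report(found):
    """One line per finding, most urgent first."""
    out = [f"missing image: {s} service '{n}' -> {p}"
           for s, n, p in found.missing_service_images]
    out += [f"weakened setting: {why}" for why in found.weakened_settings]
    if found.tmp_dlls:
        out.append(f"temp-DLL droppings: {len(found.tmp_dlls)} file(s) under system32")
    return out

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG_LINES))))
```

A missing image on a service with a random-looking name (ywrgma here) is worth a second look even after the file is gone, because the service entry itself is what survives a partial cleanup.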
rwh56 (Author) Posted October 8, 2011 ID:483260
MS updates were installed and then rebooted. Upon rebooting, the hard drive now regularly grunts again. That's disappointing. Also the update for Windows Defender failed to install. Automatic updates is still on, so I guess that's a plus.
Please advise.
Rob
screen317 (Staff) Posted October 8, 2011 ID:483276
Hi,
I notice that you are using more than one antivirus program (AVG and Antivir). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.
Reboot.
Next, please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the options Remove found threats and Scan unwanted applications are checked.
Click Scan.
Wait for the scan to finish.
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
Next, download my Security Check from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Let me know how things are running now and what issues remain.
-screen317
rwh56 (Author) Posted October 10, 2011 ID:484222
After doing the scans, I don't notice any change. Hard drive is still grunting. Though I used AVG, since loading Avira, I have uninstalled AVG. There are some AVG related files and shortcuts that seem to remain, but there is no second virus scanning program running along with Avira.
Here are the short scan reports:
The Eset scan:
C:\Documents and Settings\Ann's New Account\Application Data\B78ED6E8B4C6F8A369601C5F9E8C21C3\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
C:\Documents and Settings\Ann's New Account\Application Data\B78ED6E8B4C6F8A369601C5F9E8C21C3\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
C:\System Volume Information\_restore{D65C4F27-9D59-48EC-9122-6D63A8B6E196}\RP754\A0114073.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
The Security Check Scan:
Results of screen317's Security Check version 0.99.23
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java 6 Update 20
Out of date Java installed!
````````````````````````````````
Process Check: objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````
Please advise on what to do next.
Rob
rwh56 (Author) Posted October 10, 2011 ID:484246
The grunting noise seems to be coming from the floppy drive, which sits right above the hard drive. Since nothing is in the floppy drive, I never considered that to be the source, but putting my ear close to the hard drive and then to the floppy, it's clear it is the floppy. Bizarre, since I haven't used a floppy in the last five years.
Rob
screen317 (Staff) Posted October 12, 2011 ID:485091
Hi Rob,
Use AVG's removal tool:
http://download.avg.com/filedir/util/avgrem/avg_remover_stf_x86_2012_1796.exe
Reboot.
Delete this folder:
C:\Documents and Settings\Ann's New Account\Application Data\B78ED6E8B4C6F8A369601C5F9E8C21C3
Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.
This uninstalls all of ComboFix's components.
Delete SecurityCheck.
After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program(s) (if present):
ESET Online Scanner v3
HijackThis 2.0.2
Java™ 6 Update 20
Restart your computer.
Get the latest version of Java.
I suggest just removing the floppy drive entirely. It is likely to be not functioning correctly and, as you said, you haven't used it in years.
Let me know what issues remain.
-screen317
rwh56 (Author) Posted October 13, 2011 ID:485307
Thanks for the AVG removal tool. AVG is gone, but the floppy drive still grunts like it's trying to read a disk that is not there to read. I disabled the disk, so at least I don't have to listen to it. I still would like to know what is causing this behavior. But I can live without it.
I removed all the programs listed.
I could not find the file you want me to delete. I can't even find the directory that supposedly contains this file. There is no "application data" folder within "Ann's New Account". The only application data folders I can find do not contain this file. I don't know if it is a hidden file that requires me to do something special to find it.
While trying to search for this file, I discovered that the file search does not work under some accounts. I created the "Killereyz" account to do the malware removal. That account has a working file search. But if I go to the older accounts and try to access Search, from the "Start" menu or right clicking "My Computer" or opening "Windows Explorer", all I get is the double paned window, the cute dog scratching itself, but no entry spaces or option buttons to conduct a search. I don't know why one account can access search, yet the others do not. I would like your advice on how to regain the file search function on all the accounts.
I appreciate all the help you have provided. The computer is very functional otherwise.
Rob
screen317 (Staff) Posted October 17, 2011 ID:486409
Hi Rob,
How odd.
I think the simplest course of action would be to backup your documents/photos/etc., and transfer them to the new profile. Afterward, delete the old profile. Looks like malware may have corrupted the other profile(s).
screen317 (Staff) Posted October 31, 2011 ID:490553
Are you still with us? This topic will be closed in a few days if we do not hear back from you.
screen317 (Staff) Posted November 5, 2011 ID:492063
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!