
Is It Safe?



Difficulties with computer for third day:

Dell, XP SP3

It all started when I had problems updating MBAM and AVG software. I was getting redirected on IE when going to the MBAM and AVG websites, or getting messages that IE can't display the web page.

In XP safe mode, after reinstalling MBAM, MBAM would start a scan and shut down in half a minute. A second try would get a message that the computer couldn't find the path or device, or the user didn't have permission to access it. Went through the different ways to start MBAM that are listed in your FAQ. Each new installation of MBAM would allow the scan to start, but it would shut down after half a minute, and any further attempt to scan would get the message that the computer couldn't find the path or device or the user didn't have permission. Couldn't get HJT to run either.

Was able to install Avira and did some piecemeal scanning and quarantined some files. Tried MBAM and was able to complete a quick scan. It only found the renamed versions of MBAM from my earlier attempts to install MBAM.

Did the series of scans as directed on the "I'm infected - What do I do now?" page. In safe mode, GMER shut down before completing the scan. Listed a HJT report and a DDS report in an earlier post.

Did a complete updated Avira scan in XP normal mode which quarantined 29 files. Many files had "Alureon" in the filename.

Presently, in XP normal mode, the disk makes a repeated grunt noise, like clockwork, 40 grunts per minute. So, I don't think everything is all right, though things have improved.

Some problems that may be unrelated. Can't get Windows Defender to do automatic updates. InstallShield has some error I can't fix. Glary Utilities can't install new software because of a registry problem. And I am worried that MBAM has been made ineffective, as it hasn't found anything wrong with the computer.

Appreciate in advance any help anyone can offer. Here are the reports from the scans:

------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:28:57 PM, on 10/3/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe

C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\IDriver.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WS1BDQi02QldGTS1UUkxRUi1CUlVIUC1DUDg2Ry1YRUhZ"&"inst=NzctNzUwNTQwMTQyLVhLKzEtRlA5KzYtVEI5KzItRkwrOS1YTzM2KzEtRjlNN0MrNS1GOU0xMEIrMS1YTzkrMS1GOU0yKzEtRERUKzQwMTEtREQ5MEYrMS1TVDkwRkFQUCsxLUY5ME0xMkFOKzItRjkwTTEyQSsxLUY5ME0xMkFCKzEtVTk1KzEtRjkwTTEyQVRCKzEtRjkwTTEyQVUrMS1TVDEyRk9JKzEtU1QxMkZBUFArMS1TVEY5ME0xMkFVRisx"&"prod=90"&"ver=2012.0.1809"&"mid=2038328a69d80dde9ba863449663801d-e8be57e3d397775a8ceac079a00171c9ed059a70

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab

O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148788823875

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NitroPDFReaderDriverCreatorReadSpool (NitroReaderDriverReadSpool) - Nitro PDF Software - C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe

O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe

--

End of file - 9586 bytes

--------------------------------------------------------------------------------------------------------------------

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by killereyz at 12:00:06 on 2011-10-03

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2095 [GMT -4:00]

.

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe

C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\IDriver.exe

.

============== Pseudo HJT Report ===============

.

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html

uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"

mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WS1BDQi02QldGTS1UUkxRUi1CUlVIUC1DUDg2Ry1YRUhZ"&"inst=NzctNzUwNTQwMTQyLVhLKzEtRlA5KzYtVEI5KzItRkwrOS1YTzM2KzEtRjlNN0MrNS1GOU0xMEIrMS1YTzkrMS1GOU0yKzEtRERUKzQwMTEtREQ5MEYrMS1TVDkwRkFQUCsxLUY5ME0xMkFOKzItRjkwTTEyQSsxLUY5ME0xMkFCKzEtVTk1KzEtRjkwTTEyQVRCKzEtRjkwTTEyQVUrMS1TVDEyRk9JKzEtU1QxMkZBUFArMS1TVEY5ME0xMkFVRisx"&"prod=90"&"ver=2012.0.1809"&"mid=2038328a69d80dde9ba863449663801d-e8be57e3d397775a8ceac079a00171c9ed059a70

mPolicies-explorer: <NO NAME> =

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148788823875

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{C1EFCACA-1EED-47BE-B5FC-BD0FD7CC1393} : DhcpNameServer = 192.168.2.1

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

LSA: Notification Packages = scecli scecli scecli scecli scecli scecli

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-10-2 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-2 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-10-2 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-2 66616]

R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-14 196912]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-25 135664]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S2 ywrgma;ywrgma;\??\c:\windows\system32\drivers\ndkrfawvwa.sys --> c:\windows\system32\drivers\ndkrfawvwa.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-25 135664]

S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]

S4 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]

S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]

.

=============== Created Last 30 ================

.

2011-10-03 06:27:21 -------- d-----w- c:\documents and settings\killereyz\application data\GlarySoft

2011-10-02 15:54:15 -------- d-----w- c:\program files\Trend Micro

2011-10-02 05:50:24 -------- d-----w- c:\documents and settings\killereyz\application data\Avira

2011-10-02 05:47:59 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-10-02 05:47:58 -------- d-----w- c:\program files\Avira

2011-10-02 05:47:58 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-10-02 05:34:21 -------- d-sh--w- c:\documents and settings\killereyz\PrivacIE

2011-10-02 02:19:36 -------- d-sh--w- C:\found.000

2011-10-02 01:48:35 -------- d-----w- c:\windows\system32\NtmsData

2011-10-02 01:45:33 -------- d-----w- c:\documents and settings\killereyz\local settings\application data\Apple Computer

2011-10-02 01:45:27 -------- d-----w- c:\documents and settings\killereyz\application data\AVG2012

2011-10-02 01:32:46 -------- d-----w- c:\documents and settings\killereyz\local settings\application data\BVRP Software

2011-10-01 23:58:01 -------- d-sh--w- c:\documents and settings\killereyz\IETldCache

2011-10-01 23:36:21 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-01 23:29:29 -------- d-----w- c:\documents and settings\killereyz\application data\Malwarebytes

2011-10-01 23:16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-01 18:47:48 -------- d-----w- c:\documents and settings\all users\application data\AVG2012

2011-10-01 18:38:37 -------- d-----w- c:\documents and settings\all users\application data\MFAData

.

==================== Find3M ====================

.

2011-10-01 18:47:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 12:00:44.76 ===============

ark.zip

attach.zip

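The DDS SERVICES / DRIVERS section above carries the entry that a malware-removal helper would look at first: `S2 ywrgma;ywrgma;\??\c:\windows\system32\drivers\ndkrfawvwa.sys --> c:\windows\system32\drivers\ndkrfawvwa.sys [?]`, a stopped service with a random-looking name, registered under the NT object path prefix `\??\`, whose image file DDS could not read. As an added example, not from the thread and not from DDS, ComboFix, HijackThis or any other tool named here, the Python script below parses DDS-style service lines and scores entries with an unreadable image file on exactly those traits. The sample log is constructed for the example (the ywrgma line is copied from the report above, the others follow the same layout); the `looks_random` heuristic, the scoring and the threshold are my own assumptions, not anything DDS implements, and they rank entries for a human to check against the vendor rather than deciding on their own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the DDS "SERVICES / DRIVERS" format; the ywrgma line
# is the one from the report above, the others follow the same layout.
SAMPLE_LOG = r"""
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-10-2 11608]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-2 66616]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-25 135664]
S2 ywrgma;ywrgma;\??\c:\windows\system32\drivers\ndkrfawvwa.sys --> c:\windows\system32\drivers\ndkrfawvwa.sys [?]
S4 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]
"""

VOWELS = set("aeiou")

# DDS line layout: "<state> <name>;<display>;<image> [date size]". The trailing
# bracket is "[?]" when DDS could not read the image file, and the image part
# reads "<registered path> --> <resolved path>" when the two differ.
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")


@dataclass
class ServiceEntry:
    state: str          # R = running, S = stopped; digit = start type
    name: str           # short service / driver name
    display: str        # display name
    image: str          # resolved image path
    raw_image: str      # path exactly as registered (may carry the \??\ prefix)
    readable: bool      # False when DDS printed "[?]" for the image file
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one DDS service/driver line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").rstrip()
    readable = not rest.endswith("[?]")
    rest = re.sub(r"\s*\[[^\]]*\]$", "", rest)          # drop "[date size]" / "[?]"
    if "-->" in rest:
        raw, resolved = (p.strip() for p in rest.split("-->", 1))
    else:
        raw = resolved = rest.strip()
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                        resolved.strip('"'), raw.strip('"'), readable)


def looks_random(token):
    """Heuristic (assumption): a letters-only token of 6+ chars with at most
    20% vowels, e.g. 'ywrgma' or 'ndkrfawvwa'. Terse vendor names such as
    'avgntflt' also match, which is why it is only applied to entries whose
    image file DDS could not read."""
    t = token.lower()
    if len(t) < 6 or not t.isalpha():
        return False
    return sum(c in VOWELS for c in t) / len(t) <= 0.2


def score_entry(e):
    """Add one reason per suspicious trait; only unreadable images are scored."""
    if e.readable:
        return e
    e.reasons.append("image file could not be read by DDS ('[?]')")
    if e.raw_image.startswith("\\??\\"):
        e.score += 1
        e.reasons.append("registered with the NT object path prefix \\??\\")
    if e.display == e.name:
        e.score += 1
        e.reasons.append("display name identical to service name")
    if looks_random(e.name):
        e.score += 1
        e.reasons.append(f"service name {e.name!r} looks random")
    base = e.image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(base):
        e.score += 1
        e.reasons.append(f"image file name {base!r} looks random")
    return e


def triage(log_text, threshold=2):
    """Return entries worth a manual check: unreadable image file plus at
    least `threshold` further traits (the threshold is an assumption)."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and not e.readable and score_entry(e).score >= threshold:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.state} {e.name} -> {e.image}  (score {e.score})")
        for r in e.reasons:
            print("   -", r)
```

Run on the sample, only `ywrgma` is flagged (score 4, all four traits); the McAfee leftover with its unreadable `McCHSvc.exe` scores 1, because a descriptive display name and a normal path outweigh one terse file name, and the readable Avira drivers are not scored at all. That separation is the point: a missing file by itself is routine (stale uninstalls), and a terse name by itself is routine (vendor drivers); it is the combination that earns a closer look.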

  • Staff

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


I am not sure what service they mean.

I get a bubble notice that Automatic Updates is turned off. I click the on button in the Windows Security Center, and a notice reads that Security Center cannot change these settings. I should go to the System in Control Panel. When I go to System in Control Panel, it says Automatic updates are on. I go to the Windows update webpage and clicking "Express" or "Custom" update buttons, it says the website encountered a problem and cannot display the page you are trying to view.

As far as I can tell, everything else seems OK.

I tried sending the F-Secure Online Scanner report, but your forum said it was too long to post. I will try to post the scanner report separately. Here is the security check report:

Results of screen317's Security Check version 0.99.20

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 20

Out of date Java installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````End of Log````````````


This is frustrating, the first half of my message got cropped off. Sorry that it doesn't make sense. The main problems are that the hard drive is still grunting, and I get a message upon logging on to an account that a service can't start, though it doesn't say what service. A notice warns that automatic Windows updating is off. The Windows Security Center won't let me click it on. I go to System in Control Panel and it says it's on. I go to the Windows Update web page and clicking either "express" or "custom" updates gets a reply that a problem is preventing the web page from displaying.


Thanks for getting back. After running ComboFix, the hard drive is now quiet, so that must be a good thing. MS Automatic Updates is also working. Seems like there is great progress. Here is the ComboFix log:

ComboFix 11-10-07.04 - killereyz 10/08/2011 0:10.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2151 [GMT -4:00]

Running from: c:\documents and settings\killereyz\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Ann\GoToAssistDownloadHelper.exe

c:\documents and settings\Rob\Application Data\5F7A.C05

c:\documents and settings\Rob\WINDOWS

c:\program files\google\common\google updater\googleupdaterservice.exe

c:\program files\messenger\msmsgsin.exe

c:\windows\$NtUninstallKB51459$

c:\windows\$NtUninstallKB51459$\2208602451

c:\windows\$NtUninstallKB51459$\3570852394\@

c:\windows\$NtUninstallKB51459$\3570852394\bckfg.tmp

c:\windows\$NtUninstallKB51459$\3570852394\cfg.ini

c:\windows\$NtUninstallKB51459$\3570852394\Desktop.ini

c:\windows\$NtUninstallKB51459$\3570852394\keywords

c:\windows\$NtUninstallKB51459$\3570852394\kwrd.dll

c:\windows\$NtUninstallKB51459$\3570852394\L\rngtsoxs

c:\windows\$NtUninstallKB51459$\3570852394\U\00000001.@

c:\windows\$NtUninstallKB51459$\3570852394\U\00000002.@

c:\windows\$NtUninstallKB51459$\3570852394\U\80000000.@

c:\windows\$NtUninstallKB51459$\3570852394\U\80000032.@

c:\windows\iun6002.exe

c:\windows\system32\_004026_.tmp.dll

c:\windows\system32\_004027_.tmp.dll

c:\windows\system32\_004028_.tmp.dll

c:\windows\system32\_004029_.tmp.dll

c:\windows\system32\_004036_.tmp.dll

c:\windows\system32\_004037_.tmp.dll

c:\windows\system32\_004038_.tmp.dll

c:\windows\system32\_004039_.tmp.dll

c:\windows\system32\_004040_.tmp.dll

c:\windows\system32\_004041_.tmp.dll

c:\windows\system32\_004042_.tmp.dll

c:\windows\system32\_004043_.tmp.dll

c:\windows\system32\_004044_.tmp.dll

c:\windows\system32\_004045_.tmp.dll

c:\windows\system32\_004046_.tmp.dll

c:\windows\system32\_004047_.tmp.dll

c:\windows\system32\_004048_.tmp.dll

c:\windows\system32\_004049_.tmp.dll

c:\windows\system32\_004050_.tmp.dll

c:\windows\system32\_004052_.tmp.dll

c:\windows\system32\_004055_.tmp.dll

c:\windows\system32\_004056_.tmp.dll

c:\windows\system32\_004060_.tmp.dll

c:\windows\system32\_004061_.tmp.dll

c:\windows\system32\_004062_.tmp.dll

c:\windows\system32\_004063_.tmp.dll

c:\windows\system32\_004064_.tmp.dll

c:\windows\system32\_004065_.tmp.dll

c:\windows\system32\_004066_.tmp.dll

c:\windows\system32\_004068_.tmp.dll

c:\windows\system32\_004069_.tmp.dll

c:\windows\system32\_004070_.tmp.dll

c:\windows\system32\_004071_.tmp.dll

c:\windows\system32\_004072_.tmp.dll

c:\windows\system32\_004073_.tmp.dll

c:\windows\system32\_004074_.tmp.dll

c:\windows\system32\_004076_.tmp.dll

c:\windows\system32\_004077_.tmp.dll

c:\windows\system32\_004078_.tmp.dll

c:\windows\system32\_004079_.tmp.dll

c:\windows\system32\_004080_.tmp.dll

c:\windows\system32\_004082_.tmp.dll

c:\windows\system32\_004083_.tmp.dll

c:\windows\system32\_004085_.tmp.dll

c:\windows\system32\_004086_.tmp.dll

c:\windows\system32\_004087_.tmp.dll

c:\windows\system32\_004088_.tmp.dll

c:\windows\system32\_004089_.tmp.dll

c:\windows\system32\_004090_.tmp.dll

c:\windows\system32\_004091_.tmp.dll

c:\windows\system32\_004092_.tmp.dll

c:\windows\system32\_004093_.tmp.dll

c:\windows\system32\_004094_.tmp.dll

c:\windows\system32\_004095_.tmp.dll

c:\windows\system32\_004096_.tmp.dll

c:\windows\system32\comct332.ocx
c:\windows\system32\d3d9caps.dat
c:\windows\system32\drivers\fad.sys
F:\setup.exe
H:\autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_d4d6e22a
.
.
((((((((((((((((((((((((( Files Created from 2011-09-08 to 2011-10-08 )))))))))))))))))))))))))))))))
.
.
2011-10-06 01:35 . 2011-10-06 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2011-10-02 15:54 . 2011-10-02 15:54 -------- d-----w- c:\program files\Trend Micro
2011-10-02 05:47 . 2011-10-03 03:32 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-02 05:47 . 2011-10-03 03:32 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-10-02 05:47 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-10-02 05:47 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-10-02 05:47 . 2011-10-02 05:47 -------- d-----w- c:\program files\Avira
2011-10-02 05:47 . 2011-10-02 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-10-02 02:19 . 2011-10-02 02:19 -------- d-----w- C:\found.000
2011-10-02 01:48 . 2011-10-06 01:46 -------- d-----w- c:\windows\system32\NtmsData
2011-10-01 23:36 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-01 23:27 . 2011-10-03 15:59 -------- d-----w- c:\documents and settings\killereyz
2011-10-01 23:16 . 2011-10-02 05:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-01 21:00 . 2011-10-01 21:00 -------- d-----w- c:\documents and settings\Rob\Local Settings\Application Data\Apple
2011-10-01 21:00 . 2011-10-01 21:00 -------- d-----w- c:\documents and settings\Rob\Application Data\AVG2012
2011-10-01 18:47 . 2011-10-02 05:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-10-01 18:38 . 2011-10-02 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-10-01 18:35 . 2011-10-01 18:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-09-17 18:03 . 2011-09-17 18:03 -------- d-----w- c:\documents and settings\Sam\Application Data\GlarySoft
2011-09-17 16:48 . 2011-09-17 17:59 -------- d-----w- c:\documents and settings\Rob\Application Data\GlarySoft
2011-09-14 04:04 . 2011-09-14 04:04 -------- d-----w- c:\documents and settings\Rob\.limewire
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-01 18:47 . 2011-08-18 12:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-07-28 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-01 712704]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WS1BDQi02QldGTS1UUkxRUi1CUlVIUC1DUDg2Ry1YRUhZ&inst=NzctNzUwNTQwMTQyLVhLKzEtRlA5KzYtVEI5KzItRkwrOS1YTzM2KzEtRjlNN0MrNS1GOU0xMEIrMS1YTzkrMS1GOU0yKzEtRERUKzQwMTEtREQ5MEYrMS1TVDkwRkFQUCsxLUY5ME0xMkFOKzItRjkwTTEyQSsxLUY5ME0xMkFCKzEtVTk1KzEtRjkwTTEyQVRCKzEtRjkwTTEyQVUrMS1TVDEyRk9JKzEtU1QxMkZBUFArMS1TVEY5ME0xMkFVRisx&prod=90&ver=2012.0.1809&mid=2038328a69d80dde9ba863449663801d-e8be57e3d397775a8ceac079a00171c9ed059a70" [?]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ann^Start Menu^Programs^Startup^SpywareGuard.lnk]
backup=c:\windows\pss\SpywareGuard.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\akepgexz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\akxe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bboqxzyqob
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ceabll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cquvwgjo
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctplimu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eimnoasikeni
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\evcqrlnjhww
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezlvdwa
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ggzeyhbdn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gh
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gtb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kgqnsiiaiwtm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kof
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kqk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ksbmxje
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nlhuxqtnkf
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oftzck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qazn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rcifzwyp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rrzlziqriqa
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rurk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sniqcaylbqyd
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swzc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uxzhzg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusHeat 4.3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusRanger
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vizulzzvpy
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wtjxambeobm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wzmkwcaira
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\x
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2008-11-06 11:42 50472 ----a-w- c:\program files\AOL 9.1\aol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
2002-04-03 05:01 135264 ----a-w- c:\program files\Creative\SBLive\Diagnostics\diagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 05:04 114741 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2006-06-11 15:36 487424 ----a-w- c:\program files\Eraser\eraser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1172427637\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-07-28 19:19 323584 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"AOL_SPYBt"=2 (0x2)
"iPod Service"=3 (0x3)
"avg8wd"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeActiveFileMonitor"=2 (0x2)
"PhotoshopElementsDeviceConnect"=2 (0x2)
"AOL ACS"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=2 (0x2)
"RasAuto"=2 (0x2)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Themes"=2 (0x2)
"TapiSrv"=2 (0x2)
"McComponentHostService"=3 (0x3)
"gupdatem"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe"
"UpdReg"=c:\windows\UpdReg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 3.0\\Photoshop Elements 3.0.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/2/2011 1:48 AM 136360]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2010 5:35 PM 135664]
S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [1/14/2011 1:35 PM 196912]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S2 ywrgma;ywrgma;\??\c:\windows\system32\drivers\ndkrfawvwa.sys --> c:\windows\system32\drivers\ndkrfawvwa.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2010 5:35 PM 135664]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
S4 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 21:34]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 21:34]
.
2011-10-08 c:\windows\Tasks\User_Feed_Synchronization-{A4193498-2301-4D3D-A5E2-F8602606F271}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.2.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
SafeBoot-MCODS
MSConfigStartUp-Google Update - c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-BlueVoda_Website_Builder_1.0 - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-08 00:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3068)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\System32\snmp.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-10-08 00:29:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-08 04:29
.
Pre-Run: 77,540,012,032 bytes free
Post-Run: 80,355,680,256 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 02BE14EC0D85C87B699ABB74F37829E1


MS updates were installed and then rebooted. Upon rebooting, the hard drive now regularly grunts again. That's disappointing. Also the update for Windows Defender failed to install. Automatic updates is still on, so I guess that's a plus.

Please advise.

Rob


  • Staff

Hi,

I notice that you are using more than one antivirus program (AVG and Antivir). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Reboot.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


After doing the scans, I don't notice any change. Hard drive is still grunting.

Though I used AVG, since loading Avira, I have uninstalled AVG. There are some AVG related files and shortcuts that seem to remain, but there is no second virus scanning program running along with Avira. Here are the short scan reports:

The ESET scan:

C:\Documents and Settings\Ann's New Account\Application Data\B78ED6E8B4C6F8A369601C5F9E8C21C3\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined

C:\Documents and Settings\Ann's New Account\Application Data\B78ED6E8B4C6F8A369601C5F9E8C21C3\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined

C:\System Volume Information\_restore{D65C4F27-9D59-48EC-9122-6D63A8B6E196}\RP754\A0114073.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined

The Security Check Scan:

Results of screen317's Security Check version 0.99.23

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 20

Out of date Java installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````End of Log````````````

Please advise on what to do next.

Rob


The grunting noise seems to be coming from the floppy drive, which sits right above the hard drive. Since nothing is in the floppy drive, I never considered that to be the source, but putting my ear close to the hard drive and then to the floppy, it's clear it is the floppy. Bizarre, since I haven't used a floppy in the last five years.

Rob


  • Staff

Hi Rob,

Use AVG's removal tool:

http://download.avg.com/filedir/util/avgrem/avg_remover_stf_x86_2012_1796.exe

Reboot.

Delete this folder:

C:\Documents and Settings\Ann's New Account\Application Data\B78ED6E8B4C6F8A369601C5F9E8C21C3

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program(s) (if present):

ESET Online Scanner v3

HijackThis 2.0.2

Java™ 6 Update 20

Restart your computer.

Get the latest version of Java.

I suggest just removing the floppy drive entirely. It is likely not functioning correctly and, as you said, you haven't used it in years.

Let me know what issues remain.

-screen317


Thanks for the AVG removal tool. AVG is gone, but the floppy drive still grunts like it's trying to read a disk that is not there to read. I disabled the drive, so at least I don't have to listen to it. I still would like to know what is causing this behavior. But I can live without it.

I removed all the programs listed.

I could not find the file you want me to delete. I can't even find the directory that supposedly contains this file. There is no "Application Data" folder within "Ann's New Account". The only Application Data folders I can find do not contain this file. I don't know if it is a hidden file that requires me to do something special to find it.

While trying to search for this file, I discovered that the file search does not work under some accounts. I created the "Killereyz" account to do the malware removal. That account has a working file search. But if I go to the older accounts and try to access Search, from the "Start" menu or by right-clicking "My Computer" or opening "Windows Explorer", all I get is the double-paned window, the cute dog scratching itself, but no entry spaces or option buttons to conduct a search. I don't know why one account can access Search, yet the others do not.

I would like your advice on how to regain the file search function on all the accounts.

I appreciate all the help you have provided. The computer is very functional otherwise.

Rob


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
