Google Redirects, Can't Download Windows Updates

Slider51 Michigan USA New
edited December 2009 in Spyware & Virus Removal
Actually two separate issues. The redirect problem started a week ago. I haven't been able to directly download Windows updates for months. Please help - I am stumped on both these problems...

Problem 1: Any time I use Google Search toolbar, the search works but clicking on any of the hit links causes a chain reaction of redirects. The first redirect is usually to a DirectTV ad. Also, occasionally when surfing (IE Explorer) a redirect may occur at any time from a variety of sites. AVG free doesn't catch it, nor does Pareto Anti-spyware. I ran CW Shredder, which found nothing, and RUBotted found nothing. HJT Log is below.

Problem 2: For the last 6-8 months, after a prolonged clean for a bout with rogue spyware, I cannot download Windows Updates through the Auto Update feature. This happens regardless of how I have the Auto Update function configured. When set to full automatic scheduled updates, simply nothing happens. When set to Notify but don't download, I will get the "gold shield" icon in the system tray indicating updates are available. If I click on the icon, I get the window listing the updates, all check marked, but when I click on the download button, nothing happens. The only way I can download updates is to write down the update numbers and go to the MS Update site and download them one at a time. Needless to say, I am always behind on my updates because of this.

If possible, let's start with the redirect issue, as I use Google to find each update by number rather than having to navigate the MS site.

I have had the feeling that I have been continually infected with something for a good year now, even though it doesn't show up on any AV or spyware programs...almost every time the machine is running, I experience intermittent slowdowns with mouse-clicked commands in virtually any pull-down menu I happen to be working with - click a command, and the machine might delay 5 seconds, 15 seconds, 30 seconds before executing. I also often get shutdown hangs when clicking Start: the shutdown or restart window often never appears, or if it does, it will hang when I click shut down. I don't know how this is related to the other stuff above, but as long as I'm here, I wanted to add this problem to the list.

Thanks in advance - I should be able to respond fairly quickly to any requests over the next few days.

Slider51
HJT log---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:25 PM, on 12/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe
C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/
user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\ADMINISTRATOR\\APPLICATION DATA\\Mozilla\\Profiles\\default\\lxcunvvv.slt");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
user_pref("dom.disable_open_during_load", true);
user_pref("intl.charsetmenu.browser.cache", "us-ascii, UTF-8, windows-1252, ISO-8859-1");
user_pref("mail
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Panasonic Device Monitor Wakeup] C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe
O4 - HKLM\..\Run: [Panasonic Device Manager for Multi-Function Station software] C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe
O4 - HKLM\..\Run: [Panasonic PCFAX for Multi-Function Station software] C:\Program Files\Panasonic\MFStation\KmPcFax.exe -1
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096722207781
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140016650656
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MANDP.Local
O17 - HKLM\Software\..\Telephony: DomainName = MANDP.Local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MANDP.Local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: JavaQuickStarterService - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Panasonic Local Printer Service - Panasonic Communications Co., Ltd. - C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe
O23 - Service: Panasonic Trap Monitor Service - Panasonic - C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
--
End of file - 8374 bytes
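
A defender-side check for the F2 line in the log above, as an added example that is not part of this thread or of HijackThis itself: it parses HJT entry lines and flags any executable appended to Winlogon's UserInit value beyond userinit.exe (the condition MBAM later reports as Hijack.Userinit), plus O23 services whose binary is missing. The sample excerpt is constructed from lines in this post; the helper names are my own.

```python
import re
from typing import List, Tuple

# Constructed excerpt in HijackThis log format, built from lines in the post
# above (header, an R1 entry, the F2 UserInit entry, an O4 entry, an O23 entry).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
"""

# Winlogon's Userinit value normally lists only userinit.exe. Anything appended
# to it is launched at every interactive logon, before the shell, which is why
# an extra entry here is a persistence red flag rather than a configuration quirk.
EXPECTED_USERINIT = {"userinit.exe"}

# HJT entry lines look like "<section> - <payload>", e.g. "F2 - REG:system.ini: ...".
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<payload>.*)$")
USERINIT_PREFIX = "REG:system.ini: UserInit="


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, payload) for every HJT entry line, skipping header lines
    and any multi-line residue (such as the N3 Netscape prefs dump)."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("payload")))
    return entries


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def check_userinit(payload: str) -> List[str]:
    """Return the unexpected executables named in an F2 UserInit= entry.
    An empty list means the value holds only the expected userinit.exe."""
    if not payload.startswith(USERINIT_PREFIX):
        return []
    value = payload[len(USERINIT_PREFIX):]
    # The registry value is comma-separated and normally ends with a trailing comma.
    names = [_basename(p) for p in value.split(",") if p.strip()]
    return [n for n in names if n not in EXPECTED_USERINIT]


def audit_hjt(text: str) -> List[Tuple[str, str]]:
    """Run the checks over a whole log and return (section, finding) pairs."""
    findings = []
    for section, payload in parse_hjt(text):
        if section == "F2":
            extra = check_userinit(payload)
            if extra:
                findings.append(("F2", "UserInit hijack: unexpected " + ", ".join(extra)))
        elif section == "O23" and "(file missing)" in payload:
            # An orphaned service is not malicious by itself, but it is worth
            # noting when triaging a log, since it may be leftover from a removal.
            findings.append(("O23", "service points at a missing file: " + payload))
    return findings


if __name__ == "__main__":
    for section, finding in audit_hjt(SAMPLE_LOG):
        print(f"[{section}] {finding}")
```

Running it against the full log posted above produces the same two findings; the rest of the entries parse but trip no check.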

Comments

  • Slider51 Michigan USA New
    edited December 2009
    While I was waiting I read some of the other similar threads and noted MBAM being prescribed a lot. I had been meaning to try it anyway, so I downloaded it and scanned....WOW...this machine was sick! Major infections...MBAM fixed them all, but alas, the redirect problem still remains.

    For whoever is going to help me, here is the MBAM log and a new HJT log following it...

    Malwarebytes' Anti-Malware 1.42
    Database version: 3290
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    12/3/2009 7:17:53 PM
    mbam-log-2009-12-03 (19-17-53).txt
    Scan type: Quick Scan
    Objects scanned: 116334
    Time elapsed: 10 minute(s), 3 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 94
    Registry Values Infected: 3
    Registry Data Items Infected: 8
    Folders Infected: 5
    Files Infected: 26
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.Exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASecurityCENTER.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpf.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navstub.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navwnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ollydbg.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdAgent.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\12620004 (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\15958594 (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\faq (Rogue.ControlCenter) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\faq\images (Rogue.ControlCenter) -> Quarantined and deleted successfully.
    Files Infected:
    C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache9825.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\spool\prtprocs\w32x86\94.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\12620004\12620004 (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\15958594\15958594 (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\15958594\pc15958594ins (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\faq\guide.html (Rogue.ControlCenter) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg1.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg10.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg2.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg3.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg4.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg5.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg6.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg7.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg8.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg9.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Desktop\Privacy center.lnk (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\4_pinnew.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\settings.ini (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\PC\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    New HJT Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:08:02 PM, on 12/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe
    C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe
    C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\Administrator.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: # Mozilla User Preferences
    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */
    user_pref("aim.session.firsttime", false);
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\ADMINISTRATOR\\APPLICATION DATA\\Mozilla\\Profiles\\default\\lxcunvvv.slt");
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
    user_pref("dom.disable_open_during_load", true);
    user_pref("intl.charsetmenu.browser.cache", "us-ascii, UTF-8, windows-1252, ISO-8859-1");
    user_pref("mail
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Panasonic Device Monitor Wakeup] C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe
    O4 - HKLM\..\Run: [Panasonic Device Manager for Multi-Function Station software] C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe
    O4 - HKLM\..\Run: [Panasonic PCFAX for Multi-Function Station software] C:\Program Files\Panasonic\MFStation\KmPcFax.exe -1
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096722207781
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140016650656
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MANDP.Local
    O17 - HKLM\Software\..\Telephony: DomainName = MANDP.Local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MANDP.Local
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: JavaQuickStarterService - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Panasonic Local Printer Service - Panasonic Communications Co., Ltd. - C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe
    O23 - Service: Panasonic Trap Monitor Service - Panasonic - C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
    O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
    O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
    --
    End of file - 8314 bytes


    Slider
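Added example, not code from this thread or from HijackThis: a small Python triage parser for the four HijackThis line types that carry most of the weight in the log above (O2, O4, O17, O23). The sample lines are constructed from entries quoted in this thread, and the flag rules in triage() are assumptions about what a reviewer checks, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: six lines in the shape HijackThis v2 writes them, modelled on
# entries quoted in this thread. A real review pastes the whole log; this is a sample.
SAMPLE_HJT = r"""
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MANDP.Local
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
"""


@dataclass
class HjtEntry:
    section: str                 # HijackThis section code, e.g. "O4" or "O23"
    raw: str                     # the line exactly as it appears in the log
    name: str = ""               # BHO name, Run value name, service short name, or registry key
    clsid: Optional[str] = None  # COM class id (O2 only)
    owner: str = ""              # vendor string HijackThis reports for a service (O23 only)
    path: str = ""               # file path, or the configured value for O17
    flags: List[str] = field(default_factory=list)  # triage notes filled in by triage()


# The leading "Oxx - " is split off first, then one regex per section decodes the body.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
SECTION_RE: Dict[str, re.Pattern] = {
    "O2": re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O17": re.compile(r"^(?P<key>.*?): (?P<value_name>\w+) = (?P<value>.*)$"),
    "O23": re.compile(r"^Service: (?P<display>.*?) \((?P<short>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$"),
}


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one log line; returns None for lines that are not HijackThis entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    entry = HjtEntry(section=sec, raw=line.strip())
    rx = SECTION_RE.get(sec)
    mm = rx.match(body) if rx else None
    if mm is None:
        return entry  # sections this example does not decode keep only section + raw text
    g = mm.groupdict()
    if sec == "O2":
        entry.name, entry.clsid, entry.path = g["name"], g["clsid"], g["path"]
    elif sec == "O4":
        entry.name, entry.path = g["name"], g["path"]
    elif sec == "O17":
        entry.name, entry.path = g["key"], g["value"]
    elif sec == "O23":
        entry.name, entry.owner, entry.path = g["short"], g["owner"], g["path"]
    return entry


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse a whole log, dropping headers, process lists and other non-entry lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def triage(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Apply simple review rules (assumed here, not HijackThis logic) and return the hits."""
    hits = []
    for e in entries:
        if "(file missing)" in e.path:
            e.flags.append("file missing")       # autostart or service points at nothing on disk
        if e.section == "O23" and e.owner == "Unknown owner":
            e.flags.append("unknown owner")      # binary carries no recognised vendor string
        if e.section == "O17":
            e.flags.append("domain setting: confirm it matches the machine's real network")
        if e.flags:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{hit.section:<4} {hit.name:<45} {', '.join(hit.flags)}")
```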
  • edited December 2009
    Hey there. :)

    A few things before we start....
    1. Please Read All Instructions Carefully.
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you.
    4. If you have to go away for an extended period of time, let me know.
    5. Please continue to respond until I give you the "All Clear".
    (Just because you can't see a problem doesn't mean it isn't there)


    Let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

    Go here ======> A guide and tutorial on using ComboFix <====== Go here

    Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should get a prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    (2) Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.


    Please include C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.


    Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
  • Slider51Slider51 Michigan USA New
    edited December 2009
    Thank you Chiaz,

    Appreciate your quick response!

    Okay, I downloaded Combofix. I don't have a Windows CD, so I used the ComboFix download method, which worked fine installing the Recovery Manager.

    When running ComboFix, it did detect rootkit activity and re-booted the machine during the scan. The only thing that happened that the tutorial didn't prepare me for was the appearance of a Windows error window twice saying "Generic Host Process has encountered a difficulty and needs to close" and I had to click the "close" button.

    I wanted to turn all my AV and Spyware stuff back on before I came back to Icrontic. My Windows firewall shows a red shield with an X in it in the system tray toolbar. Clicking on it sends me to the Security Center, where the Win Firewall is shown as "Off", yet when I go to the configuration screen to turn it back on, it is already checked as "ON"...the indication is that the firewall is turned off, yet the selector says it's on...?

    Ready and waiting for your next instructions...thank you.

    Slider

    Here's the ComboFix Log:
    ComboFix 09-12-03.06 - Administrator 12/04/2009 11:30.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.632 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Administrator\Application Data\PC
    c:\program files\CyberDefender
    c:\recycler\NPROTECT
    C:\Thumbs.db
    c:\windows\system32\2647817957.dat
    c:\windows\system32\tmp.reg
    Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    ((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
    .
    2009-12-04 00:03 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-04 00:03 . 2009-12-04 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-04 00:03 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-03 22:35 . 2008-03-02 08:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
    2009-12-03 22:27 . 2009-12-03 22:27 -------- d-----w- c:\documents and settings\Administrator\log
    2009-12-01 02:22 . 2009-12-01 02:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2009-11-30 19:47 . 2009-11-30 19:47 81920 ----a-w- c:\windows\ALCFDRTM.EXE
    2009-11-30 19:30 . 2008-07-15 20:20 69632 ----a-w- c:\windows\system32\ChCfg.exe
    2009-11-30 19:30 . 2007-11-20 23:15 1826816 ----a-w- c:\windows\SkyTel.exe
    2009-11-30 19:30 . 2009-11-30 19:44 -------- d-----w- c:\windows\system32\RTCOM
    2009-11-30 19:30 . 2008-09-19 22:48 1200128 ----a-w- c:\windows\RtlUpd.exe
    2009-11-30 19:30 . 2008-12-30 19:58 18082304 ----a-w- c:\windows\RTHDCPL.EXE
    2009-11-30 19:30 . 2008-09-30 21:38 2168320 ----a-w- c:\windows\MicCal.exe
    2009-11-30 19:30 . 2008-08-25 21:17 528384 ----a-w- c:\windows\RtlExUpd.dll
    2009-11-28 05:45 . 2009-11-28 05:45 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2009-11-28 05:40 . 2009-12-01 02:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\vubojl
    2009-11-28 05:33 . 2009-11-30 05:33 3519152 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Temp\DriverCure Installer.exe
    2009-11-27 19:07 . 2009-11-27 17:13 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
    2009-11-27 19:07 . 2009-11-27 17:13 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2009-11-27 19:06 . 2009-11-27 17:13 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2009-11-27 19:06 . 2009-11-27 17:13 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2009-11-27 17:14 . 2009-11-27 17:17 -------- d-----w- C:\$AVG
    2009-11-27 17:13 . 2009-11-27 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-03 22:35 . 2004-10-02 12:47 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-12-03 22:35 . 2007-06-19 21:48 -------- d-----w- c:\program files\Trend Micro
    2009-12-03 22:27 . 2007-06-19 21:48 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2009-12-03 21:57 . 2004-10-02 12:47 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2009-12-02 15:52 . 2007-05-21 04:59 -------- d-----w- c:\program files\Google
    2009-12-01 16:24 . 2006-12-21 15:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-11-30 19:43 . 2009-06-13 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
    2009-11-30 19:30 . 2004-10-02 12:47 -------- d-----w- c:\program files\Realtek
    2009-11-30 19:30 . 2004-10-02 12:47 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-11-27 17:14 . 2009-03-28 00:07 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-11-27 17:14 . 2009-03-28 00:07 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-27 17:14 . 2009-03-28 00:07 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-27 17:13 . 2009-03-28 00:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-27 17:13 . 2009-03-28 00:06 -------- d-----w- c:\program files\AVG
    2009-10-27 18:43 . 2007-11-06 14:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\FinalBurner DATA
    2009-10-24 00:17 . 2009-10-24 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
    2006-06-26 18:24 . 2006-06-26 18:24 60518 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
    2006-06-26 18:24 . 2006-06-26 18:24 49248 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
    2006-06-26 18:24 . 2006-06-26 18:24 165992 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ParetoLogic Anti-Spyware"="c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2009-06-10 2643312]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
    "Panasonic Device Monitor Wakeup"="c:\program files\Panasonic\Device Monitor\dmwakeup.exe" [2006-11-02 303104]
    "Panasonic Device Manager for Multi-Function Station software"="c:\program files\Panasonic\MFStation\PCCMFSDM.exe" [2007-05-21 126976]
    "Panasonic PCFAX for Multi-Function Station software"="c:\program files\Panasonic\MFStation\KmPcFax.exe" [2007-08-28 757760]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-27 2020120]
    "TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2008-08-19 77824]
    "AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2008-06-19 2808832]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= "c:\program files\ParetoLogic\Anti-Spyware\PASShlExt.dll" [2009-06-10 98304]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-11-27 17:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "WinDefend"=2 (0x2)
    "ThreatFire"=3 (0x3)
    "sdCoreService"=2 (0x2)
    "sdAuxService"=2 (0x2)
    "Panasonic Trap Monitor Service"=2 (0x2)
    "Panasonic Local Printer Service"=2 (0x2)
    "ose"=3 (0x3)
    "JavaQuickStarterService"=3 (0x3)
    "gusvc"=3 (0x3)
    "C-DillaCdaC11BA"=2 (0x2)
    "AVGEMS"=2 (0x2)
    "Avg7UpdSvc"=2 (0x2)
    "Avg7Alrt"=2 (0x2)
    "ATI Smart"=2 (0x2)
    "APC UPS Service"=2 (0x2)
    "AcrSch2Svc"=2 (0x2)
    "aawservice"=3 (0x3)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/27/2009 7:07 PM 333192]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/27/2009 7:07 PM 360584]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/27/2009 12:13 PM 285392]
    R2 Panasonic Local Printer Service;Panasonic Local Printer Service;c:\progra~1\PANASO~1\LocalCom\lmsrvnt.exe [8/13/2009 11:01 AM 36864]
    R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [12/3/2009 5:35 PM 582992]
    R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
    R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [12/3/2009 5:35 PM 206608]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
    S3 CryptSvcFastUserSwitchingCompatibility;CryptSvcFastUserSwitchingCompatibility; [x]
    S3 GAGPDrv;GAGPDrv; [x]
    S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
    S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [12/3/2009 5:35 PM 206608]
    .
    Contents of the 'Scheduled Tasks' folder
    2009-07-26 c:\windows\Tasks\DriverCure.job
    - c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2009-04-26 12:44]
    2009-06-17 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
    - c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe [2009-06-10 17:02]
    2009-11-16 c:\windows\Tasks\ParetoLogic Privacy Controls_{2A163F70-5B61-11DE-ACE4-00112F2ACF38}.job
    - c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 15:29]
    2009-12-03 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]
    2009-11-30 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
    2009-11-30 c:\windows\Tasks\ParetoLogic Update.job
    - c:\program files\Common Files\ParetoLogic\UUS\Pareto_Update.exe [2009-06-10 17:39]
    2009-12-04 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
    2009-12-04 c:\windows\Tasks\RegCure Startup.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
    2009-06-13 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
    .
    .
    Supplementary Scan
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Settings,ProxyOverride = <local>
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\su9gakqb.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/home.html
    FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\su9gakqb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
    FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\su9gakqb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
    .
    - - - - ORPHANS REMOVED - - - -
    WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-04 11:43
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_USERS\S-1-5-21-1614895754-1004336348-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,f1,43,fb,b0,8a,81,49,81,12,d8,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,f1,43,fb,b0,8a,81,49,81,12,d8,\
    [HKEY_USERS\S-1-5-21-1614895754-1004336348-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(744)
    c:\windows\system32\Ati2evxx.dll
    - - - - - - - > 'lsass.exe'(800)
    c:\windows\system32\relog_ap.dll
    - - - - - - - > 'explorer.exe'(2552)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-04 11:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-12-04 16:49
    Pre-Run: 209,738,973,184 bytes free
    Post-Run: 210,601,222,144 bytes free
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    ;timeout=3
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    - - End Of File - - 7389D47BABFB485342DA2C90E4AAC1E9
  • Slider51Slider51 Michigan USA New
    edited December 2009
    OOPS!...

    Sorry, Chiaz...I neglected to update you on how the machine is running since the Combo-Fix scan above. It appears the re-direct issue has been corrected! I did a Google Search and clicked on several of the links without any redirects. Cautiously optimistic here...:)

    And..and..and...hooray! Windows Updates are currently set on "prompt but don't download"..I got the notification window, got the list of updates all checkmarked, clicked on download and it downloaded all 12 updates for me! I began an installation of the updates, then realized that may add some variables we don't want right now, so I cancelled the installation after just 1 of the 12 had been installed. Sorry if I shouldn't have done this, but I did want to check the operation of this for you.

    Next item: The first time I started the computer for this session, I caught what I believe said "MBR Error 3" flash instantaneously right after the BIOS ran and the IDE Scan completed. I restarted the machine to verify what it said but didn't see it the second time through.

    Last item - the Generic Host Process error window comes up on every restart now - I attached a screen shot with the complete set of error windows clicked and expanded so you can see what I'm seeing.

    Waiting patiently for your next instructions....Thank you!

    Slider
  • edited December 2009
    Thanks for the detailed update.

    Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

    It's IMPORTANT to carry out the instructions in the sequence listed below.

    ==============

    Download: CCleaner (freeware)
    http://www.filehippo.com/download_ccleaner/
    Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).
    Once installed, close any open windows or browsers. Then run CCleaner, click the Windows [tab]
    The following should be selected by default, if not, please select:
    CCleanerA.png
    Next: click Options click the Settings tab
    Uncheck: "Only delete files older than 48 hrs.", click Ok
    Then click Run Cleaner (bottom right) then Exit

    ===============

    Next,
    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Open *notepad* and copy/paste the text in the quotebox below into it:
    Folder::
    c:\documents and settings\Administrator\Local Settings\Application Data\vubojl
    

    Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


    CFScript.gif

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


    When finished, it shall produce a log for you at C:\ComboFix.txt

    Please copy and paste the ComboFix.txt in your new reply.

    *Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
  • Slider51Slider51 Michigan USA New
    edited December 2009
    OK chiaz,

    Completed all...here are some notes:

    (1) You may wish to change your CCleaner instructions. There has apparently been an update to that program, as the "Only delete files older than 48 hours" checkbox now is found under "Advanced" rather than "Settings". I did find it and unchecked it. Additionally, several more checkboxes appear under "System" than are shown in your instructions. I was unsure as to whether to leave them all checked (default) but I did leave them that way.

    (2) I also checked my D:\ drive to be included in the CCleaner process. It is a second 250 GB drive that I use for archiving and a place to store Acronis full backups for both this machine and my wife's identical computer. We also store my backups on her D:\ drive as a redundancy measure.

    (3) After pasting the CFScript.txt and dragging onto the ComboFix Icon, ComboFix indicated an available update. I let it update, it then restarted, but I stopped it as I wasn't sure the script was still present. I then re-dragged the script onto the CF icon and all ran smoothly. The Windows Firewall "Off" nag popped up during the scan but I just let it sit there.

    (4) After ComboFix was finished I re-booted, and the Generic Host Process error window came back, with different information shown when expanded (see the screen shot attachment).

    (5) There is still a conflict between the Win Firewall settings and the system tray nag. The nag tells me the firewall is off, the Security Center screen shows it as off, yet the selector shows it checked as "on". (See second screen shot).


    Thank you for everything so far :) ! Patiently waiting for more instructions...

    Slider

    Here is the ComboFix log:
    ComboFix 09-12-04.05 - Administrator 12/05/2009 12:14.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.617 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Administrator\Local Settings\Application Data\vubojl
    .
    ((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
    .
    2009-12-05 16:55 . 2009-12-05 16:55 d-----w- c:\program files\CCleaner
    2009-12-04 00:03 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-04 00:03 . 2009-12-04 00:16 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-04 00:03 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-03 22:35 . 2008-03-02 08:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
    2009-12-03 22:27 . 2009-12-03 22:27 d-----w- c:\documents and settings\Administrator\log
    2009-12-01 02:22 . 2009-12-01 02:22 d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2009-11-30 19:47 . 2009-11-30 19:47 81920 ----a-w- c:\windows\ALCFDRTM.EXE
    2009-11-30 19:30 . 2008-07-15 20:20 69632 ----a-w- c:\windows\system32\ChCfg.exe
    2009-11-30 19:30 . 2007-11-20 23:15 1826816 ----a-w- c:\windows\SkyTel.exe
    2009-11-30 19:30 . 2009-11-30 19:44 d-----w- c:\windows\system32\RTCOM
    2009-11-30 19:30 . 2008-09-19 22:48 1200128 ----a-w- c:\windows\RtlUpd.exe
    2009-11-30 19:30 . 2008-12-30 19:58 18082304 ----a-w- c:\windows\RTHDCPL.EXE
    2009-11-30 19:30 . 2008-09-30 21:38 2168320 ----a-w- c:\windows\MicCal.exe
    2009-11-30 19:30 . 2008-08-25 21:17 528384 ----a-w- c:\windows\RtlExUpd.dll
    2009-11-28 05:45 . 2009-11-28 05:45 d-sh--w- c:\documents and settings\LocalService\IETldCache
    2009-11-28 05:33 . 2009-11-30 05:33 3519152 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Temp\DriverCure Installer.exe
    2009-11-27 17:14 . 2009-11-27 17:17 d-----w- C:\$AVG
    2009-11-27 17:13 . 2009-11-27 17:13 d-----w- c:\documents and settings\All Users\Application Data\avg9
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-05 17:02 . 2006-04-10 00:21 d-----w- c:\program files\ewido anti-malware
    2009-12-03 22:35 . 2004-10-02 12:47 d--h--w- c:\program files\InstallShield Installation Information
    2009-12-03 22:35 . 2007-06-19 21:48 d-----w- c:\program files\Trend Micro
    2009-12-03 22:27 . 2007-06-19 21:48 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2009-12-03 21:57 . 2004-10-02 12:47 96512 ------w- c:\windows\system32\drivers\atapi.sys
    2009-12-02 15:52 . 2007-05-21 04:59 d-----w- c:\program files\Google
    2009-12-01 16:24 . 2006-12-21 15:23 d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-11-30 19:43 . 2009-06-13 22:20 d-----w- c:\documents and settings\All Users\Application Data\DriverCure
    2009-11-30 19:30 . 2004-10-02 12:47 d-----w- c:\program files\Realtek
    2009-11-30 19:30 . 2004-10-02 12:47 d-----w- c:\program files\Common Files\InstallShield
    2009-11-27 17:14 . 2009-03-28 00:07 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-11-27 17:14 . 2009-03-28 00:07 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-27 17:14 . 2009-03-28 00:07 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-27 17:13 . 2009-03-28 00:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-27 17:13 . 2009-03-28 00:06 d-----w- c:\program files\AVG
    2009-10-27 18:43 . 2007-11-06 14:22 d-----w- c:\documents and settings\Administrator\Application Data\FinalBurner DATA
    2009-10-24 00:17 . 2009-10-24 00:17 d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
    2006-06-26 18:24 . 2006-06-26 18:24 60518 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
    2006-06-26 18:24 . 2006-06-26 18:24 49248 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
    2006-06-26 18:24 . 2006-06-26 18:24 165992 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-12-04_16.43.24 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-12-05 16:44 . 2009-12-05 16:44 16384 c:\windows\temp\Perflib_Perfdata_15c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ParetoLogic Anti-Spyware"="c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2009-06-10 2643312]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
    "Panasonic Device Monitor Wakeup"="c:\program files\Panasonic\Device Monitor\dmwakeup.exe" [2006-11-02 303104]
    "Panasonic Device Manager for Multi-Function Station software"="c:\program files\Panasonic\MFStation\PCCMFSDM.exe" [2007-05-21 126976]
    "Panasonic PCFAX for Multi-Function Station software"="c:\program files\Panasonic\MFStation\KmPcFax.exe" [2007-08-28 757760]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-27 2020120]
    "TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2008-08-19 77824]
    "AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2008-06-19 2808832]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= "c:\program files\ParetoLogic\Anti-Spyware\PASShlExt.dll" [2009-06-10 98304]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-11-27 17:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "WinDefend"=2 (0x2)
    "ThreatFire"=3 (0x3)
    "sdCoreService"=2 (0x2)
    "sdAuxService"=2 (0x2)
    "Panasonic Trap Monitor Service"=2 (0x2)
    "Panasonic Local Printer Service"=2 (0x2)
    "ose"=3 (0x3)
    "JavaQuickStarterService"=3 (0x3)
    "gusvc"=3 (0x3)
    "C-DillaCdaC11BA"=2 (0x2)
    "AVGEMS"=2 (0x2)
    "Avg7UpdSvc"=2 (0x2)
    "Avg7Alrt"=2 (0x2)
    "ATI Smart"=2 (0x2)
    "APC UPS Service"=2 (0x2)
    "AcrSch2Svc"=2 (0x2)
    "aawservice"=3 (0x3)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/27/2009 7:07 PM 333192]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/27/2009 7:07 PM 360584]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/27/2009 12:13 PM 285392]
    R2 Panasonic Local Printer Service;Panasonic Local Printer Service;c:\progra~1\PANASO~1\LocalCom\lmsrvnt.exe [8/13/2009 11:01 AM 36864]
    R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
    R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [12/3/2009 5:35 PM 206608]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
    S2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [12/3/2009 5:35 PM 582992]
    S3 CryptSvcFastUserSwitchingCompatibility;CryptSvcFastUserSwitchingCompatibility; [x]
    S3 GAGPDrv;GAGPDrv; [x]
    S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
    S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [12/3/2009 5:35 PM 206608]
    .
    Contents of the 'Scheduled Tasks' folder
    2009-07-26 c:\windows\Tasks\DriverCure.job
    - c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2009-04-26 12:44]
    2009-06-17 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
    - c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe [2009-06-10 17:02]
    2009-11-16 c:\windows\Tasks\ParetoLogic Privacy Controls_{2A163F70-5B61-11DE-ACE4-00112F2ACF38}.job
    - c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 15:29]
    2009-12-03 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]
    2009-11-30 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
    2009-11-30 c:\windows\Tasks\ParetoLogic Update.job
    - c:\program files\Common Files\ParetoLogic\UUS\Pareto_Update.exe [2009-06-10 17:39]
    2009-12-05 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
    2009-12-05 c:\windows\Tasks\RegCure Startup.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
    2009-06-13 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
    .
    .
    Supplementary Scan
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uStart Page = hxxp://www.comcast.net/
    uInternet Settings,ProxyOverride = <local>
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\su9gakqb.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/home.html
    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-05 12:21
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_USERS\S-1-5-21-1614895754-1004336348-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,f1,43,fb,b0,8a,81,49,81,12,d8,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,f1,43,fb,b0,8a,81,49,81,12,d8,\
    [HKEY_USERS\S-1-5-21-1614895754-1004336348-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(740)
    c:\windows\system32\Ati2evxx.dll
    - - - - - - - > 'lsass.exe'(796)
    c:\windows\system32\relog_ap.dll
    - - - - - - - > 'explorer.exe'(1352)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2009-12-05 12:24
    ComboFix-quarantined-files.txt 2009-12-05 17:24
    ComboFix2.txt 2009-12-04 16:49
    Pre-Run: 210,788,823,040 bytes free
    Post-Run: 210,746,888,192 bytes free
    - - End Of File - - EDC889AF3E014D0B4BE17196B371A1EB
  • edited December 2009
    Go to Start/Run and type services.msc and hit enter. Scroll down to Windows Firewall service/ Right click it and choose Properties. Set the Startup type to Automatic and Start the service.

    =======================

    Then close all other windows, and navigate to the following folder:
    C:\documents and settings\adminstrator\local settings\temp\WERab5b.dir00

    Delete everything within this folder. After you're done, restart your computer.

    ================

    Finally, go HERE to run Panda ActiveScan 2.0
    • Click the big green Scan now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • Once the scan is completed, please hit the notepad icon next to the text Export to:
    • Save it to a convenient location such as your Desktop
    • Post the contents of the ActiveScan.txt in your next reply.
  • Slider51Slider51 Michigan USA New
    edited December 2009
    All complete...

    (1) I ran services.msc and selected Windows Firewall...the startup type was already set at automatic.

    (2) C:\documents and settings\administrator\local settings\temp does not contain a folder named WERab5b.dir00, instead was a folder named WPDNSE, but it contained nothing.

    (3) Some problems running ActiveScan, I hope the scan below is OK, if not I will re-run it if you want. When I clicked on the scan button, it did want to install an ActiveX component, but it was a Firefox plug-in. Although I do also have Firefox on my machine, my default browser is IE8. Trying to run the downloaded .exe just put me into a loop where the program kept flashing the "need to download the ActiveX component", I would, try to run it, then back to the "need to download" window. Maybe the fact I have an older version of Firefox also on the machine prompted the plug-in requirement? Anyway I couldn't get out of the loop with IE8, so I exited, launched Firefox, downloaded the plug-in, and started the scan.

    45 minutes into the scan, I realized I hadn't disabled any AV or spyware software when an AVG infected file window popped up, having caught some malware. I told it to move the files to the Virus Vault, then disabled AVG and everything else.

    A while later the scan was interrupted by Firefox asking to download an update, which I did not let happen. By this time ActiveScan had detected infections also, so I let it finish. There are some trojans and worms indicated as latent in old Restore Points, as the log below shows. I have also included a screen shot of the AVG Virus Vault showing what was caught. It looks like those were part of a System Restore Point also.
    Kind of a messy scan, I know but having invested nearly 90 minutes into it (it scanned over 1 million files!) I thought I would post it. I'll be happy to run it again if necessary though.

    Question...is it alright to catch up on the Windows updates now that that function is operational again, or should I wait to avoid adding more variables into the mix? I am quite a ways behind (12-14 updates) but I'll do exactly as you say to do...

    Here's the ActiveScan Log, the attached screen shot is of the AVG Virus Vault.

    Slider

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-12-06 16:20:30
    PROTECTIONS: 1
    MALWARE: 12
    SUSPECTS: 1
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    AVG Anti-Virus Free 9.0 Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@doubleclick[3].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@doubleclick[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@atdmt[2].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@atdmt[1].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@mediaplex[2].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@ad.yieldmanager[1].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@apmebf[1].txt
    00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@go[1].txt
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{b393ec5f-dd6b-4bf4-900e-5239fddab7a4}\rp480\a0127665.sys
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{b393ec5f-dd6b-4bf4-900e-5239fddab7a4}\rp471\a0120696.exe
    04568961 Adware/TotalSecurity2009 Adware No 0 Yes No c:\system volume information\_restore{b393ec5f-dd6b-4bf4-900e-5239fddab7a4}\rp471\a0120694.exe
    05630480 Trj/Hmir.F Virus/Trojan No 0 Yes No c:\system volume information\_restore{b393ec5f-dd6b-4bf4-900e-5239fddab7a4}\rp477\a0125001.exe
    05692338 W32/Spamta.QO.worm Virus/Worm No 0 Yes No c:\system volume information\_restore{b393ec5f-dd6b-4bf4-900e-5239fddab7a4}\rp471\a0120695.exe
    05706056 Trj/Zlob.KH Virus/Trojan No 1 Yes No c:\system volume information\_restore{b393ec5f-dd6b-4bf4-900e-5239fddab7a4}\rp472\a0124764.exe
    05706056 Trj/Zlob.KH Virus/Trojan No 1 Yes No c:\system volume information\_restore{b393ec5f-dd6b-4bf4-900e-5239fddab7a4}\rp472\a0124765.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No c:\program files\answersthatwork\troubleshooter\tut_updater.exe
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    215048 HIGH MS09-065
    214076 HIGH MS09-059
    971486 HIGH MS09-058
    214074 HIGH MS09-057
    214073 HIGH MS09-056
    ;===================================================================================================================================================================================
  • edited December 2009
    Go to Start > Run
    Type in box

    combofix /uninstall

    Note: the space between the X and the /uninstall

    Press Enter.

    This command will:

    Delete the following:
    ComboFix and its associated files and folders.
    VundoFix backups, if present
    The C:\Deckard folder, if present
    The C:\_OtMoveIt folder, if present

    Reset the clock settings.
    Hide file extensions, if required.
    Hide System/Hidden files, if required.
    Reset System Restore.



    Let me know if you are still experiencing:
    (1) The firewall problem
    (2) Generic Host Process error window
    (3) Any other problems
  • Slider51Slider51 Michigan USA New
    edited December 2009
    ComboFix uninstall is done. The firewall issue is fixed, sort of...as long as I have the "Do not allow exceptions" box checked, everything acts right. If I uncheck this box, however, I immediately get the "Firewall is off" warning in the system tray, the Security Center shows the firewall as off, even though the selector is set to "ON". There are no exceptions listed on the exception screen, either. It seems to me there were at one time, although I never entered any.

    The Generic Host Process error window still comes up on every boot.

    The computer runs very crisply again and I know of no other problems. Over the last couple of years, I have accumulated several scan and repair software packages and other tools. Some are freeware and shareware, some I have purchased. I know it's not good to have multiple AV and/or anti-spyware programs running. When we're all finished with the items above, I'd really like to have you go over the list of what I have and recommend which to get rid of and which to keep. I know a lot of it is user preference, but it seems there is a huge difference in effectiveness. I was amazed at MBAM finding a ton of infections that were passed over literally dozens of times by some other big name software. I am really due for an expert look at my overall security solution and how good or bad it is for my typical web usage.

    Thank you again, Chiaz...waiting for further instructions.

    Slider
  • edited December 2009
    If you do a Google search for Generic Host Process for Win32 Error, you will find this error is a common complaint by many users with no single solution. What works for one person may not work for another.
    That error message can be due to a variety of reasons, and I would say in this case it is not malware-related.
    You may want to post about it here for more techs to put in their input:
    http://icrontic.com/forum/forumdisplay.php?f=32

    I have no problem with giving you a few recommendations on your security set-up. :)
  • Slider51Slider51 Michigan USA New
    edited December 2009
    OK, I'll post over there and see what comes up. Question though...am I likely to run into any issues leaving the "No Exceptions" box checked on the firewall? Is that the optimum way to run? Seems to me somewhere down the line I'm going to run into a problem with legitimate processes being blocked. As I said, it seems that when this computer was new, there were a few exceptions listed and the No Exceptions box was unchecked.

    Thank you so very much for all your help. Like the vast majority of computer users today, there is simply no way I can keep up with the technical side of maintaining just the two PCs we have here. Without true professionals as yourself, and your amazing knowledge, the lowlife scum that write the malware would eventually take our computers over and relegate them to useless boxes of headaches.

    I hope that all who have been following this thread realize that Chiaz and all the techs on this site are volunteering their time and effort for our benefit and deserve all the praise and respect we can give them... This kind of expertise is only available one other way, and that is to pay an IT tech hundreds of dollars an hour.

    This forum is invaluable, and I've been to many other forums with no value. Icrontic rules!!

    I'm running short of time right now but tonight I will post a list of what programs I have/run to have you help me trim things down to a good level.

    Thank you once again Chiaz, you rock!!

    Slider
  • edited December 2009
    Hi Slider51,

    Thanks for the kind comments.

    Windows Security Center is known to be inaccurate sometimes, so I won't really worry about whatever it detects (and not detects). If this is bugging you, you can disable the Security Center as it merely serves a monitoring function.

    What I'm really interested to know is whether Windows Firewall is functioning OK. So go to Command Prompt, and type: netsh firewall
    Then type: Netsh firewall show state
    Let me know what this comes up with.

    When you select the Don't allow exceptions check box, Windows Firewall blocks all unsolicited requests to connect to your computer, including requests to programs or services selected on the Exceptions tab. When you select Don't allow exceptions, you can still send and receive e-mail, use an instant messaging program, and view most Web pages. The most common exceptions that people 'tick' are P2P programs, games, that sort of thing.

    I hope that answers your questions so far...let me know if you need more clarification or help. Also let's see what that command turns up OK.
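    The check chiaz asks for above (`netsh firewall show state`) produces a small key/value report on XP, and the two lines that matter are "Operational mode" (is the firewall enforcing at all) and "Exception mode" (is the "Don't allow exceptions" box ticked). The script below is an added example, not something posted in this thread: it parses that report and summarises what it means, so the same question can be answered from a pasted log instead of eyeballing it. The sample output `SAMPLE_STATE` is constructed in the shape of the XP command's output, and the function names `parse_state`, `assess` and `live_state` are this example's own.

```python
"""Parse 'netsh firewall show state' (Windows XP era) and summarise it.

Added example. SAMPLE_STATE is constructed to match the layout of that
command's output; it was not captured from the machine in the thread.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample: firewall on, "Don't allow exceptions" ticked, no open ports.
SAMPLE_STATE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Disable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.
"""


@dataclass
class FirewallState:
    profile: str
    operational: bool          # True when "Operational mode = Enable"
    exceptions_allowed: bool   # False means "Don't allow exceptions" is ticked
    remote_admin: bool         # "Remote admin mode" (inbound RPC/WMI admin traffic)
    open_ports: list = field(default_factory=list)  # (port, proto, program)


# "Key   = Value" lines of the status block.
KEY_VALUE = re.compile(r"^(?P<key>[A-Za-z/ ]+?)\s*=\s*(?P<value>.+?)\s*$")
# Rows of the open-ports table, e.g. "135    TCP       IPv4     Remote Procedure Call".
PORT_LINE = re.compile(r"^(?P<port>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<ver>\S+)\s+(?P<prog>.+)$")


def parse_state(text: str) -> FirewallState:
    """Turn the raw command output into a FirewallState."""
    fields = {}
    ports = []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value")
            continue
        p = PORT_LINE.match(line)
        if p:
            ports.append((int(p.group("port")), p.group("proto"), p.group("prog")))

    def enabled(key: str) -> bool:
        return fields.get(key, "").strip().lower() == "enable"

    return FirewallState(
        profile=fields.get("Profile", "unknown"),
        operational=enabled("Operational mode"),
        exceptions_allowed=enabled("Exception mode"),
        remote_admin=enabled("Remote admin mode"),
        open_ports=ports,
    )


def assess(state: FirewallState) -> list:
    """Plain-English findings, the way a helper would read the log back."""
    findings = []
    if not state.operational:
        findings.append("firewall is NOT enforcing (Operational mode is not Enable)")
    elif not state.exceptions_allowed:
        findings.append("firewall on with 'Don't allow exceptions': all unsolicited inbound connections are blocked")
    else:
        findings.append("firewall on; programs/ports on the Exceptions tab are reachable")
    if state.remote_admin:
        findings.append("remote administration is enabled; inbound admin traffic is allowed")
    for port, proto, prog in state.open_ports:
        findings.append(f"inbound {proto} port {port} is open for {prog}")
    return findings


def live_state() -> FirewallState:
    """Run the command on a Windows XP-era host (not used by the sample run)."""
    out = subprocess.run(["netsh", "firewall", "show", "state"],
                         capture_output=True, text=True, check=True).stdout
    return parse_state(out)


if __name__ == "__main__":
    for finding in assess(parse_state(SAMPLE_STATE)):
        print("-", finding)
```

    With the constructed sample the script reports the firewall as on with no exceptions allowed, which is the state Slider51 describes running in; an "Operational mode = Disable" line is the one result that would actually mean the firewall is off, whatever the Security Center icon says.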
  • Slider51Slider51 Michigan USA New
    edited December 2009
    OK Chiaz,

    Check the two attachments for the firewall info. One is "Firewall State" and the other is "Firewall Config".

    This reminds me of a question I have had for a long time. I get my ISP by high speed cable through a cable modem, then through a DLink EBR-2310 Router. We have 2 PCs that are not networked, the router just serves as a splitter for the cable service. The question is, if both PCs are behind a firewall router, do I even need to run the Windows firewall? For just over 3 years, I ran with the Win firewall turned off, behind a LinkSys firewall router. A couple months back the LinkSys died, so I bought the DLink. I seem to get different answers from different people on this question. If I have the Win firewall on, isn't that just a redundancy and couldn't running both firewalls together cause a conflict?

    Okay on to the software I have had and what I have now:

    Stuff I have tried:

    NAV - huge resource hog, costly, no support without paying and paying and paying. I uninstalled the whole deal a couple years ago.

    SpyBot S & D - Didn't seem to catch everything, quirky when running. Uninstalled.

    Spyware Doctor - Way too much running in the background. Quirky slow startup, caused a lot of hangs. Detected almost everything, but often could not repair what it caught. Uninstalled.

    What I have now and how I run it:

    AVG Free (latest version) - I run this as my only AV protection. Resident Shield, Anti-Virus, Anti-Spyware, Link Scanner, E-mail scanner, and License components are all active. I disable the auto-update, I update and scan every other day or so. Question: Are all these components that I am running really necessary? Which ones are hype and which ones are true protection?

    ParetoLogic - A suite I bought that includes Anti-Spyware, a Data Recovery tool, DriverCure, and Privacy Manager. The anti-spyware seems to catch a bit more than the average AS package. Always running as my primary Spyware solution. DriverCure is a sweet tool that identifies all out of date drivers on the entire system and enables downloading and installing new drivers right from the console. I love this. I haven't had occasion to use Data Recovery, and the Privacy Manager basically just repackages the Windows Privacy settings in a Pareto console. I really like this package as the individual tools can be started and stopped independently, and, the Anti-Spyware is barely noticeable from a performance standpoint.

    RegCure - the third registry cleaner/maintenance tool I have bought, and the best. Quick scans, and every time I use it the machine runs like brand new again. Never had any problems from using it (that I know of).

    RUBotted - Just downloaded this a week ago ... Is it worth keeping and running occasionally?

    CWShredder - Same as RUBotted - just downloaded it - worth keeping and running once in a while?

    MBAM - I am amazed at the power of this package to ferret malware out that other software never saw. I am considering buying the full version. Should I replace Pareto with this? Can I count on it as my only malware solution? Or should I keep both this and Pareto and only let one run in the background with the other as a second scan? I know this is a highly respected package amongst tekkies, and it probably is heads above the likes of Pareto, SpyBot, SD, etc., but can I afford to put all my eggs in one basket?

    TUT (The Ultimate Troubleshooter) - I bought this 18 months ago to try to get a handle on exactly what was running in the background all the time and what is necessary and what isn't. I have to say I like the package as it gives you lots of layman-level info on each application that is running, what it does, and recommendations as to whether to let something run, disable it, change startup modes to auto, or manual, etc. I have used it to identify viruses in the past. It's no longer current, I need to buy the next year if I want to continue.

    CCleaner, ERUNT, RSIT... leftovers from your efforts and those of Katana earlier this year who helped me rid my machine of Rogue Cyber-Defender software and the trojans they gave me to sell me the product. I confess I don't know what any of these do. Are they something I can learn and use myself for virus and malware attacks, or are these better left to you guys like ComboFix is?

    Various ISP Stuff - ISP is Comcast - they are forever adding/offering e-mail scanners, McAfee stuff, and other security programs. So far, I have stayed away from any of their stuff because I don't like someone else controlling my protection solutions. Wouldn't activating anything they have just cause conflicts with whatever else I'm already running?

    Most of these programs are on my machine as a result of previous virus/malware attacks, where working by myself I would identify what malware I had, then start Googling for software to fix it.

    The goal in this exercise is to have you help me put together a streamlined but solid protection package out of these programs (or others you recommend) and get rid of anything else that is either just hype or has little value. One thing - I have no sentimental attachment to any of these programs, even if I paid for them. No need to hold back on any comments to spare my feelings. I just want to run what the smart guys run and make sure I have no conflicts between any of the packages.

    I am very fortunate to have found Icrontic earlier this year. You guys are all the greatest...

    Slider
  • edited December 2009
    Hi Slider51,

    Looks like Windows Firewall is running fine, so I won't worry about it.


    First for your firewall question.
    Windows Firewall is a software firewall.
    Your router is a hardware firewall.
    It is true that running multiple software firewalls simultaneously can cause conflicts, but it is perfectly fine to run a software firewall and hardware firewall together, after all they run on different levels.
    In fact, this will increase your protection and it is highly recommended that you run this way.

    I wrote a Firewalls FAQ a few years back, hopefully there's some good information you can peruse here:
    http://www.pchelpforum.com/firewalls/21874-firewalls-faq.html

    =========================
    AV
    AVG is a decent free AV, so I'd keep that. But you could disable the email scanner component, provided you do not use an offline email client such as MS Outlook, Eudora, etc.

    =========================
    AS
    Never used ParetoLogic before, but if it works for you, go for it.

    MBAM actually offers very powerful features already for a freeware version. Activating the full version unlocks realtime protection, scheduled scanning, and scheduled updating. Do you need this? If you don't, maybe you don't need to purchase it. You can simply have it on your computer and run a regular scan with it as you see fit.

    The CWS (CoolWebSearch) infection family that CWShredder gets rid of is horribly outdated.
    As for RUBotted, MBAM is pretty effective at getting rid of bots.
    Hence I would say there's no need to keep CWShredder and RUBotted.

    =========================
    Misc
    Just a note about registry programs which I'm sure you already know about - remember to make a backup before doing any fixing! I've got users who have to resort to a format after the program decided to remove something essential.

    Erunt is basically a Registry Backup Tool, but it runs small so I would keep it if I were you.

    CCleaner basically gets rid of temporary files that you don't require, so it's good for running once in a while. This could make your PC/browser run faster by a little too.

    As for ISP stuff, if they are free grab it (provided you have enough space on your pc)! You could simply disable their real-time protection and use them as on-demand scanners. This will prevent conflicts.

    Not familiar with The Ultimate Troubleshooter, but noticed quite a few good reviews on the Internet about it.

    =========================


    Finally one thing I would recommend to you:
    http://www.sandboxie.com/

    This works on a totally different basis from your regular protection programs: It creates an isolated virtual environment. Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded once you're done with everything.

    I use it personally for my malware research, but I'm sure you can adapt it to your own uses. :)
  • Slider51Slider51 Michigan USA New
    edited December 2009
    Chiaz,

    After a few days, I can say that I believe you have completely solved my problem...thank you...all that is left is the GHP error, and kryyst is helping me with that over on the OS forum.

    My machine runs very crisply again, comparable to when it was new. I'm going to take all your recommendations on my software. Going to keep using AVG and Pareto for spyware running real-time, with MBAM as a back-up scanner. When my Pareto subscription lapses, I'm going to buy the full version of MBAM, which will allow it to run in the background. After seeing how well it performs, I doubt I'll need anything else.

    I appreciate the caution in using Registry cleaners, most techs have related the same cautions, so I always back up the registry before using RegCure. BTW, just for your reference I am absolutely sold on RegCure - it meets or exceeds all its claims, I have found it very easy to use and it always makes a huge difference in speed after a scan.

    And of course after reading up on SandBoxie, I will be buying that this weekend and doing all my sensitive browsing in the sandbox from now on.

    I can't express how much I appreciate your efforts, this has been the most successful experience I have ever had on a tech forum. Everyone here is so helpful and you all know your stuff!

    At least for me, this thread is "resolved". Thanks...

    Slider
  • edited December 2009
    You're welcome Slider. Glad I was able to be of help.

    Moving this to the Resolved section now.