Anti Virus System Pro removal help

Hello,

Per your instructions I have started this thread here for help in removing this off of my computer. As I have stated I purchased a flash drive and downloaded the malware program on it and tried to install it on this infected computer. Each time I go thru the process of installing it actually installs the program. But after installed i double click on the icon it created and nothing happens. I would appreciate any and all help in removint this off of my system.

My laptop is rendered completely usless at this point. I cant use it to download anything or even connect to the internet.

Sorry for the double post!

Thanks,

Rchjr

Hello Rchjr,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

• If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP
  
• If you have any cracked/pirated software in your computer delete them or we will not help you.
  
• Only follow advise from Geek Police Staff and not a regular member.
  
• Do NOT run any tool without Geek Police supervision as it could hinder your system useless.
  

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

I had to download hijack this onto a flash drive. Then I put it on the infected computer. When I try to install it on the infected computer I never get the agreement that I am supposed to see. It does leave an icon on my desk top. I click on it and nothing happens! I never see an installation progess bar or anything. What a am I doing wrong?

Thank for you helop,

Rchjr

See if it works downloading it from here:

http://www.sendspace.com/pro/dl/932rpd

That worked here is the file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:41 PM, on 8/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sectra\IDS5web\bin\viewer_service.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\McAfee\MWL\MwlGui.exe
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
I:\winlogon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CMVideoPlugin - {0D23EE44-2319-4B6C-93D2-A572E0F5B0E0} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: BHO - {F64619FF-E19F-4016-BF9C-147CFF821B46} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Ptipbmf] "rundll32.exe" ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [system tool] C:\Program Files\iiuoww\tlxrsysguard.exe
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SpyHunter] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MWLExe] "C:\PROGRA~1\McAfee\MWL\MwlGui.exe" /Start
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [CNN.Pipeline.Alerter] "C:\Program Files\CNN Pipeline\CNN.VideoNet.App.exe" /cnndriver:startapp alerter
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lsp.dll' missing
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.42/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156489089015
O16 - DPF: {7C705EA9-3C3B-4F3A-B1AA-2184CDFAE4D0} (Viewer Class) - http://www.offsiteimagemanagement.com/IDS5web/install/Setup.exe
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://D:\CDVIEWER\CdViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95AF6E28-54A4-4810-B520-8B17B411C6C6}: NameServer = 85.255.112.143,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFB47ADC-3A7B-40C0-B972-EE9E4C7B1155}: NameServer = 85.255.112.143,85.255.112.203
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.143,85.255.112.203
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.143,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.143,85.255.112.203
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Wireless Security Service (MwlSvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MWL\MwlSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SECTRA Viewer Update Service (viewer_service) - Unknown owner - C:\Program Files\Sectra\IDS5web\bin\viewer_service.exe
O24 - Desktop Component 0: (no name) - http://www.offsiteimagemanagement.com/ids5web/start/gui/title_stripe_bg.gif

--

Hello Rchjr,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

• If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP
  
• If you have any cracked/pirated software in your computer delete them or we will not help you.
  
• Only follow advise from Geek Police Staff and not a regular member.
  
• Do NOT run any tool without Geek Police supervision as it could hinder your system useless.
  

• Open HijackThis.
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
  O4 - HKLM\..\Run: [system tool] C:\Program Files\iiuoww\tlxrsysguard.exe
  O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

I have a question: Once I download malware, you say to up date it. If I download this program on the uninfected computer and there is an update and it updates itself. How do I then get the updated program onto a flash drive so it will install on the infected computer. Am I able to download an updated version of malware onto a flash drive.

I have allready completed the previous step and fixed those problems.

Thanks for your help,

Rchjr

You can do that but you can however download the latest database offline from here and install it in the infected computer when Malwarebytes is already installed:

http://malwarebytes.gt500.org/database.jsp

There appears to be a problem with the second link you provided. It has been stuck at 21% for quite sometime and the time needed to complete the download jumps from 21 seconds to 18 minutes. I have tried this several times and it still is taking for ever, is this normal?

Rchjr

Well I had to update it on the uninfected computer The link you provided was not working. I then saved it to my flash drive. I then installed it onto the infected computer, tried to install it, Looked like it did but will not run! Why is this program not running?

Rchjr

Hello.
Before we can get the big tools out, a lot more has to go first.

• Open HijackThis.
  
• When Hijack This opens, click "Open the Misc Tools section"
  
• Then select "Open Uninstall Manager"
  
• Click on "Save List..." (generates uninstall_list.txt)
  
• Click Save, copy and paste the results in your next post.
  

Ok here is the list it provided:

3DMark05
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0.8
Adobe Shockwave Player
Advanced JPEG Compressor 4.8
AGEIA PhysX v7.07.09
ah Screen Saver
AlienAutopsy
AlienGUIse
Aliens vs. Predator 2
Apple Mobile Device Support
Apple Software Update
ARC996PRO for Uniden BCD996T
ArcSoft VideoImpression 1.6FP
Atheros Client Installation Program
Ballistic Explorer Ver. 6.2.0
BC_VUP
BCD996T_UASD
BisonCam, USB2.0
Bonjour
Brother MFL-Pro Suite
Command & Conquer 3
Command & Conquer Generals
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Crysis(R)
DivX Content Uploader
DivX Web Player
Doks Satellite 6.0
Doom 3
Error Messages for Windows
ESET NOD32 Antivirus
Eudora
Ex2Em-V4-en
FinePixViewer Ver.3.0
FSX Flight Weather Report
FSX_Screensaver
FTDI USB Serial Converter Drivers
FUJIFILM USB Driver
getPlus(R) for Adobe
Ghost Recon Advanced Warfighter
GL Excess v1.2v
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HTvid
IDS5web
ImageMixer for HDD Camcorder
InCD
iolo technologies' System Mechanic
iolo technologies' System Mechanic 6
iTunes
Java(TM) 6 Update 7
LimeWire PRO 4.18.8
Logitech Gaming Software
Malwarebytes' Anti-Malware
McAfee Uninstall Wizard
Medal of Honor Airborne
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2007 Home & Business
Microsoft Money Shared Libraries
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft WSE 2.0 SP3 Runtime
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Nero Digital
Nero OEM
NeroVision Express Content
Notebook Hardware Control 2.0 Pre-Release-04
NovaGPS
PaperPort
ParetoLogic Privacy Controls
PC Wizard 2006.1.691
PowerDVD
ProScan 1.8.2
PunkBuster Services
QuickTime
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
Realtek High Definition Audio Driver
SAMSUNG CDMA Modem Driver Set
Satellite PC
ScanControl
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Skype 4.0
Smart Link 56K Voice Modem
SpeedFan (remove only)
Sprint PCS Connection Manager
SpyHunter
Spyware Doctor 6.1
Star Trek Legacy
Star Wars Empire at War
Star Wars Empire at War Forces of Corruption
Synaptics Pointing Device Driver
System Requirements Lab
Theme Manager
Tom Clancy's Ghost Recon Advanced Warfighter 2
TOPO!
TrunkStar Elite Pro
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Windows Live Safety Scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3

Thanks again for your help,
Rchjr

Hello.

You are running two antivirus', I see from the uninstall list you have NOD32 installed, along with AVG. This is a bad idea as they can conflict and cause more problems. I would recommend that you remove AVG to avoid conflict and other future problems.

Completely Uninstall AVG software

Download and run avgremover.exe

For 32-Bit, Download: avgremover.exe

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

Java(TM) 6 Update 7
LimeWire PRO 4.18.8
McAfee Uninstall Wizard

Next,
Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

Well I was able to remove the avg software as you said. I then downloaded combofix to the flash drive and tried to install it on the infected computer and it would not install. What next?

Rchjr

Did you download as renamed to Combo-Fix?

Yes that was the problem, I feel so stupid. Below is the log combo-fix created:
It says the message was to big so I am ddoing this in parts!


ComboFix 09-08-04.03 - C. Harris 08/05/2009 12:14.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1668 [GMT -7:00]
Running from: I:\Combo-Fix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\CMVideoPlugin
c:\program files\perfect codec
c:\windows\7673d9ac.ocx
c:\windows\80f54c17.ocx
c:\windows\85a58256.ocx
c:\windows\c4e7b72c.ocx
c:\windows\Installer\111349c.msp
c:\windows\Installer\11b08e8.msp
c:\windows\Installer\11ba651.msp
c:\windows\Installer\11fbf73.msp
c:\windows\Installer\1308a76.msp
c:\windows\Installer\1383ba.msp
c:\windows\Installer\13e189.msp
c:\windows\Installer\13ea472.msp
c:\windows\Installer\148797c.msp
c:\windows\Installer\15e1ce.msp
c:\windows\Installer\1980cf.msp
c:\windows\Installer\1af30c.msp
c:\windows\Installer\1b221b.msp
c:\windows\Installer\1b272df.msp
c:\windows\Installer\1ea0d.msp
c:\windows\Installer\1f826.msp
c:\windows\Installer\2070b.msp
c:\windows\Installer\20cb8.msp
c:\windows\Installer\20cd7.msp
c:\windows\Installer\20f96.msp
c:\windows\Installer\21274.msp
c:\windows\Installer\21543.msp
c:\windows\Installer\21572.msp
c:\windows\Installer\2168b.msp
c:\windows\Installer\21737.msp
c:\windows\Installer\218fc.msp
c:\windows\Installer\21999.msp
c:\windows\Installer\219b8.msp
c:\windows\Installer\21a73.msp
c:\windows\Installer\21ad1.msp
c:\windows\Installer\21c58.msp
c:\windows\Installer\21d71.msp
c:\windows\Installer\21ec9.msp
c:\windows\Installer\21ef8.msp
c:\windows\Installer\21f17.msp
c:\windows\Installer\21f26.msp
c:\windows\Installer\21f84.msp
c:\windows\Installer\21f85.msp
c:\windows\Installer\22011.msp
c:\windows\Installer\22040.msp
c:\windows\Installer\220ec.msp
c:\windows\Installer\222a1.msp
c:\windows\Installer\222c0.msp
c:\windows\Installer\222e0.msp
c:\windows\Installer\222ef.msp
c:\windows\Installer\2238b.msp
c:\windows\Installer\22408.msp
c:\windows\Installer\22409.msp
c:\windows\Installer\224d4.msp
c:\windows\Installer\22594.msp
c:\windows\Installer\225fc.msp
c:\windows\Installer\226f6.msp
c:\windows\Installer\227d1.msp
c:\windows\Installer\227f0.msp
c:\windows\Installer\2283f.msp
c:\windows\Installer\229c5.msp
c:\windows\Installer\22a23.msp
c:\windows\Installer\22a90.msp
c:\windows\Installer\22b6b.msp
c:\windows\Installer\22baa.msp
c:\windows\Installer\22fe0.msp
c:\windows\Installer\234ffa.msp
c:\windows\Installer\23510.msp
c:\windows\Installer\2360a.msp
c:\windows\Installer\239c3.msp
c:\windows\Installer\23bb7.msp
c:\windows\Installer\23bb8.msp
c:\windows\Installer\23d0f.msp
c:\windows\Installer\2403b.msp
c:\windows\Installer\24106.msp
c:\windows\Installer\24116.msp
c:\windows\Installer\24154.msp
c:\windows\Installer\24220.msp
c:\windows\Installer\242cb.msp
c:\windows\Installer\24397.msp
c:\windows\Installer\2459a.msp
c:\windows\Installer\24b47.msp
c:\windows\Installer\24c61.msp
c:\windows\Installer\24d99.msp
c:\windows\Installer\2545f.msp
c:\windows\Installer\2550b.msp
c:\windows\Installer\25615.msp
c:\windows\Installer\2573e.msp
c:\windows\Installer\257da.msp
c:\windows\Installer\257f9.msp
c:\windows\Installer\25903.msp
c:\windows\Installer\25a7a.msp
c:\windows\Installer\25a8a.msp
c:\windows\Installer\25b55.msp
c:\windows\Installer\25cdb.msp
c:\windows\Installer\25e62.msp
c:\windows\Installer\25e91.msp
c:\windows\Installer\25eef.msp
c:\windows\Installer\26140.msp
c:\windows\Installer\261ae.msp
c:\windows\Installer\261cd.msp
c:\windows\Installer\26298.msp
c:\windows\Installer\26305.msp
c:\windows\Installer\2648c.msp
c:\windows\Installer\264ea.msp
c:\windows\Installer\265a5.msp
c:\windows\Installer\266827.msp
c:\windows\Installer\26690.msp
c:\windows\Installer\266be0.msp
c:\windows\Installer\2674b.msp
c:\windows\Installer\2678a.msp
c:\windows\Installer\26855.msp
c:\windows\Installer\26910.msp
c:\windows\Installer\2694f.msp
c:\windows\Installer\269bc.msp
c:\windows\Installer\26ac6.msp
c:\windows\Installer\26bcf.msp
c:\windows\Installer\26c9b.msp
c:\windows\Installer\26d08.msp
c:\windows\Installer\26e9e.msp
c:\windows\Installer\26f1b.msp
c:\windows\Installer\26f4a.msp
c:\windows\Installer\270d1.msp
c:\windows\Installer\2718c.msp
c:\windows\Installer\27296.msp
c:\windows\Installer\27351.msp
c:\windows\Installer\27371.msp
c:\windows\Installer\273bf.msp
c:\windows\Installer\2763f.msp
c:\windows\Installer\27759.msp
c:\windows\Installer\2792d.msp
c:\windows\Installer\27a75.msp
c:\windows\Installer\27b21.msp
c:\windows\Installer\27b6f.msp
c:\windows\Installer\27bae.msp
c:\windows\Installer\27d54.msp
c:\windows\Installer\27e5d.msp
c:\windows\Installer\27ecb.msp
c:\windows\Installer\27fc5.msp
c:\windows\Installer\28051.msp
c:\windows\Installer\2814b.msp
c:\windows\Installer\28217.msp
c:\windows\Installer\2865c.msp
c:\windows\Installer\28708.msp
c:\windows\Installer\28870.msp
c:\windows\Installer\2890c.msp
c:\windows\Installer\289e7.msp
c:\windows\Installer\28a64.msp
c:\windows\Installer\29001.msp
c:\windows\Installer\290eb.msp
c:\windows\Installer\29262.msp
c:\windows\Installer\294e3.msp
c:\windows\Installer\2957f.msp
c:\windows\Installer\29699.msp
c:\windows\Installer\296b8.msp
c:\windows\Installer\299a44.msp
c:\windows\Installer\299b5.msp
c:\windows\Installer\299d5.msp
c:\windows\Installer\29aa0.msp
c:\windows\Installer\29ade.msp
c:\windows\Installer\29b61.msp
c:\windows\Installer\2a00e.msp
c:\windows\Installer\2a06e9.msp
c:\windows\Installer\2a2444.msp
c:\windows\Installer\2a30c.msp
c:\windows\Installer\2a406.msp
c:\windows\Installer\2a83c.msp
c:\windows\Installer\2acc0.msp
c:\windows\Installer\2adab.msp
c:\windows\Installer\2b01a4.msp
c:\windows\Installer\2b0f7.msp
c:\windows\Installer\2b1a2.msp
c:\windows\Installer\2b297f.msp
c:\windows\Installer\2b6ba9.msp
c:\windows\Installer\2bdb8.msp
c:\windows\Installer\2bdf7.msp
c:\windows\Installer\2c876.msp
c:\windows\Installer\2c903.msp
c:\windows\Installer\2cccc.msp
c:\windows\Installer\2cf9a.msp
c:\windows\Installer\2d0d3.msp
c:\windows\Installer\2d1fc.msp
c:\windows\Installer\2dd75.msp
c:\windows\Installer\2ddc3.msp
c:\windows\Installer\2e332.msp
c:\windows\Installer\2e5c2.msp
c:\windows\Installer\2e6ad.msp
c:\windows\Installer\2e70a.msp
c:\windows\Installer\2e8fe.msp
c:\windows\Installer\2eb02.msp
c:\windows\Installer\2ec2b.msp
c:\windows\Installer\2ee1f.msp
c:\windows\Installer\2ee3e.msp
c:\windows\Installer\2ef28.msp
c:\windows\Installer\2f35f.msp
c:\windows\Installer\2f5df.msp
c:\windows\Installer\2f61e.msp
c:\windows\Installer\2f6ca.msp
c:\windows\Installer\2f850.msp
c:\windows\Installer\2f860.msp
c:\windows\Installer\2f9a8.msp
c:\windows\Installer\2fd03.msp
c:\windows\Installer\2ff94.msp
c:\windows\Installer\30139.msp
c:\windows\Installer\30783.msp
c:\windows\Installer\30948.msp
c:\windows\Installer\30b4c.msp
c:\windows\Installer\30f43.msp
c:\windows\Installer\3106c.msp
c:\windows\Installer\31195.msp
c:\windows\Installer\3136a.msp
c:\windows\Installer\313d7.msp
c:\windows\Installer\31425.msp
c:\windows\Installer\31acc.msp
c:\windows\Installer\31d7c.msp
c:\windows\Installer\32154.msp
c:\windows\Installer\321a2.msp
c:\windows\Installer\324bf.msp
c:\windows\Installer\324ee.msp
c:\windows\Installer\3258a.msp
c:\windows\Installer\326b3.msp
c:\windows\Installer\327ad.msp
c:\windows\Installer\328a7.msp
c:\windows\Installer\32b57.msp
c:\windows\Installer\32e16.msp
c:\windows\Installer\33154.msp
c:\windows\Installer\3325c.msp
c:\windows\Installer\333a4.msp
c:\windows\Installer\33615.msp
c:\windows\Installer\33ae7.msp
c:\windows\Installer\33b83.msp
c:\windows\Installer\33c10.msp
c:\windows\Installer\34075.msp
c:\windows\Installer\340c3.msp
c:\windows\Installer\340d3.msp
c:\windows\Installer\34150.msp
c:\windows\Installer\34509.msp
c:\windows\Installer\3468f.msp
c:\windows\Installer\34d08.msp
c:\windows\Installer\35276.msp
c:\windows\Installer\35313.msp
c:\windows\Installer\35370.msp
c:\windows\Installer\3546a.msp
c:\windows\Installer\35891.msp
c:\windows\Installer\3590e.msp
c:\windows\Installer\35ac3.msp
c:\windows\Installer\35b11.msp
c:\windows\Installer\35bfc.msp
c:\windows\Installer\35c79.msp
c:\windows\Installer\35eda.msp
c:\windows\Installer\360de.msp
c:\windows\Installer\361f7.msp
c:\windows\Installer\363bc.msp
c:\windows\Installer\364c6.msp
c:\windows\Installer\36746.msp
c:\windows\Installer\36795.msp
c:\windows\Installer\36d80.msp
c:\windows\Installer\36e0d.msp
c:\windows\Installer\36f36.msp
c:\windows\Installer\36f93.msp
c:\windows\Installer\3709d.msp
c:\windows\Installer\3735c.msp
c:\windows\Installer\37418.msp
c:\windows\Installer\3781f.msp
c:\windows\Installer\3789c.msp
c:\windows\Installer\37c36.msp
c:\windows\Installer\37e0b.msp
c:\windows\Installer\3806c.msp
c:\windows\Installer\38b0b.msp
c:\windows\Installer\38e76.msp
c:\windows\Installer\38f12.msp
c:\windows\Installer\3905a.msp
c:\windows\Installer\3927d.msp
c:\windows\Installer\39694.msp
c:\windows\Installer\39c02.msp
c:\windows\Installer\3a29a.msp
c:\windows\Installer\3a99f.msp
c:\windows\Installer\3aa0c.msp
c:\windows\Installer\3accb.msp
c:\windows\Installer\3b094.msp
c:\windows\Installer\3b22a.msp
c:\windows\Installer\3b557.msp
c:\windows\Installer\3b94e.msp
c:\windows\Installer\3bad5.msp
c:\windows\Installer\3bcf8.msp
c:\windows\Installer\3bd75.msp
c:\windows\Installer\3bdf2.msp
c:\windows\Installer\3be50.msp
c:\windows\Installer\3c082.msp
c:\windows\Installer\3c545.msp
c:\windows\Installer\3c546.msp
c:\windows\Installer\3d0007.msp
c:\windows\Installer\3d0be.msp
c:\windows\Installer\3e2cf.msp
c:\windows\Installer\3e5cd.msp
c:\windows\Installer\3e734.msp
c:\windows\Installer\40079.msp
c:\windows\Installer\4019d9.msp
c:\windows\Installer\42305.msp
c:\windows\Installer\42fc7.msp
c:\windows\Installer\441e7.msp
c:\windows\Installer\44274.msp
c:\windows\Installer\44821.msp
c:\windows\Installer\4559e.msp
c:\windows\Installer\47d79a.msp
c:\windows\Installer\49d75.msp
c:\windows\Installer\4abbd.msp
c:\windows\Installer\4d392a.msp
c:\windows\Installer\4e7dfe.msp
c:\windows\Installer\4edb8.msp
c:\windows\Installer\51979b8.msp
c:\windows\Installer\52ded.msp
c:\windows\Installer\5627a.msp
c:\windows\Installer\585b2.msp
c:\windows\Installer\58fa5.msp
c:\windows\Installer\59e6a.msp
c:\windows\Installer\5ac16.msp
c:\windows\Installer\5b2fc.msp
c:\windows\Installer\5c25d.msp
c:\windows\Installer\5c952.msp
c:\windows\Installer\5cf0f.msp
c:\windows\Installer\5d72d.msp
c:\windows\Installer\5e595.msp
c:\windows\Installer\5ecc8.msp
c:\windows\Installer\5fcd6.msp
c:\windows\Installer\611d5.msp
c:\windows\Installer\62010c.msp
c:\windows\Installer\6290d9.msp
c:\windows\Installer\6498e.msp
c:\windows\Installer\65d882.msp
c:\windows\Installer\66ef9.msp
c:\windows\Installer\69da05.msp
c:\windows\Installer\6fec19.msp
c:\windows\Installer\78ba7e.msp
c:\windows\Installer\7ca155.msp
c:\windows\Installer\839405.msp
c:\windows\Installer\8c0c6a.msp
c:\windows\Installer\8f4d4d.msp
c:\windows\Installer\8f7288.msp
c:\windows\Installer\951ae.msp
c:\windows\Installer\95d879.msp
c:\windows\Installer\9c17d6.msp
c:\windows\Installer\9d7db0.msp
c:\windows\Installer\9d7dd6.msp
c:\windows\Installer\9d7de7.msp
c:\windows\Installer\a3fff87.msp
c:\windows\Installer\aea5f6.msp
c:\windows\Installer\b02a34.msp
c:\windows\Installer\b0e41e.msp
c:\windows\Installer\b1612.msp
c:\windows\Installer\cf517c.msp
c:\windows\Installer\ddc224.msp
c:\windows\Installer\eeee42.msp
c:\windows\Installer\f66d15.msp
c:\windows\ios.dat
c:\windows\syssvc.exe
c:\windows\system32\7158fcfb.ocx
c:\windows\system32\92cb8819.ocx
c:\windows\system32\drivers\ESQULmneoaxvukyxjcxdkjbotoqvpxctpejnl.sys
c:\windows\system32\ef841279.ocx
c:\windows\system32\ESQULmpqdxuqpqegxvmokitdcdwtphytarmfv.dll
c:\windows\system32\ESQULoptnvafxiibersivibhysetewigdfbui.dll
c:\windows\system32\ESQULzcounter
c:\windows\system32\iehelper.dll
c:\windows\system32\mfc45.dll

Here is the another part

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-07-05 to 2009-08-05 )))))))))))))))))))))))))))))))
.

2009-08-02 20:22 . 2009-08-02 20:22 -------- d-----w- c:\program files\Trend Micro
2009-08-02 02:03 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-02 02:03 . 2009-08-04 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-02 02:03 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 21:17 . 2009-07-31 21:17 -------- d-----w- c:\program files\iiuoww
2009-07-31 17:53 . 2009-07-31 17:53 -------- d-----w- c:\program files\HTvid
2009-07-28 21:23 . 2009-07-30 21:32 -------- d-----w- c:\documents and settings\C. Harris\Application Data\Apple Computer
2009-07-28 21:22 . 2009-03-19 23:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-28 21:22 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\program files\iPod
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\program files\iTunes
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\program files\Bonjour
2009-07-28 21:21 . 2009-07-28 21:22 -------- d-----w- c:\program files\QuickTime
2009-07-28 21:21 . 2009-07-28 21:21 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple Computer
2009-07-28 21:21 . 2009-07-28 21:21 -------- d-----w- c:\documents and settings\C. Harris\Local Settings\Application Data\Apple
2009-07-28 21:21 . 2009-07-28 21:21 -------- d-----w- c:\program files\Apple Software Update
2009-07-28 21:20 . 2009-07-28 21:20 -------- d-----w- c:\program files\Common Files\Apple
2009-07-28 21:20 . 2009-07-28 21:20 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple
2009-07-28 21:20 . 2009-07-28 21:23 -------- d-----w- c:\documents and settings\C. Harris\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 01:22 . 2006-08-19 07:33 -------- d-----w- c:\documents and settings\C. Harris\Application Data\Petroglyph
2009-08-05 01:22 . 2005-06-23 16:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 01:22 . 2006-08-19 07:22 -------- d-----w- c:\program files\LucasArts
2009-08-05 01:06 . 2007-05-12 16:20 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-05 00:28 . 2009-05-26 22:38 -------- d-----w- c:\documents and settings\C. Harris\Application Data\Skype
2009-08-05 00:21 . 2008-11-24 01:48 -------- d-----w- c:\documents and settings\C. Harris\Application Data\skypePM
2009-07-22 20:10 . 2008-09-22 04:15 -------- d-----w- c:\documents and settings\C. Harris\Application Data\LimeWire
2009-07-12 07:33 . 2006-08-12 06:35 24032 ----a-w- c:\documents and settings\C. Harris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 04:21 . 2008-07-17 05:10 -------- d-----w- c:\program files\Common Files\Real
2009-07-06 04:20 . 2009-07-06 04:20 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-06 04:20 . 2009-07-06 04:20 -------- d-----w- c:\program files\Real
2009-07-06 04:20 . 2003-03-19 05:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-06 04:20 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-05 22:47 . 2007-02-22 22:19 -------- d-----w- c:\program files\SpeedFan
2009-06-30 23:39 . 2006-10-23 03:18 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-06-30 23:39 . 2006-10-23 03:18 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-06-30 23:39 . 2006-10-23 03:18 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-06-26 16:50 . 2004-08-04 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 03:50 . 2009-06-02 03:50 612 ----a-w- c:\windows\eReg.dat
2008-10-29 03:42 . 2008-10-29 03:42 109 --sha-w- c:\windows\system32\2351735403.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-19 39408]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [2006-12-20 557056]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2005-02-17 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-05-06 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-05-06 708698]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-09 7561216]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-06 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SystemGuardAlerter"="c:\program files\iolo\System Mechanic 6\SystemGuardAlerter.exe" [2006-12-20 386048]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-27 49152]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ACU"="c:\program files\Atheros\ACU.exe" [2006-03-26 335961]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2005-05-05 118784]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-08-13 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-03-09 1519616]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-02-17 14848]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-05-06 2748928]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-05-06 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^C. Harris^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
path=c:\documents and settings\C. Harris\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter.LNK
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ioloDelayModule
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Sprint PCS v3 Utility Service"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"ProductivITService"=2 (0x2)
"PnkBstrA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\MWL\\MWLSvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/13/2008 4:52 PM 33800]
R1 TeksKernel;TeksKernel;c:\windows\system32\drivers\TeksKernel.sys [7/8/2004 2:14 PM 9060]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472320]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/14/2008 9:31 PM 596336]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/14/2008 9:31 PM 596336]
R2 viewer_service;SECTRA Viewer Update Service;c:\program files\Sectra\IDS5web\bin\viewer_service.exe [11/12/2007 7:05 PM 24628]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\SLDRV\slazldrv.sys [5/5/2005 6:33 PM 230448]
S3 1012NDS5;1012NDS5 NDIS Protocol Driver;c:\windows\system32\1012NDS5.sys [3/11/2003 3:33 PM 15872]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [1/13/2009 9:19 PM 33752]
S4 ProductivITService;ProductivIT Service;c:\program files\AlienAutopsy\TEKS_Service.exe [7/8/2004 2:22 PM 77824]

Here is the last part:

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
- - - - ORPHANS REMOVED - - - -

BHO-{F64619FF-E19F-4016-BF9C-147CFF821B46} - c:\windows\system32\iehelper.dll
HKCU-Run-CNN.Pipeline.Alerter - c:\program files\CNN Pipeline\CNN.VideoNet.App.exe
HKLM-Run-SpyHunter - c:\progra~1\Grisoft\AVG7\avgcc.exe
HKLM-Run-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
SharedTaskScheduler-IPC Configuration Utility - (no file)


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.cnn.com/
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.cnn.com/
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel
IE: Open using &Advanced JPEG Compressor - c:\program files\Advanced JPEG Compressor\ajcieex.htm
DPF: {7C705EA9-3C3B-4F3A-B1AA-2184CDFAE4D0} - hxxp://www.offsiteimagemanagement.com/IDS5web/install/Setup.exe
DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file://d:\cdviewer\CdViewer.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-05 12:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\documents and settings\C. Harris\Desktop\GetThermal_for_SAGER
[1].CLEVO.KAPOK\winio.sys"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WINIO]
"ImagePath"="\??\c:\documents and settings\C. Harris\Desktop\GetThermal_for_SAGER
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3740775528-3358379298-2972928916-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-3740775528-3358379298-2972928916-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a6,11,e5,54,e3,56,1f,51,48,57,d6,ec,34,d2,aa,b5,14,f2,ca,83,7e,a0,80,
f5,90,52,ad,c9,0a,10,31,32,12,51,91,19,77,ca,a9,25,98,12,b4,c4,4e,6c,f2,14,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\program files\AlienGUIse\fastload.dll
c:\program files\iolo\Common\Lib\sguard.dll

- - - - - - - > 'lsass.exe'(1052)
c:\program files\iolo\Common\Lib\sguard.dll

- - - - - - - > 'explorer.exe'(3480)
c:\program files\iolo\Common\Lib\sguard.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(972)
c:\program files\iolo\Common\Lib\sguard.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\iolo\System Mechanic 6\IoloSGCtrl.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\McAfee\MWL\MWLSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\slserv.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-08-05 12:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-05 19:39

Pre-Run: 56,548,380,672 bytes free
Post-Run: 56,473,346,048 bytes free

616 --- E O F --- 2009-08-05 19:36

Thanks for your help. I will make a donation when done.

Rchjr

Hello.

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\program files\iiuoww
c:\documents and settings\C. Harris\Application Data\LimeWire

File::
c:\windows\system32\2351735403.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
"AntiVirusOverride"=-
"FirewallOverride"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

Here is the second combi-fix log:

ComboFix 09-08-04.03 - C. Harris 08/06/2009 12:37.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1555 [GMT -7:00]
Running from: I:\Combo-Fix.exe
Command switches used :: c:\documents and settings\C. Harris\Desktop\CFScript.txt.lnk
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\2765f.msp
c:\windows\Installer\4a247.msp

.
((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-02 20:22 . 2009-08-02 20:22 -------- d-----w- c:\program files\Trend Micro
2009-08-02 02:03 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-02 02:03 . 2009-08-04 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-02 02:03 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 21:17 . 2009-07-31 21:17 -------- d-----w- c:\program files\iiuoww
2009-07-31 17:53 . 2009-07-31 17:53 -------- d-----w- c:\program files\HTvid
2009-07-28 21:23 . 2009-07-30 21:32 -------- d-----w- c:\documents and settings\C. Harris\Application Data\Apple Computer
2009-07-28 21:22 . 2009-03-19 23:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-28 21:22 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\program files\iPod
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\program files\iTunes
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\program files\Bonjour
2009-07-28 21:21 . 2009-07-28 21:22 -------- d-----w- c:\program files\QuickTime
2009-07-28 21:21 . 2009-07-28 21:21 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple Computer
2009-07-28 21:21 . 2009-07-28 21:21 -------- d-----w- c:\documents and settings\C. Harris\Local Settings\Application Data\Apple
2009-07-28 21:21 . 2009-07-28 21:21 -------- d-----w- c:\program files\Apple Software Update
2009-07-28 21:20 . 2009-07-28 21:20 -------- d-----w- c:\program files\Common Files\Apple
2009-07-28 21:20 . 2009-07-28 21:20 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple
2009-07-28 21:20 . 2009-07-28 21:23 -------- d-----w- c:\documents and settings\C. Harris\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 01:22 . 2006-08-19 07:33 -------- d-----w- c:\documents and settings\C. Harris\Application Data\Petroglyph
2009-08-05 01:22 . 2005-06-23 16:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 01:22 . 2006-08-19 07:22 -------- d-----w- c:\program files\LucasArts
2009-08-05 01:06 . 2007-05-12 16:20 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-05 00:28 . 2009-05-26 22:38 -------- d-----w- c:\documents and settings\C. Harris\Application Data\Skype
2009-08-05 00:21 . 2008-11-24 01:48 -------- d-----w- c:\documents and settings\C. Harris\Application Data\skypePM
2009-07-22 20:10 . 2008-09-22 04:15 -------- d-----w- c:\documents and settings\C. Harris\Application Data\LimeWire
2009-07-12 07:33 . 2006-08-12 06:35 24032 ----a-w- c:\documents and settings\C. Harris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 04:21 . 2008-07-17 05:10 -------- d-----w- c:\program files\Common Files\Real
2009-07-06 04:20 . 2009-07-06 04:20 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-06 04:20 . 2009-07-06 04:20 -------- d-----w- c:\program files\Real
2009-07-06 04:20 . 2003-03-19 05:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-06 04:20 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-05 22:47 . 2007-02-22 22:19 -------- d-----w- c:\program files\SpeedFan
2009-06-30 23:39 . 2006-10-23 03:18 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-06-30 23:39 . 2006-10-23 03:18 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-06-30 23:39 . 2006-10-23 03:18 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-06-26 16:50 . 2004-08-04 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 03:50 . 2009-06-02 03:50 612 ----a-w- c:\windows\eReg.dat
2008-10-29 03:42 . 2008-10-29 03:42 109 --sha-w- c:\windows\system32\2351735403.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-08-05_19.33.04 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-19 39408]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [2006-12-20 557056]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2005-02-17 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-05-06 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-05-06 708698]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-09 7561216]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-06 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SystemGuardAlerter"="c:\program files\iolo\System Mechanic 6\SystemGuardAlerter.exe" [2006-12-20 386048]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-27 49152]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ACU"="c:\program files\Atheros\ACU.exe" [2006-03-26 335961]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2005-05-05 118784]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-08-13 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-03-09 1519616]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-02-17 14848]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-05-06 2748928]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-05-06 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^C. Harris^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
path=c:\documents and settings\C. Harris\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter.LNK
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Sprint PCS v3 Utility Service"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"ProductivITService"=2 (0x2)
"PnkBstrA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\MWL\\MWLSvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/13/2008 4:52 PM 33800]
R1 TeksKernel;TeksKernel;c:\windows\system32\drivers\TeksKernel.sys [7/8/2004 2:14 PM 9060]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472320]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/14/2008 9:31 PM 596336]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/14/2008 9:31 PM 596336]
R2 viewer_service;SECTRA Viewer Update Service;c:\program files\Sectra\IDS5web\bin\viewer_service.exe [11/12/2007 7:05 PM 24628]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\SLDRV\slazldrv.sys [5/5/2005 6:33 PM 230448]
S3 1012NDS5;1012NDS5 NDIS Protocol Driver;c:\windows\system32\1012NDS5.sys [3/11/2003 3:33 PM 15872]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [1/13/2009 9:19 PM 33752]
S4 ProductivITService;ProductivIT Service;c:\program files\AlienAutopsy\TEKS_Service.exe [7/8/2004 2:22 PM 77824]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.cnn.com/
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.cnn.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel
IE: Open using &Advanced JPEG Compressor - c:\program files\Advanced JPEG Compressor\ajcieex.htm
DPF: {7C705EA9-3C3B-4F3A-B1AA-2184CDFAE4D0} - hxxp://www.offsiteimagemanagement.com/IDS5web/install/Setup.exe
DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file://d:\cdviewer\CdViewer.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 12:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\documents and settings\C. Harris\Desktop\GetThermal_for_SAGER
[1].CLEVO.KAPOK\winio.sys"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WINIO]
"ImagePath"="\??\c:\documents and settings\C. Harris\Desktop\GetThermal_for_SAGER
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3740775528-3358379298-2972928916-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-3740775528-3358379298-2972928916-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a6,11,e5,54,e3,56,1f,51,48,57,d6,ec,34,d2,aa,b5,14,f2,ca,83,7e,a0,80,
f5,90,52,ad,c9,0a,10,31,32,12,51,91,19,77,ca,a9,25,98,12,b4,c4,4e,6c,f2,14,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\program files\AlienGUIse\fastload.dll
c:\program files\iolo\Common\Lib\sguard.dll

- - - - - - - > 'lsass.exe'(1072)
c:\program files\iolo\Common\Lib\sguard.dll

- - - - - - - > 'csrss.exe'(992)
c:\program files\iolo\Common\Lib\sguard.dll
.
Completion time: 2009-08-06 12:44
ComboFix-quarantined-files.txt 2009-08-06 19:44
ComboFix2.txt 2009-08-05 19:39

Pre-Run: 56,425,750,528 bytes free
Post-Run: 56,376,803,328 bytes free

206 --- E O F --- 2009-08-06 19:30

Belahzur wrote:

Hello.

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\program files\iiuoww
c:\documents and settings\C. Harris\Application Data\LimeWire

File::
c:\windows\system32\2351735403.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
"AntiVirusOverride"=-
"FirewallOverride"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

Hello, it seems that you didn't copy all the contents in the box, please run ComboFix again and make sure you copy all the contents in the box.

When I try to drag and drop CFScript.txt into combo-fix again it tells me that it is inncorrectly spelled, it is spelled right. I have tried this 6 times. So I decided that i would delete the desktop icon for combo fix and put another one there. Now when I drag and drop CFScript.txt into combo-fix it tells me that I cant rename combofix to combo-fix, to use something preferrabley something made up of alpha numeric characters. What is going on? What am I doing wrong?

Thanks for your help,

Rchjr

Hello
That didn't work right. You saved it as CFScript.txt.lnk. Remove the .ink extension.

I do not know how the .ink got on the end of the file. Now I have tried this again and now when I drag and drop CFScript.txt into the combo-fix to re run it it tells me that I can not rename combofix to combo-fix. Where have I gone wrong?

Rchjr

Re-download Combofix via the link, but do not rename this time.
Now try dragging and dropping again.

Here is the log it created. When it ran it said that it needed to install the windows recovery console. MY infected computer is not able to get internet connection due to this malware that has infected it. It said that it could not download files so it aborted. Then it ran and gave this log, this is it in it's enitirety! I have to post this in parts becasue of the size of the log it created.

ComboFix 09-08-07.09 - C. Harris 08/08/2009 13:51.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1573 [GMT -7:00]
Running from: I:\ComboFix.exe
Command switches used :: c:\documents and settings\C. Harris\Desktop\CFScript.txt.lnk
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 )))))))))))))))))))))))))))))))
.

2009-08-07 03:38 . 2009-08-07 03:38 -------- d-s---w- C:\Combo-Fix
2009-08-02 20:22 . 2009-08-02 20:22 -------- d-----w- c:\program files\Trend Micro
2009-08-02 02:03 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-02 02:03 . 2009-08-04 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-02 02:03 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 21:17 . 2009-07-31 21:17 -------- d-----w- c:\program files\iiuoww
2009-07-31 17:53 . 2009-07-31 17:53 -------- d-----w- c:\program files\HTvid
2009-07-28 21:23 . 2009-07-30 21:32 -------- d-----w- c:\documents and settings\C. Harris\Application Data\Apple Computer
2009-07-28 21:22 . 2009-03-19 23:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-28 21:22 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\program files\iPod
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\program files\iTunes
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\program files\Bonjour
2009-07-28 21:21 . 2009-07-28 21:22 -------- d-----w- c:\program files\QuickTime
2009-07-28 21:21 . 2009-07-28 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-28 21:21 . 2009-07-28 21:21 -------- d-----w- c:\documents and settings\C. Harris\Local Settings\Application Data\Apple
2009-07-28 21:21 . 2009-07-28 21:21 -------- d-----w- c:\program files\Apple Software Update
2009-07-28 21:20 . 2009-07-28 21:20 -------- d-----w- c:\program files\Common Files\Apple
2009-07-28 21:20 . 2009-07-28 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-28 21:20 . 2009-07-28 21:23 -------- d-----w- c:\documents and settings\C. Harris\Local Settings\Application Data\Apple Computer
2009-07-13 21:22 . 2009-07-13 21:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 01:22 . 2006-08-19 07:33 -------- d-----w- c:\documents and settings\C. Harris\Application Data\Petroglyph
2009-08-05 01:22 . 2005-06-23 16:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 01:22 . 2006-08-19 07:22 -------- d-----w- c:\program files\LucasArts
2009-08-05 01:06 . 2007-05-12 16:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-05 00:28 . 2009-05-26 22:38 -------- d-----w- c:\documents and settings\C. Harris\Application Data\Skype
2009-08-05 00:21 . 2008-11-24 01:48 -------- d-----w- c:\documents and settings\C. Harris\Application Data\skypePM
2009-07-22 20:10 . 2008-09-22 04:15 -------- d-----w- c:\documents and settings\C. Harris\Application Data\LimeWire
2009-07-12 07:33 . 2006-08-12 06:35 24032 ----a-w- c:\documents and settings\C. Harris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 04:21 . 2008-07-17 05:10 -------- d-----w- c:\program files\Common Files\Real
2009-07-06 04:20 . 2009-07-06 04:20 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-06 04:20 . 2009-07-06 04:20 -------- d-----w- c:\program files\Real
2009-07-06 04:20 . 2003-03-19 05:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-06 04:20 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-05 22:47 . 2007-02-22 22:19 -------- d-----w- c:\program files\SpeedFan
2009-06-30 23:39 . 2006-10-23 03:18 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-06-30 23:39 . 2006-10-23 03:18 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-06-30 23:39 . 2006-10-23 03:18 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-06-26 16:50 . 2004-08-04 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 03:50 . 2009-06-02 03:50 612 ----a-w- c:\windows\eReg.dat
2008-10-29 03:42 . 2008-10-29 03:42 109 --sha-w- c:\windows\system32\2351735403.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-19 39408]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [2006-12-20 557056]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2005-02-17 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-05-06 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-05-06 708698]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-09 7561216]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-06 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SystemGuardAlerter"="c:\program files\iolo\System Mechanic 6\SystemGuardAlerter.exe" [2006-12-20 386048]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-27 49152]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ACU"="c:\program files\Atheros\ACU.exe" [2006-03-26 335961]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2005-05-05 118784]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-08-13 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-03-09 1519616]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-02-17 14848]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-05-06 2748928]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-05-06 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^C. Harris^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
path=c:\documents and settings\C. Harris\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter.LNK
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Sprint PCS v3 Utility Service"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"ProductivITService"=2 (0x2)
"PnkBstrA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

Here is the second part:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\MWL\\MWLSvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/13/2008 4:52 PM 33800]
R1 TeksKernel;TeksKernel;c:\windows\system32\drivers\TeksKernel.sys [7/8/2004 2:14 PM 9060]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472320]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/14/2008 9:31 PM 596336]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/14/2008 9:31 PM 596336]
R2 viewer_service;SECTRA Viewer Update Service;c:\program files\Sectra\IDS5web\bin\viewer_service.exe [11/12/2007 7:05 PM 24628]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\SLDRV\slazldrv.sys [5/5/2005 6:33 PM 230448]
S3 1012NDS5;1012NDS5 NDIS Protocol Driver;c:\windows\system32\1012NDS5.sys [3/11/2003 3:33 PM 15872]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [1/13/2009 9:19 PM 33752]
S4 ProductivITService;ProductivIT Service;c:\program files\AlienAutopsy\TEKS_Service.exe [7/8/2004 2:22 PM 77824]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-12-28 c:\windows\Tasks\ParetoLogic Privacy Controls_{06439176-D49B-11DD-B5FF-000B6B34F7FE}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 18:29]

2009-07-31 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 19:25]

2009-08-08 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-12-23 17:08]

2008-12-28 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-12-23 17:08]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.cnn.com/
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.cnn.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel
IE: Open using &Advanced JPEG Compressor - c:\program files\Advanced JPEG Compressor\ajcieex.htm
DPF: {7C705EA9-3C3B-4F3A-B1AA-2184CDFAE4D0} - hxxp://www.offsiteimagemanagement.com/IDS5web/install/Setup.exe
DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file://d:\cdviewer\CdViewer.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-08 13:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\documents and settings\C. Harris\Desktop\GetThermal_for_SAGER
[1].CLEVO.KAPOK\winio.sys"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WINIO]
"ImagePath"="\??\c:\documents and settings\C. Harris\Desktop\GetThermal_for_SAGER
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3740775528-3358379298-2972928916-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-3740775528-3358379298-2972928916-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a6,11,e5,54,e3,56,1f,51,48,57,d6,ec,34,d2,aa,b5,14,f2,ca,83,7e,a0,80,
f5,90,52,ad,c9,0a,10,31,32,12,51,91,19,77,ca,a9,25,98,12,b4,c4,4e,6c,f2,14,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\program files\AlienGUIse\fastload.dll
c:\program files\iolo\Common\Lib\sguard.dll

- - - - - - - > 'lsass.exe'(1072)
c:\program files\iolo\Common\Lib\sguard.dll

- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(988)
c:\program files\iolo\Common\Lib\sguard.dll
.
Completion time: 2009-08-08 13:57
ComboFix-quarantined-files.txt 2009-08-08 20:57
ComboFix2.txt 2009-08-06 19:44
ComboFix3.txt 2009-08-05 19:39

Pre-Run: 56,389,099,520 bytes free
Post-Run: 56,341,078,016 bytes free

220 --- E O F --- 2009-08-06 19:30

Hey there,

Have not heard from you in two days, have I done something wrong?

Rchjr

Hello.

Please download the OTMoveIt by OldTimer.

• Save it to your desktop.
  
• Please double-click OTM.exe to run it.
  
• Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :files
  c:\program files\iiuoww
  c:\documents and settings\C. Harris\Application Data\LimeWire
  
  
  
• Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Here is the log it created:

========== FILES ==========
c:\program files\iiuoww moved successfully.
c:\documents and settings\C. Harris\Application Data\LimeWire\xml\data moved successfully.
c:\documents and settings\C. Harris\Application Data\LimeWire\xml moved successfully.
c:\documents and settings\C. Harris\Application Data\LimeWire\themes\limewirePro_theme moved successfully.
c:\documents and settings\C. Harris\Application Data\LimeWire\themes moved successfully.
c:\documents and settings\C. Harris\Application Data\LimeWire\promotion moved successfully.
c:\documents and settings\C. Harris\Application Data\LimeWire\certificate moved successfully.
c:\documents and settings\C. Harris\Application Data\LimeWire\.AppSpecialShare moved successfully.
c:\documents and settings\C. Harris\Application Data\LimeWire moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 08142009_133100

Thaks for your help,

Rchjr

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

Hello,

Well I was able to run malwarebytes now and it picked up 19 infected objects. I still have a problem, I am unable to connect to the internet. Somewhere during this process something happened, I have mcafee wireless security and it says that it is disconnected. I dont know how to connect it back. I used to have mcafee virus scan as well and awhile back I tried to unisntall it and everytime I do I get this message " The installation cannot continue because some components are missing c:/progra`1mcafee.com/agent/uninst/comrem.dll) are missing. So I cant uninstall mcafee security suite ( this was for my wireless network) to remove it and start over. Any suggestions? I beleive the original problem is gone.



Thank for your help ,

Rchjr

Completely Uninstall McAfee software

Download the McAfee Consumer Product Removal Tool

Using McAfee Consumer Product Removal Tool
· Double click the MCPR.exe
· A Command Line window will be displayed, and then close automatically.
· Wait for a second Command Line window to be displayed. Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.
· After the second window appears, the program will begin the cleanup.
· Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window: The machine must reboot to complete the un-installation. Reboot now? [y.n]
· Press Y on the keyboard.
· Wait for the computer to restart.
· All McAfee products are now removed from your computer.

Hello,

That did not work, after it ran it locked up about 3/4's of a way thru it. It stayed on something called " removing mwl " , it stayed there for a a half hour. So I closed the window and rebooted. Now when I try and run it again I get two messages. One says clean up failed, the other says clean uip is allready running. What next?

Thanks,

Rchjr

Please download Revo Uninstall from here: Revo Uinstaller

1. Download and run the setup file for Revo Uninstaller.
   
2. Once setup, run Revo Uninstaller.
   
3. Select the following item for removal by clicking on it once.
   
   Mcafee Security Suite
   
   
4. Then hit the "Uninstall" button at the top.
   
5. Close Revo Uninstaller.
   

I must be cursed or something, I installed the revo uninstaller. But the icons for Mcafee wireless network does not show up, nor do any of the mcafee programs accept for the mcafee uninstaller. So that was the only thing it unistalled. How do I get mcafee home wireless network security to show up in the revo uninstaller? I tried to reinstall that program but it said that I had to unistall the previoius version before I could install the new one.

Frustrated!,

Rchjr

We'll have to remove Mcafee manually with ComboFix:

• Download combofix from here
  Link 1
  Link 2
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

Hello,

I used the respawn disc that came with my alienware laptop and it fixed the problem. I thank you for your help, you got rid of that stupid virus for me.

Where do I make a donationa at?

Thanks again!

Rchjr

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.