Trojan Horse Agent.5.BI - Geeks to Go Forums


Trojan Horse Agent.5.BI C000021a {Fatal System Error} -Yikes..too late?

#1 Shake-Boy

  • Group: Member
  • Posts: 26
  • Joined: 06-December 09

Posted 07 March 2011 - 09:40 PM

Good Day,

***Note: Edited 3/8/2011 @ 5:34 PM Eastern ---> Please Read
Just noticed I initially put this in the wrong forum but now it's right. My computer was not bootable at time of original post and should have been in the associated non-bootable forum. I've since replaced my corrupt explorer.exe and winlogon.exe files with good copies from another machine. I can now boot the machine and believe I'm now in the correct forum. I've added the OTL log to this post. Other than the statement that my computer will not boot, all following text is correct. Sorry for any inconvenience.
Shake-Boy (Paul)


I've got Mom's computer. She may have killed it for good this time. Just can't keep her away from the porn...hee hee.

Problem started with google redirects and the full version of AVG Internet Security (v9.0.872) Component screen being blank....showing zero active components. Of course she didn't stop playing with the computer and within a day or two she had a system that would no longer boot completely into Windows. Error is as follows:

C000021A {Fatal System Error} Windows logon system process terminated unexpectedly with a status of 0xC000034. The system has been shut down.

Any method of bringing up the system (recovery mode, safe mode, etc.) results in the same message. Of course...since I can't bring the system up I can't run OTL and attach the logs. Here's some info and what I've done so far:

OS = Windows XP Home Edition

I removed the hard drive and put it in another machine in order to preserve her data. While in the other machine I ran three AVG scans on the drive until the log showed no infections.

Here's what it found on the first scan:

"H:\WINDOWS\system32\winlogon.exe";"Trojan horse Patched_c.KFO";"Moved to Virus Vault"
"H:\WINDOWS\system32\k.dll";"Trojan horse Agent.5.BI";"Moved to Virus Vault"
"H:\WINDOWS\explorer.exe";"Trojan horse Patched_c.KFN";"Moved to Virus Vault"

Here's what it found on the second scan:

"H:\System Volume Information\_restore{46944BC0-208E-4C29-8687-3103695E5E79}\RP230\A0177912.exe";"Trojan horse Patched_c.KFO";"Moved to Virus Vault"
"H:\System Volume Information\_restore{46944BC0-208E-4C29-8687-3103695E5E79}\RP230\A0177911.dll";"Trojan horse Agent.5.BI";"Moved to Virus Vault"
"H:\System Volume Information\_restore{46944BC0-208E-4C29-8687-3103695E5E79}\RP230\A0177910.exe";"Trojan horse Patched_c.KFN";"Moved to Virus Vault"

Third scan was clean.

After the AVG scans I ran current Malwarebytes scan on the drive and the results showed as clean.

I then put the hard drive back in her machine, attempted to bring it up and the result was the same Fatal System Error as above.

I'm currently making an acronis image of the drive on another machine while awaiting response.

I'm tempted to grab a good explorer.exe and winlogon.exe from another machine, slap 'em on the affected drive and try it again...but I'm quashing that temptation and waiting for your advice.

I've used this site's services before and I'm extremely grateful to all of you that participate. I look forward to hearing from you and hope it's not too late to recover this machine without reload. Mom's crossin' her arthritis-ridden fingers.

OTL Log Follows

Sincerely,

Shake-Boy
(Paul)

OTL logfile created on: 3/8/2011 5:47:15 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Marge\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 477.00 Mb Available Physical Memory | 47.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 3072 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.03 Gb Total Space | 47.18 Gb Free Space | 66.42% Space Free | Partition Type: NTFS
Drive D: | 2.11 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 3.77 Gb Total Space | 3.76 Gb Free Space | 99.96% Space Free | Partition Type: FAT32

Computer Name: D1JKKK81 | User Name: Marge | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/08 17:39:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Marge\Desktop\OTL.exe
PRC - [2011/02/24 23:46:44 | 002,423,752 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2010/11/24 08:22:51 | 002,069,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/11/24 08:22:43 | 002,331,544 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgfws9.exe
PRC - [2010/11/24 08:22:41 | 000,725,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/09/20 09:00:16 | 000,621,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/06/22 07:30:37 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/06/22 07:30:32 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/06/22 07:30:25 | 000,596,560 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2010/06/22 07:30:24 | 005,897,808 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2010/06/22 07:30:17 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/06/22 07:30:15 | 000,842,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgam.exe
PRC - [2010/03/29 06:39:17 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/05/21 09:55:32 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2008/09/18 20:11:19 | 001,529,856 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\ATT-SST\McciTrayApp.exe
PRC - [2008/08/13 17:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/15 11:09:36 | 000,460,784 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt.exe
PRC - [2005/08/24 07:51:18 | 000,442,455 | ---- | M] (Motive, Inc.) -- C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe


========== Modules (SafeList) ==========

MOD - [2011/03/08 17:39:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Marge\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2005/06/03 09:23:28 | 000,122,880 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\SBC Self Support Tool\SmartBridge\SBHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/11/24 08:22:43 | 002,331,544 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgfws9.exe -- (avgfws9)
SRV - [2010/10/06 10:31:48 | 000,517,448 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/06/22 07:30:32 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/06/22 07:30:24 | 005,897,808 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2008/08/13 17:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)


========== Driver Services (SafeList) ==========

DRV - [2010/06/22 07:30:40 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/06/22 07:30:27 | 000,122,448 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys -- (AVGIDSDriverxpx)
DRV - [2010/06/22 07:30:27 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys -- (AVGIDSFilterxpx)
DRV - [2010/06/22 07:30:27 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys -- (AVGIDSShimxpx)
DRV - [2010/06/22 07:30:27 | 000,025,168 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\AVGIDSxx.sys -- (AVGIDSErHrxpx)
DRV - [2010/06/22 07:30:19 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/06/01 08:31:33 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/06/01 08:19:12 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/05 09:34:17 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2010/02/28 21:56:03 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/02/28 21:56:03 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/12/26 14:09:56 | 000,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwfd)
DRV - [2009/12/26 14:09:56 | 000,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwdx)
DRV - [2009/03/25 10:06:30 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/03/25 10:06:28 | 000,214,024 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/03/25 10:06:28 | 000,079,880 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/03/25 10:06:28 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/03/25 10:05:54 | 000,034,216 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/07/28 17:26:30 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2008/07/28 17:26:30 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Running] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/01 07:44:00 | 000,580,992 | ---- | M] (Omnivision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FilmScan.sys -- (APL531)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/09/17 14:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/06/16 03:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/03/06 04:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/06 04:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/06 04:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Ask.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.newsnet5.com/
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "MyStart Search"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "MyStart Search"
FF - prefs.js..browser.startup.homepage: "http://www.newsnet5.com/"
FF - prefs.js..keyword.URL: "http://mystart.incredimail.com/?loc=ff_address_bar&search="

FF - HKLM\software\mozilla\Firefox\Extensions\\SpamBlockerUtility@SpamBlockerUtility.com: C:\Program Files\SpamBlockerUtility\bin\10.2.230.0\firefox\extensions
FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/02/10 09:45:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/29 06:40:52 | 000,000,000 | ---D | M]

[2010/01/16 10:54:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Marge\Application Data\Mozilla\Firefox\Profiles\zd3b3813.default\extensions
[2008/05/08 20:09:17 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Marge\Application Data\Mozilla\Firefox\Profiles\zd3b3813.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/01/16 10:54:27 | 000,000,000 | ---D | M] (ShopAtHome Intelligent Shopping Toolbar) -- C:\Documents and Settings\Marge\Application Data\Mozilla\Firefox\Profiles\zd3b3813.default\extensions\toolbar@shopathome.com
[2008/08/19 09:35:21 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\Marge\Application Data\Mozilla\Firefox\Profiles\zd3b3813.default\searchplugins\MyStart Search.xml
[2008/10/12 14:05:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2008/04/28 08:33:40 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
File not found (No name found) -- C:\PROGRAM FILES\GOOGLE\GOOGLE PHOTOS SCREENSAVER\FF_EXT
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\REAL-NETWORKS@PARTNERS.MOZILLA.COM
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\TALKBACK@MOZILLA.ORG
File not found (No name found) -- C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD
[2005/04/27 15:10:49 | 000,102,400 | ---- | M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npracplug.dll
[2008/03/24 19:21:00 | 002,889,088 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

Hosts file not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (PPCScamBHO Class) - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (EarthLink, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll ()
O2 - BHO: (SidebarAutoLaunch Class) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (FLYLADY BenefitBar) - {E19E589B-749F-4641-9ED3-032DEB7A8D92} - C:\Program Files\BenefitBarIE\benefitbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (FLYLADY BenefitBar) - {E19E589B-749F-4641-9ED3-032DEB7A8D92} - C:\Program Files\BenefitBarIE\benefitbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ATT-SST_McciTrayApp] C:\Program Files\ATT-SST\McciTrayApp.exe (Motive Communications, Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [Motive SmartBridge] C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe (Motive, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk = C:\Program Files\PrintMaster Gold 17\Remind.exe (Broderbund Properties LLC)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D2349304-8F9E-4A54-ACF6-0F6104B44209} http://auditor.cuyah...etch/Sketch.ocx (SketchCtl.Pic1)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://active.macrom...abs/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 () - http://a229.g.akamai...52528.jpg&h=150
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Marge\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Marge\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{80887c62-7f4a-11dd-9343-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{80887c62-7f4a-11dd-9343-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{80887c62-7f4a-11dd-9343-00038a000015}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/08 17:45:42 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Marge\Desktop\OTL.exe
[2008/05/08 08:39:46 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[2007/10/15 20:35:00 | 000,040,960 | ---- | C] ( ) -- C:\WINDOWS\FSUNS.EXE
[2 C:\Documents and Settings\Marge\Desktop\*.tmp files -> C:\Documents and Settings\Marge\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/08 17:45:11 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{11EA8F63-8CCA-4326-8428-327056D6226D}.job
[2011/03/08 17:44:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/08 17:43:21 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-4265926637-3216133850-731197849-1006.job
[2011/03/08 17:41:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/08 17:41:38 | 1071,697,920 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/08 17:39:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Marge\Desktop\OTL.exe
[2011/03/08 10:29:27 | 000,647,066 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavifw.avm
[2011/03/08 10:27:11 | 072,217,353 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2011/03/08 10:15:36 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-4265926637-3216133850-731197849-1006.job
[2011/03/04 09:23:42 | 000,000,265 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\Royal Wedding.url
[2011/03/04 00:00:01 | 000,000,370 | ---- | M] () -- C:\WINDOWS\tasks\PPv5Scan_Daily as Marge at 12 00 AM.job
[2011/03/03 22:00:00 | 000,000,362 | ---- | M] () -- C:\WINDOWS\tasks\PPv5Scan_Daily as Marge at 10 00 PM.job
[2011/03/03 21:00:00 | 000,000,370 | ---- | M] () -- C:\WINDOWS\tasks\PPv5Scan_Daily as Marge at 9 00 PM.job
[2011/03/03 15:35:29 | 000,000,241 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\Dictionary.url
[2011/03/02 16:38:26 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\Netflix.url
[2011/03/01 16:59:00 | 000,000,264 | ---- | M] () -- C:\WINDOWS\tasks\CCleaner.job
[2011/02/27 04:20:12 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\Word 2003.lnk
[2011/02/24 18:12:16 | 000,000,262 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\weather radar.url
[2011/02/22 09:58:06 | 000,000,571 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\Favorites.lnk
[2011/02/21 21:48:12 | 000,017,211 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\imdb.url
[2011/02/13 21:39:52 | 000,851,272 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/13 21:10:18 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/07 13:37:23 | 000,051,704 | ---- | M] () -- C:\Documents and Settings\Marge\My Documents\Est_3531_from_Bay_Furnace_.pdf
[2 C:\Documents and Settings\Marge\Desktop\*.tmp files -> C:\Documents and Settings\Marge\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/08 10:11:31 | 1071,697,920 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/04 09:23:42 | 000,000,265 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\Royal Wedding.url
[2011/02/24 18:12:16 | 000,000,262 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\weather radar.url
[2011/02/22 09:58:06 | 000,000,571 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\Favorites.lnk
[2011/02/21 21:48:12 | 000,017,211 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\imdb.url
[2011/02/13 21:02:48 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/02/11 16:11:31 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\Netflix.url
[2011/02/07 13:37:23 | 000,051,704 | ---- | C] () -- C:\Documents and Settings\Marge\My Documents\Est_3531_from_Bay_Furnace_.pdf
[2010/02/10 09:43:59 | 000,023,110 | ---- | C] () -- C:\WINDOWS\hpqins15.dat
[2009/12/06 22:13:16 | 000,002,671 | ---- | C] () -- C:\WINDOWS\System32\emp2.exe
[2009/11/08 22:32:52 | 000,196,151 | ---- | C] () -- C:\WINDOWS\hpoins41.dat
[2009/11/08 22:32:51 | 000,001,253 | ---- | C] () -- C:\WINDOWS\hpomdl41.dat
[2009/08/04 20:54:26 | 000,075,384 | ---- | C] () -- C:\WINDOWS\TrueInstall.exe
[2009/05/14 15:05:59 | 000,091,520 | ---- | C] () -- C:\WINDOWS\System32\WebIQEngineSetup.exe
[2009/04/19 17:22:53 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2009/03/25 21:01:47 | 000,000,047 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/09/08 12:47:13 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2008/08/31 14:10:22 | 000,001,160 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/06/14 14:24:00 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\JpgLib.dll
[2008/01/18 22:44:30 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2007/11/26 18:12:32 | 000,000,397 | ---- | C] () -- C:\Program Files\My Documents.lnk
[2007/10/17 18:25:44 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2007/05/07 14:03:50 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Marge\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/02/28 17:37:10 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2007/02/28 16:08:16 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2007/02/28 15:04:33 | 001,440,054 | ---- | C] () -- C:\Documents and Settings\Marge\Local Settings\Application Data\AzureBay.bmp
[2007/02/28 15:04:33 | 000,055,686 | ---- | C] () -- C:\Documents and Settings\Marge\Local Settings\Application Data\cal.bmp
[2007/02/28 15:04:31 | 005,760,054 | ---- | C] () -- C:\Documents and Settings\Marge\Local Settings\Application Data\sswpprep.bmp
[2007/02/28 15:01:31 | 001,440,054 | ---- | C] () -- C:\Documents and Settings\Marge\Local Settings\Application Data\ssprep.bmp
[2007/02/28 14:59:19 | 000,001,402 | ---- | C] () -- C:\Documents and Settings\Marge\Local Settings\Application Data\AzureBay.ini
[2007/01/10 10:57:15 | 000,000,514 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2007/01/09 13:58:10 | 000,000,073 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2006/01/30 23:06:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PestPatrol5.INI
[2005/11/09 13:07:46 | 000,000,083 | ---- | C] () -- C:\WINDOWS\importclient.INI
[2005/11/09 12:32:12 | 000,000,751 | ---- | C] () -- C:\WINDOWS\Bti.ini
[2005/11/09 12:32:09 | 000,116,640 | ---- | C] () -- C:\WINDOWS\System32\Ptsaci40.dll
[2005/11/09 12:32:09 | 000,030,080 | ---- | C] () -- C:\WINDOWS\System32\Ptabimp3.exe
[2005/10/12 19:02:23 | 000,034,660 | ---- | C] () -- C:\WINDOWS\System32\ppaluninst.exe
[2005/10/10 16:44:18 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\RegHero.exe
[2005/10/10 16:44:18 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\PopWait.exe
[2005/10/03 16:12:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/09/27 23:13:10 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/09/27 22:56:41 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2005/09/27 22:32:18 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2005/09/27 22:32:12 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2005/09/27 22:32:00 | 000,000,394 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/07/03 23:28:30 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Marge\Local Settings\Application Data\ScreenSaver.ini
[2005/01/28 08:08:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 13:12:05 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 13:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 13:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 13:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 12:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 12:57:15 | 000,851,272 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 12:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 12:51:20 | 000,445,370 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 12:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 12:51:20 | 000,072,576 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 12:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 12:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 12:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 12:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 12:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 12:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 12:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 12:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/05/31 19:43:00 | 000,005,632 | ---- | C] () -- C:\WINDOWS\TrueProcess.exe
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/10/26 07:34:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/10/21 11:02:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2006/07/15 16:18:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund LLC
[2006/07/15 16:17:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2009/09/10 18:56:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2007/10/17 22:32:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GamesBar
[2008/03/13 18:20:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IM
[2008/03/13 18:16:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IncrediMail
[2006/07/15 16:30:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Riverdeep Interactive Learning Limited
[2008/01/14 15:18:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/04/06 09:19:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/01/11 23:02:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo
[2008/05/08 10:02:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\Eyeblaster
[2005/10/12 19:19:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\Leadertech
[2009/04/19 20:05:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\MSNInstaller
[2010/10/28 21:01:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\PCDr
[2006/07/03 10:34:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\ScamGuard
[2009/03/15 18:02:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\Snapfish
[2011/03/01 16:59:00 | 000,000,264 | ---- | M] () -- C:\WINDOWS\Tasks\CCleaner.job
[2011/02/05 18:00:00 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\Disk Cleanup.job
[2011/03/03 22:00:00 | 000,000,362 | ---- | M] () -- C:\WINDOWS\Tasks\PPv5Scan_Daily as Marge at 10 00 PM.job
[2011/03/04 00:00:01 | 000,000,370 | ---- | M] () -- C:\WINDOWS\Tasks\PPv5Scan_Daily as Marge at 12 00 AM.job
[2011/03/03 21:00:00 | 000,000,370 | ---- | M] () -- C:\WINDOWS\Tasks\PPv5Scan_Daily as Marge at 9 00 PM.job
[2011/03/08 17:45:11 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{11EA8F63-8CCA-4326-8428-327056D6226D}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 155 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CFE0B346
@Alternate Data Stream - 152 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C46995DA
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:017D5143
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B894C266
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >
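The five alternate data streams OTL reported on the All Users\Application Data\TEMP folder above are not something Explorer or a plain directory listing will show. The script below is an added example, not part of the original post and not something OTL produces: it lists every named stream attached to that folder and dumps each one so its contents can be judged before anything is deleted. It needs Windows PowerShell 3.0 or later for the -Stream parameter, which Windows XP never had, so run it from another machine with the infected drive mounted, as the poster did, and set $Target to that drive letter (the drive was H: in the opening post). The folder path is the one from the log; the function names are ours.

```powershell
# Added example, not from the thread: enumerate and dump alternate data streams
# on the directory OTL flagged. Requires Windows PowerShell 3.0+ (-Stream).
$Target = 'C:\Documents and Settings\All Users\Application Data\TEMP'   # use H:\... on a mounted drive

function Get-AlternateStreams {
    param([string]$Path)
    # ':$DATA' is the unnamed main stream; every other entry is an ADS that
    # neither Explorer nor a plain "dir" shows.
    Get-Item -Path $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object @{ n = 'Stream'; e = { $_.Stream } },
                      @{ n = 'Bytes';  e = { $_.Length } }
}

function Read-AlternateStream {
    param([string]$Path, [string]$Stream)
    # cmd's input redirection opens "path:stream" directly and works for streams
    # attached to directories. .NET Framework (and so Get-Content on Windows
    # PowerShell) rejects the colon in such paths, which is why cmd is used here.
    $spec = '{0}:{1}' -f $Path, $Stream
    & cmd.exe /c "more < `"$spec`""
}

$streams = @(Get-AlternateStreams -Path $Target)
if ($streams.Count -eq 0) {
    "No alternate data streams on $Target"
}
foreach ($s in $streams) {
    '== {0}:{1}  ({2} bytes)' -f $Target, $s.Stream, $s.Bytes
    Read-AlternateStream -Path $Target -Stream $s.Stream
}

# Only after reading a stream and deciding it is unwanted:
#   Remove-Item -Path $Target -Stream 'CFE0B346'
```

A stream's name and size, which is all OTL prints, say nothing about what it is; Windows itself attaches a Zone.Identifier stream to downloaded files, so the presence of an ADS is not evidence of anything on its own. The thread's helper did not act on these entries, and the right order is the one above: read first, remove only what is clearly not wanted.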

#2 maliprog

  • Group: Malware Removal
  • Posts: 5,959
  • Joined: 20-April 09

Posted 15 March 2011 - 01:34 AM

Hello Shake-Boy and welcome to G2G! :D

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed


Step 1

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan
On the first tab select all elements down to Computer and then select start scan
Confirm deletion of all infections AVP finds
Once it has finished select report and post that.


Do not close AVPTool or it will uninstall itself; if it does uninstall, just rerun the setup file on your desktop.

Step 2

Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Step 3

Please don't forget to include these items in your reply:

  • AVPTool log
  • Combofix log
It would be helpful if you could post each log in a separate post.

#3 Shake-Boy

  • Group: Member
  • Posts: 26
  • Joined: 06-December 09

Posted 15 March 2011 - 02:28 AM

Hi maliprog,

Before Kaspersky installation is complete I get the following message that you did not address:

"It is recommended to scan the computer in Windows Safe Mode (press F8 after computer restart)"

I'm completely comfortable starting the machine in safe mode but want to make sure that you want me to follow this instruction coming from Kaspersky or would you like me to take another course of action?

Please advise.

Thanks!

#4 maliprog

  • Group: Malware Removal
  • Posts: 5,959
  • Joined: 20-April 09

Posted 15 March 2011 - 04:03 AM

Hi Shake-Boy,

You can scan it in normal mode. If, for some reason, the scan fails, then restart it in Safe mode.

#5 Shake-Boy

  • Group: Member
  • Posts: 26
  • Joined: 06-December 09

Posted 15 March 2011 - 12:17 PM

Hi maliprog,

A couple of notes before I post my AVPTool and Combofix logs.

1. Thank You for your help!

2. Combofix posted a message requiring me to uninstall AVG Antivirus before it would run at all. The AVG uninstall failed over and over with the inability to modify a registry key. I checked the permissions of the key and it appears they had been altered. Not sure if this is information that will help you or not...but I thought I should mention it. The key was HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows. I was unable to see any of the values and found that access for SYSTEM and Administrators had been set to Deny. I changed the permission values based on what I see on a clean machine and was then able to see the values and uninstall AVG.

Here are the entries from AVPTool Log. Combofix log in next post per your request.

Autoscan: completed 4 hours ago (events: 2, objects: 181558, time: 02:04:08)
3/15/2011 6:05:19 AM Task started
3/15/2011 8:09:30 AM Task completed
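The Deny entries the poster found on HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are worth checking on any machine where a security product refuses to uninstall or a key's values cannot be listed, because that key is also where AppInit_DLLs lives: every process that loads user32.dll loads the DLLs named there, which makes it a standard persistence point. The script below is an added example, not something from the thread, from AVG or from ComboFix. It reads the ACL on that key (and, as our addition, the Winlogon key), lists any explicit Deny entries for SYSTEM or Administrators, reports whether the key's values can be enumerated, and, only when asked, strips those Deny entries. Run it from an elevated Windows PowerShell prompt on the affected machine; it works on PowerShell 2.0. The function names and the $Protected list are our choices; the thread only states that SYSTEM and Administrators had been set to Deny.

```powershell
# Added example, not from the thread: audit (and optionally repair) Deny ACEs on
# registry keys that a stock Windows install never denies to its administrators.
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',    # the key from the post; holds AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'    # our addition: Shell / Userinit / Notify
)
$Protected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')      # assumption: principals that must never be denied

function Get-DenyAces {
    param([string]$Path)
    # Get-Acl needs only READ_CONTROL on the key. If even that is refused, the
    # warning is itself the finding.
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop }
    catch {
        Write-Warning ('Cannot read ACL on {0}: {1}' -f $Path, $_.Exception.Message)
        return @()
    }
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $Protected -contains $_.IdentityReference.Value
    })
}

function Test-KeyValuesReadable {
    param([string]$Path)
    # Value enumeration is what the poster saw fail ("unable to see any of the values").
    try { $null = (Get-Item -Path $Path -ErrorAction Stop).GetValueNames(); $true }
    catch { $false }
}

function Repair-RegistryKeyAcl {
    param([string]$Path, [switch]$Fix)
    $deny = @(Get-DenyAces -Path $Path)
    "{0}`n  values readable: {1}" -f $Path, (Test-KeyValuesReadable -Path $Path)
    foreach ($ace in $deny) {
        '  DENY  {0,-26} {1}' -f $ace.IdentityReference.Value, $ace.RegistryRights
    }
    if ($Fix -and $deny.Count -gt 0) {
        # Remove only the offending Deny rules; Allow and inherited entries are untouched.
        $acl = Get-Acl -Path $Path
        foreach ($ace in $deny) { $null = $acl.RemoveAccessRule($ace) }
        Set-Acl -Path $Path -AclObject $acl
        '  removed {0} Deny ACE(s)' -f $deny.Count
    }
}

foreach ($k in $Keys) { Repair-RegistryKeyAcl -Path $k }    # add -Fix to actually repair

# Once the key is readable, check the value that makes it a persistence target.
# On a stock XP installation AppInit_DLLs is empty.
$ai = (Get-ItemProperty -Path $Keys[0] -ErrorAction SilentlyContinue).AppInit_DLLs
if ($ai) { "AppInit_DLLs = $ai   <-- verify every path listed here" } else { 'AppInit_DLLs is empty' }
```

If Set-Acl is refused because the Deny entry also blocks changing permissions, take ownership of the key first (regedit, Permissions, Advanced, Owner): an administrator's take-ownership privilege is honoured regardless of Deny entries, and the owner can then rewrite the DACL.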

#6 Shake-Boy

  • Group: Member
  • Posts: 26
  • Joined: 06-December 09

Posted 15 March 2011 - 12:22 PM

Combofix Log

ComboFix 11-03-14.07 - Marge 03/15/2011 13:37:07.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.710 [GMT -4:00]
Running from: c:\documents and settings\Marge\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
.
.
2011-03-15 08:26 . 2011-03-15 08:26 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-15 08:14 . 2009-10-22 16:54 37392 ----a-w- c:\windows\system32\drivers\65285962.sys
2011-03-15 08:14 . 2009-10-10 02:31 315408 ----a-w- c:\windows\system32\drivers\6528596.sys
2011-03-15 08:14 . 2009-09-25 20:59 128016 ----a-w- c:\windows\system32\drivers\65285961.sys
2011-03-08 15:08 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\explorer.exe
2011-03-08 15:07 . 2008-04-14 00:12 507904 ----a-w- c:\windows\system32\winlogon.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-10 17:51 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 17:50 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 17:51 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:09 . 2009-09-07 23:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2009-09-07 23:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2008-05-08 13:39 . 2008-05-08 13:39 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\PrintMaster Gold 17\Remind.exe [2006-2-22 344064]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 17:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-02-25 04:46 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-29 11:39 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\AMCAP.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
.
R0 65285962;65285962 Boot Guard Driver;c:\windows\system32\drivers\65285962.sys [3/15/2011 4:14 AM 37392]
R1 65285961;65285961;c:\windows\system32\drivers\65285961.sys [3/15/2011 4:14 AM 128016]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 9:43 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 67656]
S3 APL531;35mm Film Scanner;c:\windows\system32\drivers\FilmScan.sys [8/1/2006 8:44 AM 580992]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 12872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-01 c:\windows\Tasks\CCleaner.job
- c:\progra~1\CCleaner\ccleaner.exe [2010-11-24 15:52]
.
2011-02-05 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]
.
2011-03-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4265926637-3216133850-731197849-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4265926637-3216133850-731197849-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-15 c:\windows\Tasks\User_Feed_Synchronization-{11EA8F63-8CCA-4326-8428-327056D6226D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.newsnet5.com/
uSearchMigratedDefaultUrl =
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D2349304-8F9E-4A54-ACF6-0F6104B44209} - hxxp://auditor.cuyahogacounty.us/repi/sketch/Sketch.ocx
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-ATT-SST_McciTrayApp - c:\program files\ATT-SST\McciTrayApp.exe
AddRemove-35mm Film Scanner - c:\windows\FILMSCANuns.exe USB\Vid_05a9&PID_35E3 35mm Film Scanner
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-15 13:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2011-03-15 13:50:52
ComboFix-quarantined-files.txt 2011-03-15 17:50
.
Pre-Run: 50,556,674,048 bytes free
Post-Run: 50,941,526,016 bytes free
.
- - End Of File - - 94D951A848AF2D3B39E553B47DBA5EBA
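The ComboFix log above records the two binaries that were swapped in by hand on 2011-03-08, winlogon.exe and explorer.exe, both carrying the 2008-04-14 SP3 timestamps. A copy taken from another machine is only as trustworthy as that machine, so the check a practitioner would want is a byte-for-byte comparison against a known-good installation at the same service pack level. The script below is an added example, not part of the thread: it fingerprints a short list of logon-path binaries (our selection) with SHA-256, size and the version resource, and writes a CSV that can be diffed against the same output from the reference machine. It runs on Windows PowerShell 2.0, the newest version available on XP, which has no Get-FileHash. $Root, $Out and the file list are assumptions.

```powershell
# Added example, not from the thread: fingerprint logon-path binaries so the
# suspect drive can be compared with a known-good machine. PowerShell 2.0 safe.
$Root  = 'C:\WINDOWS'                       # for a drive mounted in another PC: 'H:\WINDOWS'
$Out   = Join-Path $env:TEMP 'fingerprints.csv'
$Files = @(                                 # our selection; extend as needed
    'system32\winlogon.exe', 'explorer.exe', 'system32\userinit.exe',
    'system32\lsass.exe',    'system32\services.exe', 'system32\csrss.exe'
)

function Get-FileFingerprint {
    param([string]$Root, [string]$Relative)
    $full = Join-Path $Root $Relative
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $fs   = [System.IO.File]::OpenRead($full)
    try     { $hash = ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
    $item = Get-Item -LiteralPath $full
    # The relative path is the key, so rows from two machines line up in Compare-Object.
    New-Object PSObject -Property @{
        File        = $Relative
        Size        = $item.Length
        FileVersion = $item.VersionInfo.FileVersion
        Company     = $item.VersionInfo.CompanyName
        SHA256      = $hash
    }
}

$report = foreach ($f in $Files) {
    if (Test-Path -LiteralPath (Join-Path $Root $f)) {
        Get-FileFingerprint -Root $Root -Relative $f
    } else {
        Write-Warning "missing: $f"
    }
}

$report | Select-Object File, Size, FileVersion, Company, SHA256 | Format-Table -AutoSize
$report | Select-Object File, Size, FileVersion, Company, SHA256 |
    Export-Csv -NoTypeInformation -Path $Out
"written: $Out"

# Run the same script on the reference machine, copy its CSV next to this one, then:
#   Compare-Object (Import-Csv good.csv) (Import-Csv suspect.csv) -Property File, SHA256
# Rows marked '=>' exist only on the suspect side, i.e. the bytes differ. The same
# FileVersion with a different hash is the typical shape of a patched binary: a
# trojan that overwrites a few bytes leaves the version resource intact.
```

Do not rely on Get-AuthenticodeSignature for this on XP: the system binaries there are signed through security catalogs rather than embedded signatures, and Windows PowerShell 2.0 does not consult catalogs, so a clean winlogon.exe reports NotSigned. Sysinternals sigcheck does verify catalog signatures and is the quicker check when the suspect drive is mounted in a machine that can run it.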

#7 maliprog

  • Group: Malware Removal
  • Posts: 5,959
  • Joined: 20-April 09

Posted 15 March 2011 - 02:44 PM

Hi Shake-Boy,

You did a lot of work to run Combofix :D. That was my mistake and I should have warned you. Before we continue, please tell me what problems you have now.

#8 Shake-Boy

  • Group: Member
  • Posts: 26
  • Joined: 06-December 09

Posted 15 March 2011 - 04:24 PM

Hi maliprog,

At this point I don't know if there are any remaining problems. I haven't used the computer for anything at all since my Mom handed it over to me last week. Since my first post I've only turned it on to perform your instructions. I've been using another machine for everything including corresponding with you. Didn't want to allow any lingering malware to do any further damage. Her original problem began with search engine redirects.

I will re-install AVG and use her computer as my main system for the rest of the day and into tomorrow and will let you know what I do or do not find. Do you think it's ok to have it hooked to the same router as my non-infected machine? I've never had them plugged in at the same time.

If this thing's already clean it'll be the simplest problem she ever gave me! She somehow picks something up about once a year despite the processes I've given her for safe computing.

Sorry I'm so long winded. Talk to you later. Thanks Again!

Shake-Boy (Paul)

#9 maliprog

  • Group: Malware Removal
  • Posts: 5,959
  • Joined: 20-April 09

Posted 16 March 2011 - 12:01 AM

Hi Shake-Boy,

From these logs I don't see any infection anymore. Please use your system normally for one day and let me know.

#10 Shake-Boy

  • Group: Member
  • Posts: 26
  • Joined: 06-December 09

Posted 17 March 2011 - 01:02 PM

Hi Maliprog,

I need one more day to play with the computer and make sure nothing strange is happening. I haven't been home much to test.

I'll post an update tomorrow.

Thanks!

Paul (Shake-Boy)

#11 maliprog

  • Group: Malware Removal
  • Posts: 5,959
  • Joined: 20-April 09

Posted 19 March 2011 - 12:20 AM

Hi Shake-Boy,

Your logs and system are clean now. I'm glad we fixed up your computer. Now we need to remove the programs we used from your PC.

Step 1

Please start OTL one more time and click the CleanUp button. OTL will restart your system at the end. Remove all other applications we used to clean your PC.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then select one of the options. We recommend Automatic (recommended): "Automatically download recommended updates for my computer and install them".
  • Click the OK button


2. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean


3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of the software installed on your system.

#12 Shake-Boy

  • Group: Member
  • Posts: 26
  • Joined: 06-December 09

Posted 21 March 2011 - 09:59 AM

Hi maliprog,

Thank you for your assistance. Sorry to take so long to reply. I appreciate your making sure my machine is now clean.

I performed the cleanup tasks you requested.

Thanks Again.

Take care.

Shake-Boy

#13 maliprog

  • Group: Malware Removal
  • Posts: 5,959
  • Joined: 20-April 09

Posted 21 March 2011 - 11:54 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :D

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
