[Garrett33]

No visible symptoms! My computer is acting completely normal. I wouldn't even know I had a virus if it weren't for AVG. But apparently they're here and they can't be doing any good so I'd like to get rid of them lol.

I'm not sure where they came from. My only thought is a .pdf file on how to instal drop shackles in my pickup. But that seems kind of strange. I'm running WinXP.
One day I opened up my laptop and AVG (free edition) opened a window titled "Resident Shield alert." Multiple threat detection. This is what is in the menu:

"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Moved to Virus Vault"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP242\A0066899.dll";"Trojan horse Downloader.Generic11.BIFK";"Object is inaccessible."
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066919.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"
"c:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP243\A0066918.exe";"Trojan horse SHeur3.CJVI";"Infected"

Then I came here and read the Cleaning Guide. I saved and tried to run OTL but it failed, all the different names for it did. I clicked the link that took me to "Malware Removal tools won't run tutorial." Downloaded and ran Malwarebytes' Anti-Malware (MBAM) and it came up with the following:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7332

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/31/2011 1:53:50 AM
mbam-log-2011-07-31 (01-53-41).txt

Scan type: Full scan (C:\|)
Objects scanned: 256415
Time elapsed: 2 hour(s), 38 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\V71IQL7HI7 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\AppSecDll (Trojan.Agent) -> Value: AppSecDll -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job (Trojan.Downloader) -> No action taken.
c:\WINDOWS\Tasks\{8c3fdd81-7ae0-4605-a46a-2488b179f2a3}.job (Trojan.Downloader) -> No action taken.
c:\WINDOWS\Tasks\mswd-63fdda30.job (Trojan.DNSChanger) -> No action taken.

No further action has been taken. Both the Resident Shield alert from AVG and the MBAM results are still open, untouched. Where do I go from here? Thank you very much in advanced. We'd all be broke paying geek squad $200 an hour if it weren't for people like you

[Advertisements]

Hi the AVG ones are showing in system restore, so at the moment are not a problem

Remove all the MBAM selected items

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
• Under the Custom Scan box paste this in
  
  netsvcs
  %SYSTEMDRIVE%\*.exe
  /md5start
  explorer.exe
  winlogon.exe
  Userinit.exe
  svchost.exe
  /md5stop
  %systemroot%\*. /mp /s
  hklm\software\clients\startmenuinternet|command /rs
  CREATERESTOREPOINT
  
  
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Post both logs

[Essexboy]

Hi the AVG ones are showing in system restore, so at the moment are not a problem

Remove all the MBAM selected items

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
• Under the Custom Scan box paste this in
  
  netsvcs
  %SYSTEMDRIVE%\*.exe
  /md5start
  explorer.exe
  winlogon.exe
  Userinit.exe
  svchost.exe
  /md5stop
  %systemroot%\*. /mp /s
  hklm\software\clients\startmenuinternet|command /rs
  CREATERESTOREPOINT
  
  
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Post both logs

[Garrett33]

It starts the scan but when it hits firefox's settings it stops responding.

[Essexboy]

Try OTL without the custom scan settings - does that work ?

[Garrett33]

Same thing..

[Essexboy]

OK lets use my least favourite analysis tool

Please download DDS and save it to your desktop.

• Disable any script blocking protection
• Double click dds.scr to run the tool.
• When done, DDS.txt will open.
• Click Yes at the next prompt for Optional Scan.
• Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

[Garrett33]

Here it is. I attached it but I don't see it, hopefully you do.

Edited by Garrett33, 02 August 2011 - 02:47 PM.

[Essexboy]

Nope not attached - did you press the attach button ?

[Garrett33]

Hahah, probably not! It's there for sure now.  dds.txt   8.43KB   135 downloads

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Administrator at 13:30:57 on 2011-08-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.84 [GMT -7:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://home.peoplepc.com/search
uInternet Settings,ProxyServer = http=127.0.0.1:1069
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://home.peoplepc.com/search
BHO: {01d151c1-2054-4a48-b12a-6bb86c46069d} - c:\windows\system32\atikvmag32.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [CTRegRun] c:\windows\CTRegRun.EXE
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: EnableLUA = 0 (0x0)
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com\clientapps
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249578669046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{AF82E528-7784-49C5-ACFD-462388EF3CDE} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = SbHpNp scecli ASWLNPkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\debi23ho.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-2-7 100495]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-3-29 13696]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-9-17 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-9-17 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-9-17 243152]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-2-7 5808]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-9-19 36608]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-30 22712]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-30 41272]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-07-16 01:31:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-20 03:08:57 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
.
============= FINISH: 13:32:59.59 ===============

[Essexboy]

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[Garrett33]

I can't exit AVG Anti-Virus Free. The link you provided suggested I right click > Quit Control Center. However, It's not there. I can't find any way to exit it.

[Essexboy]

Try this link

[Garrett33]

That link worked. So I started the scan, it installed Windows Recovery, continued scanning and I think it got to around stage 23 then I got a blue screen that said "Windows has detected.." then restarted. When it powered back up I got a box titled "Microsoft Windows" and says the system has recovered from a serious error. A log of this error has been created. Please tell Microsoft about this problem etc. No further action has been taken.

[Essexboy]

OK so whatever it is (the jury is still out at the moment) I will need to get another way

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

Click the cog in the upper right



Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan


Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Automatic Scan report from the left and press Save button
Save it to your desktop and attach to your next post


Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information



On completion click the link to locate the zip file to upload and attach to your next post

[Garrett33]

It's unable to start the first scan because there isn't enough memory. CCleaner says I only have 448MB of RAM lol. Should I uninstall MBAM? Under the task manager it's using 20,000k even though it's not open.