
Browser Redirecting

Discussion in 'Malware Removal Help' started by charlied1, Jun 20, 2011.

  1. charlied1

    charlied1 Registered Members

    Joined:
    Jul 28, 2010
    Messages:
    110
    Location:
    Louisiana
    Operating System:
    Windows 7
    OK, this is about to drive me insane... I have chased this for 3 days now with no luck. Every time I do an online search and try to click on one of the search results, I get redirected to some off-the-wall website, always a different one though. I have run Malwarebytes, Spybot, SUPERAntiSpyware, McAfee VirusScan, Hitman Pro, and a few others... I have run just about every virus scan I can think of and nothing picks it up... Here are the results from HijackThis... Please help.



    View attachment hijackthis file.txt
     
  2. PseFrank

    PseFrank Registered Members

    Joined:
    Nov 10, 2010
    Messages:
    962
    Location:
    Cambridge UK
    Operating System:
    Windows 7
    Have you tried more than one browser...
     
  3. charlied1

    charlied1 Registered Members

    Joined:
    Jul 28, 2010
    Messages:
    110
    Location:
    Louisiana
    Operating System:
    Windows 7
    No, I only have Internet Explorer on this computer. I really didn't want to have to go with another browser.
     
  4. BeeCeeBee

    BeeCeeBee ADMINISTRATOR IN MEMORY

    Joined:
    Apr 20, 2009
    Messages:
    7,201
    Location:
    New Jersey "Stronger than the Storm"
    Operating System:
    Windows 7
    I think your next step is to follow the directions contained in the Preparation for Malware Removal thread. Some of your symptoms seem classic. Also, when you post log results, please paste them directly into the reply instead of uploading a file.

    See: http://computerhelpforums.net/topic/13814-preparation-for-malware-removal-help/
     
  5. charlied1

    charlied1 Registered Members

    Joined:
    Jul 28, 2010
    Messages:
    110
    Location:
    Louisiana
    Operating System:
    Windows 7
    Oops, sorry about the uploading thing... This is the report, and I am working through the steps you suggested... Thank you.




    Logfile of HijackThis v1.99.1
    Scan saved at 7:23:37 PM, on 6/20/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dorothy\Desktop\hijackthis_sfx.exe
    C:\WINDOWS\system32\msfeedssync.exe
    C:\Documents and Settings\Dorothy\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110511092843.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O8 - Extra context menu item: &Search - http://tbedits.weatherblink.com/one-toolbaredits/menusearch.jhtml?s=100000413&p=XNxdm003YYus&si=&a=F7D50D15-BDAB-43C4-BC42-9A3FD16BDC6A&n=2011042712
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1275605401658
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Filter: text/html - {cdf16736-0c9f-4ff7-81ed-1d352b6b2f01} - (no file)
    O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
     
  6. BeeCeeBee

    BeeCeeBee ADMINISTRATOR IN MEMORY

    Joined:
    Apr 20, 2009
    Messages:
    7,201
    Location:
    New Jersey "Stronger than the Storm"
    Operating System:
    Windows 7
    I will move this to the Malware Removal Forum. If Starbuck thinks the move is not needed, he will move it back. :mellow:
     
  7. charlied1

    charlied1 Registered Members

    Joined:
    Jul 28, 2010
    Messages:
    110
    Location:
    Louisiana
    Operating System:
    Windows 7
    These are the OTL results.


    otl.text

    OTL logfile created on: 6/20/2011 10:33:53 PM - Run 2
    OTL by OldTimer - Version 3.2.24.1 Folder = C:\Documents and Settings\Dorothy\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.25 Gb Total Physical Memory | 2.71 Gb Available Physical Memory | 83.46% Memory free
    5.09 Gb Paging File | 4.59 Gb Available in Paging File | 90.21% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 465.75 Gb Total Space | 437.91 Gb Free Space | 94.02% Space Free | Partition Type: NTFS
    Drive D: | 0.38 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: COMPUTER_5 | User Name: Dorothy | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Documents and Settings\Dorothy\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe (McAfee, Inc.)
    PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


    ========== Modules (SafeList) ==========

    MOD - C:\Documents and Settings\Dorothy\Desktop\OTL.exe (OldTimer Tools)
    MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


    ========== Win32 Services (SafeList) ==========

    SRV - (HitmanPro35CrusaderBoot) Hitman Pro 3.5 Crusader (Boot) -- File not found
    SRV - (HidServ) -- File not found
    SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
    SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
    SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
    SRV - (mfevtp) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
    SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
    SRV - (MOBKbackup) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe (McAfee, Inc.)
    SRV - (MSK80Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
    SRV - (McProxy) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
    SRV - (McNASvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
    SRV - (McNaiAnn) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
    SRV - (mcmscsvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
    SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
    SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
    SRV - (McComponentHostService) -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (McAfee, Inc.)


    ========== Driver Services (SafeList) ==========

    DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
    DRV - (mfefirek) -- C:\WINDOWS\system32\drivers\mfefirek.sys (McAfee, Inc.)
    DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
    DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
    DRV - (mfendiskmp) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
    DRV - (mfendisk) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
    DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
    DRV - (mfetdi2k) -- C:\WINDOWS\system32\drivers\mfetdi2k.sys (McAfee, Inc.)
    DRV - (cfwids) -- C:\WINDOWS\system32\drivers\cfwids.sys (McAfee, Inc.)
    DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
    DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
    DRV - (AVGIDSEH) -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys (AVG Technologies CZ, s.r.o. )
    DRV - (SASKUTIL) -- C:\Documents and Settings\Dorothy\Local Settings\Temp\SAS_SelfExtract\saskutil.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (MOBKFilter) -- C:\WINDOWS\system32\drivers\MOBK.sys (Mozy, Inc.)
    DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
    DRV - (SASDIFSV) -- C:\Documents and Settings\Dorothy\Local Settings\Temp\SAS_SelfExtract\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (KMWDFILTER) -- C:\WINDOWS\system32\drivers\KMWDFILTER.sys (Windows (R) Codename Longhorn DDK provider)
    DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
    DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
    DRV - (amdide) -- C:\WINDOWS\system32\DRIVERS\amdide.sys (Advanced Micro Devices)
    DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\
    FF - HKLM\software\mozilla\Firefox\extensions\\gcffxtbr@WeatherBlink.com: C:\Program Files\WeatherBlink\bar\1.bin [2011/06/20 09:07:08 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/24 15:15:23 | 000,000,000 | ---D | M]


    Hosts file not found
    O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20110511092843.dll (McAfee, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll (Google Inc.)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Reg Error: Key error.)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1275605401658 (WUWebControl Class)
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 204.174.16.4 204.174.18.2
    O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\Antiwpa: DllName - antiwpa.dll - File not found
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - File not found
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/06/03 17:26:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2009/04/29 04:02:01 | 000,000,055 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
    O33 - MountPoints2\{ac1beb68-7005-11df-be39-002421dcf65a}\Shell - "" = AutoRun
    O33 - MountPoints2\{ac1beb68-7005-11df-be39-002421dcf65a}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{ac1beb68-7005-11df-be39-002421dcf65a}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a
    O33 - MountPoints2\{ac1beb6c-7005-11df-be39-002421dcf65a}\Shell - "" = AutoRun
    O33 - MountPoints2\{ac1beb6c-7005-11df-be39-002421dcf65a}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{ac1beb6c-7005-11df-be39-002421dcf65a}\Shell\AutoRun\command - "" = E:\StartClickFreeBackup.exe
    O33 - MountPoints2\D\Shell - "" = AutoRun
    O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\BlueBirds.exe -- [2009/04/29 04:02:01 | 000,270,336 | R--- | M] (LG Electronics)
    O33 - MountPoints2\L\Shell - "" = AutoRun
    O33 - MountPoints2\L\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\L\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O35 - HKCU\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKCU\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/06/20 22:28:50 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dorothy\Desktop\OTL.exe
    [2011/06/20 19:21:50 | 000,000,000 | ---D | C] -- C:\Program Files\HijackThis
    [2011/06/20 10:51:29 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
    [2011/06/20 09:07:11 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
    [2011/06/20 09:07:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Dorothy\Recent
    [2011/06/20 09:07:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2011/06/19 23:41:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dorothy\Application Data\vlc
    [2011/06/17 17:04:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dorothy\Application Data\SUPERAntiSpyware.com
    [2011/06/17 17:04:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    [2011/06/17 15:26:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/06/17 15:26:14 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/06/17 15:26:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/06/17 13:40:15 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
    [2011/05/26 12:21:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/06/20 22:34:07 | 000,000,333 | ---- | M] () -- C:\Documents and Settings\Dorothy\Desktop\Preparation for Malware removal help - Computer Help Forums.url
    [2011/06/20 22:30:00 | 000,000,886 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/06/20 22:28:53 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dorothy\Desktop\OTL.exe
    [2011/06/20 22:26:10 | 000,000,882 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/06/20 22:21:54 | 000,054,376 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
    [2011/06/20 22:21:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/06/20 22:21:02 | 000,000,211 | ---- | M] () -- C:\boot.ini
    [2011/06/20 19:23:39 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6A790881-F3B7-42A3-A9B6-8BAD3FA7FFC5}.job
    [2011/06/20 19:22:54 | 000,251,392 | ---- | M] () -- C:\Documents and Settings\Dorothy\Desktop\hijackthis_sfx.exe
    [2011/06/20 16:26:40 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/06/20 08:48:03 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2011/06/20 08:15:29 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
    [2011/06/20 07:59:25 | 000,000,265 | ---- | M] () -- C:\Documents and Settings\Dorothy\Desktop\http--clients5.google.com-complete-searchhl=en-us&q=facebook&client=ie8&inputencoding=UTF-8&outputencoding=UTF-8.url
    [2011/06/20 04:06:00 | 000,000,320 | ---- | M] () -- C:\WINDOWS\tasks\HP WEP.job
    [2011/06/19 16:52:41 | 000,002,356 | ---- | M] () -- C:\Documents and Settings\Dorothy\My Documents\cc_20110619_165238.reg
    [2011/06/18 09:12:08 | 000,001,350 | ---- | M] () -- C:\WINDOWS\System32\.crusader
    [2011/06/17 15:26:16 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/06/17 14:15:20 | 000,118,820 | ---- | M] () -- C:\Documents and Settings\Dorothy\My Documents\cc_20110617_141516.reg
    [2011/06/17 11:42:03 | 054,936,320 | ---- | M] () -- C:\Documents and Settings\Dorothy\Desktop\1995.QDF
    [2011/06/16 10:47:29 | 000,000,427 | ---- | M] () -- C:\WINDOWS\TaskGrid.cfg
    [2011/06/16 09:08:58 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/06/13 09:04:28 | 000,001,536 | ---- | M] () -- C:\WINDOWS\MKDEWE.TRN
    [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/05/26 12:25:38 | 000,000,227 | ---- | M] () -- C:\Documents and Settings\Dorothy\Desktop\AccuAuto.Net.url
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/06/20 22:34:07 | 000,000,333 | ---- | C] () -- C:\Documents and Settings\Dorothy\Desktop\Preparation for Malware removal help - Computer Help Forums.url
    [2011/06/20 19:22:54 | 000,251,392 | ---- | C] () -- C:\Documents and Settings\Dorothy\Desktop\hijackthis_sfx.exe
    [2011/06/20 07:59:25 | 000,000,265 | ---- | C] () -- C:\Documents and Settings\Dorothy\Desktop\http--clients5.google.com-complete-searchhl=en-us&q=facebook&client=ie8&inputencoding=UTF-8&outputencoding=UTF-8.url
    [2011/06/19 16:52:40 | 000,002,356 | ---- | C] () -- C:\Documents and Settings\Dorothy\My Documents\cc_20110619_165238.reg
    [2011/06/19 16:02:05 | 000,000,320 | ---- | C] () -- C:\WINDOWS\tasks\HP WEP.job
    [2011/06/18 09:12:08 | 000,001,350 | ---- | C] () -- C:\WINDOWS\System32\.crusader
    [2011/06/17 15:26:16 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/06/17 14:15:17 | 000,118,820 | ---- | C] () -- C:\Documents and Settings\Dorothy\My Documents\cc_20110617_141516.reg
    [2011/05/26 12:25:38 | 000,000,227 | ---- | C] () -- C:\Documents and Settings\Dorothy\Desktop\AccuAuto.Net.url
    [2011/05/13 14:01:48 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2011/05/13 09:34:27 | 000,012,410 | ---- | C] () -- C:\Documents and Settings\Dorothy\Local Settings\Application Data\u3l1bdo4047jk
    [2011/05/13 09:34:27 | 000,012,410 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\u3l1bdo4047jk
    [2011/03/31 14:43:08 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2010/09/06 11:47:45 | 000,139,620 | ---- | C] () -- C:\WINDOWS\hpoins15.dat
    [2010/09/06 11:47:45 | 000,001,039 | ---- | C] () -- C:\WINDOWS\hpomdl15.dat
    [2010/06/29 11:16:28 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/06/04 14:01:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll
    [2010/06/04 13:32:43 | 000,616,960 | ---- | C] () -- C:\WINDOWS\System32\ravepack.dll
    [2010/06/04 13:18:58 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
    [2010/06/03 20:07:21 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Dorothy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/06/03 19:15:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
    [2010/06/03 18:38:18 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
    [2010/06/03 18:38:18 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
    [2010/06/03 18:38:18 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
    [2010/06/03 18:38:18 | 000,176,216 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2010/06/03 17:50:41 | 000,080,416 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
    [2010/06/03 17:28:38 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2010/06/03 17:23:49 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2010/06/03 12:17:37 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2010/06/03 12:16:12 | 000,289,296 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2008/11/26 23:45:08 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2008/11/26 23:45:08 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2008/11/26 23:45:08 | 000,458,736 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2008/11/26 23:45:08 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2008/11/26 23:45:08 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2008/11/26 23:45:08 | 000,077,998 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2008/11/26 23:45:08 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2008/11/26 23:45:08 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2008/11/26 23:45:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2008/11/26 23:45:08 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2008/11/26 23:45:08 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2008/11/26 23:45:08 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2008/07/31 01:00:52 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\atibrtmon.exe
    [2008/02/07 10:05:18 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\hppatusg01.dll
    [2007/08/22 05:51:16 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ATIODE.exe
    [2007/08/22 03:36:12 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ATIODCLI.exe

    ========== LOP Check ==========

    [2011/05/15 11:23:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
    [2010/12/06 10:28:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2010/12/06 10:39:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2011/06/17 14:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2011/05/13 12:21:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2011/05/16 09:09:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OfficeGuardian
    [2010/12/06 10:41:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dorothy\Application Data\AVG10
    [2010/10/23 14:36:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dorothy\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2010/06/04 16:11:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dorothy\Application Data\OpenOffice.org
    [2011/04/06 11:57:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dorothy\Application Data\RegistryKeys
    [2011/06/20 19:23:39 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{6A790881-F3B7-42A3-A9B6-8BAD3FA7FFC5}.job

    ========== Purity Check ==========



    < End of report >

    extras
    DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
    DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
    DRV - (AVGIDSEH) -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys (AVG Technologies CZ, s.r.o. )
    DRV - (SASKUTIL) -- C:\Documents and Settings\Dorothy\Local Settings\Temp\SAS_SelfExtract\saskutil.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (MOBKFilter) -- C:\WINDOWS\system32\drivers\MOBK.sys (Mozy, Inc.)
    DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
    DRV - (SASDIFSV) -- C:\Documents and Settings\Dorothy\Local Settings\Temp\SAS_SelfExtract\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (KMWDFILTER) -- C:\WINDOWS\system32\drivers\KMWDFILTER.sys (Windows (R) Codename Longhorn DDK provider)
    DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
    DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
    DRV - (amdide) -- C:\WINDOWS\system32\DRIVERS\amdide.sys (Advanced Micro Devices)
    DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\
    FF - HKLM\software\mozilla\Firefox\extensions\\gcffxtbr@WeatherBlink.com: C:\Program Files\WeatherBlink\bar\1.bin [2011/06/20 09:07:08 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/24 15:15:23 | 000,000,000 | ---D | M]


    Hosts file not found
    O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20110511092843.dll (McAfee, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll (Google Inc.)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Reg Error: Key error.)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1275605401658 (WUWebControl Class)
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 204.174.16.4 204.174.18.2
    O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\Antiwpa: DllName - antiwpa.dll - File not found
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - File not found
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/06/03 17:26:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2009/04/29 04:02:01 | 000,000,055 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
    O33 - MountPoints2\{ac1beb68-7005-11df-be39-002421dcf65a}\Shell - "" = AutoRun
    O33 - MountPoints2\{ac1beb68-7005-11df-be39-002421dcf65a}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{ac1beb68-7005-11df-be39-002421dcf65a}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a
    O33 - MountPoints2\{ac1beb6c-7005-11df-be39-002421dcf65a}\Shell - "" = AutoRun
    O33 - MountPoints2\{ac1beb6c-7005-11df-be39-002421dcf65a}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{ac1beb6c-7005-11df-be39-002421dcf65a}\Shell\AutoRun\command - "" = E:\StartClickFreeBackup.exe
    O33 - MountPoints2\D\Shell - "" = AutoRun
    O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\BlueBirds.exe -- [2009/04/29 04:02:01 | 000,270,336 | R--- | M] (LG Electronics)
    O33 - MountPoints2\L\Shell - "" = AutoRun
    O33 - MountPoints2\L\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\L\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O35 - HKCU\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKCU\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/06/20 22:28:50 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dorothy\Desktop\OTL.exe
    [2011/06/20 19:21:50 | 000,000,000 | ---D | C] -- C:\Program Files\HijackThis
    [2011/06/20 10:51:29 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
    [2011/06/20 09:07:11 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
    [2011/06/20 09:07:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Dorothy\Recent
    [2011/06/20 09:07:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2011/06/19 23:41:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dorothy\Application Data\vlc
    [2011/06/17 17:04:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dorothy\Application Data\SUPERAntiSpyware.com
    [2011/06/17 17:04:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    [2011/06/17 15:26:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/06/17 15:26:14 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/06/17 15:26:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/06/17 13:40:15 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
    [2011/05/26 12:21:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/06/20 22:34:07 | 000,000,333 | ---- | M] () -- C:\Documents and Settings\Dorothy\Desktop\Preparation for Malware removal help - Computer Help Forums.url
    [2011/06/20 22:30:00 | 000,000,886 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/06/20 22:28:53 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dorothy\Desktop\OTL.exe
    [2011/06/20 22:26:10 | 000,000,882 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/06/20 22:21:54 | 000,054,376 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
    [2011/06/20 22:21:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/06/20 22:21:02 | 000,000,211 | ---- | M] () -- C:\boot.ini
    [2011/06/20 19:23:39 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6A790881-F3B7-42A3-A9B6-8BAD3FA7FFC5}.job
    [2011/06/20 19:22:54 | 000,251,392 | ---- | M] () -- C:\Documents and Settings\Dorothy\Desktop\hijackthis_sfx.exe
    [2011/06/20 16:26:40 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/06/20 08:48:03 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2011/06/20 08:15:29 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
    [2011/06/20 07:59:25 | 000,000,265 | ---- | M] () -- C:\Documents and Settings\Dorothy\Desktop\http--clients5.google.com-complete-searchhl=en-us&q=facebook&client=ie8&inputencoding=UTF-8&outputencoding=UTF-8.url
    [2011/06/20 04:06:00 | 000,000,320 | ---- | M] () -- C:\WINDOWS\tasks\HP WEP.job
    [2011/06/19 16:52:41 | 000,002,356 | ---- | M] () -- C:\Documents and Settings\Dorothy\My Documents\cc_20110619_165238.reg
    [2011/06/18 09:12:08 | 000,001,350 | ---- | M] () -- C:\WINDOWS\System32\.crusader
    [2011/06/17 15:26:16 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/06/17 14:15:20 | 000,118,820 | ---- | M] () -- C:\Documents and Settings\Dorothy\My Documents\cc_20110617_141516.reg
    [2011/06/17 11:42:03 | 054,936,320 | ---- | M] () -- C:\Documents and Settings\Dorothy\Desktop\1995.QDF
    [2011/06/16 10:47:29 | 000,000,427 | ---- | M] () -- C:\WINDOWS\TaskGrid.cfg
    [2011/06/16 09:08:58 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/06/13 09:04:28 | 000,001,536 | ---- | M] () -- C:\WINDOWS\MKDEWE.TRN
    [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/05/26 12:25:38 | 000,000,227 | ---- | M] () -- C:\Documents and Settings\Dorothy\Desktop\AccuAuto.Net.url
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/06/20 22:34:07 | 000,000,333 | ---- | C] () -- C:\Documents and Settings\Dorothy\Desktop\Preparation for Malware removal help - Computer Help Forums.url
    [2011/06/20 19:22:54 | 000,251,392 | ---- | C] () -- C:\Documents and Settings\Dorothy\Desktop\hijackthis_sfx.exe
    [2011/06/20 07:59:25 | 000,000,265 | ---- | C] () -- C:\Documents and Settings\Dorothy\Desktop\http--clients5.google.com-complete-searchhl=en-us&q=facebook&client=ie8&inputencoding=UTF-8&outputencoding=UTF-8.url
    [2011/06/19 16:52:40 | 000,002,356 | ---- | C] () -- C:\Documents and Settings\Dorothy\My Documents\cc_20110619_165238.reg
    [2011/06/19 16:02:05 | 000,000,320 | ---- | C] () -- C:\WINDOWS\tasks\HP WEP.job
    [2011/06/18 09:12:08 | 000,001,350 | ---- | C] () -- C:\WINDOWS\System32\.crusader
    [2011/06/17 15:26:16 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/06/17 14:15:17 | 000,118,820 | ---- | C] () -- C:\Documents and Settings\Dorothy\My Documents\cc_20110617_141516.reg
    [2011/05/26 12:25:38 | 000,000,227 | ---- | C] () -- C:\Documents and Settings\Dorothy\Desktop\AccuAuto.Net.url
    [2011/05/13 14:01:48 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2011/05/13 09:34:27 | 000,012,410 | ---- | C] () -- C:\Documents and Settings\Dorothy\Local Settings\Application Data\u3l1bdo4047jk
    [2011/05/13 09:34:27 | 000,012,410 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\u3l1bdo4047jk
    [2011/03/31 14:43:08 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2010/09/06 11:47:45 | 000,139,620 | ---- | C] () -- C:\WINDOWS\hpoins15.dat
    [2010/09/06 11:47:45 | 000,001,039 | ---- | C] () -- C:\WINDOWS\hpomdl15.dat
    [2010/06/29 11:16:28 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/06/04 14:01:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll
    [2010/06/04 13:32:43 | 000,616,960 | ---- | C] () -- C:\WINDOWS\System32\ravepack.dll
    [2010/06/04 13:18:58 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
    [2010/06/03 20:07:21 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Dorothy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/06/03 19:15:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
    [2010/06/03 18:38:18 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
    [2010/06/03 18:38:18 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
    [2010/06/03 18:38:18 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
    [2010/06/03 18:38:18 | 000,176,216 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2010/06/03 17:50:41 | 000,080,416 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
    [2010/06/03 17:28:38 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2010/06/03 17:23:49 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2010/06/03 12:17:37 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2010/06/03 12:16:12 | 000,289,296 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2008/11/26 23:45:08 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2008/11/26 23:45:08 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2008/11/26 23:45:08 | 000,458,736 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2008/11/26 23:45:08 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2008/11/26 23:45:08 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2008/11/26 23:45:08 | 000,077,998 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2008/11/26 23:45:08 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2008/11/26 23:45:08 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2008/11/26 23:45:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2008/11/26 23:45:08 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2008/11/26 23:45:08 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2008/11/26 23:45:08 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2008/07/31 01:00:52 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\atibrtmon.exe
    [2008/02/07 10:05:18 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\hppatusg01.dll
    [2007/08/22 05:51:16 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ATIODE.exe
    [2007/08/22 03:36:12 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ATIODCLI.exe

    ========== LOP Check ==========

    [2011/05/15 11:23:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
    [2010/12/06 10:28:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2010/12/06 10:39:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2011/06/17 14:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2011/05/13 12:21:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2011/05/16 09:09:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OfficeGuardian
    [2010/12/06 10:41:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dorothy\Application Data\AVG10
    [2010/10/23 14:36:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dorothy\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2010/06/04 16:11:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dorothy\Application Data\OpenOffice.org
    [2011/04/06 11:57:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dorothy\Application Data\RegistryKeys
    [2011/06/20 19:23:39 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{6A790881-F3B7-42A3-A9B6-8BAD3FA7FFC5}.job

    ========== Purity Check ==========



    < End of report >
     
  8. starbuck

    starbuck Rest In Peace Pete Administrator

    Hi charlied1

    Unfortunately you posted the Main.txt from OTL twice.... instead of the Extras.txt.
    The Extras.txt would have been very helpful in determining what AV you are running.
    There are signs of McAfee and AVG.
    Are they both still installed, or was AVG removed? (If so, there are still entries on the system.)

    I'd also like to ask why there is no startup entry for the AV program?

    It is not recommended that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: when the anti-virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: your system may lock up due to both products attempting to access the same file at the same time.

    If AVG was removed, please run the AVG remover to clean off the orphan entries

    To remove AVG go to:
    http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe

    download to your desktop.
    then double click to start the uninstaller.


    Step 1
    • Download TDSSKiller and save it to your Desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • Vista/Win7 users should right-click and select Run As Administrator.
    • If an infected file is detected, the default action will be Cure; click on Continue.
    • If a suspicious file is detected, the default action will be Skip; click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file in your next reply.


    Step 2
    Double click on OTL to run it.
    Copy the lines in bold below. (Make sure that :OTL is on the first line.)

    :OTL
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
    O20 - Winlogon\Notify\Antiwpa: DllName - antiwpa.dll - File not found
    O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - File not found
    O33 - MountPoints2\{ac1beb68-7005-11df-be39-002421dcf65a}\Shell - "" = AutoRun
    O33 - MountPoints2\{ac1beb68-7005-11df-be39-002421dcf65a}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{ac1beb68-7005-11df-be39-002421dcf65a}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a
    O33 - MountPoints2\{ac1beb6c-7005-11df-be39-002421dcf65a}\Shell - "" = AutoRun
    O33 - MountPoints2\{ac1beb6c-7005-11df-be39-002421dcf65a}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{ac1beb6c-7005-11df-be39-002421dcf65a}\Shell\AutoRun\command - "" = E:\StartClickFreeBackup.exe
    O33 - MountPoints2\D\Shell - "" = AutoRun
    O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\BlueBirds.exe -- [2009/04/29 04:02:01 | 000,270,336 | R--- | M] (LG Electronics)
    O33 - MountPoints2\L\Shell - "" = AutoRun
    O33 - MountPoints2\L\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\L\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
    [2011/05/13 09:34:27 | 000,012,410 | ---- | C] () -- C:\Documents and Settings\Dorothy\Local Settings\Application Data\u3l1bdo4047jk
    [2011/05/13 09:34:27 | 000,012,410 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\u3l1bdo4047jk

    :Files
    ipconfig /flushdns /c

    :commands
    [emptytemp]
    [purity]
    [RESETHOSTS]
    [EMPTYFLASH]


    • Return to OTL,
    • right-click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
    • Click the red Run Fix button.
    • OTL will reboot your system once the fix has completed.
    • After the reboot, you may need to double-click OTL to launch the program and retrieve the log.

    Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

    If you lose the report, there will be a copy here:
    C:\_OTL\MovedFiles


    In your next reply, please submit:
    TDSSKiller report
    OTL fix report

    Also please repost the Extras.txt from the 1st OTL run.

    Note:
    HijackThis can be removed from the system.
    Your copy is an out-of-date copy, but to be honest we never rely on it anymore as it doesn't give us anywhere near enough information.


    Thanks.
     
    Last edited by a moderator: Feb 4, 2014
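The fix list in Step 2 above is the helper's hand-picked set of orphaned registry entries and cached AutoRun handlers from the OTL log. As an added illustration (not OTL's own code and not anything posted in this thread), the Python below applies the same selection to a few lines copied from that log and renders them in the layout of an OTL custom fix; the matching rules and the "random-looking name" heuristic are my reconstruction of how the entries were chosen, not a documented OTL feature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the OTL Main.txt posted in this thread,
# mixed with benign lines from the same log that a triage pass must leave alone.
SAMPLE_LOG = r"""
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O20 - Winlogon\Notify\Antiwpa: DllName - antiwpa.dll - File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O33 - MountPoints2\{ac1beb68-7005-11df-be39-002421dcf65a}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
[2011/05/13 09:34:27 | 000,012,410 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\u3l1bdo4047jk
[2010/06/03 12:17:37 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
"""


@dataclass
class Finding:
    line: str    # the OTL log line, verbatim, ready to paste into a fix script
    reason: str  # why it was selected


# Heuristic (my own, not OTL's) for the u3l1bdo4047jk-style name in the log: an
# extension-less file sitting directly in an Application Data folder, 10+ chars
# of lowercase letters and digits.
_RANDOM_NAME = re.compile(r"\\Application Data\\([a-z0-9]{10,})$")


def classify(line: str) -> Optional[str]:
    """Return the reason a line belongs in the fix list, or None to leave it alone."""
    if line.startswith("O20 - Winlogon\\Notify") and line.endswith("File not found"):
        return "Winlogon Notify package whose DLL no longer exists"
    if line.startswith("O3 - ") and line.endswith("No CLSID value found."):
        return "toolbar entry whose CLSID has no registration"
    if line.startswith("O16 - DPF:") and "(Reg Error:" in line:
        return "ActiveX download record with broken registry data"
    if line.startswith("O33 - MountPoints2"):
        return "cached AutoRun handler for a removable drive"
    if line.startswith("["):
        m = _RANDOM_NAME.search(line)
        if m and re.search(r"\d", m.group(1)) and re.search(r"[a-z]", m.group(1)):
            return "extension-less file with a random-looking name in Application Data"
    # Deliberately not flagged: the O34 'autocheck autochk *' line is how OTL reports
    # the normal XP BootExecute value, and SRV entries with missing files were left
    # to the AV clean-up step in the post rather than the OTL fix.
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan every line of an OTL Main.txt and collect the lines a fix would target."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = classify(line)
        if reason is not None:
            findings.append(Finding(line, reason))
    return findings


def build_otl_fix(findings: List[Finding]) -> str:
    """Render findings in the layout used in Step 2 of the post: a :OTL section
    holding the log lines verbatim, then the :Files and :Commands sections."""
    otl_section = "\n".join(f.line for f in findings)
    return (
        ":OTL\n" + otl_section + "\n\n"
        ":Files\nipconfig /flushdns /c\n\n"
        ":Commands\n[emptytemp]\n[purity]\n[RESETHOSTS]\n[EMPTYFLASH]\n"
    )


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}:\n    {f.line}")
    print("\n--- generated fix ---")
    print(build_otl_fix(found))
```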
  9. charlied1

    charlied1 Registered Members

    Thank you all so much for your time. I hate to be the dumb one here, but I tried to download TDSSKiller to my desktop. It downloaded and saved to my desktop OK, but when I click on it the little hourglass comes up for a second or two, then goes away and nothing happens. I deleted it and tried to download it again but got the same result. I did have AVG on the computer, but I used Revo Uninstaller to uninstall it. It does not show up anymore in Revo, but if I go to Add/Remove Programs it still shows up and does not give me the option to uninstall it. I downloaded the AVG uninstaller as suggested and ran it, and it did a reboot. I went back to Add/Remove Programs and it still shows AVG 2011 but gives me no option to uninstall. I read the other malware removal post as I was told to and downloaded GMER. I ran it... it took about 4 hrs to run. I have posted the results of it below; I hope it can help. Maybe someone can see something there, because I don't know what most of it is... again, thank you for all your help. There are a lot of programs and info on the computer and I am doing everything I can to avoid doing a clean install. I am out of my league here :) so please, I am up for any suggestion... OK, trying to post the GMER result but it keeps saying the post is too long.
     
  10. charlied1

    charlied1 Registered Members

    Well, now I can't upload it either... I give up.
     
  11. Match

    Match Registered Members

    I would wait for Starbuck to get back to you on this. It may seem daunting, but he will give you step-by-step instructions to get round problems.

    All it takes is time and patience, and he will save you from doing a clean install and save your data. Well, I've not seen him fail yet :)
     
  12. starbuck

    starbuck Rest In Peace Pete Administrator

    Hi charlied1

    Ok, let's just take things one step at a time and it'll be nice and easy for you.

    Did you run the OTL fix?
    If so let me have the report.

    Maybe something is interfering and stopping it from running.
    We'll look into that.

    You can email the report to me and I'll post it for you.
    Check your PMs.

    We'll wait for the OTL fix report and the GMer report before continuing.

    Thanks
     
  13. charlied1

    charlied1 Registered Members

    This is what comes up when I run the OTL fix.


    Error: Unable to interpret <netsvcs> in the current context!
    Error: Unable to interpret <msconfig> in the current context!
    Error: Unable to interpret <%SYSTEMDRIVE%\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\system32\Spool\prtprocs\w32x86\*.dll> in the current context!
    Error: Unable to interpret <%systemroot%\*. /mp /s> in the current context!
    Error: Unable to interpret <%systemroot%\system32\*.dll /lockedfiles> in the current context!
    Error: Unable to interpret <%systemroot%\Tasks\*.job /lockedfiles> in the current context!
    Error: Unable to interpret <%systemroot%\system32\drivers\*.sys /lockedfiles> in the current context!
    Error: Unable to interpret <%systemroot%\system32\*.exe /lockedfiles> in the current context!
    Error: Unable to interpret <%systemroot%\System32\config\*.sav> in the current context!
    Error: Unable to interpret <%PROGRAMFILES%\*> in the current context!
    Error: Unable to interpret <HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU> in the current context!
    Error: Unable to interpret <hklm\software\clients\startmenuinternet|command /rs> in the current context!
    Error: Unable to interpret <hklm\software\clients\startmenuinternet|command /64 /rs> in the current context!
    Error: Unable to interpret <CREATERESTOREPOINT> in the current context!

    OTL by OldTimer - Version 3.2.24.1 log created on 06222011_131007
     
  14. starbuck

    starbuck Rest In Peace Pete Administrator

    Hi charlied1

    Thanks for the GMer report.
    It was too big to post...... plus I couldn't add it as an attachment either.
    Very odd as it's only a notepad text file 113kb in size.
    I'll have a word about the problem.

    There's nothing showing in the report as far as rootkits or malware is concerned.

    Ok, I can see exactly what's happened.
    You have taken the original scan list and added that to the Scans/Fixes box and clicked on Fix.

    Please look back at Post #8 Step 2.
    Follow those instructions, copy the list there and add that to the scans/fixes box and then click on Fix.

    Once we have that I'll be ready to get you to run another type of scan.

    Thanks.
     
  15. charlied1

    charlied1 Registered Members

    does this look right? :)


    All processes killed
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
    Starting removal of ActiveX control {17492023-C23A-453E-A040-C7C580BBF700}
    C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17492023-C23A-453E-A040-C7C580BBF700}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{17492023-C23A-453E-A040-C7C580BBF700}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17492023-C23A-453E-A040-C7C580BBF700}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\WINDOWS\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac1beb68-7005-11df-be39-002421dcf65a}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ac1beb68-7005-11df-be39-002421dcf65a}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac1beb68-7005-11df-be39-002421dcf65a}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ac1beb68-7005-11df-be39-002421dcf65a}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac1beb68-7005-11df-be39-002421dcf65a}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ac1beb68-7005-11df-be39-002421dcf65a}\ not found.
    File K:\LaunchU3.exe -a not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac1beb6c-7005-11df-be39-002421dcf65a}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ac1beb6c-7005-11df-be39-002421dcf65a}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac1beb6c-7005-11df-be39-002421dcf65a}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ac1beb6c-7005-11df-be39-002421dcf65a}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac1beb6c-7005-11df-be39-002421dcf65a}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ac1beb6c-7005-11df-be39-002421dcf65a}\ not found.
    File E:\StartClickFreeBackup.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ not found.
    File move failed. D:\BlueBirds.exe scheduled to be moved on reboot.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\L\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\L\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\L\ not found.
    File L:\LaunchU3.exe -a not found.
    C:\Documents and Settings\Dorothy\Local Settings\Application Data\u3l1bdo4047jk moved successfully.
    C:\Documents and Settings\All Users\Application Data\u3l1bdo4047jk moved successfully.
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Dorothy\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\Dorothy\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator

    User: Administrator.COMPUTER_5
    ->Temp folder emptied: 54367711 bytes
    ->Temporary Internet Files folder emptied: 40466298 bytes
    ->Flash cache emptied: 57955 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 56466 bytes

    User: Dorothy
    ->Temp folder emptied: 1878653040 bytes
    ->Temporary Internet Files folder emptied: 162774771 bytes
    ->Java cache emptied: 103078 bytes
    ->Google Chrome cache emptied: 6373857 bytes
    ->Flash cache emptied: 15570 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 9234464 bytes
    ->Flash cache emptied: 43321 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 480244973 bytes
    ->Java cache emptied: 872 bytes
    ->Flash cache emptied: 71755 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2402044 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 35934 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 91185668 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 2,600.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYFLASH]

    User: Administrator

    User: Administrator.COMPUTER_5
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Dorothy
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.24.1 log created on 06222011_145737

    Files\Folders moved on Reboot...
    File move failed. D:\BlueBirds.exe scheduled to be moved on reboot.
    File\Folder C:\Documents and Settings\Dorothy\Local Settings\Temp\~DF610.tmp not found!
    File\Folder C:\Documents and Settings\Dorothy\Local Settings\Temp\~DF665.tmp not found!
    File\Folder C:\Documents and Settings\Dorothy\Local Settings\Temp\~DF711.tmp not found!
    File\Folder C:\Documents and Settings\Dorothy\Local Settings\Temp\~DF76D.tmp not found!
    File\Folder C:\Documents and Settings\Dorothy\Local Settings\Temp\~DFC925.tmp not found!
    File\Folder C:\Documents and Settings\Dorothy\Local Settings\Temp\~DFC94B.tmp not found!
    File\Folder C:\Documents and Settings\Dorothy\Local Settings\Temp\~DFC9D5.tmp not found!
    File\Folder C:\Documents and Settings\Dorothy\Local Settings\Temp\~DFC9FB.tmp not found!
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\V1SM4GK4\blank[1].html moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\V1SM4GK4\redirect_v92_cim_11_10_4[1].html moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\TIHM6ZEM\blank[2].html moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\TIHM6ZEM\openmail.app[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\RE81KLT7\openmail.app[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\Q23H8R68\12111426332@x90[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\Q23H8R68\57-malware-removal[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\Q23H8R68\data_sync[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\Q23H8R68\launch[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\Q23H8R68\pixel[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\J8FSYLVV\1660291257@x23[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\J8FSYLVV\celebrity-gossip[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\J8FSYLVV\like[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\J8FSYLVV\openmail.app[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\J8FSYLVV\r[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\J8FSYLVV\us_widget[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\G08W9E2R\audmeasure[1].gif moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\G08W9E2R\drts[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\G08W9E2R\fc[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\G08W9E2R\login_status[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\G08W9E2R\p-01-0VIaSjnOLg[1].gif moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\G08W9E2R\pixel[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\FET2SR8E\andes_c[1].html moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\FET2SR8E\celebrity-gossip[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\FET2SR8E\data_sync[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\FET2SR8E\page__pid__153688[1].htm moved successfully.
    C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\FET2SR8E\sandbox[1].htm moved successfully.
    File move failed. C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
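As an added illustration of how to read a fix log like the one above (this is not part of OTL and not code from anyone in this thread), the following Python script classifies each action line by outcome. The sample lines are a constructed subset copied from the posted log; the category names are my own, and "reboot_pending" is the one bucket that deserves a second look, because those items were locked at fix time and only the "Files\Folders moved on Reboot" section says whether they went.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the OTL fix log posted above.
SAMPLE_LOG = r"""
All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found.
Starting removal of ActiveX control {17492023-C23A-453E-A040-C7C580BBF700}
C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\ deleted successfully.
File K:\LaunchU3.exe -a not found.
File move failed. D:\BlueBirds.exe scheduled to be moved on reboot.
C:\Documents and Settings\Dorothy\Desktop\cmd.bat deleted successfully.
========== COMMANDS ==========
Successfully flushed the DNS Resolver Cache.
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
"""

# Order matters: registry patterns come first so "Registry key ... deleted successfully."
# is not mistaken for a file deletion, and the reboot line precedes the generic file ones.
PATTERNS = [
    ("registry_deleted", re.compile(r"^Registry (?:key|value) (.+) deleted successfully\.$")),
    ("registry_not_found", re.compile(r"^Registry (?:key|value) (.+) not found\.$")),
    ("reboot_pending", re.compile(r"^File move failed\. (.+) scheduled to be moved on reboot\.$")),
    ("file_not_found", re.compile(r"^File (.+) not found\.$")),
    ("file_moved", re.compile(r"^(.+) moved successfully\.$")),
    ("file_deleted", re.compile(r"^(.+) deleted successfully\.$")),
]
# Lines that carry no target of their own but still record an action.
FIXED = {
    "HOSTS file reset successfully": "hosts_reset",
    "Successfully flushed the DNS Resolver Cache.": "dns_flushed",
}


def classify_line(line):
    """Return (category, target) for one OTL action line, or None for headers and noise."""
    line = line.strip()
    if not line or line.startswith("=========="):
        return None
    if line in FIXED:
        return (FIXED[line], line)
    for category, pattern in PATTERNS:
        m = pattern.match(line)
        if m:
            return (category, m.group(1))
    return None  # "All processes killed", "Starting removal of ..." and similar


def triage(log_text):
    """Group every recognised action by outcome: {category: [target, ...]}."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            groups[hit[0]].append(hit[1])
    return dict(groups)


def needs_follow_up(log_text):
    """Targets OTL could not remove at once; confirm each one against the reboot section."""
    return triage(log_text).get("reboot_pending", [])


def summary(log_text):
    """Counts per category: the quick view a helper wants before calling a log good."""
    return {category: len(targets) for category, targets in triage(log_text).items()}


if __name__ == "__main__":
    for category, count in sorted(summary(SAMPLE_LOG).items()):
        print(f"{category:20s} {count}")
    print("re-check after reboot:", needs_follow_up(SAMPLE_LOG))
```

"not found" entries are harmless (the item listed in the fix was already gone), "deleted" and "moved" entries are what the fix actually changed, and anything in "reboot_pending" should be matched against the "Files\Folders moved on Reboot..." lines at the bottom of the log.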
     
  16. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi charlied1

    Perfect

    There is certain malware that can stop TDSSKiller from running, if that is the reason it wouldn't run.
    We do have a program that can get around that.

    I've had to customize this next speech for you because I want you to run ComboFix..... but ComboFix won't run if AVG is still on the system, and we're not sure if it's all been removed.
    See the problem?

    Let me explain this step so you know what to expect:

    We'll get CF downloaded.
    Then you'll have to run a script which will remove all or any traces of AVG..... and start CF using this script.
    May sound complicated, but it's not really.... I'll walk you through it all.

    Take a deep breath.............

    Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2

    [​IMG]


    [​IMG]

    This is an example, you may rename ComboFix to anything you want.

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
      For more information read:
      How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

      Leave ComboFix on your Desktop (very important)

      Open Notepad - it must be Notepad, not Wordpad.
      Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
      Code:
      REGISTRY::
      [-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayRSAlert]
      [-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanFinished]
      [-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanFinishedThreatFound]
      [-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanStarted]
      [-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdEnd]
      [-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdEndFail]
      [-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdStart]
      [-HKEY_CURRENT_USER\AppEvents\Schemes\Apps\avgtray]
      [-HKEY_CURRENT_USER\Software\Avg]
      [-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG9 Shell Extension]
      [-HKEY_CLASSES_ROOT\.avgdx]
      [-HKEY_CLASSES_ROOT\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A3E}]
      [-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
      [-HKEY_CLASSES_ROOT\CLSID\{41B21542-2055-4212-A6F2-395CD109B14B}]
      [-HKEY_CLASSES_ROOT\CLSID\{6F59E522-4689-156E-316C-D5B48819DE95} ]
      [-HKEY_CLASSES_ROOT\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}]
      [-HKEY_CLASSES_ROOT\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}]
      [-HKEY_CLASSES_ROOT\CLSID\{EF0BB4CD-81FA-48AF-99B3-AB6C1F079BEC}]
      [-HKEY_CLASSES_ROOT\CLSID\{F1FE4608-7924-4908-8E12-81CFA206F00A}]
      [-HKEY_CLASSES_ROOT\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}]
      [-HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\AVG9 Shell Extension]
      [-HKEY_CLASSES_ROOT\Installer\Features\36E852A15FD8BDA48923830A21D156BE]
      [-HKEY_CLASSES_ROOT\Installer\Features\69BC3230A1222404483A39DE4E0799CF]
      [-HKEY_CLASSES_ROOT\Installer\Features\CFD2C1F142D260E3CB8B271543DA9F98]
      [-HKEY_CLASSES_ROOT\Installer\Products\36E852A15FD8BDA48923830A21D156BE]
      [-HKEY_CLASSES_ROOT\Installer\Products\69BC3230A1222404483A39DE4E0799CF]
      [-HKEY_CLASSES_ROOT\Installer\Products\CFD2C1F142D260E3CB8B271543DA9F98]
      [-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\06DD9E4F7F3FF9C41BC2BD64A2CE18FE]
      [-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\38F747DBDC97B4E459142E21199F9D10]
      [-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011]
      [-HKEY_CLASSES_ROOT\LinkScannerIE.NavFilter]
      [-HKEY_CLASSES_ROOT\LinkScannerIE.NavFilter.1]
      [-HKEY_CLASSES_ROOT\MicroScanner.MicroScanner]
      [-HKEY_CLASSES_ROOT\piffile\shellex\ContextMenuHandlers\AVG9 Shell Extension]
      [-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\linkscanner]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\AVG]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DevDiv\VC]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AVGSE.DLL]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0323CB96-221A-4042-84A3-93EDE47099FC}]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1A258E63-8DF5-4ADB-9832-38A0121D65EB}]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlwaysUnloadDll]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG]
      [-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}\{976BA62F-ABED-40e0-8F7B-6DE4F6756F0B}]
      [-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}\{976BA62F-ABEE-40e0-8F7B-6DE4F6756F0B}]
      [-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}\{976BA62F-ABEF-40e0-8F7B-6DE4F6756F0B}]
      [-HKEY_CLASSES_ROOT\CLSID\{9781B2D1-AF27-474F-A3A5-C0763FBDF3B7}]
      [-HKEY_CLASSES_ROOT\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
      [-HKEY_CLASSES_ROOT\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
      [-HKEY_CLASSES_ROOT\CLSID\{F2DDE6B2-9684-4A55-86D4-E255E237B77C}]
      [-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\avgsecuritytoolbar]
      [-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayWSAlert]
      [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
      [-HKEY_CURRENT_USER\Software\AppDataLow\Avg]
      [-HKEY_CURRENT_USER\Software\AVG Security Toolbar]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\AVG Security Toolbar]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG9Uninstall]
      [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\AvgEms]
      [-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayRSAlert]
      [-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayScanFinished]
      [-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayScanFinishedThreatFound]
      [-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayScanStarted]
      [-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayWSAlert]
      [-HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\avgtray]
      [-HKEY_USERS\.DEFAULT\Software\AppDataLow\Avg]
      [-HKEY_USERS\.DEFAULT\Software\Avg]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
      
      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
      "{A3BC75A2-1F87-4686-AA43-5347D756017C}"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "AVG9_TRAY"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
      "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"=-
      "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
      "{3f963a5b-e555-4543-90e2-c3908898db71}"=-
      "avg@igeared"=-
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList]
      "AVG"=-
      
      DRIVER::
      Avg
      AVGIDSAgent
      AVGIDSDriver
      AVGIDSEH
      AVGIDSFilter
      AVGIDSShim
      Avgldx86
      Avgmfx86
      Avgrkx86
      Avgtdix
      avgwd
      AVG Security Toolbar Service
      avg9emc
      avg9wd
      
      FOLDER::
      %SYSTEMDRIVE%\$AVG
      %COMMONAPPDATA%\AVG10
      %COMMONAPPDATA%\MFAData
      %COMMONPROGRAMS%\AVG 2011
      %APPDATA%\AVG10
      %PROGRAMFILES%\AVG
      %SYSTEM%\drivers\AVG
      %COMMONAPPDATA%\AVG Security Toolbar
      %COMMONAPPDATA%\avg9
      %COMMONPrograms%\AVG Free 9.0
      
      File::
      %COMMONAPPDATA%\Common Files\6F59E522-4689-156E-316C-D5B48819DE95.dat
      %COMMONDESKTOP%\AVG 2011.lnk
      %SYSTEM%\drivers\AVGIDSDriver.sys
      %SYSTEM%\drivers\AVGIDSEH.sys
      %SYSTEM%\drivers\AVGIDSFilter.sys
      %SYSTEM%\drivers\AVGIDSShim.sys
      %SYSTEM%\drivers\avgldx86.sys
      %SYSTEM%\drivers\avgmfx86.sys
      %SYSTEM%\drivers\avgrkx86.sys
      %SYSTEM%\drivers\avgtdix.sys
      %COMMONDesktop%\AVG Free 9.0.lnk
      %PROGRAMFILES%\Mozilla Firefox\searchplugins\avg_igeared.xml
      %SYSTEM%\avgrsstx.dll
      
      SECCENTER::
      AVG Anti-Virus Free
      
      
      Go to the Notepad window and click Edit >> Paste
      Then click File >> Save
      Name the file "CFScript.txt" (including the quotes)
      Save the file to your Desktop

      The main ComboFix.exe program should be on your Desktop
      Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
      as below.
      [​IMG]
      • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

        If running Vista/Win7, you may not see the recovery console screens
      • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

      [​IMG]

      Click on Yes, to continue scanning for malware.


      Now please wait for ComboFix to finish running.

      Note:
      Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


      When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

      I'm sure that you'll manage this without any problem.... but if you do have problems, you know where I am.


      Thanks
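To turn "we're not sure if it's all been removed" into something you can check, here is an added Python script (not ComboFix's own code and not from anyone in this thread) that parses the CFScript sections above (REGISTRY::, DRIVER::, FOLDER::, File::, SECCENTER::) into (kind, target) pairs and, given an existence probe, lists which AVG targets are still present. It assumes Python 3.8 or newer. The `windows_exists` probe, the `WINDOWS_TOKENS` defaults for ComboFix's %TOKEN% placeholders, and the mapping of `DRIVER::` names to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<name>` are my assumptions; `SECCENTER::` entries are not probed. The script is read-only and deletes nothing; the sample script is a constructed excerpt of the one posted.

```python
import os
import re

# Constructed excerpt of the CFScript posted above: a few entries per section.
SAMPLE_SCRIPT = r"""
REGISTRY::
[-HKEY_CURRENT_USER\Software\Avg]
[-HKEY_LOCAL_MACHINE\SOFTWARE\AVG]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"=-

DRIVER::
Avgldx86
avg9wd

FOLDER::
%PROGRAMFILES%\AVG
%COMMONAPPDATA%\avg9

File::
%SYSTEM%\avgrsstx.dll

SECCENTER::
AVG Anti-Virus Free
"""

SECTION = re.compile(r"^(\w+)::$")            # REGISTRY::, DRIVER::, File:: ...
KEY_DELETE = re.compile(r"^\[-(.+)\]$")       # [-HKEY...]  delete the whole key
KEY_OPEN = re.compile(r"^\[(.+)\]$")          # [HKEY...]   the values to delete follow
VALUE_DELETE = re.compile(r'^"(.+)"=-$')      # "Name"=-    delete that value
TOKEN = re.compile(r"%([A-Za-z]+)%")          # %PROGRAMFILES% and friends


def parse_cfscript(text):
    """Return (kind, target) pairs.

    kinds: 'regkey' (path), 'regvalue' ((key, name)), 'driver', 'folder', 'file', 'seccenter'.
    """
    items, section, current_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION.match(line):
            section, current_key = m.group(1).lower(), None
        elif section == "registry":
            if m := KEY_DELETE.match(line):
                items.append(("regkey", m.group(1).strip()))   # the posted script has a stray space before one ']'
            elif m := KEY_OPEN.match(line):
                current_key = m.group(1).strip()
            elif (m := VALUE_DELETE.match(line)) and current_key:
                items.append(("regvalue", (current_key, m.group(1))))
        elif section in ("driver", "folder", "file", "seccenter"):
            items.append((section, line))
    return items


def expand(path, tokens):
    """Expand ComboFix %TOKEN% placeholders; case-insensitive, since the script mixes case."""
    return TOKEN.sub(lambda m: tokens.get(m.group(1).upper(), m.group(0)), path)


def find_remnants(items, exists):
    """Keep the items for which exists(kind, target) says the target is still there."""
    return [item for item in items if exists(*item)]


# Assumption: XP-style defaults used only when the environment variables are absent.
WINDOWS_TOKENS = {
    "SYSTEMDRIVE": os.environ.get("SystemDrive", "C:"),
    "SYSTEM": os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32"),
    "PROGRAMFILES": os.environ.get("ProgramFiles", r"C:\Program Files"),
    "APPDATA": os.environ.get("APPDATA", r"C:\Documents and Settings\<user>\Application Data"),
    "COMMONAPPDATA": os.environ.get("ProgramData", r"C:\Documents and Settings\All Users\Application Data"),
}


def windows_exists(kind, target):
    """Read-only probe for a real Windows host; it never deletes anything."""
    import winreg  # Windows-only, imported lazily so the parser runs anywhere
    roots = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE, "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT, "HKEY_USERS": winreg.HKEY_USERS}

    def open_key(path):
        root, _, sub = path.partition("\\")
        return winreg.OpenKey(roots[root], sub)   # raises OSError when the key is absent

    if kind in ("folder", "file"):
        return os.path.exists(expand(target, WINDOWS_TOKENS))
    try:
        if kind == "regkey":
            open_key(target).Close()
        elif kind == "regvalue":
            with open_key(target[0]) as key:
                winreg.QueryValueEx(key, target[1])
        elif kind == "driver":  # assumption: services and drivers register under this key
            open_key(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\" + target).Close()
        else:
            return False        # SECCENTER:: registrations live in WMI; not probed here
        return True
    except OSError:
        return False


if __name__ == "__main__":
    for kind, target in find_remnants(parse_cfscript(SAMPLE_SCRIPT), windows_exists):
        print(f"still present: {kind} {target}")
```

On the affected machine, paste the full CFScript into `SAMPLE_SCRIPT` (or read it from CFScript.txt) and run the file; an empty result means every target the script would delete is already gone, and a non-empty one tells you exactly which AVG pieces are still around before ComboFix is asked to remove them.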
     
  17. charlied1

    charlied1 Registered Members

    Joined:
    Jul 28, 2010
    Messages:
    110
    Location:
    Louisiana
    Operating System:
    Windows 7
    Well, I downloaded the ComboFix, saved it to the desktop with the name of cbf, then copied the text and saved it in Notepad to the desktop with the name you have shown... When I drag it to the ComboFix folder a box comes up and asks if I want to run, so I click Run; then another box comes up with bright yellow lettering in it saying it is extracting a bunch of files, then after about 30 sec it goes away, and after it quits the Notepad document is still on my desktop but the ComboFix is gone.
     
  18. allheart55 (Cindy E)

    allheart55 (Cindy E) Administrator Administrator

    Joined:
    Jun 11, 2009
    Messages:
    10,546
    Location:
    Pennsylvania
    Operating System:
    Windows 10
    Computer Brand or Motherboard:
    ASUS M4A77TD AM3 AMD 770 ATX AMD
    CPU:
    AMD Phenom II X6 1090T-Thuban 3.2GHz
    Memory:
    Crucial-DDR3 SDRAM 1333-8GB
    Hard Drive:
    WD Caviar Black SE HDD 640 GB - WD Caviar Black SE HDD 500 GB
    Graphics Card:
    Sapphire Radeon HD-7870 2GB
    Power Supply:
    CORSAIR CMPSU-750W
    Upload attachment
     

    Attached Files:

    • gmer.txt
      File size:
      113.1 KB
      Views:
      18
  19. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Do you mean the Combofix icon disappeared ?
     
  20. charlied1

    charlied1 Registered Members

    Joined:
    Jul 28, 2010
    Messages:
    110
    Location:
    Louisiana
    Operating System:
    Windows 7
    Yeah, it just goes away... I have done it 4 times now and each time the same result.
     
