[Cookiegal]

You should keep IE updated even if you don't use it as it gets used in the background for updates.

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

[redkidsdog]

I forgot to name it puppy.exe, hope it doesnt mess things up...here is the info...

ComboFix 12-05-26.02 - cynthia dennis 05/26/2012 19:12:16.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2391 [GMT -4:00]
Running from: c:\documents and settings\cynthia dennis\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Favorites\ehthumbs.db
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\5095D8B1.TMP
c:\documents and settings\All Users\Application Data\TEMP\9B7E8561.TMP
c:\documents and settings\All Users\Application Data\TEMP\ABE30DDB.TMP
c:\documents and settings\All Users\Application Data\TEMP\B35A4CE2.TMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\All Users\Favorites\ehthumbs.db
c:\documents and settings\cynthia dennis\GoToAssistDownloadHelper.exe
c:\windows\EventSystem.log
c:\windows\system32\Cache
c:\windows\system32\Cache\1563ac6259bce0f7.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\DC31DEC.dll
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\pthreadVC.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-04-27 to 2012-05-27 )))))))))))))))))))))))))))))))
.
.
2012-05-26 20:13 . 2012-05-26 20:13 -------- d-----w- c:\program files\Common Files\Java
2012-05-26 20:13 . 2012-05-26 20:13 0 ----a-w- c:\windows\system32\REN97.tmp
2012-05-26 18:08 . 2012-05-26 18:08 0 ----a-w- c:\windows\system32\REN160.tmp
2012-05-26 18:08 . 2012-05-26 18:08 0 ----a-w- c:\windows\system32\REN15F.tmp
2012-05-24 21:47 . 2012-05-24 21:47 0 ----a-w- c:\windows\system32\REN9A.tmp
2012-05-24 21:35 . 2012-05-24 21:35 0 ----a-w- c:\windows\system32\REN5D.tmp
2012-05-24 21:35 . 2012-05-24 21:35 0 ----a-w- c:\windows\system32\REN5C.tmp
2012-05-24 20:26 . 2012-05-24 20:26 0 ----a-w- c:\windows\system32\RENF7.tmp
2012-05-24 20:13 . 2012-05-24 20:13 0 ----a-w- c:\windows\system32\RENC5.tmp
2012-05-24 20:13 . 2012-05-24 20:13 0 ----a-w- c:\windows\system32\RENC4.tmp
2012-05-24 19:53 . 2012-05-24 19:53 0 ----a-w- c:\windows\system32\RENAF.tmp
2012-05-24 19:34 . 2012-05-24 19:34 -------- d-----w- c:\documents and settings\cynthia dennis\Local Settings\Application Data\VS Revo Group
2012-05-24 19:34 . 2009-12-30 15:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-05-24 19:34 . 2012-05-24 19:34 -------- d-----w- c:\program files\VS Revo Group
2012-05-24 18:01 . 2012-05-24 18:01 0 ----a-w- c:\windows\system32\REN6C.tmp
2012-05-24 18:01 . 2012-05-24 18:01 0 ----a-w- c:\windows\system32\REN6B.tmp
2012-05-23 22:00 . 2012-05-23 22:00 0 ----a-w- c:\windows\system32\REN7DF.tmp
2012-05-23 21:56 . 2012-05-23 21:56 0 ----a-w- c:\windows\system32\REN78D.tmp
2012-05-23 21:56 . 2012-05-23 21:56 0 ----a-w- c:\windows\system32\REN78C.tmp
2012-05-23 21:39 . 2012-05-23 21:39 0 ----a-w- c:\windows\system32\REN746.tmp
2012-05-23 19:53 . 2012-05-23 19:53 0 ----a-w- c:\windows\system32\REN415.tmp
2012-05-23 19:53 . 2012-05-23 19:53 0 ----a-w- c:\windows\system32\REN414.tmp
2012-05-23 18:55 . 2012-05-23 18:55 0 ----a-w- c:\windows\system32\REN350.tmp
2012-05-23 18:55 . 2012-05-23 18:55 0 ----a-w- c:\windows\system32\REN34F.tmp
2012-05-10 23:04 . 2012-05-10 23:04 0 ----a-w- c:\windows\system32\REN122.tmp
2012-05-10 23:04 . 2012-05-10 23:04 0 ----a-w- c:\windows\system32\REN121.tmp
2012-05-10 21:58 . 2012-05-10 21:58 -------- d-----w- c:\documents and settings\cynthia dennis\Local Settings\Application Data\Sun
2012-05-09 03:26 . 2012-05-09 03:26 -------- d-----w- c:\documents and settings\cynthia dennis\Application Data\Oracle
2012-05-09 03:26 . 2012-04-04 22:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-09 03:22 . 2012-05-09 03:22 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-09 01:57 . 2012-05-09 01:57 0 ----a-w- c:\windows\system32\REN15B.tmp
2012-05-09 01:57 . 2012-05-09 01:57 0 ----a-w- c:\windows\system32\REN15A.tmp
2012-05-09 01:09 . 2012-05-13 16:27 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-01 17:44 . 2012-05-01 17:44 -------- d-----w- c:\program files\Ask.com
2012-05-01 17:44 . 2012-05-26 20:33 -------- d-----w- c:\documents and settings\cynthia dennis\Local Settings\Application Data\AskToolbar
2012-05-01 17:43 . 2012-05-01 17:43 -------- d-----w- c:\documents and settings\cynthia dennis\Local Settings\Application Data\APN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-13 16:27 . 2011-09-29 18:31 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14 . 2005-08-16 10:18 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2005-08-16 10:18 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2004-08-04 04:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 22:47 . 2011-11-29 02:52 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 21:17 . 2012-04-04 21:17 0 ----a-w- c:\windows\system32\REN352.tmp
2012-04-04 21:17 . 2012-04-04 21:17 0 ----a-w- c:\windows\system32\REN351.tmp
2012-04-04 19:56 . 2010-11-15 16:37 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-02 02:00 . 2012-03-02 02:00 0 ----a-w- c:\windows\system32\REN87.tmp
2012-03-02 02:00 . 2012-03-02 02:00 0 ----a-w- c:\windows\system32\REN86.tmp
2012-03-01 01:25 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 01:25 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-03-01 01:25 . 2005-08-16 10:18 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2012-03-01 01:25 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2012-02-29 14:10 . 2005-08-16 10:18 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2005-08-16 10:18 148480 ----a-w- c:\windows\system32\imagehlp.dll
2011-03-01 02:08 . 2011-03-01 02:08 453 ----a-w- c:\program files\0228201121084248.bat
2011-03-01 01:39 . 2011-03-01 01:39 453 ----a-w- c:\program files\0228201120393061.bat
2012-04-21 01:19 . 2012-05-09 03:21 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-08-16 19:00 . 2010-08-16 19:01 119808 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys
.
[7] 2008-04-14 . 9B9F1C38D559047B8AC0DBA2D5FEBDE9 . 4096 . . [5.3.2600.5512] . . c:\windows\ServicePackFiles\i386\ksuser.dll
[-] 2004-08-04 . CBCD254547689BFF80C9F547B20911E9 . 4096 . . [5.3.2600.2180] . . c:\windows\system32\ksuser.dll
.
[7] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\ServicePackFiles\i386\aec.sys
[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\ERDNT\cache\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\system32\drivers\aec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2011-12-08 23:33 1547104 ----a-w- c:\program files\AVG Secure Search\9.0.0.18\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-03 20:31 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\9.0.0.18\AVG Secure Search_toolbar.dll" [2011-12-08 1547104]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="c:\program files\PC Tools Security\pctsGui.exe" [2012-01-11 2659768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-11 2500552]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2011-12-08 827232]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\cynthia dennis\Start Menu\Programs\Startup\
HughesNetStatusMeter.lnk - c:\program files\HughesNetStatusMeter\HughesNetStatusMeter\HughesNetStatusMeter.exe [2011-8-16 142848]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^cynthia dennis^Start Menu^Programs^Startup^RCA Detective.lnk]
backup=c:\windows\pss\RCA Detective.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\Launch\aollaunch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2008-06-03 05:35 50528 ----a-w- c:\program files\AOL 9.1a\aol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2010-07-13 20:40 70720 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 16:48 58656 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 16:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-06 03:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2005-08-31 17:06 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 07:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
2005-07-22 19:03 425984 ----a-w- c:\program files\Dell Photo AIO Printer 924\dlccmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 15:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-08-16 19:00 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPClientMonitor]
2007-08-06 16:59 45056 ----a-w- c:\program files\GalleryPlayer\Player\GPClientMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPDownloadManager]
2007-08-06 16:59 163840 ----a-w- c:\program files\GalleryPlayer\Player\GPDownloadManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2011-11-19 21:15 0 ----a-w- c:\program files\Common Files\AOL\1142377546\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 22:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-04-04 19:56 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-09-09 01:20 8192 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2005-09-09 01:20 110592 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoSysTray]
2009-10-01 15:53 20480 ----a-w- c:\program files\Plaxo\3.23.0.11\plaxosystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
2009-10-01 15:53 403015 ----a-w- c:\program files\Plaxo\3.23.0.11\PlaxoHelper_en.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-02-14 17:12 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-03-23 06:20 339968 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector]
2003-11-18 23:20 45056 ------w- c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 02:05 204288 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\1142377546\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1142377546\\ee\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\1142377546\\ee\\aolservicehost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\AOL 9.1a\\waol.exe"=
"%windir%\\system32\\lsass.exe"=
"c:\\Program Files\\AVG\\AVG Anti-Vrus Free Edition 10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AOL Desktop 9.6a\\waol.exe"=
"c:\\Program Files\\AOL Desktop 9.6a\\AOLBrowser\\aolbrowser.exe"=
"c:\\Program Files\\pogo games\\PogoDGC.exe"=
"c:\\Program Files\\pogo games\\WebUpdater.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 5:27 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/14/2010 11:01 PM 331880]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [11/14/2010 10:01 PM 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [11/14/2010 10:01 PM 909728]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2/26/2012 9:47 PM 54328]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2/26/2012 9:47 PM 574424]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 4:48 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 4:49 AM 295248]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [9/11/2010 12:40 AM 239240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [9/11/2010 12:40 AM 25240]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [11/14/2010 10:01 PM 253352]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2/26/2012 9:34 PM 185560]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [1/19/2011 3:38 PM 546768]
R2 PGMTrusted;PGMTrusted;c:\program files\Pogo Games\PGMTrusted.exe [1/4/2012 10:40 AM 519888]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2/26/2012 9:33 PM 402336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/12/2007 5:41 PM 24652]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 10:42 PM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 10:42 PM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 10:42 PM 16720]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2/26/2012 9:39 PM 56840]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [11/14/2010 11:01 PM 70536]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2/26/2012 9:47 PM 35264]
R3 ThreatFire;ThreatFire;c:\program files\PC Tools Security\TFEngine\TFService.exe service --> c:\program files\PC Tools Security\TFEngine\TFService.exe service [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 7:25 AM 4433248]
S2 gupdate1c9e86fcf03a50a;Google Update Service (gupdate1c9e86fcf03a50a);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2009 3:32 PM 133104]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG Anti-Vrus Free Edition 10\Toolbar\ToolbarBroker.exe [11/14/2010 11:24 PM 1025352]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/14/2006 1:20 PM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2009 3:32 PM 133104]
S3 KodakPPCAM;Kodak EZ200 DIGITAL CAMERA;c:\windows\system32\drivers\dc31vid.sys [6/7/2008 9:37 PM 430336]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/8/2012 11:22 PM 129976]
S3 Normandy;Normandy SR2; [x]
S3 PA7333I;Kodak Webcam Explorer Bulk Mode Device;c:\windows\system32\drivers\DC31Bulk.sys [6/7/2008 9:37 PM 28669]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [5/24/2012 3:34 PM 27064]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-05-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 19:31]
.
2012-05-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 19:31]
.
2012-05-27 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2012-01-03 20:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 66.82.4.8
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\9.0.1\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\cynthia dennis\Application Data\Mozilla\Firefox\Profiles\nb892ffe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{7917456F-57BE-44A2-8EAD-DCFC24EDB2F4} - okid02.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKLM-Run-PCTools FGuard - c:\program files\PC Tools Security\BDT\FGuard.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-InstaLAN - c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
MSConfigStartUp-Pure Networks Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
MSConfigStartUp-TomTomHOME - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-26 20:00
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???? ??????????????????????????????????????????????????????????????????????????? ??????????????????????????????????????????????????????????????????????????? ?????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\ActiveX Compatibility\{60E7*CAC-E9A7-4302-B9EE-8582EDE22FBF}]
"Compatibility Flags"=dword:00000400
"Pst"=dword:00000002
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\program files\PC Tools Security\TFEngine\TFNI.dll
.
- - - - - - - > 'lsass.exe'(888)
c:\windows\system32\guard32.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - - - - > 'explorer.exe'(6000)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\program files\AOL Deskbar\deskbar.dll
c:\program files\Common Files\AOL\AOL Toolbar\smartbox.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized. dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\program files\PC Tools Security\TFEngine\TFNI.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PC Tools Security\pctsSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\wanmpsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\dllhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\PC Tools Security\TFEngine\TFService.exe
.
**************************************************************************
.
Completion time: 2012-05-26 20:23:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-27 00:21
ComboFix2.txt 2010-08-15 22:11
.
Pre-Run: 24,625,180,672 bytes free
Post-Run: 26,255,294,464 bytes free
.
- - End Of File - - D0124CBD88AE9C843C9645FD884838F2

[Cookiegal]

Your machine seems to be using older versions of some files when newer versions are available so we'll copy the latest versions to override the older ones.

c:\program files\0228201121084248.bat
c:\program files\0228201120393061.bat

But before proceeding, can you tell me what these batch files are for? Did you create them intentionally? If you don't recognize them, you can right-click on them and select "edit" and it should open up in Notepad. You can copy/paste the contents here.

[redkidsdog]

These are files from pogo download games, i have no problem if they need to be deleted. I didnt create them intentionally though.

:tryDelete
IF EXIST "C:\Program Files\Oberon Media\Jewel Quest 3" GOTO WaitAndTryAgain
ping -n 2 localhost>NUL
for /f %%a in ('dir /b "C:\Program Files\Oberon Media"') do ( GOTO End )
:EmptyLabel
echo "EMPTY"
rd /s /q "C:\Program Files\Oberon Media"
IF EXIST "C:\Program Files\Oberon Media" GOTO WaitAndTryAgain
GOTO End
:WaitAndTryAgain
ping -n 2 localhost>NUL
GOTO tryDelete
:End
Del /F /Q "C:\Program Files\0228201121084248.bat"


:tryDelete
IF EXIST "C:\Program Files\Oberon Media\Jewel Quest 3" GOTO WaitAndTryAgain
ping -n 2 localhost>NUL
for /f %%a in ('dir /b "C:\Program Files\Oberon Media"') do ( GOTO End )
:EmptyLabel
echo "EMPTY"
rd /s /q "C:\Program Files\Oberon Media"
IF EXIST "C:\Program Files\Oberon Media" GOTO WaitAndTryAgain
GOTO End
:WaitAndTryAgain
ping -n 2 localhost>NUL
GOTO tryDelete
:End
Del /F /Q "C:\Program Files\0228201120393061.bat"

[Cookiegal]

I don't believe they are causing any problems. Just wanted to be sure they weren't malicious.

Open Notepad and copy and paste the text in the code box below into it:

Code:

File::
c:\windows\system32\REN97.tmp
c:\windows\system32\REN160.tmp
c:\windows\system32\REN15F.tmp
c:\windows\system32\REN9A.tmp
c:\windows\system32\REN5D.tmp
c:\windows\system32\REN5C.tmp
c:\windows\system32\RENF7.tmp
c:\windows\system32\RENC5.tmp
c:\windows\system32\RENC4.tmp
c:\windows\system32\RENAF.tmp
c:\windows\system32\REN6C.tmp
c:\windows\system32\REN6B.tmp
c:\windows\system32\REN7DF.tmp
c:\windows\system32\REN78D.tmp
c:\windows\system32\REN78C.tmp
c:\windows\system32\REN746.tmp
c:\windows\system32\REN415.tmp
c:\windows\system32\REN414.tmp
c:\windows\system32\REN350.tmp
c:\windows\system32\REN34F.tmp
c:\windows\system32\REN122.tmp
c:\windows\system32\REN121.tmp
c:\windows\system32\REN15B.tmp
c:\windows\system32\REN15A.tmp
c:\windows\system32\REN352.tmp
c:\windows\system32\REN351.tmp
c:\windows\system32\REN87.tmp
c:\windows\system32\REN86.tmp

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
c:\windows\ServicePackFiles\i386\ksuser.dll | c:\windows\system32\ksuser.dll
c:\windows\ServicePackFiles\i386\aec.sys | c:\windows\system32\drivers\aec.sys

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\ActiveX Compatibility\{60E7*CAC-E9A7-4302-B9EE-8582EDE22FBF}]

Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

[redkidsdog]

I cant find the combo fix, not on a shortcut. Sorry, i know its a simple thing, but i am having trouble for sure.

[Cookiegal]

It was supposed to be placed on the desktop but instead you put it here:

c:\documents and settings\cynthia dennis\My Documents\Downloads\ComboFix.exe

[redkidsdog]

I am taking the text shortcut and placing it in the cat icon, but its not running. I messed up earlier and it started to work, but i didnt have the text in it, so i stopped it. Did I make a major error by doing that??? I hope not. But, its not launching now.

[Cookiegal]

Try moving both to the desktop and then execute the script.

[redkidsdog]

That is how I did it the first time. Moved the script shortcut to the combofix.exe shortcut, and dropped it into the combofix. How should I have done it?

[Cookiegal]

They are not shortcuts, they are the actual files.

Did you move the ComboFix.exe file from your "My Documents\Downloads" folder to the desktop?

[redkidsdog]

Yes, it is now on the desktop. As well as the CFScript.txt.

[Cookiegal]

Now try to drop the CFScript.txt onto the ComboFix.exe please.

[redkidsdog]

I have both files on my desktop screen with a shortcut. I retried to drop them, and the mouse spins for a moment then nothing else happens.

[Cookiegal]

Please run a new scan with ComboFix as you did before (disable security programs) and post that log.