-
August 8th, 2010, 10:31 AM
#1
[RESOLVED] Mom's netbook infected
She was looking for some sort of Reebok sneakers that they don't sell in the stores. "Princess" style or something like that. Anyway, the Google search warned her the combo she was searching for had some bad websites, but it got through her AVG anyway.
Here is her Malwarebytes file. Running GMER now per stickied instructions.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4404
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/8/2010 10:27:01 AM
mbam-log-2010-08-08 (10-27-01).txt
Scan type: Quick scan
Objects scanned: 143034
Time elapsed: 20 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Margaret\Local Settings\Temp\svchost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Nabrin
-
August 8th, 2010, 09:03 PM
#2
Having problems with the GMER program. Third time I have run it and every time it slows down and eventually comes to a stop even though it is not done with the scan. The only way to proceed is to do a hard reboot on the netbook. Trying one last time, then I will just skip that step.
Nabrin
-
August 8th, 2010, 09:04 PM
#3
The next to last run I let it go for 8 hours and it never finished the scan. Had to hard reboot to restart.
Nabrin
-
August 8th, 2010, 09:09 PM
#4
-
August 8th, 2010, 09:50 PM
#5
GMER is acting strange.
First scan looked about like the logs below. Thought it was a wee bit skimpy so ran it again. It locked up but with more logs than I had the first time. So I ran it again. It had a LOT of files listed mostly dlls. But it locked up. That was my 8 hour run.
So I just ran it again, and this is what it spit out.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-08 21:36:38
Windows 5.1.2600 Service Pack 3
Running: 5483i7e3.exe; Driver: C:\DOCUME~1\Margaret\LOCALS~1\Temp\kgnyykog.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- EOF - GMER 1.0.15 ----
Nabrin
-
August 8th, 2010, 09:55 PM
#6
It looks fine
-
August 8th, 2010, 09:55 PM
#7
DDS
DDS (Ver_10-03-17.01) - NTFSx86
Run by Margaret at 21:52:12.51 on Sun 08/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.478 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Margaret\Desktop\dds.scr
C:\Program Files\AVG\AVG9\avgsrmax.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.foxnews.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0809&m=ao751h
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igdlogin - igdlogin.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-3-17 15328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-4 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-4 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-4 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-16 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-3-17 220128]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-4-15 237568]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [2009-4-15 5096544]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-4-15 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-4-15 24064]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rtsustor.sys --> c:\windows\system32\drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
=============== Created Last 30 ================
2010-08-07 18:38:29 0 d-----w- c:\docume~1\margaret\applic~1\Malwarebytes
2010-08-07 18:38:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-07 18:38:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-07 18:38:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-07 18:38:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-07 18:31:40 0 d-----w- c:\program files\Trend Micro
2010-08-07 18:18:44 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-27 13:59:12 1206816 ----a-w- c:\windows\RtlUpd.exe
2010-07-16 13:02:12 12536 ----a-w- c:\windows\system32\avgrsstx.dll
==================== Find3M ====================
2010-07-16 13:02:15 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-16 13:00:31 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-04-15 12:59:11 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-08-30 03:24:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082920090830\index.dat
2009-08-29 13:41:06 32768 --sha-w- c:\windows\temp\cookies\index.dat
2009-08-29 13:41:03 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-08-29 13:41:06 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
============= FINISH: 21:53:02.75 ===============
Nabrin
-
August 8th, 2010, 09:56 PM
#8
DDS attach
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/29/2009 11:26:16 PM
System Uptime: 8/8/2010 9:43:07 PM (0 hours ago)
Motherboard: Acer | | JV11-ML
Processor: Intel(R) Atom(TM) CPU Z520 @ 1.33GHz | U3E1 | 1330/mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 141 GiB total, 124.697 GiB free.
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP240: 5/10/2010 7:43:57 PM - System Checkpoint
RP241: 5/11/2010 7:44:42 PM - System Checkpoint
RP242: 5/12/2010 3:00:23 AM - Software Distribution Service 3.0
RP243: 5/13/2010 6:03:12 AM - System Checkpoint
RP244: 5/14/2010 7:03:39 AM - System Checkpoint
RP245: 5/15/2010 9:23:43 AM - System Checkpoint
RP246: 5/16/2010 1:17:11 PM - System Checkpoint
RP247: 5/17/2010 5:04:09 PM - System Checkpoint
RP248: 5/18/2010 5:55:48 PM - System Checkpoint
RP249: 5/19/2010 9:15:37 PM - System Checkpoint
RP250: 5/21/2010 6:02:07 AM - System Checkpoint
RP251: 5/22/2010 4:39:02 PM - System Checkpoint
RP252: 5/23/2010 4:39:52 PM - System Checkpoint
RP253: 5/24/2010 6:32:32 PM - System Checkpoint
RP254: 5/25/2010 7:26:34 PM - System Checkpoint
RP255: 5/26/2010 5:19:56 AM - Software Distribution Service 3.0
RP256: 5/27/2010 6:42:49 AM - System Checkpoint
RP257: 5/28/2010 6:46:00 AM - System Checkpoint
RP258: 5/29/2010 9:02:49 AM - System Checkpoint
RP259: 5/30/2010 9:21:51 AM - System Checkpoint
RP260: 5/31/2010 9:56:19 AM - System Checkpoint
RP261: 5/31/2010 4:31:17 PM - Installed Macrium Reflect - Free Edition
RP262: 6/1/2010 8:36:03 PM - System Checkpoint
RP263: 6/2/2010 4:14:09 PM - Avg Update
RP264: 6/3/2010 5:09:35 PM - System Checkpoint
RP265: 6/4/2010 5:36:09 PM - System Checkpoint
RP266: 6/5/2010 6:06:52 PM - System Checkpoint
RP267: 6/6/2010 6:44:27 PM - System Checkpoint
RP268: 6/7/2010 6:53:41 PM - System Checkpoint
RP269: 6/8/2010 7:36:58 PM - System Checkpoint
RP270: 6/9/2010 10:21:56 PM - System Checkpoint
RP271: 6/10/2010 10:07:17 PM - Software Distribution Service 3.0
RP272: 6/12/2010 6:53:32 AM - System Checkpoint
RP273: 6/13/2010 7:00:56 AM - System Checkpoint
RP274: 6/14/2010 7:10:27 AM - System Checkpoint
RP275: 6/15/2010 12:53:03 PM - System Checkpoint
RP276: 6/16/2010 5:49:52 PM - System Checkpoint
RP277: 6/17/2010 8:09:23 PM - System Checkpoint
RP278: 6/18/2010 8:44:27 PM - System Checkpoint
RP279: 6/20/2010 9:15:24 PM - System Checkpoint
RP280: 6/21/2010 9:40:56 PM - System Checkpoint
RP281: 6/22/2010 10:23:51 PM - System Checkpoint
RP282: 6/23/2010 4:44:56 PM - Software Distribution Service 3.0
RP283: 6/24/2010 8:51:47 PM - System Checkpoint
RP284: 6/25/2010 9:47:17 AM - Avg Update
RP285: 6/26/2010 10:07:50 AM - System Checkpoint
RP286: 6/27/2010 11:51:10 AM - System Checkpoint
RP287: 6/28/2010 3:21:26 PM - System Checkpoint
RP288: 6/29/2010 4:22:35 PM - System Checkpoint
RP289: 6/30/2010 6:46:12 PM - System Checkpoint
RP290: 7/1/2010 7:10:01 PM - System Checkpoint
RP291: 7/2/2010 8:56:13 PM - System Checkpoint
RP292: 7/4/2010 7:48:14 AM - System Checkpoint
RP293: 7/5/2010 9:25:02 AM - System Checkpoint
RP294: 7/6/2010 9:55:32 AM - System Checkpoint
RP295: 7/7/2010 10:12:12 AM - System Checkpoint
RP296: 7/8/2010 11:11:09 AM - System Checkpoint
RP297: 7/9/2010 12:13:07 PM - System Checkpoint
RP298: 7/10/2010 1:49:49 PM - System Checkpoint
RP299: 7/11/2010 1:58:30 PM - System Checkpoint
RP300: 7/12/2010 2:35:02 PM - System Checkpoint
RP301: 7/13/2010 4:28:53 PM - System Checkpoint
RP302: 7/14/2010 5:37:59 PM - Software Distribution Service 3.0
RP303: 7/15/2010 8:32:54 PM - System Checkpoint
RP304: 7/16/2010 8:59:38 AM - Avg Update
RP305: 7/16/2010 9:02:31 AM - Avg Update
RP306: 7/17/2010 9:26:16 AM - System Checkpoint
RP307: 7/18/2010 9:54:23 AM - System Checkpoint
RP308: 7/19/2010 10:54:23 AM - System Checkpoint
RP309: 7/20/2010 11:21:22 AM - Avg Update
RP310: 7/21/2010 12:08:13 PM - System Checkpoint
RP311: 7/22/2010 7:36:38 PM - System Checkpoint
RP312: 7/23/2010 7:49:44 PM - System Checkpoint
RP313: 7/24/2010 8:49:49 PM - System Checkpoint
RP314: 7/25/2010 10:24:37 PM - System Checkpoint
RP315: 7/27/2010 9:04:50 AM - System Checkpoint
RP316: 7/28/2010 9:39:05 AM - System Checkpoint
RP317: 7/29/2010 11:23:15 AM - System Checkpoint
RP318: 7/30/2010 1:16:39 PM - System Checkpoint
RP319: 7/31/2010 1:53:08 PM - System Checkpoint
RP320: 8/1/2010 2:43:10 PM - System Checkpoint
RP321: 8/2/2010 3:34:20 PM - System Checkpoint
RP322: 8/3/2010 3:57:02 PM - System Checkpoint
RP323: 8/3/2010 9:57:22 PM - Software Distribution Service 3.0
RP324: 8/4/2010 10:22:31 PM - System Checkpoint
RP325: 8/5/2010 10:29:16 PM - System Checkpoint
RP326: 8/6/2010 11:01:26 PM - System Checkpoint
RP327: 8/7/2010 2:16:57 PM - Restore Operation
RP328: 8/7/2010 2:40:30 PM - Software Distribution Service 3.0
==== Installed Programs ======================
ABBYY FineReader 6.0 Sprint
Acer Crystal Eye webcam 2.2.0.2
Acer eRecovery Management
Acer ScreenSaver
Acer VCM
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.3
Air Strike 2
Apple Application Support
Apple Software Update
Atheros Driver Installation Program
AVG Free 9.0
Bejeweled 2 Deluxe
Big Fish Games Client
C:\Program Files\Acer GameZone\GameConsole
Cake Mania 2
Carbonite Online Backup Setup
Compatibility Pack for the 2007 Office system
Cooking Dash
CyberLink PowerDVD 8
Dream Day First Home
Dream Day Wedding
Driver Robot 1.1.0.13
Epson CreativeZone
Epson Easy Photo Print 2
EPSON NX410 Series Printer Uninstall
EPSON Scan
eSobi v2
Facebook Plug-In
Farm Frenzy
Galapago
Google Desktop
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Home Sweet Home
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator 500
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 16
Java(TM) 6 Update 17
Jewel Quest Solitaire
Junk Mail filter update
Launch Manager
Lexmark Fax Solutions
Lexmark Toolbar
LTCM Client
Macrium Reflect - Free Edition
Mahjong Escape Ancient China
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Suite Activation Assistant
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSN
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.1
Parking Dash
Peggle
QuickTime
Rainbow Web
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Segoe UI
Star Defender 4
Sudoku Puzzle Addict
Synaptics Pointing Device Driver
Tradewinds 2
Tri-Peaks Solitaire To Go
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB2.0 Card Reader Software
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
Zuma Deluxe
==== Event Viewer Messages From Past Week ========
8/8/2010 10:50:20 AM, error: System Error [1003] - Error code 10000050, parameter1 e3ae1000, parameter2 00000000, parameter3 ebdf5c3e, parameter4 00000001.
8/7/2010 2:49:15 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
8/7/2010 2:16:31 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
==== End Of File ===========================
Nabrin
-
August 8th, 2010, 09:58 PM
#9
Also,
I did turn off all startup items using MSCONFIG early on in an attempt to increase her performance because everything was slow...it still is slow, but not as slow as before.
Nabrin
-
August 8th, 2010, 10:08 PM
#10
I want you to re-enable all items you disabled.
As our instructions say - do not make any changes to the computer while the cleaning process is in progress.
When done....
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
August 8th, 2010, 10:57 PM
#11
Found no way to turn off AVG from its control panel so I decided to uninstall it while I am doing this. Can't get it to uninstall, and Combofix flags me saying it is still running AVG.
Giving me a registry key issue failure.
Going to have to backburner this for the night. Gotta go to work in 5 hours so need some sleep. Thanks for the help so far...will get back on tomorrow evening after work. Hopefully, I will find a way to get AVG off the machine so I can run the Combofix software.
Nabrin
-
August 8th, 2010, 10:59 PM
#12
Run AVG Remover: http://www.avg.com/us-en/download-tools
I suggest you switch to some other AV anyway.
Avast, Avira....
-
August 9th, 2010, 08:09 PM
#13
Ok...cranking up for the evening to try to finish fixing this.
What about MS Security Essentials?
Nabrin
-
August 9th, 2010, 09:08 PM
#14
It seems to be fine as well...
-
August 9th, 2010, 09:14 PM
#15
OK, this is with all startup items turned on.
ComboFix 10-08-09.02 - Margaret 08/09/2010 20:59:31.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.406 [GMT -4:00]
Running from: c:\documents and settings\Margaret\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Margaret\Application Data\.#
.
((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))
.
2010-08-07 18:38 . 2010-08-07 18:38 -------- d-----w- c:\documents and settings\Margaret\Application Data\Malwarebytes
2010-08-07 18:38 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-07 18:38 . 2010-08-07 18:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-07 18:38 . 2010-08-07 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-07 18:38 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-07 18:31 . 2010-08-07 18:31 -------- d-----w- c:\program files\Trend Micro
2010-08-07 18:18 . 2010-08-07 18:18 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-07 18:16 . 2010-08-07 18:16 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2010-07-27 13:59 . 2010-07-27 13:59 1206816 ----a-w- c:\windows\RtlUpd.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 00:24 . 2010-02-10 11:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-09 02:55 . 2010-08-09 02:55 503808 ----a-w- c:\documents and settings\Margaret\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6c237438-n\msvcp71.dll
2010-08-09 02:55 . 2010-08-09 02:55 499712 ----a-w- c:\documents and settings\Margaret\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6c237438-n\jmc.dll
2010-08-09 02:55 . 2010-08-09 02:55 348160 ----a-w- c:\documents and settings\Margaret\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6c237438-n\msvcr71.dll
2010-08-09 02:55 . 2010-08-09 02:55 12800 ----a-w- c:\documents and settings\Margaret\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-598ce757-n\decora-d3d.dll
2010-08-09 02:55 . 2010-08-09 02:55 61440 ----a-w- c:\documents and settings\Margaret\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-598ce757-n\decora-sse.dll
2010-08-09 02:54 . 2009-09-02 23:37 -------- d-----w- c:\program files\Java
2010-08-09 02:47 . 2009-09-04 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-07-17 09:00 . 2010-08-09 02:54 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-29 19:15 . 2009-04-15 14:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-16 19:59 . 2009-11-28 17:07 1 ----a-w- c:\documents and settings\Margaret\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-14 14:31 . 2009-04-15 12:43 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-16 16:21 . 2010-05-16 16:21 50354 ----a-w- c:\documents and settings\Margaret\Application Data\Facebook\uninstall.exe
2010-05-16 16:20 . 2010-05-16 16:20 2114184 ----a-w- c:\documents and settings\Margaret\Application Data\Facebook\Install_Facebook_Plug-In_1.0.3.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-30 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-27 1434920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-24 17567744]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-10-17 91432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PersistenceThread"="c:\windows\system32\PersistenceThread.exe" [2009-05-01 92696]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2008-12-24 1540288]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-02-20 817672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-05-01 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-05-01 354840]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-04-15 24064]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 290816]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2008-10-03 294544]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-17 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-4-15 565248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igdlogin]
2009-04-28 03:44 65536 ----a-w- c:\windows\system32\igdlogin.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Acer\\Acer VCM\\VC.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [3/17/2010 9:51 AM 15328]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [3/17/2010 9:51 AM 220128]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [4/15/2009 10:59 AM 237568]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [4/15/2009 9:48 AM 5096544]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/15/2009 9:52 AM 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/15/2009 10:04 AM 24064]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2010-06-06 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.13\DriverRobot.exe [2009-10-18 02:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-PLFSetI - c:\windows\PLFSetI.exe
Notify-avgrsstarter - avgrsstx.dll
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 21:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2536)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Completion time: 2010-08-09 21:12:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-10 01:12
Pre-Run: 134,107,443,200 bytes free
Post-Run: 134,780,174,336 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 7D4A5C51F0C671B27223ECDC2E1D9954
Nabrin